North Korea blamed for two cryptocurrency scams, five trading platform hacks

Two new reports support FireEye's characterization that North Korea is "the most destructive cyber threat right now."

North Korea's hackers and operatives have fully adopted cryptocurrency as a method of bypassing international sanctions and raising funds for the Pyongyang regime.

Two reports released in the past two weeks by Group-IB and Recorded Future, respectively, reveal the depths to which North Korea has gone to do so, relying on hacks of cryptocurrency trading platforms, running cryptocurrency-related scams, and even creating a fully-functional scam coin.

Of these, by far the most common on successful were North Korea's cyber-attacks targeting cryptocurrency exchanges. A Group-IB report published last week pinned five of 14 cryptocurrency exchange hacks on Lazarus Group, a codename assigned by the cyber-security industry to North Korea's military hacking units.

Group-IB pegged Lazarus Group for successful hacks at exchanges such as Yapizon, Coinis, YouBit, Coincheck, and Bithumb, across 2017 and 2018. In total, North Korean hackers stole roughly $571 million from the five exchanges, the report said.

group-ib-trading-platform-hacks.jpg
Image: Group-IB

But hacks weren't the only trick North Korean operatives had up their sleeves. In a report published today by threat intel firm Recorded Future, individuals associated with the North Korean regime have also been blamed for running cryptocurrency-related scam.

"We have discovered an asset-backed cryptocurrency scam called Marine Chain operated by a network of North Korea enablers in Singapore," Recorded Future said.

"We came across discussions of Marine Chain as a cryptocurrency in a couple of Bitcoin forums in August 2018. Marine Chain was supposedly an asset-backed cryptocurrency that enabled the tokenization of maritime vessels for multiple users and owners," the report explains.

Recorded Future believes that any investments made in this venture ended up becoming losses for investors. The threat intel firm lists several reasons why it reached this conclusion:

The Marine Chain website was a clone of ShipOwner.io, a similar blockchain-based service that allowed users to buy and rent ships with cryptocurrency investments.

The Marine Chain website was hosted on four different IP addresses, which hosted several other cryptocurrency-related scams in late 2017 and throughout 2018.

One of the scam sites was a binary options trading company called Binary Tilt, which was deemed fraudulent by the government of Ontario, Canada.

Recorded Future linked two Marine Chain execs to Singaporean companies that have assisted North Korean sanctions circumvention efforts since at least 2013.

In addition to Marine Chain, the threat intel firm says it also linked North Korean individuals to another cryptocurrency launched in 2018 that rebranded four times (Interstellar, Stellar, HOLD, or HUZU), took investments from users, and later shut down, robbing users of their funds.

These two scams likely didn't yield the same profits as Lazarus hacks, but they show a trend in North Korean operations where operatives are supplementing cyber-heists on real banks with cryptocurrency-related profits, and the reason why FireEye called North Korea "the most destructive cyber threat right now."

RELATED SECURITY COVERAGE: