SEOUL—The messages are alluring, the pictures are attractive. But the women seeking to beguile South Korean bitcoin executives could actually be hackers from North Korea in disguise, experts warn.
In the face of sanctions over its banned nuclear and ballistic missile programs, cash-strapped North Korea is deploying an army of well-trained hackers with an eye on a lucrative new source of hard currency, they say.
Its cyberwarfare abilities first came to prominence when it was accused of hacking into Sony Pictures Entertainment to take revenge for “The Interview,” a satirical film that mocked its leader, Kim Jong-un.
But Pyongyang has rapidly expanded from political to financial targets, such as the central bank of Bangladesh and bitcoin exchanges around the world, with Washington this week blaming it for the WannaCry ransomware that wreaked havoc earlier this year.
And a South Korean cryptocurrency exchange shut down on Tuesday after losing 17 percent of its assets in a hacking—its second cyberattack this year, with North Korea accused of being behind the first.
According to multiple South Korean reports citing Seoul’s intelligence agency, North Korean hackers approach workers at digital exchanges by posing as beautiful women on Facebook, striking online conversations and eventually sending files containing malicious code.
They also bombard executives with e-mails posing as job seekers sending resumés—with the files containing malware to steal personal and exchange data.
Moon Jong-hyun, director at Seoul cybersecurity firm EST Security, said North Korea had stepped up online honeytrap tactics targeting South Korea’s government and military officials in recent years.
“They open Facebook accounts and maintain the online friendship for months before backstabbing the targets in the end,” Moon told a cybersecurity forum, adding many profess to be studying at a US college or working at a research think tank.
Simon Choi, director of Seoul cybersecurity company Hauri, has accumulated vast troves of data on Pyongyang’s hacking activities and has been warning about potential ransomware attacks by North Korea since 2016.
The United States has reportedly stepped up cyberattacks of its own against North Korea.
But Choi told Agence France-Presse (AFP): “The North’s hacking operations are upgrading from attacks on ‘enemy states’ to a shady, lucrative moneymaking machine in the face of more sanctions.”
Pyongyang’s hackers have showed interest in bitcoin since at least 2012, he said, with attacks spiking whenever the cryptocurrency surges—and it has soared around 20-fold this year.
US cybersecurity company FireEye noted that a lack of regulations and “lax antimoney laundering controls” in many countries make digital currencies an “attractive tactic” for North Korea.
Cryptocurrencies, FireEye said in a September report, were “becoming a target of interest by a regime that operates in many ways like a criminal enterprise.”
The company documented three attempts by Pyongyang to hack into Seoul cryptocurrency exchanges between May and July as a way to “fund the state or personal coffers of Pyongyang’s elite.”
In October, Lazarus, a hacking group linked with North Korea, launched a malicious phishing campaign targeting people in the bitcoin industry with a fake but lucrative job offer, according to US cybersecurity firm Secureworks.
Hacking attacks targeting digital currencies are only the latest in the long list of alleged online financial heists by North Korea.
North Korea is blamed for a massive $81-million cyberheist from the Bangladesh central bank in 2016, as well as the theft of $60 million from Taiwan’s Far Eastern International Bank in October.
Although Pyongyang has angrily denied the accusations—which it described as a “slander” against the authorities—analysts say the digital footprints left behind suggest otherwise.
Proceeds from such actions are laundered through casinos in the Philippines and Macau or money exchanges in China, said Lim Jong-in, a cybersecurity professor at Korea University in Seoul, making it “virtually impossible” to trace. —AFP
Google Chrome’s own ad blocker to go live on Feb. 15