The 2019 cyberattack on South Korea's largest cryptocurrency exchange, Upbit, has been traced to hackers affiliated with North Korea's Reconnaissance General Bureau, who stole digital assets worth 58 billion won at the time (now valued at 1.47 trillion won), South Korean authorities revealed Thursday. This announcement marks the first official confirmation by South Korean investigators of North Korea’s involvement in a cryptocurrency heist.
The National Police Agency’s National Investigation Headquarters identified the attackers as members of Lazarus and Andariel, two notorious hacking groups linked to the North Korean regime. In November 2019, the hackers stole 342,000 Ether from Upbit wallets, valued at 58 billion won at the time and approximately 1.47 trillion won today. Lazarus has historically targeted government and financial institutions, while Andariel has focused on military and defense industries.
Authorities refrained from disclosing specific attack methods due to concerns over copycat crimes. However, they cited evidence such as North Korean IP addresses, the flow of the stolen cryptocurrency, the use of unique North Korean terminology, and information shared by the FBI. Investigators found traces of the phrase “heolhan il,” a North Korean term meaning “trivial matter,” on a computer used in the attack.
The police said the hackers stole around 340,000 Ether in a single attack. They transferred 57% of the stolen Ether to three cryptocurrency exchange platforms they created, converting it to Bitcoin at a 2.5% discount to market prices. They likely laundered the funds by cashing out the Bitcoin, police said. The remaining 43% was dispersed across 51 exchanges in 13 countries, including China, the U.S., Hong Kong, and Switzerland. While the North Korean-run platforms have since been shut down, authorities lost the trail of the laundered funds two years ago.
In October 2020, investigators traced a portion of the stolen cryptocurrency, converted into Bitcoin, to an exchange in Switzerland. After a four-year effort to link the funds to the Upbit hack, South Korea successfully recovered 4.8 Bitcoin, valued at 600 million won, and returned it to Upbit. However, exchanges in countries such as China, the U.S., and Hong Kong either ignored cooperation requests or declined to assist, citing a lack of obligation.
Authorities shared the identified hacking techniques with other organizations, including the National Intelligence Service, the Financial Supervisory Service, the Financial Security Institute, and cryptocurrency exchanges, to bolster defenses. “Cryptocurrency exchanges now adhere to high-security standards, unlike in the past,” a police spokesperson stated, urging the public not to harbor undue fears.
Reporter Lee Sang-hwan payback@donga.com