North Korean Hackers Stealing Bitcoins on Massive Scale

Ray Walsh

April 21, 2017

North Korean government hackers thought to be behind a number of bank hacks are now also suspected of stealing bitcoins. The hackers, known as Lazarus, have long been suspected of a number of nefarious cyberattacks on banks from around the world. Now it is believed that the North Korean hackers – who also run a number of illegal gambling sites – have been using those sites to steal the valuable cryptocurrency.

Lazarus is the most recent name for Kim Jong-un’s notorious Bureau 121 hackers. It is an official hacking bureau under the direct control of the North Korean dictator. The hacking group is both highly skilled and well-equipped, making it extremely dangerous. So far, attacks on banks in 18 countries have been reported, including an $81 million heist last year on the central bank of Bangladesh.

In addition, a string of attacks (toward the end of 2016) on approximately 20 Polish banks has been attributed to the North Korean hackers, who appear to be growing in sophistication year after year. Following those hacks, security researchers discovered digital footprints that led them to other targets such as the World Bank, the European Central Bank, and Bank of America. The concern is that the money is being siphoned off to fund the regime’s troubling nuclear program.

Financial Aims

Now, people who have invested in the popular cryptocurrency bitcoin are being warned that Kim Jong-un’s hackers are focusing their efforts on stealing as many bitcoins from online coin wallets as they can.

The hacking campaign comes as no surprise, considering the vast growth in value that the cryptocurrency has seen in the last year. Early in 2016, bitcoins were valued at just under $400. A year on, their value has soared to the highest level it has ever seen, currently sitting at a stunning $1,200.

The massive growth in value, and the ease with which bitcoins can be laundered, are making them an incredibly large temptation not only to North Korea’s Lazarus but to cybercriminals the world over.

South Korean officials estimate that North Korea’s Bureau 121 hackers have expanded to a team of around 1,700 hackers, with up to 5,000 operatives (taking into account trainers and supervisors). That is a mammoth hacking collective, which lends all the more credence to the plausibility of such a multitude of hacks originating at the hands of Lazarus.

International Presence

Interestingly, it is believed that a large number of the Lazarus hackers are located outside of North Korea itself, instead mounting their attacks from IP addresses in China, Southeast Asia, and Europe. With that in mind, it is possible that some state-sponsored hacking suspected to originate from the Chinese government could, in fact, be attributable to North Korean hackers working out of neighboring China.

Symantec Research

Cybersecurity firm Symantec has been undertaking large amounts of research surrounding the Lazarus hackers. According to the firm, the attack vector involves compromising websites that the targets are known to visit and using them to get malware onto visitors’ machines, a technique known as a ‘watering hole’ attack.

The watering hole attack then delivers malware that communicates with command and control (C&C) servers in order to download further nefarious code onto the victim’s machine. Symantec refers to that software as a “loader” component of a custom exploit kit called Downloader.Ratankba.

Symantec says it has used indicators of compromise (IOCs) gained during the Polish cyberattacks in order to stop attacks on a number of other banks. From the Symantec blog on the subject:

“Symantec has blocked attempts to infect customers in Poland, Mexico, and Uruguay by the same exploit kit that infected the Polish banks. Since October, 14 attacks against computers in Mexico were blocked, 11 against computers in Uruguay, and two against computers in Poland.”

Bitcoin Users Warned

Choi Sang-myong from the South Korean cybersecurity firm Hauri Inc has gone on the record warning that it is not just banks that are being targeted by Lazarus and Bureau 121 hackers. Money is the name of the game, and Sang-myong estimates that the North Korean hackers have been responsible for the theft of as much as $88,000 worth of bitcoins per month:

“Cyber criminals have turned to bitcoin for money as it is very difficult to track them down. Since tracking down the culprits is very difficult, North Korea had jumped on the bandwagon of bitcoin extortion since around 2012.”

What Should Bitcoin Users Do?

Security is an integral part of the blockchain itself. As such, the loss of bitcoins is usually due to weaknesses (or compromise) at the bitcoin wallet level rather than in the blockchain. In the case of Lazarus, it is believed that they may be using illegal gambling websites as a way into people’s machines, in order to steal passwords and ultimately bitcoins. The best defense is to store bitcoins offline and to protect them with strong passwords (that are also kept offline). This is the advice from cointelegraph:

“This should act as a signal to all of those holding cryptocurrencies to increase measures of security. North Korean hackers abroad are known to run illegal gambling sites and this might understandably be the link to bitcoin wallets being hacked.

Users can protect themselves by selecting reputable vendors, even if it costs a few satoshis more in the casino example. Frequently the human factor puts wallets at risk. Other factors to increase your assets include holding your own keys, hardware wallets or paper wallets.”

Furthermore, bitcoin users should watch out for possible phishing scams like the one that caught out 10,000 deep web marketplace users last year. Another popular method for stealing bitcoins is to deliver a keylogger onto people’s machines so that the attackers can capture bitcoin wallet passwords and then transfer the funds out of the account.

How to Protect Your Bitcoins

One solution would be to use a secure on-screen keyboard when typing in the password. However, do be aware that the built-in Windows on-screen keyboard can also be captured by keyloggers. As such, it might be worth looking into a secure third-party on-screen keyboard (like Mouse Only Keyboard or Neo’s SafeKeys) for the job. Another option is to use behavioral analysis software such as SpyShelter or Zemana AntiLogger.

A final option is to use keystroke encryption like KeyScrambler to disguise the input as you type in the password. All of the above methods have pros and cons, so it is worth taking the time to look into them if you are interested in protecting your bitcoins.

Opinions are the writer’s own
