Five years after the theft of 58 billion won in cryptocurrency from a South Korean exchange, police have confirmed North Korea’s involvement. The stolen assets have since increased in value to 1.47 trillion won ($1.05 billion).
The South Korean National Police Agency announced Thursday that North Korean hacker groups Lazarus and Andariel orchestrated the theft of 342,000 Ethereum tokens from the Upbit cryptocurrency exchange in November 2019.
Police deduced that North Korea was behind the theft by analyzing North Korean IP addresses, cryptocurrency transaction records, linguistic traces of North Korean terminology and evidence obtained in cooperation with the U.S. Federal Bureau of Investigation.
Although there have been UN reports and statements by foreign governments about North Korea’s cryptocurrency-hacking activities, this marks the first time a domestic investigative agency has officially confirmed such involvement.
According to police, 57 percent of the stolen assets were exchanged for Bitcoin at a price 2.5 percent below the market price through three exchange sites. These sites are also suspected of having been created by North Korea.
The rest of the stolen cryptocurrency was laundered through 51 overseas exchanges across 13 countries, including the United States and China.
Police were unable to confirm how the stolen 58 billion won was ultimately utilized. Most overseas exchanges reportedly did not respond to requests from South Korean police to return the misappropriated cryptocurrency.
However, police confirmed that a portion of the misappropriated cryptocurrency was stored in a cryptocurrency exchange based in Switzerland. After providing evidence to the Swiss prosecution, the police, in cooperation with the prosecution and the Ministry of Justice, pursued mutual legal assistance in criminal matters with Switzerland.
Last month, police eventually recovered approximately 4.8 Bitcoin tokens, valued at around 600 million won. The recovered cryptocurrency was then returned to Upbit.
While this is the first confirmed instance of North Korea targeting a domestic exchange, its hacking organizations have long been known in the international community for stealing virtual assets.
In July, India’s largest cryptocurrency exchange suffered over $200 million in damages due to an external attack, with Lazarus identified as the main culprit.
Around the same time, a Japanese cryptocurrency exchange lost $35 million in a theft also suspected to have been carried out by Lazarus.
According to a report published in March by the UN Security Council Sanctions Committee on North Korea, the state was estimated to have stolen about $3 billion through cyberattacks on cryptocurrency-related businesses from 2017 to 2023, with investigations ongoing into 58 suspected cases.
In the past, North Korea secured foreign currency through legitimate means such as trade and exporting labor overseas. However, these avenues have been largely blocked by international sanctions.
In addition to Lazarus and Andariel, other well-known North Korean hacking groups include Kimsuky and APT38, all of which are linked to the Reconnaissance General Bureau, North Korea’s military intelligence agency.
“We will do our best not only in investigating the methods and perpetrators of cyberattacks, but also preventing harm and helping with recovery,” said the police.
BY MINYOUNG KIM, YOUNGNAM KIM [kim.youngnam@koreadaily.com]