North Korean Hackers Target Cryptocurrency Exchange as Part of Larger Economic Warfare Strategy

Yapizon, which operates the South Korean cryptocurrency exchange Youbit, announced on Tuesday that it would suspend all trading activity and file for bankruptcy following a North Korean cyber attack. Youbit acknowledged that the breach resulted in the theft of 17 percent of the exchange’s total digital assets, consisting of 7.6 billion won, or $7 million worth of cryptocurrencies. The Youbit breach, which occurred at 4:35 am on Tuesday, is only one example of a larger North Korean strategy of cyber-enabled economic warfare targeting South Korea’s financial infrastructure. Its purpose is to both undermine South Korea’s political and economic stability and to evade international economic sanctions.

Over the past decade, as the United States and its partners have squeezed Pyongyang out of the formal financial system, the Kim regime has turned to state-sponsored crime and money laundering to generate income and undercut sanctions measures. As detailed in recent Congressional testimony by Frank Cilluffo of the GWU Center for Cyber and Homeland Security, North Korea has incorporated cyber crime into its multifaceted cyber strategy. Notable examples in the past year and a half alone include the WannaCry ransomware attack and Bangladesh Heist, which together generated as much as $81 million for the Kim regime, a significant amount for a country whose GDP is approximately $16 billion.

Tuesday’s attack is also not the first time Pyongyang has targeted South Korea’s financial infrastructure. Most notably, in 2013, North Korean cyber operatives spread the Dark Seoul virus to infect computers of three major South Korean banks, resulting in up to $800 million in damages.

The Youbit breach fits into this strategic pattern. As South Korea incorporates cryptocurrencies into its financial sector, it opens a new attack vector for Pyongyang. While Youbit is a relatively small cryptocurrency exchange, North Korea could also attack a target like Bithumb, which is one of the world’s largest and most active cryptocurrency exchanges and has about a 70-percent share of the South Korean market. A catastrophic attack on Bithumb could undermine public faith in South Korea’s financial systems, destabilizing the government and weakening its ability to respond to the North’s provocations.

In response to repeated attacks on South Korean cryptocurrency exchanges, Seoul plans to increase regulations for trading cryptocurrencies and reduce the influence cryptocurrencies have on South Korea’s financial infrastructure. The relevant legislation has yet to be passed, however.

In addition to enhancing their defenses, Washington and Seoul should go on the offense. Since cryptocurrency movements are tracked online in a public ledger, investigators can analyze the transaction data to uncover new details about Pyongyang’s money-laundering methods and allow policy makers to enact preventive measures for the future.

Furthermore, Washington should use targeted sanctions against foreign entities that facilitate North Korean hacking. For example, the research firm C4ADS reported that a Chinese company is the minority owner of the Chilbosan Hotel in Shenyang of China’s Liaoning province, where North Korean hackers are allegedly operating. This hotel’s majority owner is in fact the North Korean Pyongyang Economic Exchange Society. Treasury previously sanctioned the minority shareholding Chinese company in 2016 for enabling North Korean sanctions evasion. The U.S. government and its allies should urge the Chinese government to punish these companies and ensure the hotel in question no longer hosts North Korean hackers. More broadly, as the Youbit hack reflects North Korea’s broader campaign of economic warfare with cyber weapons, the U.S. and South Korea must similarly recognize that they retain significant tools of economic coercion and deploy these assets to deter and punish Pyongyang’s aggression.

Mathew Ha is a research associate at the Foundation for the Defense of Democracies, where Trevor Logan is a cyber research associate. Follow them on Twitter @Matjunsuk and @TrevorLoganFDD.

Follow the the Foundation for Defense of Democracies on Twitter @FDD.