North Korean malware email seen behind Coincheck theft
Hackers plant software that steals customer info, South Korean spy agency says
SOTARO SUZUKI, Nikkei staff writer
SEOUL -- North Korean hackers likely deployed malware-laced email to steal 58 billion yen ($529 million) worth of cryptocurrency from Japanese exchange service provider Coincheck, according to South Korean intelligence.
The country's National Intelligence Service explained to lawmakers Monday how North Korea operates in cryptocurrency thefts. Hackers send email to virtual currency service providers or their customers that either carries malware or directs readers to malicious websites; either way, the aim is to install software that steals passwords and other customer data. The malware is often disguised as a job application, since cryptocurrency companies are expanding rapidly to keep up with the booming market.
The North Koreans likely used the same method to make off with some 58 billion yen in the NEM cryptocurrency in the Coincheck case, the NIS alleges.
Phishing for sensitive information via email is a favorite method of North Korean hackers. Ha Tae-keung, a lawmaker from the South's conservative Bareun Party, told an emergency news conference Thursday that fraudulent email concerning virtual currencies had been sent to more than 30,000 recipients under his name. Ha is well-versed in North Korean issues and often speaks on matters related to virtual currencies.
Opening the message installs malware on the reader's computer, allowing it to be controlled remotely via a server in the U.S. Had a worker at a virtual currency company opened the email on a computer containing sensitive information, it could have resulted in a massive theft, Ha claimed. Ultimately, no damage came of the attack, thanks to Ha's loud warnings that the email "was sent not by Ha Tae-keung but by Kim Jong Un."
The NIS has not revealed its evidence for pinning the Coincheck breach on Pyongyang. But Japanese information security experts agree that an email attack could be responsible.
"Coincheck President Koichiro Wada was apparently recruiting workers on Facebook," according to Toshio Nawa, senior analyst at the Cyber Defense Institute. "It is plausible that North Korean hackers saw that and sent infected email under the guise of job seekers, thereby infiltrating the company's systems."
Others are more skeptical. "The stolen funds were handled fairly haphazardly, being transferred to individual accounts held by third parties, for example," said Takayuki Sugiura, head of information technology consultancy L Plus in Tokyo. If this was a state-orchestrated attack, it was an amateurish one, suggesting that an individual is more likely responsible, said Sugiura, who argued that a hacker in Russia or some other European country is the probable culprit.
Japan's investigation of the breach is ongoing. Tokyo "is gathering and analyzing information" on the attack "with the utmost interest" and looks to respond urgently in cooperation with the international community, Chief Cabinet Secretary Yoshihide Suga told a news conference Tuesday. Coincheck has provided server logs to police, who are looking into possible violations of computer access laws.