North Korean Hackers Target Crypto Exchange UPbit's South Korean Users

North Korean hackers have been using a familiar phishing tool to steal UPbit customer details, security experts allege.

AccessTimeIconMay 31, 2019 at 2:21 a.m. UTC
Updated Sep 13, 2021 at 9:15 a.m. UTC

North Korean hackers have allegedly attacked users of South Korean exchange UpBit with a clever phishing exploit.

According to data released by the security company East Security, the hacker attempted a cyberattack by sending a phishing e-mail on May 28. The subject of the mail suggested that UPbit needed more information regarding a fictional sweepstakes payout for tax purposes. The mail did not come from the exchange but from another server outside of South Korea.

The email contained a file claiming to contain documentation for the payout. According to East Security, running this file displayed what looked like a normal document but would activate malicious code. It would then send data about the user's machine as well as exchange logins to the hackers and then connect the machine to a command-and-control system for later remote access.


"In analyzing attack tools and malicious codes used by hacker groups, there are unique characteristics we saw," said Mun Chong Hyun, head of the ESRC Center at East Security. He noted that these are similar to another attack called Operation Fake Striker that attacked Korean government agencies earlier this month.

The hackers also used the same techniques in January to target reporters, though this seems the first attack by the suspected group on a crypto firm.

"As bitcoin prices rise, more and more people are using exchanges. What this means to the hackers is that the number of targets have increased, and so have the chances of stealing cryptocurrencies stored in the exchanges," said Mun Chong Hyun.

In a clever move, the hackers password-protected the malicious file with the word "UPBIT." This means that traditional anti-virus tools would not be able to detect the malicious code.

"We have not heard of any reported damage," noted Mun Chong Hyun. "In order to avoid cyber attacks, you should not install or click suspicious files or documents."

Research by Park Geunmo at CoinDesk Korea.

Image via Shutterstock


Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.