Tags:: "Inside Job", South Korea, CEX Hack, Spear-Phishing
As best I have been able to parse it out, the four separate hacks are as follows:
- February 7th, 2017: ~$7 million or more. Or maybe 30k PII records - Attributed to DPRK in 2023 UN Report
- June 29th, 2017: ~$7 million or more. Or maybe 30k PII records - Attributed to DPRK in 2023 UN Report
- December 2017: the South Korean government attributed the attack(s) to DPRK.
- January 16th, 2018: Recorded Future, a security firm known for analyzing state-sponsored attacks, attributed the attack to the Lazarus Group.
- June 19th, 2018 - $31 million - ~2000 BTC - goes to YoBit
- "The proceeds of the third attack on Bithumb in June 2018 were transferred through YoBit. By August 2018, less than two months after the attack, the funds were sent to YoBit in a complex series of hundreds of transactions with the aim of converting and cashing out the entirety of the stolen cryptocurrency (as opposed to spending the acquired cryptocurrency directly on goods and services). The above-mentioned cases show a clear evolution from the earlier Democratic People’s Republic of Korea cyberattack on the customers of a Republic of Korea online shopping mall, Interpark, which was designed to generate foreign currency."
- March 29th, 2019 - $20 million
Bithumb has said, regarding either the June 2018 hack or the March 2019 hack, that:
The attackers gained access to an employee’s personal computer. The initial access vector may have been the malicious HWP document that was researched and documented (see below).
Bithumb believes the hack was an Inside Job and that funds might have been moved by individuals associated with the company.
The UN Security Council's 2019 Midterm Report included:
The first two attacks, in February and July 2017, resulted in losses of approximately $7 million each, with subsequent attacks in June 2018 and March 2019 resulting in the loss of $31 million and $20 million, respectively, showing the increased capacity and determination of Democratic People’s Republic of Korea cyber actors. Similarly, Youbit (formerly Yapizon) suffered multiple attacks involving a $4.8 million loss in April 2017 and then 17 per cent of its overall assets in December 2017, forcing the exchange to close. Those attacks, along with an attack on UpBit on 28 May 2019, used similar tools, codes and attack vectors (including spear phishing and watering holes) to those used in previous cyberattacks on security and defence targets attributed to the Democratic People’s Republic of Korea. In addition to the Republic of Korea, the Panel investigated Democratic People’s Republic of Korea attacks on cryptocurrency exchanges in five other countries (see annex 21 B).
| Date | Incident | Details |
|---|---|---|
| Feb 2017 | Bithumb #1 | Theft of $7M USD in first attack on Bithumb |
| Jul 2017 | Bithumb #2 | Reported theft of more than $7M USD in second attack on Bithumb, including 870,000 USD in Bitcoin and $7M USD in Bitcoin and Ethereum. The National Intelligence Service attributed the attack to the DPRK. |
| June 2018 | Bithumb #3 | Third attack on Bithumb. Bithumb announced in a since-deleted tweet that hackers stole approximately $31 million. Proceeds were laundered through a separate cryptocurrency exchange called YoBit. |
| Mar 2019 | Bithumb #4 | Reported theft of $20M USD in fourth attack on Bithumb (3M EOS and 20 million Ripple coins stolen, worth $13.4M USD and $6M USD, respectively) |
Laundered Via:: YoBit
Attribution:: UN Security Council - August 30th, 2019 Midterm Report - https://undocs.org/S/2019/691 - https://securitycouncilreport.org/atf/cf/%7B65BFCF9B-6D27-4E9C-8CD3-CF6E4FF96FF9%7D/S_2019_691.pdf
Approximately $31 million in virtual currency was stolen from Bithumb, a South Korean cryptocurrency exchange, marking the third theft in the last 16 months.
In August 2019, the UN Security Council Panel of Experts indicated DPRK-affiliated actors were behind the theft. Proceeds were laundered through a separate crypto-currency exchange called YoBit. The company stated they would compensate customers affected.
Earlier in the year, the Lazarus Group had been observed distributing malicious documents created using the Hangul Word Processor (HWP) to cryptocurrency users in South Korea.
AlienVault concluded that, while it couldn't be certain the malware linked to in those HWP documents was responsible for the Bithumb heist, "it seems a likely suspect."
"North Korea’s cyberattacks on Republic of Korea (South Korean) targets have been increasing in number, sophistication and scope since 2008, including a clear shift in 2016 to attacks focused on generating financial revenue."
In 2019, DPRK cyber actors shifted focus to targeting cryptocurrency exchanges. Some cryptocurrency exchanges have been attacked multiple times.
Reports within South Korea have suggested that the thefts from Bithumb started with malicious HWP files earlier in May and June. They also mentioned that these are linked to previous attacks by Lazarus and involved faked resumes.
Bithumb -> YoBit: 1,993 BTC was moved from the Bithumb hackers' wallet to YoBit over 68 transactions.
However, on June 19th, 2018 the majority of these transactions switched to using a fee of exactly 0.1 BTC - a fee notable for its size and the fact that it only used one decimal place.
Over the 19th and 20th of June, 400 transactions of this type sent funds from Bithumb to a single bitcoin wallet made up of 70 addresses.
This wallet received a total of 1,993 BTC from Bithumb - close to the 2,016 BTC reported to have been lost.
These stolen funds remained dormant in the suspected hacker’s wallet for over a month, before being sent to a cryptocurrency exchange called YoBit.
The entire 1,993 BTC was moved into YoBit over 68 transactions, between August 2nd, 2018 and August 6th, 2018.
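The tracing logic Elliptic describes above (flag withdrawals by the anomalous fee of exactly 0.1 BTC, cluster the receiving addresses into one wallet, compare the total against the reported loss, then follow the dormant funds to an exchange deposit) can be reproduced on a small ledger. The script below is an added example written for this page; it is not Elliptic's code or tooling, and every txid, address label, amount and timestamp in it is constructed for illustration. Fees are compared in integer satoshis so that "exactly 0.1 BTC" is an exact test rather than a floating-point one.

```python
"""Fee-pattern tracing of exchange outflows (added example with constructed data)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

SATS_PER_BTC = 100_000_000
ROUND_FEE_SATS = 10_000_000  # exactly 0.1 BTC, held as integer satoshis


def btc(amount: float) -> int:
    """Convert a BTC amount to satoshis, rounding away float drift."""
    return round(amount * SATS_PER_BTC)


@dataclass(frozen=True)
class Tx:
    txid: str
    when: datetime
    inputs: tuple   # address labels spent by this transaction
    outputs: tuple  # (address label, satoshis) pairs
    fee_sats: int


# Constructed ledger (hypothetical labels, not real addresses):
#  - "n*": ordinary customer withdrawals from the exchange hot wallet, normal fees
#  - "s*": withdrawals paying exactly 0.1 BTC in fee, to a handful of addresses
#  - "c*": weeks later, those addresses sweep everything to an exchange deposit address
LEDGER = [
    Tx("n1", datetime(2018, 6, 19, 8), ("bithumb-hot",), (("cust-A", btc(0.5)),), btc(0.0004)),
    Tx("n2", datetime(2018, 6, 19, 9), ("bithumb-hot",), (("cust-B", btc(2.0)),), btc(0.00061)),
    Tx("s1", datetime(2018, 6, 19, 10), ("bithumb-hot",), (("susp-1", btc(30.0)),), ROUND_FEE_SATS),
    Tx("s2", datetime(2018, 6, 19, 11), ("bithumb-hot",), (("susp-2", btc(25.0)),), ROUND_FEE_SATS),
    Tx("s3", datetime(2018, 6, 20, 1), ("bithumb-hot",), (("susp-1", btc(20.0)),), ROUND_FEE_SATS),
    # amount is 0.1 BTC but the fee is normal: must NOT be flagged
    Tx("n3", datetime(2018, 6, 20, 2), ("bithumb-hot",), (("cust-C", btc(0.1)),), btc(0.0005)),
    Tx("s4", datetime(2018, 6, 20, 3), ("bithumb-hot",), (("susp-3", btc(25.0)),), ROUND_FEE_SATS),
    Tx("c1", datetime(2018, 8, 2, 12), ("susp-1", "susp-2"), (("exch-deposit", btc(74.99)),), btc(0.01)),
    Tx("c2", datetime(2018, 8, 6, 12), ("susp-3",), (("exch-deposit", btc(24.99)),), btc(0.01)),
]


def flag_round_fee(ledger, fee_sats=ROUND_FEE_SATS, source="bithumb-hot"):
    """Withdrawals from the source wallet whose fee equals the anomalous value exactly."""
    return [tx for tx in ledger if source in tx.inputs and tx.fee_sats == fee_sats]


def cluster_recipients(flagged):
    """Total received per output address; together these form the suspect wallet."""
    totals = defaultdict(int)
    for tx in flagged:
        for addr, sats in tx.outputs:
            totals[addr] += sats
    return dict(totals)


def follow_outflows(ledger, cluster, dormancy=timedelta(days=30)):
    """Later spends from cluster addresses, with the idle time before they moved."""
    last_in = max(tx.when for tx in ledger if any(a in cluster for a, _ in tx.outputs))
    hops = []
    for tx in ledger:
        if tx.when > last_in and any(a in cluster for a in tx.inputs):
            dest = defaultdict(int)
            for addr, sats in tx.outputs:
                dest[addr] += sats
            hops.append({"txid": tx.txid, "dormant": tx.when - last_in >= dormancy, "to": dict(dest)})
    return hops


def trace(ledger, reported_loss_btc=None):
    """Run the three steps and compare the clustered total with the reported loss."""
    flagged = flag_round_fee(ledger)
    cluster = cluster_recipients(flagged)
    total_btc = sum(cluster.values()) / SATS_PER_BTC
    report = {
        "flagged_txids": [tx.txid for tx in flagged],
        "cluster": cluster,
        "total_btc": total_btc,
        "outflows": follow_outflows(ledger, cluster),
    }
    if reported_loss_btc is not None:
        report["share_of_reported_loss"] = round(total_btc / reported_loss_btc, 3)
    return report


if __name__ == "__main__":
    for key, value in trace(LEDGER, reported_loss_btc=100.0).items():
        print(f"{key}: {value}")
```

The decoy transaction `n3` shows why the heuristic keys on the fee rather than the amount: a customer can legitimately withdraw 0.1 BTC, but a wallet paying 0.1 BTC in fees hundreds of times is an operational fingerprint, which is what made the real outflows separable from ordinary Bithumb withdrawals.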
https://elliptic.co/blog/following-money-from-bithumb-hack
https://quadrigainitiative.com/casestudy/bithumbprivacyphishinghack.php
https://assetforfeiturelaw.us/wp-content/uploads/2020/08/113-Virtual-Currency-Accounts-Affidavit.pdf
https://cointelegraph.com/news/bithumb-details-still-sketchy-after-30-mln-hack
https://elliptic.co/our-thinking/following-money-from-bithumb-hack
https://news.bitcoin.com/north-korean-hackers-threatened-bithumb-16m-ransom-amid-2017-data-breach/
Attribution:: UN Security Council
According to a report from CoinDesk Korea, Bithumb may have also lost 20.2 million XRP in the recent breach.
Based on currently available information, the attackers appear to have made off with around three million EOS, worth $13.4 million at the time of the hack, and another 20 million Ripple coins (XRP), worth another $6 million
In a surprising turn of events, Bithumb disclosed that it believes the hack was an Inside Job and funds might have been moved by individuals associated with the company.
Bithumb suspects that the hack was an Inside Job as it spotted an “abnormal withdrawal” from one of its wallets. The exchange claims it lost no user funds in the hack.
A cryptocurrency exchange company was attacked with a malicious document containing the same macro. The document’s content provided information for coin listings with a translation in Korean. Another macro-weaponized document contains a business overview of what seems to be a Chinese technology consulting group named LAFIZ.
These Windows malware samples were delivered using malicious HWP (Korean Hangul Word Processor format) documents exploiting a known PostScript vulnerability.
The heist came less than a year after another massive hack: $31 million in late 2018.
Update (09:30 UTC, April 1, 2019): According to a report from CoinDesk Korea, Bithumb may have also lost 20.2 million XRP in the recent breach. The XRP, worth $6.2 million at current prices, was moved from Bithumb's wallet on March 29 in transactions that can be seen on XRPSCAN. The exchange is not yet confirming or denying the report. The odds of Bithumb managing to retrieve the stolen funds may be small, according to crypto security expert Cosine Yu, co-founder of security firm SlowMist. The hacker has already managed to “launder” most of the stolen EOS and XRP, Yu said, meaning the assets have been transferred to a large number of addresses that are not necessarily owned by any exchanges.
https://web3rekt.com/hacksandscams/bithumb-635
https://securelist.com/cryptocurrency-businesses-still-being-targeted-by-lazarus/90019/
https://quadrigainitiative.com/casestudy/bithumbeosxrphack.php