A state-sponsored North Korean hacking group, known as ‘Kimsuky,’ is reportedly orchestrating a cryptocurrency theft operation, impersonating South Korean government agencies to deceive individuals. According to a local report, these hackers, posing as South Korean journalists, government entities, and research institutes, managed to scam a total of 1,468 individuals from March to October 2023, as confirmed by local law enforcement.

The victims of this crypto heist included 57 current and former government officials involved in areas such as diplomacy, the military, and national security. The remaining 1,411 victims were employed in the private sector.

A police officer emphasized the ongoing efforts to combat these cyber threats, stating, “The police will work closely with relevant institutions and agencies to continuously track down North Korea’s cyber-attacks and breaches to prevent losses.”

Execution Through Phishing Emails

The South Korean National Police Agency identified that the cybercriminals utilized phishing emails to conduct their fraudulent activities. These emails were crafted to appear as if they were sent from legitimate South Korean government bodies, such as the National Police Agency, National Health Insurance Service, National Pension Service, and National Tax Service. The emails often contained enticing ‘clickbait’ links or attachments, luring victims to malware-infected web pages.

Once a victim opened the scam email or its attachments, the hackers deployed malware to infiltrate the victim’s computer system. This malicious software was used to extract personal information and cryptocurrency from the victims. “Illegal cyber activity was aimed at stealing cryptocurrency,” the police reported.
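The lure described above relies on a display name that claims a government agency while the actual sender domain belongs to the attacker. The following detection heuristic is an added example and is not code from the report or from the police agency; the trusted domain suffixes and the sample messages are constructed assumptions for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Agency names the report says the phishing emails impersonated.
IMPERSONATED_AGENCIES = (
    "national police agency",
    "national health insurance service",
    "national pension service",
    "national tax service",
)
# Assumption for this example: genuine mail from these agencies arrives from
# a domain under one of these suffixes. Replace with your own allowlist.
TRUSTED_SUFFIXES = (".go.kr", ".or.kr")


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an address ('' if none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_headers(raw: str) -> list[str]:
    """Return reasons a message looks like agency impersonation (empty = none).

    Covers two patterns: a display name naming an agency while the sender
    domain is outside the allowlist, and a Reply-To pointing elsewhere.
    """
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(addr)
    reasons = []
    if any(agency in name.lower() for agency in IMPERSONATED_AGENCIES):
        if not from_dom.endswith(TRUSTED_SUFFIXES):
            reasons.append(f"display name '{name}' but sender domain '{from_dom}'")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and _domain(reply) != from_dom:
        reasons.append(f"Reply-To domain '{_domain(reply)}' differs from From")
    return reasons


# Constructed sample messages (not taken from the report).
PHISH = (
    "From: National Tax Service <refund-notice@nts-kr-service.com>\r\n"
    "Reply-To: verify@tax-refund-center.net\r\n"
    "Subject: Your tax refund is ready\r\n\r\n"
    "Click the link to claim your refund.\r\n"
)
LEGIT = (
    "From: National Tax Service <noreply@example.go.kr>\r\n"
    "Subject: Filing reminder\r\n\r\n"
    "Your return is due this month.\r\n"
)

if __name__ == "__main__":
    print(check_headers(PHISH))  # two reasons flagged
    print(check_headers(LEGIT))  # []
```

The check is a triage aid for mail-gateway rules or SOC scripts; it does not replace SPF/DKIM/DMARC enforcement, which should be applied alongside it.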

The police data revealed that the attackers used the stolen ID and profile information of 19 individuals to gain access to their cryptocurrency trading accounts. Furthermore, they utilized 147 proxy servers to execute cryptocurrency mining programs.

In response to these cybercrimes, the police have shut down 42 phishing websites operated by the Kimsuky group to mitigate further damages.

The Kimsuky hacker group is believed to operate under the umbrella of North Korea’s Reconnaissance General Bureau, the nation’s foreign intelligence agency. The South Korean government imposed sanctions on Kimsuky in June, recognizing its malicious cyber activities.