North Korean hackers have reportedly started attacking those using South Korean cryptocurrency exchange UPBit with a phishing scheme designed to steal users’ private keys and information.
According to CoinDesk Korea, data released by cybersecurity firm East Security has revealed a hacker sent an UPBit user a phishing email on May 28, which claimed the cryptocurrency exchange needed account information related to a fictional giveaway.
The email included a file called “Event Winner Personal Information Collection and Usage Agreement.hwp,” which it claimed contained documentation for payout. Once opened, the file displayed a regular document, but would run malicious code as well.
The email, East Security revealed, didn’t come from UPBit, but from servers located outside of South Korea. The exchange itself warned users emails from this account aren’t to be trusted.
IMPORTANT NOTICE – Please note that any Upbit email using the address [email protected] is likely a scammer. All such emails should be deleted immediately and do not open any attachment files: https://t.co/z8z8m2YrhT
— Upbit Global (@upbitglobal) May 29, 2019
The code would collect data from the users’ machine, including private keys for cryptocurrency wallets and logins from their accounts. The security firm believes the emails were sent by North Korean hacker group Kim Soo-Ki over “unique characteristics” it detected.
The heard of the ESRC Center at East Security, Mun Chong Hyun, added the attack was similar to one on Korean government agencies seen earlier this month, and to one seen in January of this year, targeting reporters.
To avoid being detected by traditional anti-virus software, the hackers protected the malicious file using a password. Mun Chong Hyun noted that no damages have so far been reported, and that to avoid falling victim to these attacks users should “not install or click suspicious files or documents.”
As CryptoGlobe covered U.S. intelligence authorities have recently accused North Korean hackers of orchestrating large-scale cybercrimes involving cryptocurrency hacks and bank theft. Authorities claim the activity is a direct response to sanctions and have revealed they’re investigating the attacks.