Theft of 58 billion won worth of virtual assets confirmed to be North Korea’s doing

The National Police Agency (National Investigation Headquarters) determined that the theft of 342,000 Ethereum (worth approximately 58 billion won at the time of the damage, and approximately 1.47 trillion won at the current price) from virtual asset exchange A in November 2019 was the work of North Korea.

There have been several UN reports and foreign government announcements that North Korea is using the virtual assets it steals through cyberattacks on virtual asset exchanges for nuclear and missile development, but this is the first case in Korea where it has been revealed that a cyberattack on a virtual asset exchange was carried out by North Korea. This conclusion was reached by synthesizing evidence obtained through investigations, such as North Korea’s IP addresses, the flow of virtual assets, and the content of North Korean vocabulary, as well as data acquired through long-term cooperation with the Federal Bureau of Investigation (FBI).

More than half of the stolen virtual assets (57% of the total victim assets) were converted into Bitcoin at a lower price (2.5% discount) than the market price through three virtual asset exchange sites presumed to have been created by the attackers, and the remainder was distributed to 51 overseas exchanges and then laundered.

Meanwhile, the police confirmed that some of the damaged virtual assets had been converted to Bitcoin and stored in a virtual asset exchange in Switzerland, and proved to the Swiss prosecutors that the virtual assets in question were part of what had been stolen from the Korean exchange. They also made active efforts to recover the damaged assets, including several video and phone conferences and visits to the Swiss Federal Prosecutor’s Office. After nearly four years of cooperation with the Korean prosecutors’ office and the Ministry of Justice, they finally recovered 4.8 Bitcoins (currently equivalent to about 600 million won) from the exchange in October 2024 and returned them to Company A.

The attack methods against virtual asset exchanges identified during the investigation were shared with the National Cyber ​​Crisis Management Unit of the National Intelligence Service, the Financial Supervisory Service, the Financial Security Institute, the Korea Internet & Security Agency, the military, and virtual asset exchange officials, and were utilized to detect similar crimes or prevent damage in the future.

This case is the result of long-term, organic cooperation with a number of related organizations, and with this as an opportunity, the police plan to further strengthen the cooperative system with related organizations at home and abroad, and do their best to identify the methods and perpetrators of cyber attacks, as well as prevent and recover damage.

Editor. Hong Se-yeong