North Korea Secretly Funnels Monero Cryptocurrency Into Country Through University—Research

north korea bitcoin hackers monero
The Ryugyong Hotel in Pyongyang, North Korea, on September 5, 2010. New research suggests a university in the city is secretly mining cryptocurrency and funneling it into the country. Roman Harak/ Wikimedia Commons

North Korea is secretly mining cryptocurrency using foreign computers and funneling it into the country through a state university in the capital, Pyongyang, new research suggests.

Analysts at cybersecurity firm AlienVault discovered a new malware application that uses compromised machines to generate a bitcoin-like cryptocurrency called Monero.

The code, which was set up on December 24, 2017, uses the password KJU—a possible reference to North Korean leader Kim Jong Un—and sends money to Kim Il Sung University.

It is the latest indication that North Korea is supporting its economy and potentially funding its nuclear program through cryptocurrency, which the researchers say could provide a “financial lifeline” to a country hit hard by sanctions.

“There is strong evidence that North Korea is interested in mining cryptocurrencies,” Chris Doman, a security researcher at AlienVault who led the research, tells Newsweek.

Doman points to other reports that linked the North Korean hacking collective known as Lazarus to attacks that mined Monero through compromised websites.

“Additionally, Lazarus has been known to target a number of—primarily South Korean—bitcoin exchanges to steal their bitcoins, and are strongly linked to the WannaCry attacks, which demanded bitcoins in payment,” Doman added.

north korea hacking war bitcoin A North Korean flag is displayed in a window on a viewing deck of the Namsan Seoul Tower, in Seoul, South Korea, on July 6, 2017. Seoul-based bitcoin exchanges, including Yapizon and Coinis, were the target of cyber thieves suspected of being from North Korea in 2017. ED JONES/AFP/Getty Images

Doman and the other researchers found no evidence to link the Lazarus group to the latest operation. Instead they speculate the low-level programming used in the operation could well point to a university project.

When taking into account developments over the past year linking North Korea to cryptocurrencies, the project would likely be part of a much broader push to exploit the potential of the new technology.

Related: North Korea hacking war on bitcoin exchanges is part of “biggest global sting”

The researchers were unable to connect to the server within North Korea and so were not able to determine how much cryptocurrency the hackers made. It is also unclear whether the Monero mining is part of a legitimate operation—for which the owners of the hardware are aware of the mining taking place on their machines—or an early test for a wider attack.

“On the one hand, the sample contains obvious messages printed for debugging that an attacker would avoid,” states a blog post describing the mining methods. “But it also contains fake file names that appear to be an attempt to avoid detection of the installed mining software.”

 

 

Evidence that it may be part of an educational program is supported by an invitation from the Pyongyang University of Science and Technology extended to foreign cryptocurrency experts, who were asked to lecture students on the subject in November.

When questioned about the lectures, a university spokesperson told U.S.-based North Korean news site NK News that they were part of a broad curriculum.

“Our teaching is intended to assist the DPRK [Democratic People’s Republic of Korea] by building capacity that enables effective development and benefits for the people of the DPRK,” the spokesperson said.

“We are acutely aware of sanctions issues and the risks of misuse or misappropriation of resources and know-how and take care to avoid any sensitive or proscribed areas.”

Join the Discussion