Earlier this week, major South Korean Bitcoin exchange Youbit suffered a large-scale security breach that led to the theft of one fifth of user funds.

Almost immediately after the hacking attack, Youbit’s parent company Yapian filed for bankruptcy. In an official statement, the Youbit team told its users that 75 percent of their holdings on the Youbit exchange will be accessible and ready for withdrawal. The company stated, however, that investors will have to wait until the final settlement of bankruptcy proceedings to claim the rest of their funds.

In the case of the now-defunct Bitcoin exchange Mt. Gox, which once was the largest Bitcoin exchange within the global cryptocurrency market, the settlement of bankruptcy proceedings has taken more than four years. The creditors of Mt. Gox still have not received their funds, and the procedure is ongoing.

Unfortunately, for Youbit investors, it may take several months to years to receive the remaining 25 percent of their personal funds, as the settlement of bankruptcy proceedings will have to be finalized before the company can credit its customers.

North Korea accused

Upon the discovery of the hacking attack, the Youbit team told its clients that the company is working closely with local authorities and South Korean law enforcement to evaluate and investigate the security breach. The Youbit team said:

“Currently, we are cooperating with law enforcement and third-party investigators to evaluate the breach. We are trying everything in our capability to minimize the losses of our users and we are considering several ways to handle this situation. We would like to apologize again for disappointing our users.”

According to the Wall Street Journal, sources familiar with the ongoing investigation into the Youbit security breach have discovered telltale signs and historical evidence that North Korean state-funded hackers likely engaged in and initiated the hacking attack.

In September 2017, security research firm FireEye revealed in a threat research paper that it had found evidence linking various cryptocurrency exchange hacking attacks to North Korea by analyzing the tools that were used to hack into South Korean cryptocurrency platforms.

One of the methods used by the North Korean hacking group was spear phishing, the FireEye report stated, which targeted individual cryptocurrency users with highly sophisticated phishing attacks and malware. FireEye further emphasized that there is some evidence to link previous South Korean cryptocurrency exchange security breaches to North Korea.

Specifically, the FireEye team wrote that the following activities were likely initiated by North Korean hackers:

  • April 22: Four wallets on South Korean Bitcoin exchange Yapizon compromised.
  • Early May: Spear phishing against South Korean exchange one.
  • Late May: South Korean exchange two compromised via spear phish.
  • Early June: Cryptocurrency service providers targeted by hackers.
  • Early July: South Korean exchange three targeted via spear phishing to a personal account.

Given the imposition of harsh international sanctions against North Korea by the US government and the financial instability of the North Korean regime, FireEye researchers wrote that North Korean hackers have had many incentives to target South Korean exchanges. The report read:

“While Bitcoin and cryptocurrency exchanges may seem like odd targets for nation-state actors interested in funding state coffers, some of the other illicit endeavors North Korea pursues further demonstrate an interest in conducting financial crime on the regime’s behalf. North Korea's Office 39 is involved in activities such as gold smuggling, counterfeiting foreign currency, and even operating restaurants.”

Korea Economic Institute hints at North Korean activity

In an interview with The Wall Street Journal, Troy Stangarone, a senior director at the Korea Economic Institute, shared a sentiment similar to FireEye's and stated that North Korea is in an ideal position to target Bitcoin companies, as it has to find ways to earn back money lost to the recently imposed sanctions. Stangarone said:

“North Korea is an ideal country to use hacking and financial tools like Bitcoin. They’re experimenting with ways to earn back lost money from sanctions.”

Over the coming weeks, South Korean law enforcement and cybersecurity agencies are expected to focus on finding solid evidence to link the hacking attack on Youbit to North Korean hackers.