SEOUL (Reuters) – A cybersecurity company said it has found software that appears to install code for mining cryptocurrency and sends any mined coins to a server at a North Korean university, the latest sign that North Korea may be searching for new ways to infuse its economy with cash.
The application, which was created on Dec. 24, uses host computers to mine a cryptocurrency called Monero. It then sends any coins to Kim Il Sung University in Pyongyang, said cybersecurity firm AlienVault, which examined the program.
“Crypto-currencies may provide a financial lifeline to a country hit hard by sanctions, and as a result universities in Pyongyang have shown a clear interest in cryptocurrencies,” the California-based security firm said in a release, adding that the software “may be the most recent product of their endeavors.”
The company added a caveat that a North Korean server used in the code does not appear to be connected to the wider internet, which could mean its inclusion is meant to trick observers into making a North Korean connection. Kim Il Sung University, however, plays host to foreign students and lecturers, not just North Koreans.
Kim Il Sung University did not immediately respond to requests for comment. Government officials representing North Korea at the United Nations were not immediately available for comment.
Others have flagged increasing signs of North Korean interest in cryptocurrencies and underlying blockchain technology.
“With economic sanctions in place, cryptocurrencies are currently the best way to earn foreign currency in North Korea’s situation. It is hard to trace and can be laundered several times,” said Mun Chong-hyun, chief analyst at South Korean cybersecurity firm ESTsecurity.
Cryptocurrency watchers say technical details of Monero, the 13th-largest crypto asset in the world, according to www.coinmarketcap.com, with a total value of more than $7 billion, make it more appealing than bitcoin to those who value secrecy.
Monero funds go to an unlinkable, one-time address generated with random numbers every time a payment is issued. That makes it less traceable than bitcoin, where transactions can be linked to specific, albeit anonymous, private addresses, cybersecurity experts said.
South Korea-based Bithumb, the world’s busiest cryptocurrency exchange, is also the largest Monero trading exchange in the world, with about 24 percent of trading volume. The next largest were Europe-based exchange HitBTC and Hong Kong-based Bitfinex, as of Monday.
Cybersecurity firm FireEye cited in a November blog post a series of North Korean activities against South Korean cryptocurrency targets such as exchanges. Analyst Luke McNamara wrote that “it should be no surprise that cryptocurrencies, as an emerging asset class, are becoming a target of interest by a regime that operates in many ways like a criminal enterprise.”
In early November, Federico Tenga, the Italian co-founder of bitcoin startup Chainside, posted on his Twitter account pictures and comments on his visit to lecture on bitcoin and blockchain technology at the Western-funded Pyongyang University of Science and Technology.
“The lectures were at a quite basic level to give a general understanding of blockchain technologies, which are also very relevant to trade, supply chains and other e-business,” a spokesman for the university said.
“We believe this teaching can give the next generation of North Korean professionals additional concepts that may be valuable as they seek to develop their country,” the spokesman added. “We’re acutely aware of issues around sanctions, which we keep under regular review and take care to avoid any sensitive or proscribed areas.”
Tenga said his lectures were geared toward explaining the underlying technology of cryptocurrencies.
“The focus of the lectures was to make the students understand what the blockchain is, how it works (special focus on proof of work) and what are the main use cases. My aim was simply to spread technical knowledge, not suggesting them how to use it,” Tenga told Reuters in a series of messages.
AlienVault’s report said one North Korean IP address, 184.108.40.206, has been active on bitcoin trading sites. That is the same address used to control compromised web servers in 2014-15 cyberattacks on South Korean energy, traffic, telecommunications, broadcasting, financial and political institutions, according to security firm AhnLab .
The report also observed that North Korean IP addresses have downloaded several episodes of the automotive TV series Top Gear and documentaries by the show’s former presenter James May.
Reporting by Joyce Lee; Additional reporting by Haejin Choi and Marius Zaharia; Editing by Gerry Doyle