2017-03

Chongho Easycash

Chongho Easycash/VANXATM involved cyber-enabled payment-card and ATM fraud in South Korea, with copied cards used for cash withdrawals and purchases after financial transaction information was stolen and distributed. Financial Security Institute’s Rifle r…

🇰🇷 Korea, Republic of

2017-02

Bithumb#1

In February 2017, about $7 million in virtual currency was stolen from South Korean cryptocurrency exchange Bithumb. UN Panel reporting later said Bithumb was attacked by DPRK cyber actors multiple times, with the first two attacks in February and July 20…

🇰🇷 Korea, Republic of

2016-12

AkBank

Group-IB's 2018 financial-sector threat reporting lists AkBank in Turkey as a December 2016 SWIFT theft attributed to Lazarus, with the loss shown as $4 million. The incident appears in the report's timeline of SWIFT and local interbank transfer attacks, …

🇹🇷 Türkiye

2016-10

Banco Republica

Banco República/BROU was included in the same global banking watering-hole activity that used compromised financial-sector websites to target a small set of selected IP addresses belonging mostly to banks and related organizations. The linked analyses des…

🇺🇾 Uruguay

2016-10

Comisión Nacional Bancaria y de Valores

The CNBV-related activity was part of a broader financial-sector watering-hole campaign in which compromised regulator and banking websites in Poland, Mexico, and Uruguay redirected selected visitors toward malicious infrastructure. Reporting connected th…

🇺🇾 Uruguay

2016-10

Komisja Nadzoru Finansowego

The KNF incident centered on a watering-hole compromise of the Polish Financial Supervision Authority website, where modified JavaScript redirected selected financial-sector visitors through sap.misapor[.]ch and eye-watch[.]in toward exploit and payload d…

🇵🇱 Poland

2016-08

Defense Network

DESERTWOLF involved a compromise of South Korean defense-network systems after attackers abused weaknesses in the military internet antivirus system and distributed malware through an internet antivirus relay server. Investigators found malware on defense…

🇰🇷 Korea, Republic of

2016-07

Union Bank of India

Union Bank of India appears in UN Panel reporting as part of a wider set of financial-institution and cryptocurrency-exchange incidents used to illustrate DPRK cyber-enabled theft and sanctions-evasion revenue generation. The linked evidence supports only…

🇮🇳 India

2016-07

Nigerian Bank

The Nigerian Bank incident is listed among DPRK-linked BangSwift financial operations in broad U.S. indictment and UN sanctions reporting that described North Korean RGB-associated actors, including activity associated in security reporting with Lazarus G…

🇳🇬 Nigeria

2016-05

Standard Bank

Standard Bank of South Africa was tied to a 2016 ATM cash-out in Japan in which forged cards using stolen customer-card data were used to withdraw about $18–19 million from roughly 1,700 ATMs across Tokyo and 16 prefectures. UN Panel-linked evidence says …

🇿🇦 South Africa, 🇯🇵 Japan

2016-05

SK/Hanjin

South Korean police attributed the GhostRAT compromise of domestic conglomerate networks to North Korea, reporting more than 130,000 infected computers and malware capable of keystroke logging, host profiling, microphone recording, remote-session control,…

🇰🇷 Korea, Republic of

2016-04

DSME#1

BLACKSHEEP is preserved as an Andariel-linked South Korea incident through FSI’s Rifle campaign archive, which grouped BLACKSHEEP with other linked intrusions and malware cases assessed as activity by the same attacker. The available evidence is limited b…

🇰🇷 Korea, Republic of

2016-03

Interpark

South Korean investigators attributed the Interpark breach and extortion case to North Korea’s Reconnaissance General Bureau after an employee PC was compromised via a spearphishing attachment, malware spread internally, and attackers reached systems used…

🇰🇷 Korea, Republic of

2016-02

Bangladesh Central Bank

The Bangladesh Bank BangSwift heist used authenticated SWIFT messages and custom malware tailored to SWIFT Alliance Access and an Oracle database environment to hide or manipulate transaction records, with reporting describing attempted transfers of rough…

🇧🇩 Bangladesh

2016-01

Initech

The INITROY incident involved a compromised financial information security company whose stolen code-signing certificate was used to make malware appear legitimate and distribute signed payloads to organizations via an academic association website server.…

🇰🇷 Korea, Republic of