Analysis of the correlation between document file vulnerability attacks and attacks targeting Korean virtual currency traders

2017-12-15, ESTSecurity

http://blog.alyac.co.kr/1446


ESRC links several Korea-focused spear-phishing incidents through shared operational traces rather than naming a specific actor. In mid-2017, a malicious HWP document exploit targeted a South Korean person active in North Korea-related work, and the document metadata reused accounts such as “SEIKO,” “Lion,” and artifacts previously seen in attacks against South Korean power-sector and research targets. The same sending IP and message-ID domain later appeared in a December 2017 phishing operation impersonating a Korean portal account-protection page and aimed mainly at cryptocurrency exchange-related members. The report argues that infrastructure and mail-tracking overlaps suggest the operator that had targeted South Korean security, unification, defense, finance, and North Korea-related communities was also shifting toward cryptocurrency-related victims.

Indicators of Compromise

| Type | Value | First Seen | Last Seen |
|------|-------|------------|-----------|
| DOMAIN | eng.co.kr | 2017-12-15 | 2017-12-15 |
