Mandiant reported suspected North Korean actors targeting South Korean cryptocurrency exchanges in 2017 as part of a broader shift from traditional espionage toward financially motivated cyber operations. The observed activity included spearphishing against exchange employees’ personal email accounts, often using tax-themed lures and deploying PEACHPIT or similar malware variants linked to actors previously tied to global bank intrusions. The report also notes related North Korean interest in cryptocurrency through a 2016 bitcoin news-site watering hole compromise and use of a covert cryptocurrency miner. The activity matters because compromising exchanges could allow operators to move funds through online wallets, alternate cryptocurrencies, and fiat off-ramps while sanctions restricted North Korea’s access to hard currency.