North Korea-Linked Hackers Exploit Exizus Software to Target Crypto Assets

United States media reports indicate that, for three hours on Tuesday morning, hackers had access to a software developer’s account used to manage the open-source platform Exizus. During this time, malicious updates were pushed to all organizations using the software. U.S. outlets suggest the attack’s primary objective was to steal cryptocurrency, with North Korea identified as the likely perpetrator.
According to CNN, Exizus software is widely used across sectors such as healthcare and finance, including some cryptocurrency companies. Experts investigating the attack believe it could be part of a long-term campaign to amass cryptocurrency, potentially funding specific government programs and weapons development.
The cyber intelligence firm Mandiant identified a North Korea-linked hacking group as the suspected actor. Chief Technology Officer Charles Carmakal noted that hackers aim to leverage the supply chain breach and compromised accounts for cryptocurrency theft, with a full impact assessment expected to take months.
Security researcher John Hemmings reported that their firm has identified 135 compromised devices across roughly 12 companies, representing only a small portion of potentially affected organizations.
This incident adds to a series of recent supply chain attacks attributed to North Korea. Three years ago, hackers infiltrated a major software provider, targeting call and video systems used by hospitals and hotel chains.
Analysts say North Korean hackers are a significant revenue source for the state. UN and private reports show billions of dollars have been stolen from banks and crypto firms over recent years. In 2023, a White House official stated that nearly half of North Korea’s missile program funding came from such digital thefts. Last year, hackers reportedly stole $1.5 billion in cryptocurrency, marking the largest crypto heist to date.
Ben Read commented that North Korea disregards exposure and is willing to absorb attention generated by such campaigns. John Hemmings highlighted that the attack’s timing was “perfect” because organizations increasingly rely on AI agents that deploy software without thorough review, leaving supply chains vulnerable to exploitation.





