How North Korea’s Durian Malware Targets Crypto Exchanges

North Korea unleashes its latest threat on crypto, Durian malware, which is already targeting exchanges in South Korea.

Image created by Kornelija Poderskytė from DailyCoin.

  • North Korea’s Durian malware targets South Korean crypto exchanges.
  • Utilizes a sophisticated multi-stage infection process.
  • Despite ongoing cybersecurity efforts, Durian still poses a threat. 

Crypto has long been a target of various hackers, and those sponsored by North Korea are among the most notorious. Once again, North Korean hackers have made headlines with their efforts to undermine crypto exchanges and steal funds.

Most recently, the Kimsuky group, a well-known entity associated with North Korea, has been actively deploying Durian malware to compromise South Korean crypto firms. 

North Korea’s Durian Malware Explained

According to a recent report by Kaspersky, a global cybersecurity firm, North Korea’s Kimsuky hacker group is deploying a new type of malware, specifically targeting South Korea’s crypto exchanges. While the exact deployment method is unclear, the firm has some insights into Durian’s operations.


Durian infiltrates systems by manipulating legitimate software. Specifically, the initial compromise arrives via legitimate software updates, which disguises the malicious payload within trusted applications and lets it bypass initial security screenings.

Once inside the system, Durian installs itself and sets up mechanisms to ensure it remains active even after the system restarts. The malware then activates its backdoor functionality, allowing remote attackers to send commands and steal data. This enables attackers to extract sensitive information, including login credentials, which gives them access to funds. 

According to Kaspersky, Durian is often used alongside other malware and legitimate tools to maintain access and avoid detection. It uses data encryption and obfuscation to hide its communication with the attackers’ servers.

North Korean Hackers Steal Billions in Crypto

North Korean hackers, particularly from groups like Lazarus, have been highly active in cryptocurrency, stealing vast amounts through sophisticated cyberattacks. Over the years, they have siphoned off billions from crypto platforms by exploiting security vulnerabilities and employing advanced techniques like phishing, malware, and sophisticated laundering methods to obfuscate the trail of stolen assets.


In 2023 alone, North Korean-linked cyber groups stole approximately $1 billion in digital assets, targeting both decentralized and centralized financial platforms. They’ve employed various methods, such as compromising private keys, using crypto mixers, and targeting over-the-counter (OTC) brokers to launder the stolen funds. 

Despite the scale of the hacks committed by North Korean groups, the overall value of the thefts has declined in recent years: stolen funds are down from $1.7 billion in 2022.

On the Flipside

  • Hacks from state-sponsored actors have implications that go beyond crypto. For instance, North Korea allegedly uses the proceeds from crypto hacks for its military spending. 
  • The criminal activities of these hackers have spotlighted crypto mixers and other privacy-focused tools, including Railgun. However, the protocol claims any reports linking it to hackers are based on speculation. 

Why This Matters

The ongoing cyber activities of North Korean hacking groups underscore the persistent vulnerabilities within global financial and technological infrastructures. 


David Marsanic
