Many attacks on cryptocurrency exchanges were executed by hacker units created by the Chinese authorities, researchers suggest. Hackers also help gather economic and political intelligence data.

FireEye, a cyber security company, released a report stating that Chinese authorities created and supported a special cyber unit called APT41, which was set up for spying. It “targets industries in a manner generally aligned with China's Five-Year economic development plans.”

The list of industries targeted by the cyber unit includes healthcare, high technology (semiconductors, batteries and electric cars), media, pharmaceuticals, retail, software, telecommunications, travel services, education, video games and cryptocurrencies.

Target countries are France, India, Italy, Japan, Myanmar, the Netherlands, Singapore, South Korea, South Africa, Switzerland, Thailand, Turkey, the United Kingdom, the United States, and Hong Kong.

“APT41 is unique among tracked China-based actors in that it leverages non-public malware typically reserved for espionage operations in what appears to be activity that falls outside the scope of state-sponsored missions.”

According to FireEye, in June 2018, APT41 sent malicious emails with hidden malware, and in October 2018, the group deployed XMRig, a Monero cryptocurrency mining tool, in a victim's environment. The report also says that an email address used in an espionage operation against a Taiwanese newspaper was later involved in a hacker attack on an unnamed crypto exchange in June 2018.

Additionally, FireEye claims to have found a match between the malware code used in May 2016 to attack a US-based video game studio and the code used in supply chain compromises in 2017 and 2018.

The report also notes that the unit actively uses ransomware: the researchers were able to identify at least one of the ransomware strains launched by the Chinese hackers.

“Unlike other observed Chinese espionage operators, APT41 conducts explicit financially motivated activity, which has included the use of tools that are otherwise exclusively used in campaigns supporting state interests. The late-night to early morning activity of APT41's financially motivated operations suggests that the group primarily conducts these activities outside of their normal day jobs.”

The report does not reveal which attacks on cryptocurrency exchanges were ordered by the Chinese government. Several attacks may have been carried out by APT41 hackers in their own financial interests.

Finally, FireEye researchers claim that “the group is also deployed to gather intelligence ahead of imminent events, such as mergers and acquisitions and political events.”