Officials in South Korea say they incorrectly linked a Chinese IP address to a cyber-attack earlier this week.
On Thursday, the Korean Communications Commission said it had traced the attack to an internet address in China, although the identity of those behind the attack could not be confirmed.
But it said further investigation showed the malware came from a local computer in one of the affected banks.
However, officials still believe the attack was orchestrated from abroad.
Wednesday’s cyber-attack on six South Korean banks and broadcasters affected 32,000 computers and disrupted banking services.
The apparent link to China had fuelled speculation that North Korea was to blame.
Hackers can route their attacks through addresses in other countries to obscure their identities, and intelligence experts believe that North Korea routinely uses Chinese computer addresses to hide its cyber-attacks.
North Korea has been blamed for previous cyber-attacks on the South in 2009 and 2011.
South Korean officials initially linked the cyber-attack to an IP address in China, but on Friday said they had made a mistake.
Further investigation showed the IP address was in the internal server of Nonghyup Bank, one of the victims of Wednesday’s attack.
Its IP address “coincidentally matched” a Chinese IP address, the KCC said.
“Malicious code seemed to be spread from the server [of Nonghyup Bank] and there were records of [it] being approached by someone at that time,” Lee Jae-il, vice-president of Korea’s Internet Security Agency (Kisa), told reporters.
“We’re still tracking some dubious IP addresses which are suspected of being based abroad,” he said, adding that they were “keeping all kinds of possibilities open”.