The IP address used in the incident was thought to have originated in China, the regulatory Korea Communications Commission told Agence France-Presse,but in fact appears to have been an internal IP address at one of the affected banks.
"We're still tracking some dubious IP addresses which are suspected of being based abroad," said Korea Internet and Security vice president Lee Jae-Il to AFP.
"Keeping all kinds of possibilities open, we're making efforts to track down the hackers," he added.
The IP address used at the bank appears to have been an accidental match to a Chinese address, noted the Associated Press, which added that investigators still believe the attack originated from abroad.
"We were careless in our efforts to double-check and triple-check," said Korean Communications Commission official Lee Seung-won to media. "We will now make announcements only if our evidence is certain."
South Korea initially accused North Koreans based within China of possibly orchestrating the attacks, which affected banks, television networks, and other infrastructure.
About 32,000 computers were affected and it was suspected it would take up to five days to restore functioning, noted Reuters, although efforts to return things to normal are going well.