Crypto Country: North Korea’s Targeting of Cryptocurrency


Since 2017, North Korea has greatly expanded its targeting of the cryptocurrency industry, stealing over an estimated $3 billion worth of cryptocurrency. Prior to this, the regime had succeeded in stealing from financial institutions by hijacking the Society for Worldwide Interbank Financial Telecommunications (SWIFT) network. However, this activity brought heavy attention from international authorities, and financial institutions responded by investing in improving their cyber defenses. During the cryptocurrency bubble of 2017, when the technology reached the mainstream, North Korean cyber operators shifted their targeting from traditional finance to this new digital financial technology, first targeting the South Korean cryptocurrency market before significantly expanding their reach globally. North Korean threat actors were accused of stealing an estimated $1.7 billion worth of cryptocurrency in 2022 alone, a sum equivalent to approximately 5% of North Korea’s economy or 45% of its military budget. This amount is also almost 10 times the value of North Korea’s exports in 2021, which sat at $182 million, according to the Observatory of Economic Complexity (OEC).

North Korean threat actors’ operations against the cryptocurrency industry, and the way they launder the stolen cryptocurrency, often mirror those of traditional cybercriminal groups, which use cryptocurrency mixers, cross-chain swaps, and fiat conversions. However, state support allows North Korean threat actors to expand the scale and scope of their operations to a level not possible for traditional cybercriminal groups, with approximately 44% of stolen cryptocurrency in 2022 traced to North Korean threat actors. Targeting is not limited to cryptocurrency exchanges: individual users, venture capital firms, and alternative technologies and protocols have all been targeted by North Korean threat actors. All of this activity puts anyone operating in the industry at risk of becoming a potential target of North Korean threat actors and allows the regime to continue operating and funding itself while under international sanctions.

Anyone operating in the cryptocurrency industry — individual users, exchange operators, and financiers with a portfolio of startups — should be aware of the potential to be targeted by North Korean threat actors. Entities operating in the traditional finance space should also be on the lookout for North Korean threat group activities. Once cryptocurrency is stolen and converted into fiat currency, North Korean threat actors funnel the funds between different accounts to obscure the source. Oftentimes stolen identities, along with altered photos, are used to bypass anti-money-laundering and know-your-customer (AML/KYC) verification. Anyone who is a victim of an intrusion linked to a North Korean threat group may have their personally identifiable information (PII) used to set up accounts to facilitate the laundering of stolen cryptocurrency. As a result, companies operating beyond the cryptocurrency and traditional finance industries should also be on the lookout for North Korean threat group activity and for their data or infrastructure being used as a launch pad for further intrusions. Since most intrusions by North Korean threat groups start with social engineering and a phishing campaign, organizations should train employees to monitor for this activity and implement strong multi-factor authentication such as FIDO2-compliant passwordless authentication.

The regime has clearly identified the continued theft of cryptocurrency as a major source of revenue, especially for funding its military and weapons programs. While it is unclear exactly how much of the stolen cryptocurrency ends up directly financing ballistic missile launches, it is clear that both the amount of cryptocurrency being stolen and the number of missile launches have dramatically increased in recent years. Absent stronger regulations, cybersecurity requirements, and investments in cybersecurity for cryptocurrency firms, North Korea will almost certainly continue to target the cryptocurrency industry as a source of additional revenue to support the regime.

Key Findings

  • There has been a steady increase in the number of cyberattacks against the cryptocurrency industry attributed to North Korean threat actors since at least 2017.
  • Even though movement into, out of, and within the country is heavily restricted, and its general population is isolated from the rest of the world, the regime’s ruling elite and its highly trained cadre of computer science professionals have privileged access to new technologies and information.
  • The privileged access to resources, technologies, information, and sometimes international travel for a small set of selected individuals with promise in mathematics and computer science equips them with the necessary skills for conducting cyberattacks against the cryptocurrency industry.
  • In 2017, North Korean threat actors were highly active in targeting the South Korean cryptocurrency industry during the cryptocurrency bubble before greatly expanding their targeting to the international cryptocurrency market.
  • North Korea has developed an extensive money-laundering network to facilitate the movement of billions of dollars’ worth of stolen cryptocurrency from the moment it is stolen to the moment it is converted to fiat currency or used to purchase goods and services for the regime.
  • North Korean threat actors’ cybercrime operations and money laundering mirror those of other traditional cybercriminal groups; however, state backing allows North Korean threat actors to scale their operations beyond what is possible for traditional cybercriminals.
  • North Korea has stolen over an estimated $3 billion worth of cryptocurrency, with $1.7 billion stolen in 2022 alone, possibly funding up to 50% of its ballistic missile program.

Background

North Korea has been called the “Hermit Kingdom” for its isolation from the rest of the world. The regime’s strict control of society, including the movement of goods, people, and, most importantly, information, means that very little information gets in or out. But even though the general population is heavily isolated from the outside world, leadership in Pyongyang is acutely aware of new technologies and actively exploits them to fund the regime. In recent years, Pyongyang has found great success in stealing from both traditional fiat currency-based banks and digital assets such as cryptocurrency. This raises the question: despite being such a closed society, how has the regime been so successful in its cyber operations and intrusions?

On July 12, 2023, American enterprise software company JumpCloud announced that a North Korean state-sponsored threat actor had gained access to its network. Researchers at Mandiant later published a report stating the group responsible was UNC4899, which “likely corresponds to TraderTraitor”, a North Korean cryptocurrency-focused threat actor. As recently as August 22, 2023, the United States (US) Federal Bureau of Investigation (FBI) issued a notice that North Korean actors were behind the heists affecting Atomic Wallet, Alphapo, and CoinsPaid, totaling $197 million in stolen cryptocurrency. The theft of cryptocurrency has allowed the regime to continue operating under strict international sanctions, funding up to 50% of its ballistic missile program. By 2018, some estimates assessed that North Korea was responsible for half the total amount of stolen cryptocurrency. While in recent years most of the attention has been on the large cryptocurrency heists the regime has continuously pulled off, North Korea has a long history of using illicit activities to fund itself.

In our previous 2017 report, we highlighted the regime’s forays into criminality going back decades. North Korea has been involved in smuggling since at least the 1970s, and a recent report by the Financial Times showed that, with the help of organized crime groups in East Asia, the regime continues to engage in smuggling activities today. As recently as 2019, Chinese authorities caught North Korean officials smuggling methamphetamine across the border. The regime has also been identified participating in the manufacture and distribution of illicit drugs, as well as counterfeiting American $100 bills. It was estimated in 2016 that illicit economic activities generate $550 million to $1 billion annually for the country.

North Korea also recognized the asymmetric advantages of cyber when the internet was still in its nascent stage. While the regime initially deployed its cyber operators to conduct disruptive cyberattacks against its traditional adversary, South Korea, the country’s leadership quickly learned that cyber could also be used as a means to generate more illicit revenue. Initially, North Korean cyber operators focused on stealing personal information from websites and creating tools to steal cash from online games and then selling them to other criminal actors in the underground economy. The estimated amount of illicit revenue earned per North Korean operator in 2013 was approximately $500 per month. More recently, in October 2023, the FBI said that overseas North Korean IT workers had sent millions of dollars in wages back to North Korea for years.

It was not long afterward that the regime realized that it could generate more illicit revenue from targeting financial institutions instead of keeping its cyber operators on the fringes of internet cybercrime. From 2015 onward, North Korea likely targeted financial institutions in at least 38 countries. The most well-known heist, the cyberattack on Bangladesh Bank, resulted in $101 million in fraudulent transfers via the SWIFT protocol, $35 million of which was recovered. North Korean cyber operators also participate in ATM cash-out schemes, compromising payment switch application servers to approve fraudulent transactions at banks in Asia and Africa. While the full extent of the regime’s activities is unknown, some estimates put the amount of stolen funds in the tens of millions from banks in over 30 countries.

In order for North Korea to steal and launder millions of dollars, it requires a large number of well-trained cyber operators committed to the regime’s objectives. On September 6, 2018, the US Department of Justice (DOJ) unsealed a criminal complaint against one such individual, Park Jin Hyok (박진혁). Park graduated from a prestigious North Korean university, Kim Chaek University of Technology (김책공업종합대학), and reportedly is proficient in multiple programming languages. Based on evidence in the complaint, it is estimated that Park was dispatched to Dalian, China, in late 2010 to work for Chosun Expo, a front company for the North Korean government, and returned to North Korea sometime in late 2013 or early 2014.

In addition to Park, the US DOJ also sentenced a US researcher to 5 years in prison for conspiring to help North Korea evade US sanctions and indicted 2 other North Korean cyber operators, Jon Chang Hyok (전창혁) and Kim Il (김일), in 2021. Kim previously lived in Singapore; North Korea has a diplomatic mission in the city-state, and Kim contacted individuals there when he took part in a cryptocurrency scheme to sell shares in Marine Chain, a blockchain-enabled platform for vessel transactions. While many North Korean cyber operators work from inside North Korea, the regime also sends some abroad to work, both in semi-legitimate IT consulting work and in conducting cybercrime from other countries. The 2 indictments also show that while these North Korean individuals were heavily involved in numerous schemes to earn money for the regime, from SWIFT hijacking to ATM cash-out schemes from 2015 to 2019, North Korean operators have increasingly focused on earning money through the extensive cryptocurrency system that has grown in recent years.

As mentioned above, the regime’s cyber operators attempted to steal money from financial institutions around the world, with a high level of activity between 2015 and 2019. Despite their success, these efforts brought a lot of attention to North Korea’s activities and the scrutiny of government agencies and international organizations that were determined to stop them. Moreover, the financial institutions that the North Korean cyber operators were trying to steal from are some of the most well-defended private organizations in the world — for example, Bank of America announced its cybersecurity budget would increase to $1 billion a year in 2021. All of this took place as the lightly regulated cryptocurrency industry continued to grow in size, increasing from an estimated $1.09 billion in worldwide revenue in 2017 to a projected $37.87 billion in revenue in 2023. Many cryptocurrency companies are venture-backed startups with small staffs, and while it is unknown how many cybersecurity professionals work in these small businesses, a recent survey reported that only 8% of small businesses with fewer than 50 employees had a cybersecurity budget. The North Korean regime seems to have found a rapidly growing financial technology industry that has little oversight and is unprepared for a relentless cyber assault.

Outlook

North Korea has seen major success in its cybercriminal operations targeting the cryptocurrency industry, but how much of an impact has this had on the country? As previously stated, some estimate up to 50% of the country’s ballistic missile program is funded through stolen cryptocurrency. North Korea’s gross domestic product (GDP) in 2019 was estimated to be roughly $33.5 billion, and in 2023, according to the Bank of Korea, South Korea’s central bank, North Korea’s economy had shrunk for 3 straight years. Using the 2019 estimate, the amount of cryptocurrency stolen by North Korean threat actors in 2022 equals approximately 5% of North Korea’s economy. This does not include any other form of illicit activity or illegal employment of North Korean workers in the IT sector or otherwise. To put this in perspective, roughly 4.2% of US GDP is in the arts, entertainment, recreation, accommodation, and food services sectors. Looking at the amount of cryptocurrency stolen in 2022 as a percentage of North Korea’s estimated military budget of $4 billion in 2021, the country could finance 45% of it with cryptocurrency.

While it is unclear exactly how much of the stolen cryptocurrency ends up directly financing ballistic missile development and tests, it is clear that both the amount of cryptocurrency being stolen and the number of missile launches have dramatically increased in recent years. According to the Nuclear Threat Initiative, a US-based think tank that tracks the number of North Korean missile launches, the number of launches since 2015 has greatly increased, with a noticeable dip during the COVID-19 pandemic. However, 2022 saw the most North Korean missile launches in a single year since the regime began, with almost 70 launches during the year. As there doesn’t appear to be a slowdown in the number of cryptocurrency heists attributed to the North Korean regime, it is very likely that some of these funds will end up in the regime’s nuclear and ballistic missile programs. Additionally, as seen above, given the amount of cryptocurrency being stolen in relation to the size of North Korea’s military budget, the regime has identified a lucrative way to avoid international sanctions and to keep developing its nuclear and missile technology. Absent stronger regulations, cybersecurity requirements, and investments in cybersecurity for cryptocurrency firms, we assess that in the near term, North Korea will almost certainly continue to target the cryptocurrency industry, given its past success in exploiting it as a source of additional revenue to support the regime.

Regimes such as North Korea are likely to continue to target and attack entities, organizations, and elements of the cryptocurrency ecosystem. The Ronin Network attack, one of the single largest cryptocurrency thefts in 2022 ($600 million in losses), was allegedly conducted by a state-sponsored APT group. With the success of these attacks, in the future, these groups are likely to continue to improve their tradecraft for stealing, laundering, and monetizing cryptocurrency in both the short and long term. It is even possible other heavily sanctioned entities, such as Russia, will attempt to duplicate this success or try to recruit insiders who are working at cryptocurrency firms and exchanges, following in North Korea’s footsteps.

Image by: Pixabay
