Cryptocurrency Fraud
,
Fraud Management & Cybercrime
DPRK Hackers Likely Won’t Match 2022 Record But Remain Formidable Thieves
North Korea is on track to have a middling year of cryptocurrency theft despite Pyongyang’s constant demand for ready cash.
See Also: Live Webinar | Unmasking Pegasus: Understand the Threat & Strengthen Your Digital Defense
Hackers deployed by the totalitarian regime so far have stolen $200 million in cryptocurrency this year – far less than the country’s banner year of cryptocurrency theft in 2022 and significantly below totals for 2018 and 2020, reports TRM Labs.
The blockchain intelligence company said the decline is not for lack of trying: The country’s attacks are 10 times larger than those made by other actors. And even in a bad year, North Korean crypto hacking makes up a substantial portion of cryptocurrency criminal activity. TRM said amounts stolen by North Korean hackers account for more than 20% of all crypto stolen globally so far this year.
Estimates of exactly how much North Korea stole last year vary. TRM said the amount is $800 million, while Chainalysis assessed it as totaling $1.7 billion.
North Korea’s attacks are particularly bold, said Ari Redbord, global head of policy and government affairs at TRM Labs. “Other hackers tend to be concerned with being caught or prosecuted. But DPRK cybercriminals, almost exclusively operating out of North Korea, brazenly attempt to steal as much as possible and move the stolen funds quickly to off-ramps,” he told Information Security Media Group. DPRK is the acronym for the Democratic People’s Republic of Korea, North Korea’s official name.
North Korea has stolen up to $3 billion worth of cryptocurrency over the past five years. Isolated for decades as a pariah state, North Korea has historically turned to illicit activity for injections of hard currency to keep its economy running and fund the development of weapons of mass destruction.
At first, it was counterfeit cigarettes, currencies and coal. As the world moved online, so did North Korea, building a “cadre of cyberwarriors set on causing chaos and stealing funds,” Redbord said.
The country’s state hackers attack not only for their country’s financial gain but to fund their own hacking operations as well.
“The crypto ecosystem is just a new and relatively easy target for North Korean actors seeking to steal funds at the speed of the internet. The difference with crypto is that law enforcement can trace and track the flow of funds in ways impossible in the annals of shell companies and Macau casinos,” Redbord said.
The hackers over the years have “almost exclusively” targeted the decentralized finance ecosystem, and cross-chain bridges continue to be a favored target, TRM Labs researchers said.
North Korea continues to use phishing, supply chain attacks and private key compromises that involve conventional cyber operations, but it has also introduced new complexities to its exploitation and money laundering techniques.
“North Korea’s early exploits – which tend to involve the direct use of cryptocurrency exchanges – now feature highly complex, multi-stage money laundering processes in response to more aggressive OFAC sanctions, law enforcement focus, and improved tracing capabilities,” TRM Labs said. OFAC is the Office of Foreign Assets Control, a U.S. Treasury Department agency that administers and enforces trade sanctions.
The evolution of North Korean money laundering is apparent even in just the past year, Redbord said.
In 2022, North Korean actors tended to move stolen funds quickly to Ethereum-based mixer Tornado Cash, since the majority of their hacks occurred on ethereum or other EVM blockchains. They bridged stolen funds to bitcoin via the Ren Bridge, where the bitcoin was again laundered through ChipMixer, a then-popular mixing service. U.S. and European authorities dismantled ChipMixer in March, and OFAC sanctioned Tornado Cash in August 2022 – making it harder for North Korean hackers to launder stolen money. Necessity has forced Pyongyang to shift tactics, Redbord said.
A recent $100 million heist of Atomic Wallet shows the new playbook. Hackers drained funds from more than 4,100 individual addresses to their own freshly created wallets. Then, they put the funds through automated software programs, mixers and cross-chain swaps. The money moved on to centralized exchanges for off-ramping to fiat currencies.
“As we have seen from OFAC sanctions against go-to mixers, sanctions can have an impact on North Korea’s ability to launder funds,” Redbord said.