Cryptocurrency Fraud , Fraud Management & Cybercrime

North Korea's Supercharged State-Backed Cryptocurrency Theft

Report Says State Backing Makes Pyongyang's Hackers Like Cybercriminals on Steroids
North Korea's Supercharged State-Backed Cryptocurrency Theft
Image: Shutterstock

Look out, cryptocurrency users: The North Koreans are coming.

See Also: Scams & Mule Defense: Real-Time Scam Prevention and Advanced Money Mule Detection

Crypto is too valuable and too easy for Pyongyang's hackers to ignore, thanks in part to the sector's often weak defenses. "The North Korean regime seems to have found a rapidly growing financial technology industry that has little oversight and is unprepared for a relentless cyber assault," says a new report from threat intelligence firm Recorded Future.

Hackers tied to the Democratic People's Republic of Korea are relentless in finding new ways to take down targets. "North Korea exploits vulnerabilities in the crypto ecosystem in a variety of ways including through phishing and supply chain attacks, and through infrastructure hacks which involve private key or seed phrase compromises," blockchain intelligence firm TRM Labs said.

One measure of their success: The scale of cryptocurrency theft attributed to hackers affiliated with the despotic regime based in Pyongyang remains staggering. In 2022, North Korean hackers pilfered $1.7 billion in crypto, largely from DeFi platforms, accounting for 44% of last year's crypto losses, according to blockchain analysis firm Chainalysis.

A recent victim appears to be Hong Kong exchange Coinex, which in September reported the theft of $70 million in tokens, which it traced to hackers stealing private keys for its hot wallets. Coinex attributed the attack to North Korea's prolific, government-aligned Lazarus hacking group.

Government officials say many of these proceeds are plowed into programs to further cyberespionage and the development of weapons of mass destruction.

The target continues to grow. Cryptocurrency revenues are set to hit $37.87 billion this year and grow to $64.9 billion by 2027, according to Statista Market Insights.

The scale of North Korean hackers' ambitions and success to date, driven by the regime's need for revenue that evades sanctions, leads security experts to predict that the pace of such attacks will increase. They're warning anyone and everyone involved in the cryptocurrency ecosystem, or anything affiliated, to take steps to prepare themselves for what seems to be yet more inevitable onslaughts.

Hacking, Industrialized

Part of the problem is that whatever ordinary cybercriminals might do, North Koreans regularly seem to do it better, or at least on an industrialized scale most hackers could never reasonably attain.

"North Korean threat actors' cybercrime operations and money laundering mirror those of other traditional cybercriminal groups, however, state backing allows North Korean threat actors to scale their operations beyond what is possible for traditional cybercriminals," Recorded Future's report says.

Their operations pose a risk to "anyone operating in the cryptocurrency industry - individual users, exchange operators and financiers with a portfolio of startups" as well as banks or anyone who touches fiat currency.

One piece of good news is that North Korean illicit gains appear to have declined from last year. TRM Labs traced $200 million in stolen cryptocurrency this year, as of August.

Blunting industrial-scale cyberattacks requires international cooperation, and the U.S. government is spearheading a global response to disrupt North Korean hackers' moneymaking efforts.

The U.S. continues to sanction key pieces of North Korea's money laundering ecosystem. On Wednesday, the U.S. blacklisted cryptocurrency mixer, seizing its website with help of Dutch and Polish authorities. U.S. officials described Sinbad as being the "preferred mixing service" for Lazarus Group.

Beyond affecting Lazarus, the mixer's takedown "will have implications across the criminal ecosystem - including ransomware, scams and darknet markets," Jackie Burns Koven, head of cyber threat intelligence at Chainalysis, said in a social media post.

Blockchain analysis shows Sinbad served as the world's second-largest mixer this year, based on volume, and also handled funds stolen from Atomic, AlphaPo, CoinsPaid, Harmony and Stake, TRM Labs said.

Following the Money

Multiple jurisdictions are requiring that funding for "know your customer" anti-money laundering and counterterrorism be applied to all things crypto, or are considering requiring it.

On Monday, the European Banking Authority issued new AML and counter-financing of terrorism - aka CFT - guidelines to crypto asset service providers, designed "to prevent the abuse of fund and crypto asset transfers" for money laundering or terrorism financing. The EBA said it had designed the guidelines to foster a risk-based approach and ensure that supervisors across the sector better communicate with each other to help spot and stop suspicious activity. The guidelines are due to take effect on Dec. 30, 2024, at which point crypto asset service providers will be legally required to comply with European AML and CFT "obligations and supervision," the EBA said.

Also, last week the European Banking Authority launched a public consultation on its proposed new "travel rule" guidelines, which is also set to take effect at the end of 2024. This would "specify the steps that payment service providers, intermediary PSPs, crypto asset service providers and intermediary CASPs should take to detect missing or incomplete information that accompanies a transfer of funds or crypto assets," to help prevent money laundering and terrorism financing, it said.

The banking authority's efforts followed the U.S. Department of the Treasury's Financial Crimes Enforcement Network in October proposing a rule that would require all U.S. financial institutions, including cryptocurrency businesses, to impose "special measures" and report transactions involving cryptocurrency mixing services. The move is primarily driven by money laundering concerns, FinCEN's document states.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.