It’s pay day for the North Korean government. Cyber criminals in the Democratic People’s Republic of Korea (DPRK) had their busiest year yet in 2023, executing more individual crypto hacks than ever before, according to a new report from Chainalysis, a blockchain analysis firm headquartered in New York City.
But why is anyone in North Korea interested in your crypto anyway?
“[Bad actors in North Korea] have found an avenue where they can seize significant money in ways that they haven’t found through fiat currencies or other crime types. So, this has been a really lucrative endeavor for them,” Erin Plante, VP of investigations at Chainalysis, told IT Brew.
A government affair. North Korea-affiliated hackers have had their eyes on crypto for years, stealing nearly $1.7 billion in 2022 and a little over a billion the following year. Though the amount stolen decreased in 2023, the number of incidents shot up to 20, the highest number recorded for North Korean crypto hacks so far, according to the report.
The North Korean government sponsors these types of schemes because it’s one way the country can flaunt its global status—much like what China has done with stolen US intellectual property, or the way Russia funds its espionage machine, Meredith Fitzpatrick, the director of cryptocurrency investigations and compliance at Forensic Risk Alliance, an international consultancy based in Washington, DC, said in an interview.
“[North Korea] is completely cut off from the global financial system,” she said. “In order to further propel their nuclear weapons program—which for them that is because they’re so cut off from the rest of the world—they really see that as an element of state survival…They need money to do that.”
Fitzpatrick, a former special agent on the FBI’s virtual currency response team, noted that North Korean hackers aren't limited to crypto laundering schemes; they’ve also used traditional money laundering to fund their weapons programs. But the process of funding such programs with crypto is not as point-blank as it may seem.
“As far as funding a military [goes], you’re not buying a military arsenal of guns with crypto—you’re not buying a tank with crypto,” she said. “It still needs to go from crypto to fiat to do that.”
The major players. In 2019, the US placed sanctions on three North Korean state-sponsored malicious cyber groups—Lazarus Group, Andariel, and Bluenoroff—noting they were responsible for schemes involving “malicious cyber activity on critical infrastructure.”
Lazarus Group, in particular, remains a major force in these crypto schemes, previously hacking Sony Pictures, a crypto casino, the central bank in Bangladesh, and more. Also known as APT38, the group was behind the biggest cryptocurrency theft of 2020, and stole over $300 million in 2023—representing 17% of total losses for the year, according to a report by Immunefi. In 2022, US officials alleged that Lazarus was also behind a $615 million crypto heist on the Ronin Network.
“Lazarus Group is the primary hacking group that we see attacking the crypto platform,” Plante said. “It’s essentially a military that is focused on cyberattacks. So, they have all the support from the government.”
While businesses in Asia are most commonly impacted by these crypto scams, North Korean cyber criminals are not limited to that region. Their targets are global, Plante said, as these schemes have also reached US companies and entities.
In April of last year, a North Korean foreign trade bank representative was charged in a crypto laundering scheme, allegedly conspiring with over-the-counter crypto traders and using stolen funds to buy goods for the DPRK. According to the Department of Justice, the representative reportedly conspired to launder funds that North Korean IT workers who were working illegally at tech and crypto companies—including US-based companies—brought in.
In a separate incident, the FBI confirmed last year that Harmony Protocol, a US crypto firm headquartered in Palo Alto, California, was also hacked by Lazarus in 2022. The hacking group stole $100 million in virtual currency.
“Western countries are increasingly susceptible to social engineering-based attacks, as generative AI is making it easier for attackers to write in perfect English and have profiles with pictures and content that makes them appear as someone they’re not,” Plante said in an email.
Since 2017, perpetrators around the globe have stolen over $10 billion in cryptocurrency, according to Chainalysis.
How they do it. Malicious actors in North Korea have a few different methods for stealing crypto, such as finding and exploiting vulnerabilities in code, but the most common methods have been social engineering and phishing—tactics that North Korean threat actors have also used to target cybersecurity researchers. In doing so, a threat actor can pose “as somebody who, ultimately, you can gain the trust to have somebody click on a link and install malware,” Plante said.
After using social engineering to compromise seed phrases and gain access to a wallet, they transfer the funds out. From there, they use a mixer to obfuscate the source of the funds, or convert them further into a privacy coin like Monero, Fitzpatrick explained.
All of which, she said, makes it hard for investigators to trace.
“North Koreans are very reliant on peer-to-peer traders or over-the-counter traders,” she said. “And a lot of times these over-the-counter traders will be located in China or Southeast Asia. They’ll then take their crypto [to an over-the-counter trader and get] it back to back to…physically transport it back to North Korea, or they’ll buy high-value goods and then sell the goods for cash.”
Staying protected. Fitzpatrick said these crypto schemes run on vulnerabilities—finding bugs in computer code, taking advantage of weak seed phrases or computer systems—and that “it’s always a constant education battle with the public.”
“So I think we are going to continue to see these evolutions,” she said, noting the importance of complex passwords and 2FA. “But as security evolves, so [will] the tools and tactics, techniques, and procedures of the adversary.”