North Korea’s spree of state-sponsored cryptocurrency theft continued apace last year as Pyongyang hackers illicitly lifted about $1.7 billion worth of digital assets – close to half of the world’s cryptocurrency stolen in 2022, new analysis shows.
That $1.7 billion likely made up a sizable chunk of North Korea’s economy and funded its nuclear weapons program, says blockchain analysis firm Chainalysis. North Korea is the rare country whose state-sponsored hackers attack for their country’s financial gain. The hereditary totalitarian regime that has governed the country since 1948 has long funded criminal activity in a quest for hard currency, given its self-imposed autarky and pariah status on the global stage.
Cybercriminals, including North Korean-linked hackers, use cryptocurrencies for the same reasons people use them for legitimate purposes: They are cross-border, liquid and instantaneous, Erin Plante, senior director of investigations at Chainalysis, tells Information Security Media Group. “This is particularly advantageous for countries that are cut off from the global economy,” she says.
North Korean hackers are “systematic and sophisticated” in hacking and laundering stolen funds and are backed by a nation that supports cryptocurrency-enabled crime on a massive scale, says Plante.
Decentralized finance presents a uniquely inviting target to hackers of all stripes, and Pyongyang has taken advantage of it. DeFi protocols are open source, allowing hackers to study them ad nauseam for exploits, Plante says. It is possible that protocols’ incentives to reach the market and grow quickly lead to lapses in security best practices, she adds. Of the $3.8 billion recorded as stolen by hackers in 2022, theft from DeFi platforms accounts for $3.1 billion.
North Korean hackers use phishing lures, code exploits, malware and advanced social engineering to siphon funds into wallets they control, Plante says. They have a “calculated” laundering method and deploy obfuscation techniques such as mixing to create a disconnect between the cryptocurrency they deposit and the cryptocurrency they withdraw. They also move stolen funds via chain hopping: swapping the funds across several different cryptocurrencies and blockchains in quick succession, typically through bridges or exchanges, so that each hop breaks the trail on the previous chain.
As long as crypto assets held in DeFi services have value and are vulnerable, bad actors will try to steal them. The only way to stop them is for the industry to shore up security and train crypto companies to identify threats, such as social engineering, that are widely used by groups such as Lazarus, she says.
Cryptomixers are a “cornerstone” of North Korean money laundering, Chainalysis says. “Funds from hacks carried out by North Korea-linked hackers move to mixers at a much higher rate than funds stolen by other individuals or groups.”
Cryptomixer Tornado Cash was a favored platform for laundering money in 2021 and most of 2022, although the United States put a stop to that by sanctioning the service in August, crippling its use. Tornado Cash remains operational, but a mixer becomes less effective when fewer people use it: the service relies on volume to obfuscate the origin and destination of the funds on its platform, and a withdrawal can only hide among the deposits that other users have made (see: North Korea Avoids Tornado Cash After US Imposes Sanctions).
North Korea-linked hackers are unlikely to be dissuaded by the threat of U.S. sanctions. But the sanctions make it harder for threat actors to cash out their ill-gotten gains, Plante says.
Chainalysis says the criminals diversified their mixer usage in the fourth quarter of 2022. They appear to have zeroed in on Sinbad, a bitcoin mixer that began advertising its services two months after the federal government sanctioned Tornado Cash. Investigators at the analytics firm observed the first transactions by North Korean hackers on the platform in December.
Between December 2022 and January 2023, hackers laundered $24.2 million on the mixer, Chainalysis concludes. This includes the North Korea-linked Lazarus Group, which laundered “a portion” of the funds stolen in the $600 million Axie Infinity hack via Sinbad.
Hackers also increasingly use underground services that aren’t as well known as standard mixers, accessible only through private messaging apps or the Tor browser, and usually only advertised on darknet forums, Plante tells ISMG.
She also sees an uptick in services with brand names and custom infrastructure, with varying complexities. Some function simply as networks of private wallets, while others are more akin to an instant exchanger or mixer, she says. “What links them is their ability to move cryptocurrency to exchanges on behalf of cybercriminals, exchange them for either fiat currency or clean crypto, then send that back to the cybercriminals.”
Law enforcement, Plante says, must continue developing its ability to seize stolen cryptocurrency to the point that hacks are no longer worthwhile.
Federal agents last year seized funds North Korean hackers stole from Axie Infinity’s Ronin bridge hack by partnering with Web3 security companies and tracing the funds on the blockchain. The U.S. FBI also identified Lazarus as the guilty party behind the $100 million Harmony-run Horizon bridge hack.
Similar actions will almost certainly occur in 2023, Plante says.
“When every transaction is recorded in a public ledger, it means that law enforcement always has a trail to follow, even years after the fact, which is invaluable as investigative techniques improve over time.”
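The laundering steps described above (splitting the haul, a chain hop through a bridge, fixed-denomination deposits into a mixer, cash-out at an exchange) and the public-ledger trail Plante refers to, as an added example that is not part of the original article and is not Chainalysis’s tooling. The ledger, address names, entity labels and the proportional (“haircut”) taint rule are all constructed for illustration; a real tracing tool would convert amounts to a common value unit, use real clustering heuristics and weigh deposit timing rather than just denomination.

```python
"""Toy taint tracing and mixer anonymity-set measurement over a constructed ledger."""
from collections import defaultdict

# Constructed toy ledger (not real chain data). A transfer is
# (time, asset, sender, receiver, amount). Amounts are in the asset's own
# unit; each entity below only ever receives one asset, so fractions stay sane.
TRANSFERS = [
    (1, "ETH", "victim_bridge", "hacker_a", 100.0),   # the theft
    (2, "ETH", "hacker_a", "hacker_b", 60.0),          # split the haul
    (2, "ETH", "hacker_a", "hacker_c", 40.0),
    (3, "ETH", "hacker_b", "bridge_in", 60.0),         # chain hop: ETH in ...
    (3, "ETH", "bob", "bridge_in", 60.0),              # unrelated bridge user
    (4, "BTC", "bridge_out", "hacker_d", 3.0),         # ... BTC out
    (4, "BTC", "bridge_out", "bob_btc", 3.0),
    (5, "BTC", "hacker_d", "mixer_pool", 1.0),         # fixed-denomination deposits
    (6, "BTC", "hacker_d", "mixer_pool", 1.0),
    (6, "BTC", "alice", "mixer_pool", 1.0),            # the only unrelated depositor
    (7, "ETH", "hacker_c", "exchange_hot", 40.0),      # direct cash-out attempt
    (8, "BTC", "mixer_pool", "fresh_1", 1.0),          # mixer withdrawals
    (9, "BTC", "mixer_pool", "fresh_2", 1.0),
    (10, "BTC", "fresh_1", "exchange_btc", 1.0),
]

# Address -> entity (cluster). Both sides of the bridge are one service, so
# taint deposited as ETH is carried out as BTC. Assumed labels, not real ones.
ENTITY = {"bridge_in": "bridge", "bridge_out": "bridge"}
LABEL = {"bridge": "bridge", "mixer_pool": "mixer",
         "exchange_hot": "exchange", "exchange_btc": "exchange"}


def entity(addr):
    return ENTITY.get(addr, addr)


def trace_taint(transfers, source):
    """Proportional taint: an entity's outgoing transfer carries the fraction
    tainted_in / total_in of everything that entity has received so far.
    Returns ({entity: tainted fraction}, {(service label, asset): tainted amount})."""
    received = defaultdict(float)
    tainted = defaultdict(float)
    landed = defaultdict(float)

    def frac(e):
        if e == source:          # everything leaving the victim is stolen
            return 1.0
        return tainted[e] / received[e] if received[e] else 0.0

    for _t, asset, snd, rcv, amt in sorted(transfers):   # time order
        s, r = entity(snd), entity(rcv)
        dirty = amt * frac(s)
        received[r] += amt
        tainted[r] += dirty
        if r in LABEL and dirty:
            landed[(LABEL[r], asset)] += dirty
    return {e: frac(e) for e in received}, dict(landed)


def mixer_linkage(transfers, mixer, withdrawal_time, amount, suspects):
    """Anonymity set of a fixed-denomination withdrawal: every earlier deposit
    of the same denomination. Returns (distinct depositors, share of those
    deposits made by suspect entities, i.e. P(withdrawal is suspect money))."""
    deposits = [entity(snd) for t, _a, snd, rcv, amt in transfers
                if entity(rcv) == mixer and amt == amount and t < withdrawal_time]
    if not deposits:
        return 0, 0.0
    hits = sum(1 for d in deposits if d in suspects)
    return len(set(deposits)), hits / len(deposits)


if __name__ == "__main__":
    fracs, landed = trace_taint(TRANSFERS, "victim_bridge")
    for (label, asset), amt in sorted(landed.items()):
        print(f"stolen value routed to {label:8s}: {amt:.3f} {asset}")
    # Note the side effect of the haircut rule: bob's BTC is now 50 % "dirty"
    # too, which is why exchanges freeze first and ask questions later.
    print(f"bob_btc taint fraction: {fracs['bob_btc']:.2f}")
    size, p = mixer_linkage(TRANSFERS, "mixer_pool", 8, 1.0, {"hacker_d"})
    print(f"withdrawal fresh_1: anonymity set {size}, P(hacker origin) = {p:.2f}")
    # Same withdrawal once the unrelated depositor is gone: volume is the defence.
    quiet = [x for x in TRANSFERS if x[2] != "alice"]
    size, p = mixer_linkage(quiet, "mixer_pool", 8, 1.0, {"hacker_d"})
    print(f"with no other depositors:  anonymity set {size}, P(hacker origin) = {p:.2f}")
```

Two things to take from running it: the trail survives the chain hop and the mixer because the bridge and the pool are public addresses whose in- and outflows are both on-ledger, and the mixer’s protection collapses from a two-thirds guess to certainty as soon as the hacker is the only depositor, which is the volume effect the sanctions exploited.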
Senior Subeditor, ISMG, Global News Desk
Rashmi has seven years of experience writing and editing stories on finance, enterprise and consumer technology, and diversity and inclusion. She has previously worked at (formerly) News Corp-owned TechCircle, business daily The Economic Times and The New Indian Express.
Banner Year for North Korean Cryptocurrency Hacking