North Korea is known for ballistic missiles, human rights violations, disputes with neighboring countries, and international sanctions. In recent years, however, the country has also earned a place in the book of infamy for cybercrime, especially hacking.
According to a report by the blockchain data platform Chainalysis, North Korean cybercriminals stole $400 million worth of digital assets in 2021 after launching at least seven attacks on cryptocurrency platforms.
The cybercriminals primarily attacked investment firms and centralized exchanges, using phishing lures, code exploits, malware, and advanced social engineering to siphon funds out of these organizations’ internet-connected “hot” wallets into DPRK-controlled addresses. Once North Korea gained custody of the funds, it began a careful laundering process to cover its tracks and cash out.
The report stated that these complex tactics and techniques have led many security researchers to characterize cyber actors of the Democratic People’s Republic of Korea (DPRK) as advanced persistent threats (APTs).
This is especially true for APT 38, also known as “Lazarus Group,” which is led by DPRK’s primary intelligence agency, the US- and UN-sanctioned Reconnaissance General Bureau. While we will refer to the attackers as North Korean-linked hackers more generally, many of these attacks were likely carried out by the Lazarus Group in particular.
Lazarus Group first gained notoriety for its Sony Pictures and WannaCry cyberattacks, but it has since concentrated its efforts on cryptocurrency crime, a strategy that has proven immensely profitable. From 2018 on, the group has stolen and laundered massive sums of virtual currency every year, typically over $200 million.
The most successful individual hacks, one on KuCoin and another on an unnamed cryptocurrency exchange, each netted more than $250 million. According to the UN Security Council, the revenue generated from these hacks goes to support North Korea’s WMD and ballistic missile programs.
In 2021, North Korean hacking activity was on the rise once again. From 2020 to 2021, the number of North Korean-linked hacks jumped from four to seven, and the value extracted from these hacks grew by 40%.
Interestingly, in terms of dollar value, Bitcoin now accounts for less than one-fourth of the cryptocurrencies stolen by the DPRK. In 2021, only 20% of the stolen funds were Bitcoin, whereas 22% were either ERC-20 tokens or altcoins. And for the first time, Ether accounted for a majority of the funds stolen at 58%.
Mixers were used on over 65% of the funds stolen in 2021, a threefold increase since 2019. A mixer is a software-based privacy system that allows users to hide the source and destination of the coins they send. Decentralized exchanges are increasingly preferred by hackers because they are permissionless and have ample liquidity, so coins can be swapped at will.
Why mixers? The DPRK is a systematic money launderer, and its use of multiple mixers (software tools that pool and scramble cryptocurrencies from thousands of addresses) is a calculated attempt to obscure the origins of its ill-gotten cryptocurrency while off-ramping into fiat.
Fresh sanctions were imposed on North Korea by the United States following hypersonic missile tests on January 5 and 11.