Borders were closed and trade was cut off while international sanctions continued throughout the COVID-19 pandemic, further isolating North Korea, one of the world’s most impoverished nations.
But its regime has discovered new ways of raking in funds to continuously pursue its missile ambitions and divert sanctions and regulations at the same time – via hacking cryptocurrencies.
The online theft of cryptocurrency has allowed Pyongyang free access to the new but less regulated financial system operated on blockchain technology, believed to be unhackable, through manipulation techniques that exploit human error to trick people into giving up confidential information or to download malware-ridden files.
Through such highly engineered methods, North Korean hackers have been channeling billions of dollars into the secluded regime’s pockets, according to experts from the US and South Korea.
It has become an efficient means to cover the astronomical costs of missile launches and nuclear tests for North Korea, with a gross national income that stands at 36.3 trillion won ($27.7 billion) – about 1.7 percent that of South Korea.
The pandemic has pushed the North Korean regime to further rely on cybertheft, allowing Kim Jong-un to expand his nuclear program without having to engage with the outside world.
“North Korea has engaged in a string of illicit moneymaking schemes over the decades, from manufacturing methamphetamine to counterfeiting $100 bills, and crypto theft is the latest,” said Jean Lee, a fellow at the Wilson Center in Washington and co-host of the “Lazarus Heist” podcast from the BBC World Service.
“Cryptocurrency is incredibly appealing for North Korean hackers because it promises the potential for huge gains – and remains largely unregulated.”
North Korea’s cryptocurrency theft – which began in 2017 – has begun to take centerstage this year as it has fired a record-breaking number of missiles at unprecedented speed and geared up for another nuclear test despite its still-sluggish economic conditions.
This year alone, North Korea has so far fired around 90 missiles, including eight intercontinental ballistic missiles.
While leaving its people on the verge of starvation, cash-strapped North Korea devoted around $400 million to $650 million to launch 31 ballistic missiles in the first half of this year, South Korea’s chief nuclear envoy Kim Gunn said in November at the first US-South Korea joint symposium on countering North Korean cyberthreats to cryptocurrency exchanges.
US Homeland Security Secretary Alejandro Mayorkas said in October that Pyongyang has “largely funded its weapons of mass destruction programs through cyber heists of cryptocurrencies and hard currencies totaling more than $1 billion” in the last two years alone.
North Korean hackers have commonly used traditional espionage tactics such as social engineering and phishing to gain access to networks of the targeted cryptocurrency exchanges and decentralized finance protocols.
They have advertised and distributed a modified, Trojanized version of a cryptocurrency trading application by establishing a legitimate-looking company. The US government previously identified the campaign as “AppleJeus.”
The Lazarus Group, an elite North Korean hacking group, created a new homepage with the domain name called BloxHolder by cloning the legitimate website HaasOnline. It then distributed a fake, malware-ridden cryptocurrency trading application, according to a Washington-based cybersecurity firm Volexity.
From January to July this year, North Korean hackers stole around $1 billion worth of cryptocurrency just from decentralized finance, or DeFi, protocols, according to the New York-headquartered Chainalysis.
They launched at least seven attacks on cryptocurrency platforms and stole nearly $400 million worth of cryptocurrency in 2021, up 40 percent compared to the prior year, Chainalysis said in its 2022 Crypto Crime Report.
For the isolated country, cryptocurrency itself has been attractive for its cross-border, anonymous and decentralized nature.
“Cybercriminals – including North Korean-linked hackers – use cryptocurrencies for the same reasons people use it for legitimate purposes: it’s crossborder, liquid, and instantaneous.
This is particularly advantageous for countries that are cut off from the global economy,” said Erin Plante, vice president of investigations at New York-headquartered Chainalysis.
A lower level of cybersecurity in cryptocurrency markets compared to traditional financial institutions, including commercial banks, is another key factor triggering cryptocurrency theft.
“Blockchain gives people assurance of the underlying technology platform. However, the cyber security maturity of cryptocurrency exchanges is generally far lower than banks. Crypto is an advanced technology but it is generally poorly defended,” said Robert Potter, co-founder and co-CEO of Australian-US cybersecurity company Internet 2.0.
In addition, open source development of blockchain technology makes cryptocurrency markets more vulnerable for hacking.
“Targeting of cryptocurrencies is enabled by the fact that blockchain technology is open source and non-proprietary, affording anyone the opportunity to get up to speed,” said Joe Dobson, a senior principal analyst at Mandiant, based in Virginia.
“Further, these technologies generally prioritization functionality over security, so security issues are worked out much farther down the line and they are susceptible to being targeted in the meantime. At some point, if easier or more profitable schemes are developed, we expect North Korean operators to move to those instead.”
Low risk, high return
North Korean hackers have taken advantage of almost no risk of retaliation or punishment for their cyber-enabled crimes. North Korea’s poor cyber infrastructure and its limited exposure to cyberattacks have allowed the country to conduct cyberwarfare with an asymmetrical advantage.
But the decentralized, unregulated nature of cryptocurrency markets allows leeway for Pyongyang to more easily procure foreign currency to overcome multifaceted economic challenges, including increasing isolation from the global economy, which have been compounded by self-imposed border closures.
“For a financially isolated country looking for alternative, nontraditional sources of revenue, the decentralized and opaque cryptocurrency landscape is nothing but attractive.
“In the absence of meaningful international or jurisdictional regulation, North Korea can – and has on multiple counts – hack virtual assets to generate revenue while evading sanctions,” said Millie Kim, a researcher with the North Korea Cyber Working Group, an initiative of the Korea Project at Harvard University’s Belfer Center for Science and International Affairs.
“These cyber operations targeting cryptocurrency feed into the state’s overarching strategy of investing in asymmetric capabilities to achieve strategic objectives and, ultimately, ensure regime survival.”
The theft of cryptocurrency is an efficient way to generate high returns for the Kim Jong-un regime with lower risk and lower costs compared to other means to rake in money bypassing UN economic sanctions, such as exporting coal or selling counterfeit cigarettes.
“If you compare this to earnings they could make from things like coal or cigarettes or whatever, the revenue is so much greater. In a mere five days, basically, they could make $500 million with a team of 10 people,” said Nick Carlsen, a blockchain analyst at TRM Labs and a former FBI analyst.
“That’s an incomparable profit rate to anything else North Korea can do. So it’s a perfect source of revenue.”
Evidence shows that North Korean hackers’ attempt to siphon funds out of one cryptocurrency robbery alone was sufficient to cover the cost of launching more than 30 missiles.
Carlsen pointed out the lack of “offensive options” against cryptocurrency theft serves as a “key advantage” for North Korean hackers.
For instance, Mun Chol-myong is the only North Korean who has been extradited to the US for financial crimes. He was arrested in 2019 while in Malaysia, which in 2021 sent him off to US authorities.
“They can make so much money from this, and there’s no real consequence that the world can impose on them, aside from maybe trying to intercept some of the money that they’ve stolen or make it harder for them to steal,” Carlsen said. “So for them, it’s a no-brainer.”
Who is Lazarus Group? The world’s most sophisticated cybercrime unit
North Korea has several groups of world-class hackers trained at its elite institutions despite its poor internet infrastructure and severely restricted and state-controlled internet access.
The state-run Lazarus Group, accused of committing high-profile cryptocurrency thefts, including the $625 million Ronin bridge heist in March 2020 and the $275 million hack from KuCoin in 2020, is one of them.
Since 2009, the Lazarus Group, which appears to have been named after a man raised from the dead by Jesus in the Bible, has been behind nefarious cyber activities.
The list includes the destructive WannaCry 2.0 ransomware attack, which affected 300,000 computers in over 150 countries and caused billions of dollars of damage; the 2016 Bangladesh bank heist; and the 2014 cyberattack on Sony Pictures Entertainment.
“The North Koreans manage to fly under the radar because we underestimate the capability of hackers from a country where most of the population remains disconnected from the internet,” Lee from the Wilson Center said.
“But these North Korean hacking units have the backing of the North Korean state and are on a very important mission on behalf of their country,” Lee said.
“They are given the best training and they are given orders to devote their lives to this mission. As a result, they’ve been very clever at learning the technology behind cryptocurrency and have even managed to stay one step ahead of the technology, exploiting vulnerabilities to their advantage,” she added.
The Lazarus Group, already sanctioned by the US, is being controlled by North Korea’s principal intelligence agency, the Reconnaissance General Bureau, which oversees foreign business including weapon sales. The RGB, under the umbrella of the General Staff Department of the Korean People’s Army, is sanctioned by the United Nations and the US.
Lazarus is one of North Korea’s core hacking groups along with BlueNoroff and Andariel, which are all subordinate to the RGB’s Cyber Warfare Guidance Unit – better known as Bureau 121 – according to a 2020 report by the US Department of the Army called “North Korean Tactics.”
Over 6,000 members were estimated to belong to Bureau 121, but many of them operate from third countries including Belarus, China, India, Malaysia and Russia.
“North Korean hackers are enabled by the fact they can operate from China and other countries who are willing to host them. There, these individuals can leverage infrastructure and services not available to them in North Korea,” Dobson from Mandiant said.
The RGB has been tied to numerous “foreign kidnappings, assassinations, state-sponsored terror attacks, cyberoperations, and infiltration operations,” the US Defense Agency Intelligence said in 2021 in a special report on North Korea.
The bureau also recruits and co-opts foreign nationals to gather intelligence and execute operations in foreign countries.
The Lazarus Group, therefore, appears to be not just a group of hackers.
Anne Neuberger, deputy national security adviser for cyber and emerging technologies at the White House, said in July that North Korean hackers are a “criminal syndicate in terms of pursuing revenue in the guise of a country,” citing multiple hacks of cryptocurrency exchanges as an example.