Les Bell
Blog entry by Les Bell
A new report from threat intelligence firm Recorded Future's Insikt Group provides a trove of insights into how the North Korean state has been able to circumvent financial sanctions by simply stealing more than $US3 billion in cryptocurrency. Ironically, although the DPRK is a decidedly low-tech society internally, it is critically dependent on high-tech operations by hacking groups such as Lazarus Group, Kimsuky, Bluenoroff and others to fund its missile development program, not to mention the lifestyle of its ruling regime. In 2022 alone, North Korean groups likely stole $US1.7 billion in cryptocurrency - roughly equivalent to 45% of the country's military budget and almost ten times the value of the country's exports for the previous year, showing its importance in sanctions-busting.
Fifteen years ago or so, North Korean hackers became active within massively multiplayer online games such as World of Warcraft, amassing modest amounts of the game's "Credits" internal currency, which were then cashed out through early exchanges. However, they quickly realized that this was small change compared to the money flowing through banking networks, and switched their focus to the SWIFT (Society for Worldwide Interbank Financial Telecommunication) banking network. Their successes there forced the financial institutions to quickly improve their defences, and the cryptocurrency bubble of 2017 immediately drew the hackers' attention.
State support has allowed North Korean threat actors to expand their operations well beyond those of more traditional cybercriminal groups - to the extent that approximately 44% of cryptocurrency theft in 2022 was attributed to the North Korean groups. From a small start targeting South Korean crypto exchanges, they have broadened their operations to target anyone and everyone involved in cryptocurrency - individual users, exchanges, startups and venture capital firms. But they also target entities in conventional financial markets, as once the cryptocurrency has been converted into fiat currency, they rely on a range of money-laundering techniques to move the funds. In fact, almost anyone could be a useful victim, as they will use stolen personally identifiable information (PII) and altered photos to set up accounts which are then used to move funds, obscuring the original source.
North Korean actors are adept users of phishing attacks, both for general account access and in spear-phishing attacks targeting the cryptocurrency industry - the latter targeting exchange employees by pretending to be other businesses and soliciting job applications. They have also targeted users with trojaned trading apps and 'permit phishing' attacks, which use a malicious script or smart contract requiring the victim's approval to receive tokens - once the permission is granted, the attackers can drain the victim's assets.
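The 'permit phishing' technique works because a token approval (an on-chain approve() call or an off-chain EIP-2612 Permit signature) hands a spender the right to move the victim's tokens. The wallet-side check below is an added example, not code from the report or this blog: it decodes an approve() request, inspects a Permit message, and returns the reasons a wallet should warn the user before signing. The trusted-spender list, threshold and sample addresses are assumptions constructed for the example.

```python
"""Flag risky ERC-20 approval requests before a wallet signs them (added example)."""
import time

APPROVE_SELECTOR = "095ea7b3"        # first 4 bytes of keccak256("approve(address,uint256)")
MAX_UINT256 = (1 << 256) - 1
UNLIMITED_THRESHOLD = 1 << 128       # assumption: anything this large is effectively unlimited


def decode_approve(calldata_hex: str):
    """Return (spender, amount) from approve() calldata, or None if it is not approve()."""
    data = calldata_hex.lower()
    data = data[2:] if data.startswith("0x") else data
    if not data.startswith(APPROVE_SELECTOR) or len(data) != 8 + 64 + 64:
        return None
    spender = "0x" + data[8 + 24:8 + 64]   # address is right-aligned in a 32-byte ABI word
    amount = int(data[72:136], 16)
    return spender, amount


def approval_risks(spender, amount, trusted_spenders, deadline=None, now=None):
    """Reasons a wallet should warn before granting this allowance (empty list = no warning)."""
    risks = []
    if spender.lower() not in {s.lower() for s in trusted_spenders}:
        risks.append("spender is not a known contract")
    if amount >= UNLIMITED_THRESHOLD:
        risks.append("allowance is effectively unlimited")
    if deadline is not None:
        now = time.time() if now is None else now
        if deadline - now > 365 * 86400:      # permits that never expire keep the drain window open
            risks.append("permit deadline is more than a year away")
    return risks


def check_calldata(calldata_hex, trusted_spenders):
    """Risk flags for a raw approve() transaction; other selectors are not approvals."""
    decoded = decode_approve(calldata_hex)
    return [] if decoded is None else approval_risks(*decoded, trusted_spenders)


def check_permit(permit: dict, trusted_spenders, now=None):
    """Risk flags for an EIP-2612 Permit message: owner, spender, value, nonce, deadline."""
    return approval_risks(permit["spender"], int(permit["value"]), trusted_spenders,
                          permit.get("deadline"), now)


if __name__ == "__main__":
    # Constructed sample: an unlimited approval to an unknown spender, as seen in permit phishing.
    trusted = ["0x" + "11" * 20]
    calldata = "0x" + APPROVE_SELECTOR + "0" * 24 + "deadbeef" * 5 + "f" * 64
    print(check_calldata(calldata, trusted))
```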
During 2021, DPRK activity ramped up significantly; they breached at least 7 organizations, stealing $US400 million of cryptocurrency, and broadened their attacks to cover a variety of alternative coins, especially coins, smart contracts and NFTs based on the Ethereum Request for Comment 20 (ERC-20) token standard. So successful were they that there seemed no urgency to cash out their gains - in January 2022 Chainalysis researchers identified $US170 million in cryptocurrency from breaches dating back to 2017.
The pace quickened further in 2022, with fake crypto job descriptions used as lures in malmail and phishing campaigns. The Bluenoroff (APT 38) group alone scored $US600 million from the Ronin Network cross-chain bridge breach, $US100 million from the Harmony blockchain bridge breach, $US190 million from the Nomad bridge and $US80 million from Qubit Finance (cross-chain bridges allow conversion between cryptocurrency blockchains).
2023 continued the trend, with Bluenoroff causing almost $US200 million in losses, expanding its use of spoofed recruitment emails and LinkedIn messages. In June of this year, Lazarus Group accessed systems belonging to directory-as-a-service firm JumpCloud, with the goal of compromising the company's cryptocurrency clients who rely on it as an Active Directory replacement. Some days after the breach was discovered, unusual activity was detected in the commands framework for a small group of customers, predominantly in the cryptocurrency business.
Stolen assets must be laundered and moved to accounts controlled by the North Korean government, and leaked documents from the US Financial Crimes Enforcement Network show individuals moving tens of millions of dollars through the US financial system to accounts in China, Singapore, Cambodia and elsewhere. These individuals are often employed directly by North Korea's Reconnaissance General Bureau (RGB). The regime also makes use of cryptocurrency mixers to clean and anonymize stolen cryptocurrency.
Only last week, the US Department of the Treasury's Office of Foreign Assets Control - along with international partners including Australia - sanctioned eight DPRK agents for their activities related to cryptocurrency crime, procurement of missile-related technology and weapons sales. Along with the individuals, it also sanctioned the Kimsuky threat group for their intelligence-gathering activities on behalf of the RGB.
Insikt Group, Crypto Country: North Korea's Targeting of Cryptocurrency, threat analysis report, 30 November 2023. Available online at https://go.recordedfuture.com/hubfs/reports/cta-2023-1130.pdf.
US Department of the Treasury, Treasury Targets DPRK’s International Agents and Illicit Cyber Intrusion Group, press release, 30 November 2023. Available online at https://home.treasury.gov/news/press-releases/jy1938.
About this Blog
I produce this blog while updating the course notes for various courses. Links within a story mostly lead to further details in those course notes, and will only be accessible if you are enrolled in the corresponding course. This is a shallow ploy to encourage ongoing study by our students. However, each item ends with a link to the original source.
These blog posts are collected at https://www.lesbell.com.au/blog/index.php?user=3. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.
Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.