The past year saw a breathtaking increase in the value of cryptocurrencies such as Bitcoin and Ethereum, with Bitcoin gaining 60 percent in value in 2021 and Ethereum increasing by 80 percent. So perhaps it is no surprise that the relentless North Korean hackers who live off the booming crypto economy also had a very good year.
North Korean hackers stole a total of $395 million in cryptocurrency last year across seven intrusions into cryptocurrency exchanges and investment companies, according to blockchain analysis firm Chainalysis. The nine-figure sum represents an increase of almost $100 million over the previous year’s thefts by North Korean hacker groups, and it brings their total haul over the last five years to $1.5 billion in cryptocurrency alone, not including the hundreds of millions more the country has stolen from the traditional financial system. This trove of stolen cryptocurrency now makes a significant contribution to the coffers of Kim Jong-un’s totalitarian regime as it seeks to finance itself, and its weapons programs, despite the country’s heavily sanctioned, isolated and ailing economy.
“They have had great success,” said Erin Plante, senior director of research at Chainalysis, whose report calls 2021 a “banner year” for North Korean cryptocurrency thefts. The results show that North Korea’s global, serial robbery has accelerated even amid law enforcement efforts; the U.S. Department of Justice, for example, indicted three North Koreans in absentia in February last year, accusing them of stealing at least $121 million from cryptocurrency companies along with a number of other economic crimes. An indictment was also filed against a Canadian man who had allegedly helped launder the funds. But these efforts have not stopped the bleeding of cryptocurrency. “We were excited to see actions against North Korea from law enforcement,” Plante said, “but the threat continues to grow.”
Chainalysis’ figures, based on exchange rates at the time the money was stolen, do not merely reflect the increase in the value of cryptocurrency. The growth in stolen funds also tracks the number of thefts last year; the seven breaches Chainalysis tracked in 2021 are three more than in 2020, though fewer than the 10 successful attacks that North Korean hackers carried out in 2018, when they stole a record-high $522 million.
For the first time since Chainalysis began tracking North Korean cryptocurrency thefts, Bitcoin no longer represents anywhere near the majority of the country’s take, accounting for only about 20 percent of the stolen funds. As much as 58 percent of the groups’ cryptocurrency gains came instead in the form of stolen ether, the currency unit of the Ethereum network. A further 11 percent, about $40 million, came from stolen ERC-20 tokens, a form of cryptocurrency used to create smart contracts on the Ethereum blockchain.
Chainalysis’ Plante attributes the increased focus on Ethereum-based cryptocurrencies, $272 million in total thefts last year against $161 million in 2020, to the skyrocketing price of assets in the Ethereum economy, combined with the start-ups that growth has encouraged. “Some of these exchanges and trading platforms are just newer and potentially more vulnerable to these types of intrusions,” she says. “They trade a lot with ether and ERC-20 tokens, and they’re just easier targets.”
While Chainalysis declined to identify most of the victims of the thefts it tracked last year, the report blames North Korean hackers for the theft of about $97 million in cryptocurrency from the Japanese exchange Liquid.com in August, including $45 million in Ethereum tokens. (Liquid.com did not respond to WIRED’s request for comment on its August breach.) Chainalysis says it linked all seven 2021 cryptocurrency hacks to North Korea based on malware samples and hacking infrastructure, and by tracing the stolen money into clusters of blockchain addresses it has identified as controlled by the North Korean hackers.
Chainalysis says the thefts were all carried out by Lazarus, a loose group of hackers who are all believed to be working in the service of the North Korean government. But other hacker-tracking companies have pointed out that Lazarus encompasses many different groups. Security firm Mandiant nonetheless echoes Chainalysis’ conclusion that cryptocurrency theft has become a priority for virtually all of the North Korean groups it tracks, in addition to the other missions they may pursue.
Last year, for example, two North Korean groups Mandiant calls TEMP.Hermit and Kimsuky both appeared to be tasked with targeting biomedical and pharmaceutical organizations, likely to steal information related to COVID-19, says Fred Plan, a senior analyst at Mandiant. Nevertheless, both groups continued to target cryptocurrency holders throughout the year. “The connection between financially motivated operations and campaigns continues to be the undercurrent of all these other activities that they had to carry out in the past year,” says Plan.
Even the group Mandiant calls APT38, which has previously focused on more traditional financial intrusions, such as the theft of $110 million from Mexican financial firm Bancomext and $81 million from Bangladesh’s central bank, now appears to have turned to cryptocurrency targets. “Almost all of the North Korean groups we track have a finger in the game of cryptocurrency in some way,” Plan says.
One reason hackers have focused on cryptocurrency over other forms of economic crime is undoubtedly the relative ease of laundering digital cash. After APT38’s Bangladesh bank robbery, for example, the North Koreans had to get Chinese money launderers to gamble their tens of millions at a casino in Manila to prevent investigators from tracking down the stolen funds. In contrast, Chainalysis found that the groups have plenty of opportunities to launder their stolen cryptocurrency. They have cashed out their takings through exchanges, largely those based in Asia that convert cryptocurrency into Chinese renminbi, whose compliance with “know-your-customer” rules is less than strict. The groups have often used “mixing services” to obscure the origin of the money. And in many cases they have used decentralized exchanges, designed to connect cryptocurrency traders directly without intermediaries, which often have little in the way of anti-money-laundering rules.
Chainalysis found that the North Koreans have been remarkably patient in cashing out their stolen crypto, often holding on to the funds for years before embarking on the laundering process. The hackers in fact appear to still be holding $170 million in unlaundered cryptocurrency from previous years’ thefts, which they will undoubtedly cash out over time.
All of these hundreds of millions, says Mandiant’s Plan, will end up in the accounts of a heavily militarized rogue state that has spent years under severe sanctions. “The North Korean regime has found that they have no other option. They have no other real way to engage with the world or with the economy. But they have this pretty amazing cyber capability,” Plan said. “And they’re able to use that to bring money into the country.”
Until the cryptocurrency industry figures out how to protect itself against these hackers, or to prevent their coins from being laundered and converted into hard currency, the Kim regime’s illicit, ethereal revenue stream will only continue to grow.
This story originally appeared on wired.com.