BitCoins To Bombs: North Korea Funds Military With Billions In Stolen Cryptocurrency

Residents of Japan who wonder how North Korea has the wherewithal to loft ballistic missiles into their airspace might want to check their Bitcoin wallets.

A new report from the firm Recorded Future finds that billions of dollars in gains from cryptocurrency heists are funding close to half of the country’s military budget and 5% of the reclusive Communist, authoritarian state’s overall economy.

The report, Crypto Country: North Korea’s Targeting of Cryptocurrency, was prepared by Recorded Future’s Insikt research team and released on Thursday. It estimates that the North Korean government has stolen over $3 billion in cryptocurrency since 2017, more than half of that ($1.7 billion) in 2022 alone. Close to half of all the cryptocurrency stolen that year (44%) was traceable to North Korean state actors, Recorded Future said.

The DPRK’s forays into cryptocurrency first took shape in 2017 when it targeted South Korean crypto exchanges Bithumb, Youbit and Yapizon, raking in around $83 million in profits. The focus on cryptocurrency has only intensified since then, with North Korean state-sponsored hacking groups such as APT 38 (aka “Lazarus”) targeting cryptocurrency exchanges in the US, Russia, Israel, Japan and the EU.

Those attacks involved spear phishing of executives and other privileged users at cryptocurrency exchanges, with North Korean hackers often posing as job seekers or abusing the brands of fintech and venture capital firms or other cryptocurrency companies to fool their victims. Email and LinkedIn are often used to send targets malicious attachments and links that give attackers privileged access to sensitive networks and assets. North Korean actors like Lazarus Group have also been observed using what’s described as a “strategic web compromise” to gain initial access, as well as distributing trojanized “De-Fi” (decentralized finance) applications containing backdoors that give North Korean actors access to the contents of individual crypto wallets.

To harvest the fruits of its criminal efforts, North Korea has developed an extensive money-laundering network to move billions of dollars’ worth of stolen cryptocurrency and either convert it to fiat currency or use it to purchase goods and services for the regime, Recorded Future said.

In 2023, the overall take attributed to North Korean state actors is down from 2022. However, crypto heists continue to be very profitable for the regime. Between January and August 2023, the North Korean state-sponsored group APT 38 allegedly stole $200 million from Atomic Wallet, AlphaPo and CoinsPaid. The FBI said in January that North Korea was also behind a $100 million heist from Harmony’s Horizon Bridge, a cross-chain bridge for Ethereum, in June 2022. North Korea is also believed to be behind the July hack of JumpCloud, a provider to numerous cryptocurrency firms. The attack on voice over IP vendor 3CX was also linked to the North Korean APT group Labyrinth Chollima, with follow-on attacks on 3CX customers concentrated on those in the cryptocurrency industry.

North Korean threat actors’ cybercrime operations and money laundering mirror those of other traditional cybercriminal groups; however, state backing allows North Korean threat actors to scale their operations beyond what is possible for conventional cybercriminals.

Those laundering efforts include the use of victims’ stolen identity documents and personal information to bypass anti-money laundering and “Know Your Customer” systems developed to prevent unauthorized money transfers, Recorded Future said.

Individuals and businesses operating in the cryptocurrency industry need to be aware of, and prepared for, persistent attacks by North Korean state actors, Recorded Future said. In the case of the attack on CoinsPaid, for example, North Korean state actors posed as recruiters sending job offers to CoinsPaid employees in an effort to compromise employee accounts. The company said it believed the campaign went on continuously for more than 6 months.

Crypto firms and platforms serving cryptocurrency owners need better defenses against phishing attacks and strong, multi-factor authentication. The cryptocurrency industry also needs to be more closely regulated and pushed to invest more in cybersecurity protections if it hopes to keep sophisticated hacking groups like Lazarus at bay, Recorded Future said.