1. Skip to content
  2. Skip to main menu
  3. Skip to more DW sites

How N. Korean hackers keep the regime afloat

September 2, 2022

As international sanctions increasingly isolate North Korea from global sources of finance, Pyongyang's army of hackers is ramping up attacks on vulnerable cryptocurrency accounts around the world.

https://p.dw.com/p/4GLre
Back view of young hacker pointing at glowing Bitcoin sign on blurry city background
Kim Jong Un's regime is reportedly using its hackers to access other people's moneyImage: peshkova/imago images

A report released in mid-August by the US-based blockchain analysis company Chainalysis suggests that hackers stole $1.9 billion (€1.9 billion) in the first seven months of this year, up significantly from the $1.2 billion in cryptocurrencies such as Bitcoin, Ethereum, or Litecoin that was taken in the same period last year.

And from the digital fingerprints left in the hackers' wake, the company estimates that more than $1 billion of the total was stolen by "bad actors affiliated with North Korea, especially elite hacking units like Lazarus Group."

The hackers have a number of approaches to access cryptocurrency accounts, with North Korea's state-sponsored units presently focusing on exploiting decentralized finance protocols, it said. Also known as DeFi, this is an emerging technology in the sector that permits users to privately exchange cryptocurrencies without the need to go through an intermediary or involving public blockchains.

The problem with DeFi protocols, analysts point out, is that they use open source code that can be studied for weaknesses and then exploited by cybercriminals.

Hacks in a variety of guises take place on a daily basis, the experts agree, with criminals recently exploiting a vulnerability in General Bytes Bitcoin ATM servers to syphon off cryptocurrency during transactions and crypto start-up Nomad resorting to offering bounties for anyone who helps the company to trace $190 million in digital currency that was seized in a hacking attack in early August.

Sanctions loophole

"Crypto hacks have been getting bigger year on year simply because the TVL [total value locked] in DeFi has been growing consistently," a South Korea-based analyst for a digital asset investment firm told DW.

'Preying on South Korean users'

"North Korean hackers have been extremely successful since the early 2000s, preying on South Korean users with voice phishing attacks and on local banking services, which is why Korean banks are so over the top with security in comparison with Western banks," said the analyst, who declined to be identified for security reasons.

South Korea's concerns first began to be realized in a series of incidents two decades ago in which hackers were able to carry out denial-of-service attacks on the South's infrastructure, from banks to power plants, hospitals and government ministries and agencies. Those attacks soon went further afield, with North Korea linked to the 2019 hacking attack on a nuclear power plant in India and the WannaCry ransomware attack that caused chaos in hospitals and other critical facilities around the world.

With sanctions on Pyongyang tightening as Kim Jong Un refused to bow to increasing international pressure over his nuclear and ICBM programs, the regime has been using its hackers to access other people's money. Some $81 million was taken in a 2016 robbery that is commonly known as the Bangladesh Bank cyber heist, but the emergence and rapid growth in relatively unregulated cryptocurrency has been an opportunity for North Korea.

There are broadly two methods that hackers employ, according to Aditya Das, an analyst at cryptocurrency research firm Brave New Coin in Auckland, New Zealand.

"As well as taking advantage of DeFi vulnerabilities — which the North Koreans have become very good at — another frequent tactic is spearfishing, or using social media sites under an assumed name to contact people who are in the cryptocurrency sector, opening a conversation with them, building a friendship and then asking about the technology they are working on," Das told DW.

Kim Jong Un and military officials survey a Hwasong-17 ICBM
Kim Jong Un has refused to bow to increasing international pressure over his nuclear and missile programsImage: KCNA /AP Photo/picture alliance

"In many cases, they will then make an offer of a very well-paid job but ask for some evidence of the technology that the person is working on," he said. "As soon as they have some inside information or direct access, they can send a file with malware attached and access a system."

Das admits that unknown individuals reach out to him numerous times a day and that his spam file "is full of these approaches."

"Part of the problem is that the crypto space is not regulated or registered as these companies favor revenue over security," he added.

Once the cryptocurrency has been taken, it can often be very difficult to trace, although the authorities are getting more adept.

US sanctions hackers

On May 6, the US Department of the Treasury sanctioned virtual currency mixer Blender.io for supporting the "malicious cyber activities and money-laundering of stolen virtual currency" by North Korea. The agency identified the Lazarus Group as being behind a series of heists and providing the funds to the North Korean government "for its unlawful weapons of mass destruction (WMD) and ballistic missile programs."

The most lucrative hacking attack to date took place in March, when Ronin Network, a critical bridge chain, was attacked. The theft was put down to a "social engineering attack combined with human error" — suggesting that someone let down their guard and opened an infected attachment to an e-mail — and the hackers made off with more than $620 million.

North Korea's hunger for currency is not diminishing and Kim Jong Un has an army of skilled hackers at his disposal, so the experts fear more similar cases are inevitable.

"The DeFi community has a strong network of 'white hat' hackers who actively seek to combat this and assist," said the South Korea-based analyst. "But there is only so much they can do."

Edited by: Shamil Shams

Julian Ryall
Julian Ryall Journalist based in Tokyo, focusing on political, economic and social issues in Japan and Korea