North Korea is in a unique position due to the dictatorial rule within the country, restricting trade and travel. As the country’s government focuses on improving military capabilities rather than conditions within the country, it is widely sanctioned.

Instead, North Korea has cultivated its technological knowledge, developing teams of hackers. In addition to hacking into Sony as a response to a satirical movie that killed off their leader, they are also involved in stealing money and cryptocurrency.

“With economic sanctions in place, cryptocurrencies are currently the best way to earn foreign currency in North Korea’s situation,” Mun Chong-hyun, chief analyst at South Korean cybersecurity firm ESTsecurity told Global News.

“It is hard to trace and can be laundered several times.

–Mun Chong-hyun, ESTsecurity

North Korea is believed to be behind the Lazarus group which was behind the attempted KuCoin heist of $275 million in cryptocurrency. All in all, the Lazarus group is responsible for stealing more than $1.75 billion. In 2019, the United States Treasury issued sanctions targeting three prominent state-sponsored North Korean hacking groups, the Lazarus Group, Bluenoroff, and Andariel.

Cryptocurrency transactions cannot be reversed and the companies behind the biggest exchanges have been until recently, poorly secured and regulated.  In addition, cryptocurrency also allows these groups to launder money, transferring large sums between multiple addresses and cashing them out further down the pipeline.

Let’s be clear, these cybercrimes aren’t perpetrated by North Korea as a whole, but rather by a select group of hackers under the direction of the country’s dictator. Starting from ransomware attacks in 2017, the country’s hackers have escalated their cybercrimes.

 

The WannaCry Ransomware Attacks

In May of 2017, many hospital staff in the UK experienced a rude awakening when they arrived at work. Their entire network was down, instead of flashing a ransom message; if they ever wanted their files and infrastructure returned, they would need to forward hundreds of Bitcoin to a specific address. This is called a ransomware attack because it threatens to wipe out all of the data on a computer unless the victim pays up.

This ransomware attack was attributed to the WannaCry software, affecting more than 250 000 Windows machines at their peak. The computers in many UK hospitals lacked critical security and hardware updates making them vulnerable. According to some security experts, paying the ransom didn’t necessarily even mean that files would be decrypted.

The attack itself was estimated to cost the National Health Service more than £92 million, delaying more than 19 000 appointments and requiring many hard drives to be wiped. This destabilizing attack was later attributed to hackers from North Korea.

 

Bankrupting A South Korean Exchange

It should come as no surprise that an ambitious North Korean crypto heist would target its nearest neighbor, South Korea. In December of 2017, the South Korean Youbit exchange was hacked resulting in the loss of 17% of their total assets.

This wasn’t even the first time that year that hackers from North Korea attempted to steal the company’s assets. In part, the novelty of cryptocurrency exchanges made startup exchanges an appealing target. After all, there weren’t any crypto industry standards for security. However, this hack proved costly as Youbit would later file for bankruptcy.

 

Zombie Mining

Do you know what every single program on your computer is doing? Would you know if something was running in the background, sapping off energy and computational power to generate cryptocurrency for North Korea?

Mining is an incredibly energy intensive procedure, where computers running specialized hardware solve complex mathematical problems to validate transactions. In return, miners are rewarded with Bitcoin; but there are more malicious methods to receive this reward without paying for any of the energy or equipment.

According to security experts, zombie crypto-mining exists; some reports have pinpointed North Korean software getting into the thick of it. It is unclear however how often this tactic has been used.

 

The Singapore KuCoin Hack

In September of 2020, a group of ambitious cyberattacks attempted to siphon millions of dollars in cryptocurrency from the Seychelles-based exchange, KuCoin. More than $275 million in various cryptocurrencies were stolen including more than 1000 BTC and $147 million in ERC-20 tokens.

Ethereum and other tokens built upon the Ethereum blockchain, like ERC-20 tokens, make use of smart contracts. These computer algorithms automate many different types of transactions by adhering to a set of rules. While this allowed decentralized finance (DeFi) to boom through various liquidity pools, yield farming and lending, it also proved to be a vulnerability.

The KuCoin hack took advantage of DeFi protocols and decentralized applications to execute several financial transactions, allowing for efficient laundering of these tokens. After stealing ERC-20 tokens, they were moved to a non-custodial wallet and would then go through a decentralized exchange such as UniSwap, converting these tokens into Ethereum.

However, only about $13 million in ERC-20 tokens were sold before developers caught on, freezing the rest of the smart contracts on these exchanges. By forking, Ethereum could reverse some of these transactions. It is the equivalent of Superman flying really fast to reverse time and save Lois Lane, resetting several future events.

That means if I paid for something in Ethereum, or transferred it to a friend on September 26th, this might have been reversed through forking. By October, the exchange had recovered more than 80% of the stolen currency in part due to these forks and other exchanges that froze funds of associated accounts. The rest was recovered through law enforcement and insurance, meaning that no one on the exchange actually lost any money.

According to CEO Johnny Lyu:

“With the efforts of all parties in the industry, we cooperated with exchange and project partners to recovered $222 million (78%), and through further cooperation with law enforcement and security institutions, we recovered another $17.45 million (6%). KuCoin and our insurance fund covered the remainder of around $45.55 million (16%).”

 

Takeaways

According to US intelligence, there are currently more than 6000 North Korean hackers in operation orchestrating these state-sponsored attacks. They are spotted and trained early on for cyber initiatives within the country and have proven themselves a formidable threat. In addition to ransomware attacks, zombie mining and hacking into exchanges, North Korea has also attacked large financial institutions in Bangladesh, almost stealing $1 billion.

The country also hosts blockchain conferences. In 2019, an Ethereum developer named Virgil Griffith gave a talk during one such conference.  as a speaker. He was later arrested upon return to the United States and recently plead guilty to conspiracy charges.

In the meantime, it is wise to make sure you are using exchanges with a long and credible reputation such as Coinbase or Gemini. Regularly update your computer to patch any potential vulnerabilities and backup all of your data in case you are hit with a ransomware attack.

Bitcoin and cryptocurrency will remain an appealing option for the North Korean regime. By finding vulnerabilities in cryptocurrency exchanges, hackers can siphon off a lot of money. Before you know it, the crypto can be divided across multiple intermediary wallets and again obfuscated through various DeFi transactions.

As the cryptocurrency space expands, it will become more and more difficult to cover all of these bases and freeze these fraudulent funds.