How North Korea developed into a leader in crypto-cyber crime

Axie Infinity, developed by a Vietnamese gaming studio, allows users to breed, trade, and battle cartoon monsters similar to Pokémon in order to win cryptocurrencies, including the game's own "Smooth Love Potion" digital token. It once had more than a million active players.

However, a North Korean hacking group hacked the network of blockchains supporting the game's virtual world earlier this year and made off with over $620 million worth of the ether cryptocurrency.

The FBI, which promised to "continue to expose and combat [North Korea's] use of illicit activities — including cyber crime and cryptocurrency theft — to generate revenue for the regime," verified the crypto heist, one of the largest of its kind in history.

The profitable crypto heists demonstrate North Korea's increasing sophistication as a malign cyber actor. Along with China, Russia, and Iran, it is considered one of the world's four main nation state-based cyber dangers by Western security agencies and cybersecurity firms.

A UN panel of experts tasked with keeping an eye on the enforcement of international sanctions claims that the money collected by North Korea's illegal cyber operations goes toward funding its ballistic missile and nuclear programs. North Korea "uses cyber to gain, we estimate, up to a third of their funds for their missile program," according to Anne Neuberger, US deputy national security adviser for cyber security.

According to the crypto analysis company Chainalysis, North Korea stole $1 billion from decentralized crypto exchanges in the first nine months of 2022.

The sudden demise of FTX, one of the largest exchanges, this week has brought to light the market for digital assets' key characteristics of opacity, inconsistent regulation, and speculative frenzy. The increased use of cryptocurrency heists by North Korea has also served to highlight the lack of substantive global regulation of the same markets.

According to analysts, the skill and scope of the Axie Infinity attack made clear how helpless the US and its allies seem to be to stop widespread North Korean cryptocurrency theft.

Of the stolen cryptocurrency, just roughly $30 million have been found so far. That came after a coalition of law enforcement agencies and crypto research firms tracked some of the stolen assets through a number of decentralized exchanges and so-called "crypto mixers," or software tools that can mix up different users' crypto holdings in order to conceal their sources.

The US imposed sanctions on the Tornado Cash mixer in August, one of the rare law enforcement steps since the theft, according to the US Treasury, who claimed that the hackers had used it to launder more than $450 million of their stolen Ethereum.

Since then, the US has designated the crypto mixer on the grounds that it was allegedly used to enable North Korean hackers who in turn supported the regime's development of weapons of mass devastation.

Experts warn that the issue is likely to only get worse over the next decade as crypto exchanges become more decentralized and more goods and services — both legal and illegal — are made available for purchase with cryptocurrency. It also highlights the opportunities provided by the unregulated world of cryptocurrencies to many other rogue regimes and criminal actors around the world.

Allison Owen, a research analyst at RUSI's Centre for Financial Crime and Security Studies, argues, "We are not anywhere near where we need to be when it comes to regulating the cryptocurrency industry."

"Countries are taking steps in the right direction, but North Korea will continue finding creative ways to evade sanctions."

North Korea's hereditary dynasty has a colorful history of using illicit activity to amass foreign currency, much like some of the communist regimes it formerly depended on but has since outlived.

The current North Korean leader Kim Jong Un's grandfather, Kim Il Sung, gave Kim Jong Il the responsibility of establishing a cell within the ruling Workers' Party of Korea in order to earn money for the dictatorship's founding family.

One of many entities established by the regime to generate billions of dollars annually via schemes ranging from manufacturing and distributing fake cigarettes and US dollar bills to selling illicit drugs, minerals, weaponry, and even endangered animal species was known as Office 39.

In order to support this illegal shadow economy, which continues to function through a convoluted network of shell companies, financial institutions, foreign brokers, and organized crime groups that aid the country's proliferation and sanctions evasion efforts, North Korean officials, diplomats, spies, and other assorted operatives were all mobilized.

As part of the Kim regime's efforts to advance its then nascent nuclear weapons program in the late 1980s and early 1990s, Pyongyang has also spent the last few decades bolstering its strong cyber capabilities.

Kim Jong Il viewed the importance of networked computers as an effective way to manage government officials while remaining in isolation, according to regime defectors. Additionally, he considered them as a foundation for the country's development of conventional and nuclear weapons.

According to a remark by Kim Jong Il found in a book produced by the North Korean army, "if the internet is like a gun, cyber attacks are like atomic bombs." But the nation's cyber capabilities did not start to draw attention from abroad until his son Kim Jong Un came to power in 2011.

Potential members of North Korea's army of about 7,000 hackers are discovered while still in school, despite the fact that less than 1% of the country's population is thought to have restricted and tightly watched internet access. Then, in prestigious government institutions, they are trained and nurtured. Some of them even receive training and further experience abroad, in China and other nations.

According to Erin Plante, vice-president of investigations at Chainalysis, "They train people who show early indications of being strong in cyber and they send them to other places around the world and embed them into organisations, embed them into the society and culture. You have these hacking cells based all around the Asia-Pacific region merging in with the rest of the tech community."

Prior to the publication of The Interview, a Hollywood movie about a fictitious assassination attempt on Kim Jong Un, North Korean hackers attacked Sony Pictures in 2014. The computer network of the production studio was compromised, and then executives were threatened with the leaking of private and embarrassing internal documents.

In 2016, a raid on Bangladesh's central bank came after that. The same group that carried out the Axie Infinity breach, the Lazarus Group, infiltrated the bank's computer network and lingered there for a year before giving the Federal Reserve Bank in New York the order to withdraw $951 million in Bangladeshi reserves.

The funds were moved to a bank in the Philippines, and it was not until one of the orders contained a word that was also the name of an Iranian ship that US authorities became aware of the transaction. Less than 10% of the stolen funds was ultimately recovered.

Additionally, North Korean hackers have shown off their offensive prowess by utilizing ransomware assaults to wreak havoc throughout the globe. The devastating WannaCry virus, which affected at least 200,000 computers at hospitals, oil firms, banks, and other organizations worldwide in 2017, was unleashed by the Lazarus Group.

The Ronin Network, a supposedly highly secure "cross-chain bridge" that connects various blockchains, supported the transactions on the Axie Infinity game. Five out of nine private keys—digital compartments that hold vital data and enable hackers to authorise withdrawals in their favor—were compromised by hackers.

The Axie Infinity hack reveals how North Korean hackers can now "exploit new vulnerabilities in the latest blockchain technologies almost as quickly as they arise," said Nils Weisensee of the Seoul-based information agency NK Pro.

According to Weisensee, "just a few years ago, North Korean hackers were specialising in distributed denial-of-service attacks, which is a relatively crude method of flooding your victims' servers with internet traffic. But if a DDoS attack is the cyber equivalent of beating someone with a baseball bat, then the successful raids on cross-chain bridges like Ronin and Horizon are the equivalent of stealing someone's wallet through a hole in their pocket they didn't even know existed."

The Bangladesh Bank theft is used by analysts as an illustration of how much more labor and time-intensive it is to attack traditional financial institutions.

Before carrying out the robbery, the North Korean hackers who broke into the bank's computer network prowled around in the system for a year. The money was transported through a number of banks to casinos in Manila, where agents had to spend a number of laborious weeks playing baccarat with the stolen funds in order to exchange them for clean currency. After being delivered to Macau, the clean money was probably sent on to North Korea.

Additionally, cryptocurrency presents potential money-launderers with a brand-new possibility. Hackers employ a technique known as a "peel chain," which involves setting up a lengthy chain of addresses and "peeling off" little sums of virtual money with each transfer, to avoid setting off alerts on cryptocurrency exchanges by making huge deposits all at once. A US Treasury indictment from 2020 claims that two Chinese nationals used this technique to transfer $67 million in bitcoin on behalf of North Korean hackers, carrying out 146 distinct transactions between them.
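The peel-chain pattern described above is something a transaction-graph analyst can look for directly. The following is an added example, not code from the article or from Chainalysis: it walks a constructed set of transactions (addresses and amounts are made up) and flags a chain in which each hop forwards the bulk of the value to a fresh address while peeling off a small amount to somewhere else.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple


class Tx(NamedTuple):
    txid: str
    src: str                 # address that spent the input
    outputs: Dict[str, int]  # destination address -> amount (integer units)


def follow_peel_chain(txs: List[Tx], start: str,
                      peel_ratio: float = 0.2, min_hops: int = 3) -> dict:
    """Follow the chain of 'continuation' outputs from `start`.

    A hop counts as a peel when the address has exactly one spend, that spend
    has one dominant output (the continuation) and the remaining outputs
    together are at most `peel_ratio` of the value. The walk stops at the
    first transaction that does not look like a peel (e.g. an even split).
    """
    by_src = defaultdict(list)
    for tx in txs:
        by_src[tx.src].append(tx)

    addr, hops, peeled, peel_addrs, seen = start, 0, 0, [], {start}
    while len(by_src.get(addr, [])) == 1:
        tx = by_src[addr][0]
        total = sum(tx.outputs.values())
        cont_addr, _ = max(tx.outputs.items(), key=lambda kv: kv[1])
        peels = {a: v for a, v in tx.outputs.items() if a != cont_addr}
        if not peels or sum(peels.values()) > peel_ratio * total:
            break
        hops += 1
        peeled += sum(peels.values())
        peel_addrs.extend(peels)
        if cont_addr in seen:      # loop guard for self-referencing graphs
            break
        seen.add(cont_addr)
        addr = cont_addr
    return {"hops": hops, "peeled": peeled, "peel_addrs": peel_addrs,
            "suspicious": hops >= min_hops}


# Constructed sample: 100,000 units enter at A0; each hop peels 500 units to
# a deposit address X<n> and forwards the rest to the next address A<n>.
SAMPLE_TXS = [
    Tx(f"t{i}", f"A{i}", {f"A{i + 1}": 100_000 - 500 * (i + 1), f"X{i + 1}": 500})
    for i in range(5)
]
# A benign even split, which must not be counted as a peel hop.
SAMPLE_TXS.append(Tx("t9", "B0", {"B1": 50_000, "B2": 50_000}))
```

Running `follow_peel_chain(SAMPLE_TXS, "A0")` reports five hops and 2,500 units peeled, while starting from `B0` reports none.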

According to Weisensee, "because blockchain technology is a child of the internet, everything you need to know about its vulnerabilities can also be found on the internet. All you need is smart people, and the North Koreans have that."

Researchers at the Belfer Center for Science and International Affairs at Harvard University claim that North Korea has also been building up its digital currency holdings by operating its own crypto-mining operations, which are fueled by large coal reserves that Pyongyang is unable to export due to UN sanctions.

The researchers point out that while adopting a "proof of stake" mechanism for the Ethereum blockchain is less harmful to the environment, it may allow North Korea, which struggles with energy shortages, to boost the amount of money it can afford to make from cryptocurrency mining.

Non-fungible tokens, or NFTs, have grown in popularity, and North Korea has been able to take advantage of this, either by artificially inflating their value using a method known as "wash trading," by utilizing NFTs to launder stolen money, or by outright stealing through spear-phishing assaults.

North Korean hackers reportedly carried out an illegal initial coin offering for a phony blockchain that promised investors digital tokens in exchange for ownership of tiny stakes in its shipping fleet, according to a US justice department indictment that was unveiled in 2021.

Weisensee claims that North Korean hackers have ongoing opportunity to innovate due to the rapid growth of blockchain technology.

"If you look at the vulnerability they exploited in the Swift financial messaging service for the Bangladesh Bank heist, that is something that could be fixed relatively easily — it would be a hard operation to repeat," he says. "But crypto is evolving so quickly, and the North Koreans are so adept at tracking these developments, that they are regularly one step ahead of those who are trying to stop them."

It is challenging to pinpoint and follow the techniques used by North Korean hackers. It is even more difficult to stop them.

In 2018, US prosecutors charged a North Korean hacker named Park Jin Hyok with orchestrating numerous assaults, including those on Sony, Bangladesh Bank, and WannaCry, on behalf of the Kim dictatorship.

At the time, John Demers, an assistant attorney general in the national security section of the Department of Justice, stated that these acts "run afoul of acceptable norms of behavior in cyber space and the international community must address them. Working for a foreign government does not immunise criminal conduct."

Analysts point out that neither Park nor the two additional North Korean hackers identified by the US in 2021 as members of the country's military intelligence branch have ever been prosecuted for their involvement in hacking or cyber theft operations.

In its efforts to find foreign nationals allegedly helping North Korea, the US has had better success.

As a result of his participation in a blockchain conference in Pyongyang in 2019, American crypto researcher Virgil Griffith was given a five-year prison sentence by a New York court in April. British crypto expert Christopher Emms, who the US accused of helping to organize the conference, fled after being first detained in Saudi Arabia earlier this year.

This month, a US court handed down an 11-year term to Nigerian influencer Ray Hushpuppi for collaborating with North Korean hackers to launder money taken from a Maltese bank in 2019.

However, experts claim that while Washington has taken action against a few organizations, such as banks, exchanges, and cryptocurrency mixers, nothing it has done appears to have significantly impeded North Korea's exploitation of the widespread use of digital currencies around the world.

This is due in part to the character of North Korea itself. Of the four nations Demers referred to as America's "principal adversaries in cyber space," North Korea is the only one with the ability or willingness to mobilize its full state machinery in support of its international criminal operations.

According to Plante of Chainalysis, "If any of the larger nations that have stronger cyber capabilities decided that they were going to use those capabilities to steal cryptocurrency, they would be far more successful than North Korea. But they can’t do so without damaging their ability to function in the legitimate global ecosystem."

According to Weisensee, "Unlike China, Russia and Iran, North Korea has no stake in the global financial system, and economically speaking they have almost nothing to lose."

South Korea participated in the annual multilateral cyber exercise run by US Cyber Command for the first time last month, strengthening their cooperation in the face of cyberattacks from North Korea. Analysts also point out that it is challenging to respond to North Korean cyber operations considering how little of the country's infrastructure and society are linked to or reliant on the internet.

Desmond Dennis, a cyber expert and former special agent with the FBI and the US Defence Intelligence Agency, claims that North Korea "poses a potential danger to our critical infrastructure, but it is hard to see how we can retaliate short of a total cyber war. That would likely be interpreted by Pyongyang as amounting to a conventional act of war, and against a state that possesses nuclear weapons."

But if the cybercrimes have revealed anything about North Korea, it is that there is no real worldwide regulation of the cryptocurrency industry.

According to Rohan Massey, partner at the US law firm Ropes & Gray, "If we look back on sanctions in every other area of economics, they are highly matured markets that have clear regulation. But crypto is a totally new asset. A lack of any real global understanding and jurisdictional regulation can be utilised quite easily."

Additionally, observers have noticed unsettling market trends that could benefit North Korea. They include the rise of new cryptocurrencies like monero, whose use is considerably harder to trace than bitcoin, and the prevalence of decentralized exchanges, which are tougher for law enforcement agencies to target.

Despite the unrest in the cryptocurrency markets, some analysts think that more and more products and services will be available for purchase with cryptocurrencies. If that occurs, according to Weisensee, North Korea would be increasingly able to completely avoid the traditional financial system, reducing the "choke points" through which the US and other countries would be able to use their leverage.

According to him, "It’s very possible that technological advances will allow us to gain greater insight into North Korea’s operations — but stopping them is a different thing altogether. You could already use crypto to buy missile parts on the dark web years ago — so imagine what you could buy a few years from now."
