North Korea accelerates nuclear missile programme with ‘treasure sword’ — $1.7bn from crypto heists

North Korea has turned its cyber operations into an 'all-purpose sword'.

The short-range ballistic missile that North Korea fired into the Sea of Japan on March 19 was the country’s fourth in a week. Three days earlier, the Hermit Kingdom test-fired an inter-continental ballistic missile, its second of the year.

This high rate of testing consumes a lot of funding, especially for a pariah nation that has long been sanctioned economically by the US and its allies for failing to stop developing and testing nuclear weapons.

But Kim Jong-un, North Korea’s supreme leader, has tapped a new wellspring of funds to finance his nuclear weapons programme — cryptocurrency heists.

All-purpose sword

North Korea calls crypto its “treasure sword,” said David Maxwell, senior fellow at the Foundation for the Defense of Democracies, a non-partisan think tank in Washington.

While the regime has long engaged in drug trafficking, counterfeiting, and other illicit activities to raise cash, the biggest money spinner now appears to be the “all-purpose sword”: its cyber operations.

North Korea deploys its blade in various ways, said Maxwell, a retired US Army Special Forces colonel who specialises in North Korea and China: “To conduct espionage, to conduct cyber reconnaissance for future activities, and of course, most importantly, the cyber-hacking of crypto to really gain a lot of money.”

And it really is a lot of money. In 2022, North Korea stole a record $1.7 billion of crypto, according to a report released in February by the blockchain analysis firm Chainalysis. That is more than 12 times the $142m of exports that the country managed in 2020.

“All the money [the North Korean hackers] cash out goes to fund their missile programme,” Erin Plante, vice-president of investigations at Chainalysis, told DL News.

North Korea’s cryptocurrency operations made headlines last August after the US Treasury Department sanctioned Tornado Cash, a so-called crypto mixer that anonymises transactions. Officials said the Lazarus Group, a state-sponsored hacking outfit, laundered $455 million in money stolen in the biggest crypto heist ever through Tornado Cash.

While the US has more than a billion internet protocol addresses, North Korea has little more than 1,000, a sign of how isolated the Asian nation is from a digitally-connected world.

How does its regime run the world’s most advanced crypto theft operation? What does this mean for individual crypto owners? And is it possible to break the all-purpose sword?

If you are born North Korean, you are born into one of three castes and 51 classes. It is a brutal system. If you are in one of the lowest classes, you will be condemned to a life of slave labour. The labourers probably form the bulk of North Korea’s uranium miners — another key component of the country’s nuclear programme.

But there are ways of making a better life for yourself. Perform well in school and the regime will take note. Those with an aptitude for sport might be trained as athletes, while those who shine intellectually might be identified as potential recruits for North Korea’s 7,000-strong army of hackers.

Every action monitored

These individuals’ intellectual capabilities allow them to live a somewhat better life: better rations, maybe even some luxury goods. But they are by no means treated like world-class athletes, Maxwell told DL News. Their every word and action is monitored.

“They are working for the Kim family machine and they are subject to the same oppression as all North Koreans,” said Maxwell.

The hackers are trained for six years at schools such as Kim Chaek University of Technology and Kim Il-Sung University.

Then they are put to work in what Plante said may be “a factory environment where you’re working for long hours and it’s difficult to leave.” The hackers are reported to work seven days a week, up to 20 hours a day.

Lazarus operatives

The pointy end of the “all-purpose sword” is the unit known to the North Korean government as 414 Liaison Office, but to the rest of the world as the Lazarus Group. It is believed to have two arms: one interferes with South Korea and the other, known as BlueNorOff, is tasked with raising money.

The money-raising attacks come in two parts, says Plante. First, there is “the technical part where you’re actually hacking in.” Lazarus targets crypto exchanges, DeFi protocols and cross-chain bridges, sometimes finding existing vulnerabilities, and sometimes using “social engineering.”

This refers to activity in which a human is duped into handing over key information or unwittingly downloading malware into the system. Lazarus is then able to gain access to private keys.

More elliptically, Lazarus operatives sometimes infiltrate businesses by applying for jobs and working for more than a year before initiating an attack. “They’re very patient and sophisticated in that way,” said Plante.

Jon Wu, head of growth at the web3 privacy layer company Aztec Network, has told the story of interviewing a job candidate giving himself away as a North Korean hacker.

The applicant did not turn his camera on, spoke stilted, over-formal English with a thick Korean accent, and sounded like he was in a cramped room full of other people talking loudly.

“I’ve had loads of friends, acquaintances, and industry peers come out not only saying they’re convinced they’ve interviewed North Korean workers but fallen victim to actually hiring them,” Wu told DL News. “It’s sad to imagine this as a North Korean sweatshop, or worse, full of potentially innocent people forced into spam-interviewing crypto firms until they get an in.”

After the infiltration comes the laundering. Immanuel Chavoya, of the cybersecurity company SonicWall, explains that Lazarus’ hackers take those illicit crypto gains and then blend them.

Mixers

“They distribute them to try to make it difficult for researchers to attribute the threat activity and follow it all the way back.” These blending services are also known as mixers.

Last March, Lazarus authored the biggest crypto hack of all time: a $625m raid on the bridge connecting Ronin Network, a blockchain that hosts games such as Axie Infinity, to the main Ethereum blockchain. The attack was the result of successful phishing, says Plante.

The attack, said Plante, was “a turning point event where suddenly the US National Security Council cared and wanted to hear about it.”

Plante herself briefed the NSC. Some of the money has been clawed back. A year on from the attack, “we’ve seen three major actions against mixers. We’ve seen many successful seizures of their funds. We’ve seen a lot of positive momentum to stop North Korea.”

Tides are turning

As for individual crypto investors, they should be aware of the risks of having their assets in these exchanges, said Chavoya. North Korean crypto hacking is so important to the Kim regime that it is going to continue scaling despite tighter restrictions, Chavoya said.

Plante thinks that the crackdown on mixers will contribute to North Korea finding it more difficult to cash out. “The people fighting Lazarus are getting much stronger. The tides are turning.”

If so, North Korea’s record crypto plunder of 2022 might not be matched in 2023, and those missile tests might become a little less frequent.