North Korean cybercriminals escalated their illicit campaigns throughout 2021, repeatedly hacking cryptocurrency exchanges to syphon hot-wallet funds, launder the gains through decentralised exchanges and mixers, and cash out at Asia-based exchanges. According to new data from the blockchain security firm Chainalysis, the regime's state-backed hackers stole nearly $400 million in cryptoassets last year, with investment firms and centralised exchanges among the victims.
According to the firm's new report, North Korean threat actors used phishing lures, code exploits, malware, and advanced social engineering to steal digital currencies from internet-connected "hot" wallets and route them to addresses controlled by the Democratic People's Republic of Korea. Chainalysis claims that once the tokens were in their possession, "they began a careful laundering process to cover up and cash out."
The firm says much of the activity was likely carried out by APT 38, also known as the Lazarus Group, which is linked to the Reconnaissance General Bureau, North Korea's primary intelligence agency, sanctioned by both the US and the UN. Mandiant's profile of APT 38, a group previously linked to the Sony Pictures and WannaCry attacks, describes it as "a large, prolific operation with extensive resources" that is "characterised by long planning and extended periods of access."
Crimes that Worked
North Korea-linked hackers have generally succeeded for a combination of reasons, according to Erin Plante, senior director of investigations at Chainalysis.
She attributes their success to sophisticated infiltration techniques, typically phishing and social engineering; methodical laundering through mixers and decentralised exchanges; and the ability to cash out at Asia-based exchanges with weak know-your-customer standards.
Chainalysis cites the hack of the exchange KuCoin and another against an unnamed platform, which netted more than $250 million, as evidence of the groups' focus on cryptocurrency crime. The blockchain firm also notes that the United Nations Security Council has warned that revenue from the hacks supports North Korea's weapons programmes.
Flow of Funds
According to the researchers, the number of known North Korean-linked hacks rose from four in 2020 to seven in 2021, and the value extracted grew by 40%. Bitcoin now makes up only about a fifth (20%) of the tokens stolen by the regime; Ether accounts for the lion's share, at 58% of the total.
According to Chainalysis, the state-sponsored theft of various types of cryptocurrencies has also increased the complexity of the regime's laundering operation. The following is how the company documents the process:
* Ethereum Request for Comment 20, or ERC-20, tokens and altcoins are exchanged for Ether via a decentralised exchange, or DEX.
* Ether is mixed and then exchanged for Bitcoin via the DEX.
* Bitcoin is mixed and consolidated into new wallets.
* Bitcoin is then sent to deposit addresses at Asia-based crypto-to-fiat exchanges that serve as cash-out points.
Chainalysis also reports a "massive increase" in North Korean hackers' use of mixers, services that pool and obfuscate tokens from thousands of addresses, in 2021. According to the report, 65 percent of the regime's stolen funds were routed through mixers, up from 42 percent in 2020, which the researchers read as an increasingly "cautious" cash-out strategy.
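The tracing side of the four-step chain above, as an added example that is not Chainalysis's code or anything from its report: a small pro-rata ("haircut") taint tracer in Python, run over a constructed ledger that walks the steps in order (ERC-20 to Ether at a DEX, mix, swap to Bitcoin, mix, consolidate, exchange deposit). Every address, label and USD amount is made up for illustration. It reports the share of stolen value that touched a mixer (the kind of figure behind the 65 percent statistic), what reached exchange deposit addresses, and what is still parked in attacker-controlled wallets, which is what the report later calls unlaundered balances. Pro-rata taint is only one common tracing rule, and the example also shows its limit: a pooled mixer spreads taint onto unrelated withdrawers.

```python
"""Pro-rata ("haircut") taint tracing over a constructed laundering chain.
Added example, not Chainalysis's tooling: addresses, labels and amounts are made up
to mirror the four steps above; amounts are USD-equivalent at transfer time so value
can be followed across assets. Pro-rata taint is one common tracing heuristic."""
from collections import defaultdict
from dataclasses import dataclass
from fractions import Fraction as F

# Attribution labels from clustering / exchange KYC data (constructed for this example).
LABELS = {"victim_hot": "victim", "exch_deposit_a": "exchange_deposit",
          "dprk_1": "attacker", "dormant_1": "attacker", "fresh_1": "attacker",
          "consol_1": "attacker", "consol_2": "attacker",
          "mixer_eth": "mixer", "mixer_btc": "mixer",
          "user_x": "unrelated", "user_y": "unrelated", "user_z": "unrelated"}

@dataclass
class Holding:
    balance: F = F(0)  # value held at (address, asset)
    tainted: F = F(0)  # portion of balance traced back to the theft
    mixed: F = F(0)    # portion of `tainted` that has already passed a mixer

class Tracer:
    def __init__(self, labels):
        self.labels = labels
        self.book = defaultdict(Holding)  # (address, asset) -> Holding
        self.stolen = F(0)                # value taken in steal() events
        self.entered_mixer = F(0)         # stolen value reaching a mixer for the first time
        self.lost_to_swap_fees = F(0)     # tainted value that vanished as DEX fees/slippage

    def _debit(self, key, usd):
        h, usd = self.book[key], F(usd)
        if usd <= 0 or usd > h.balance:
            raise ValueError(f"{key}: cannot move {usd} from balance {h.balance}")
        share = usd / h.balance  # pro-rata: taint leaves with its share of the balance
        t, m = h.tainted * share, h.mixed * share
        h.balance, h.tainted, h.mixed = h.balance - usd, h.tainted - t, h.mixed - m
        if self.labels.get(key[0]) == "mixer":
            m = t  # anything withdrawn from a mixer counts as mixed
        return t, m

    def _credit(self, key, usd, t, m):
        if self.labels.get(key[0]) == "mixer":
            self.entered_mixer += t - m  # count stolen value only on its first mixer deposit
        h = self.book[key]
        h.balance, h.tainted, h.mixed = h.balance + F(usd), h.tainted + t, h.mixed + m

    def fund(self, addr, asset, usd):
        """Clean money entering the picture (victim reserves, other mixer users)."""
        self.book[(addr, asset)].balance += F(usd)

    def steal(self, victim, attacker, asset, usd):
        """The hot-wallet theft: funds arriving at the attacker are fully tainted."""
        self._debit((victim, asset), usd)
        self._credit((attacker, asset), usd, F(usd), F(0))
        self.stolen += F(usd)

    def transfer(self, src, dst, asset, usd):
        self._credit((dst, asset), usd, *self._debit((src, asset), usd))

    def swap(self, addr, asset_in, asset_out, usd_in, usd_out):
        """Same-party DEX swap: the output inherits the input's taint, shrunk by fees."""
        t, m = self._debit((addr, asset_in), usd_in)
        ratio = F(usd_out) / F(usd_in)
        self.lost_to_swap_fees += t * (1 - ratio)
        self._credit((addr, asset_out), usd_out, t * ratio, m * ratio)

    def summary(self):
        by_label = defaultdict(F)
        for (addr, _asset), h in self.book.items():
            by_label[self.labels.get(addr, "unknown")] += h.tainted
        return {"stolen": self.stolen,
                "through_mixer_share": self.entered_mixer / self.stolen if self.stolen else F(0),
                "at_exchange_deposits": by_label["exchange_deposit"],
                "still_in_attacker_wallets": by_label["attacker"],
                "in_mixer_pools": by_label["mixer"],
                "spread_to_unrelated": by_label["unrelated"],
                "lost_to_swap_fees": self.lost_to_swap_fees}

def run_demo():
    """Constructed ledger that walks the four laundering steps; returns the summary."""
    tr = Tracer(LABELS)
    tr.fund("victim_hot", "TOK", 100); tr.fund("victim_hot", "ETH", 200)
    tr.steal("victim_hot", "dprk_1", "TOK", 100)  # ERC-20 and Ether leave the hot wallet
    tr.steal("victim_hot", "dprk_1", "ETH", 200)
    tr.swap("dprk_1", "TOK", "ETH", 100, 98)      # 1: ERC-20 -> Ether at a DEX (2% fee)
    tr.fund("user_x", "ETH", 150); tr.transfer("user_x", "mixer_eth", "ETH", 150)
    tr.transfer("dprk_1", "mixer_eth", "ETH", 250)  # 2: Ether mixed ...
    tr.transfer("dprk_1", "dormant_1", "ETH", 48)   #    ... while some is parked and left alone
    tr.transfer("mixer_eth", "fresh_1", "ETH", 200)
    tr.transfer("mixer_eth", "user_y", "ETH", 200)  #    an unrelated withdrawer picks up taint too
    tr.swap("fresh_1", "ETH", "BTC", 200, 196)      #    ... then swapped for Bitcoin
    tr.fund("user_z", "BTC", 204); tr.transfer("user_z", "mixer_btc", "BTC", 204)
    tr.transfer("fresh_1", "mixer_btc", "BTC", 196)   # 3: Bitcoin mixed ...
    tr.transfer("mixer_btc", "consol_1", "BTC", 100)  #    ... and consolidated into new wallets
    tr.transfer("mixer_btc", "consol_2", "BTC", 100)
    tr.transfer("consol_1", "exch_deposit_a", "BTC", 100)  # 4: deposit addresses at a cash-out exchange
    tr.transfer("consol_2", "exch_deposit_a", "BTC", 100)
    return tr.summary()

if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key:27s} {float(value):8.2f}")
```

Two things the run makes visible that the summary statistics alone do not. First, the numbers balance: whatever is at exchange deposit addresses, parked in attacker wallets, left in mixer pools, spread to unrelated users and lost to swap fees adds back up to the amount stolen, which is the sanity check to run before quoting any tracing figure. Second, once funds enter a pooled mixer, pro-rata taint can only say what fraction of the pool was stolen, so it lands on innocent withdrawers as much as on the attacker's fresh address; investigators therefore treat "routed through mixers" as a statement about deposits into mixers, and need timing or amount heuristics, not taint arithmetic, to link the withdrawals that follow.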
The report also emphasises the regime's reliance on decentralised finance, or DeFi, platforms because they "do not take custody of user funds, and many do not collect know-your-customer information, meaning that cybercriminals can use these platforms without having their assets frozen or their identities exposed."
"We've seen explosive growth in the DeFi ecosystem over the last two years, as well as these actors hacking DeFi platforms and leveraging them for money laundering. I expect that trend to continue into 2022, and it's a warning to new platforms to invest in security early," Chainalysis' Plante tells ISMG.
Unlaundered Funds
The firm also identified $170 million in unlaundered North Korean balances linked to 49 hacks between 2017 and 2021. Of that, $35 million is attributed to attacks in 2020 and 2021, and $55 million to attacks carried out in 2016.
"This suggests that DPRK-linked hackers aren't always quick to move stolen cryptocurrencies through the laundering process," the Chainalysis researchers write. "It's unclear why the hackers would still be sitting on these funds, but it's possible they're hoping law enforcement interest in the cases will die down so they can cash out without being watched."
According to the researchers, in the final stages of the regime-linked hacks, the threat actors moved obfuscated Bitcoin to Asian exchanges, where it was then exchanged for fiat currency, such as China's renminbi.
According to the researchers, these actions "paint a portrait of a nation that supports cryptocurrency-enabled crime on a massive scale. Systematic and sophisticated, North Korea's government... has established itself as an advanced persistent threat to the cryptocurrency industry."
Strengthening Security
According to some security experts, the hackers' Ethereum-based campaigns are unquestionably concerning.
"It's interesting that North Korea and other nation-state cybercriminals are focusing on tokens based on Ethereum," Karl Steinkamp, director of delivery digital transformation and automation at Coalfire, tells ISMG. "This path has been and continues to be fraught with cybersecurity vulnerabilities in one or more components of the token's smart contracts, which are being exploited to rapidly empty individual and admin digital wallets."
"I expect this trend to continue until the Ethereum-based tokens market takes the deliberate step of building more proactive security into each of the products."
"Crypto platform providers must ensure that their employees are protected and do not become conduits for cybercriminals to make their way into the infrastructure," says Hank Schless, senior manager of security solutions at Lookout. "Employees are constantly targeted by mobile phishing and other attacks that would give a cybercriminal access to the company's infrastructure."
BlueNoroff
The new data on Lazarus Group and other RGB-related activity comes on the heels of another warning from cybersecurity and antivirus firm Kaspersky, which said this week that the North Korean-backed gang BlueNoroff is now targeting small and mid-sized cryptocurrency startups in a campaign called "SnatchCrypto" (see: North Korean APTs Target Cryptocurrency Startups).
According to Kaspersky, the gang has ties to the Lazarus Group and has been tracked impersonating phoney crypto-related companies or major venture capital firms to spear-phish crypto platforms and then breach their networks to seize cryptoassets.
By Crypto Pirates