In addition to stealing cryptocurrencies, North Korean hackers have also learned to mine cryptocurrencies.
Compilation: Carbon Chain Value
Recently, according to a report released by cybersecurity company Recorded Future, the Lazarus Group, a hacker group associated with North Korea, has stolen $3 billion in cryptocurrency over the past six years.
The report claims that in 2022 alone, the Lazarus Group looted $1.7 billion in cryptocurrency, likely funding North Korean projects.
Chainalysis, a blockchain analytics company, said that $1.1 billion of that was stolen from DeFi platforms. The U.S. Department of Homeland Security released a report in September as part of its Analytical Exchange Program (AEP) that also highlighted Lazarus' exploitation of DeFi protocols.
The Lazarus Group's specialty is financial theft. In 2016, it compromised Bangladesh Bank, the country's central bank, and stole $81 million. In 2018, it attacked the Japanese cryptocurrency exchange Coincheck, stealing $530 million, and attempted to steal $390 million from Bank Negara Malaysia.
The highlights of the Carbon Chain Value Compilation Report are for your reference:
Since 2017, North Korea has made the crypto industry a primary target of its cyberattacks, stealing more than $3 billion in cryptocurrency in total. Before that, North Korea compromised banks' connections to the SWIFT network and sent fraudulent transfer instructions to steal funds from financial institutions. That activity drew close attention from international agencies, and financial institutions invested in improving their cybersecurity defenses.
When cryptocurrencies gained popularity and began to go mainstream in 2017, North Korean hackers shifted their theft targets from traditional finance to this new form of digital finance, first targeting the South Korean crypto market and then expanding globally.
In 2022 alone, North Korean hackers are accused of stealing approximately $1.7 billion worth of cryptocurrency, a figure equivalent to approximately 5% of the size of North Korea's domestic economy, or 45% of its military budget. This number is also almost 10 times the value of North Korea's exports in 2021. According to data from the OEC website, North Korea's exports that year were US$182 million.
The tradecraft North Korean hackers use to launder stolen cryptocurrency is largely the same as that of ordinary cybercriminals: mixers, cross-chain swaps to obscure the trail, and over-the-counter (OTC) brokers to cash out into fiat. With a state behind it, however, the operation can be run at a scale that ordinary cybercriminal gangs cannot match.
According to data tracking, approximately 44% of stolen cryptocurrencies in 2022 were related to North Korean hacking.
North Korean targets are not limited to exchanges. Individual users, venture capital firms, DeFi protocols and other projects have all been attacked. Any institution operating in the industry, and any individual working at one, is a potential target, because each successful theft lets the North Korean government keep operating and raising funds.
Any user, exchange operator, or startup founder working in the crypto industry should be aware of the possibility of being targeted by hackers.
Traditional financial institutions should also pay close attention to North Korean hacking groups. Once stolen cryptocurrency is converted into fiat currency, the hackers move the funds between accounts to obscure their origin, often using stolen identities and doctored photos to pass AML/KYC checks. The personally identifiable information (PII) of anyone caught up in an intrusion linked to a North Korean team can be used to open the accounts that complete the laundering of stolen cryptocurrency. Companies outside the cryptocurrency and traditional financial industries should therefore also watch for North Korean activity, and consider whether their data or infrastructure could be used as a springboard for further intrusions.
Most intrusions by North Korean hacking groups begin with social engineering and phishing campaigns. Organizations should train employees to recognize and report such approaches, and should deploy phishing-resistant multi-factor authentication such as FIDO2-based passwordless authentication, whose credentials are bound to the legitimate site's origin and so cannot be replayed from a phishing page.
North Korea clearly views the continued theft of cryptocurrencies as a major source of revenue to fund its military and weapons programs. While it is unclear how much of the stolen cryptocurrency was used directly to fund ballistic missile launches, it is clear that the amount of stolen cryptocurrency, as well as the number of missile launches, has increased significantly in recent years. Without stricter regulations, cybersecurity requirements, and investments in cryptocurrency companies’ cybersecurity, North Korea will almost certainly continue to rely on the cryptocurrency industry as a source of additional revenue to support the state.
On July 12, 2023, the American enterprise software company JumpCloud announced that a North Korean state-backed actor had breached its network. Mandiant researchers later reported that the group responsible was UNC4899, which likely corresponds to "TraderTraitor", a North Korean cluster focused on cryptocurrency. On August 22, 2023, the US Federal Bureau of Investigation (FBI) issued a notice stating that the same North Korean group was responsible for the hacks of Atomic Wallet, Alphapo and CoinsPaid, stealing a combined US$197 million in cryptocurrency. These thefts allow the North Korean government to keep operating under strict international sanctions and reportedly fund up to 50% of the cost of its ballistic missile program.
In 2017, North Korean hackers breached the South Korean exchanges Bithumb, Youbit and Yapizon, stealing cryptocurrency worth approximately $82.7 million at the time. Individual cryptocurrency users were reportedly targeted as well after Bithumb customers' personally identifiable information leaked in July 2017.
In addition to stealing cryptocurrencies, North Korean hackers have also learned to mine them. In April 2017, Kaspersky Lab researchers found Monero mining software installed during an APT38 intrusion.
In January 2018, researchers from South Korea's Financial Security Institute announced that North Korea's Andariel organization invaded an undisclosed company's server in the summer of 2017 and used it to mine approximately 70 Monero coins worth approximately $25,000 at the time.
In 2020, security researchers continued to report new North Korean attacks on the cryptocurrency industry. APT38 targeted cryptocurrency exchanges in the United States, Europe, Japan, Russia and Israel, using LinkedIn to make initial contact with targets.
2021 was North Korea's most prolific year against the cryptocurrency industry: North Korean hackers breached at least seven cryptocurrency institutions and stole $400 million worth of cryptocurrency. They also began targeting altcoins, including ERC-20 tokens, and NFTs.
In January 2022, Chainalysis researchers reported that $170 million worth of cryptocurrency stolen since 2017 was still being held in wallets, not yet laundered.
Notable attacks attributed to APT38 in 2022 include the Ronin Network bridge ($600 million lost), the Harmony bridge ($100 million), the Qubit Finance bridge ($80 million), and the Nomad bridge ($190 million). All four attacks specifically targeted the platforms' cross-chain bridges. A cross-chain bridge connects two blockchains: it locks a user's tokens on one chain and releases an equivalent amount on the other, so the bridge's pooled reserves make it a single high-value target.
In October 2022, the Japanese National Police Agency announced that the Lazarus Group had carried out attacks against companies operating in the cryptocurrency industry in Japan. While no specific details were provided, the statement noted that some companies had been successfully compromised and cryptocurrency stolen.
Between January and August 2023, APT38 allegedly stole about $200 million from Atomic Wallet (two attacks totaling $100 million), AlphaPo (two attacks totaling $60 million), and CoinsPaid ($37 million). In January, the US FBI also confirmed that APT38 was behind the theft of $100 million in virtual currency from Harmony's Horizon Bridge.
In the July 2023 CoinsPaid attack, APT38 operators reportedly posed as recruiters, sending recruitment emails and LinkedIn messages to CoinsPaid employees. CoinsPaid said APT38 spent six months trying to gain access to its network.
Mitigation measures
Here are the recommendations from Insikt Group, Recorded Future's threat research team, for preventing North Korean cyberattacks targeting cryptocurrency users and companies:
- Enable multi-factor authentication (MFA): use hardware security keys such as a YubiKey to protect wallets and transaction approvals.
- Enable every MFA option your cryptocurrency exchange offers to protect the account against unauthorized logins and theft.
- Verify that a social media account is the genuine one before trusting it: impersonation accounts often use usernames with special characters, or digits substituted for letters (a "1" for an "l", a "0" for an "o").
- Confirm that any requested transaction is legitimate, and verify any airdrop or other free cryptocurrency or NFT promotion before interacting with it.
- When an airdrop or promotion claims to come from Uniswap or another large platform, confirm it through the platform's official channels.
- Always check the URL, and watch for redirects after clicking a link, to make sure the site is the official one and not a phishing page.
Here are some tips for defending against social media scams:
- Use extreme caution when trading cryptocurrencies. Unlike a bank transfer or card payment, an on-chain transaction is irreversible and there is no institution to reverse it or absorb the loss, so the safeguards that mitigate "traditional" fraud do not exist.
- Use a hardware wallet. Hardware wallets may be more secure than "hot wallets" like MetaMask, which are always connected to the Internet. For hardware wallets connected to MetaMask, all transactions must be approved by the hardware wallet, providing an additional layer of security.
- Only use trusted dApps (decentralized applications) and verify smart contract addresses to confirm their authenticity and integrity. True NFT minting interactions rely on smart contracts that may be part of a larger dApp. Contract addresses can be verified using MetaMask, a blockchain explorer such as Etherscan, or sometimes directly within the dApp.
- Double-check the URL of the official website to avoid imitations. Crypto-stealing phishing pages often rely on misspelled or look-alike domain names to trick unsuspecting users.
- Be skeptical of offers that seem too good to be true. Cryptocurrency stealing phishing pages lure victims with favorable cryptocurrency exchange rates or low gas fees for NFT minting interactions.
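Two of the checks above, spotting a username with digits or symbols swapped in for letters and spotting a misspelled or look-alike domain, are the same problem: does this identifier merely resemble an official one? The following is an added example, not code from Insikt Group or any project on this page, that automates both checks. It collapses visually confusable characters to a "skeleton", strips the padding words impersonators append ("official", "support"), and compares against an allowlist by edit distance. The official handles and domains, the confusables table, and all sample inputs are constructed assumptions for illustration.

```python
"""Look-alike detection for social-media handles and URLs (added example).

Assumptions: the official handle/domain lists below are illustrative,
the confusables table is a practical subset rather than the full Unicode
confusables list, and "registrable domain" is approximated as the last
two host labels (correct for .org/.io/.com, not for suffixes like .co.uk).
"""
from __future__ import annotations
import unicodedata
from urllib.parse import urlsplit

# Constructed allowlists for the example.
OFFICIAL_HANDLES = ["Uniswap", "MetaMask", "etherscan"]
OFFICIAL_DOMAINS = ["uniswap.org", "metamask.io", "etherscan.io"]

# Characters impersonators swap in for Latin letters: digits, symbols and
# Cyrillic/Greek letters that render identically in most fonts.
_CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b",
    "@": "a", "$": "s", "|": "l", "!": "i",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic а е о р
    "\u0441": "c", "\u0445": "x", "\u0443": "y",                 # Cyrillic с х у
    "\u0131": "i", "\u03bf": "o",                                # dotless i, omicron
}
_MULTI = {"rn": "m", "vv": "w"}          # two glyphs that read as one
_PADDING = ("official", "support", "team", "help", "airdrop", "giveaway")


def skeleton(s: str, strip_separators: bool = False) -> str:
    """Collapse a string so that look-alikes map to the same value."""
    s = unicodedata.normalize("NFKC", s).lower()   # fullwidth etc. -> ASCII
    s = "".join(_CONFUSABLES.get(ch, ch) for ch in s)
    for seq, rep in _MULTI.items():
        s = s.replace(seq, rep)
    if strip_separators:                           # "Uni_swap.eth" -> "uniswapeth"
        s = s.replace("_", "").replace(".", "").replace("-", "")
    return s


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _strip_padding(sk: str) -> str:
    for word in _PADDING:
        sk = sk.replace(word, "")
    return sk


def check_handle(handle: str, official: list[str]) -> tuple[str, str | None]:
    """Classify a handle: ('official', h), ('lookalike', h) or ('unrelated', None)."""
    h = handle.lstrip("@")
    for off in official:
        if h.lower() == off.lower():
            return "official", off
    sk = _strip_padding(skeleton(h, strip_separators=True))
    for off in official:
        sk_off = _strip_padding(skeleton(off, strip_separators=True))
        # Distance 1 covers a single typo or one unmapped confusable; the
        # length guard avoids matching very short names by accident.
        if sk == sk_off or (len(sk_off) >= 5 and edit_distance(sk, sk_off) <= 1):
            return "lookalike", off
    return "unrelated", None


def check_url(url: str, official: list[str]) -> tuple[str, str | None]:
    """Classify a URL's host against official domains.

    'official'  : the domain itself or a real subdomain of it
    'lookalike' : embeds, typosquats or homoglyph-spoofs an official domain
    'unrelated' : no resemblance
    """
    host = (urlsplit(url).hostname or "").rstrip(".")
    if not host:
        return "unrelated", None
    if "xn--" in host:                    # punycode IDN -> Unicode for comparison
        try:
            host = host.encode("ascii").decode("idna")
        except UnicodeError:
            pass
    for dom in official:
        if host == dom or host.endswith("." + dom):
            return "official", dom
    labels = host.split(".")
    registrable = ".".join(labels[-2:])   # assumption: two-label suffix
    sld = labels[-2] if len(labels) >= 2 else host
    for dom in official:
        off_sld = dom.split(".")[0]
        # Official name embedded in someone else's domain, or same name
        # under a different TLD: uniswap.org.claim-rewards.com, metamask.com
        if dom in host or off_sld in registrable:
            return "lookalike", dom
        # Typo or homoglyph on the second-level label: unisvvap.org
        if edit_distance(skeleton(sld), skeleton(off_sld)) <= 1:
            return "lookalike", dom
    return "unrelated", None


if __name__ == "__main__":
    for h in ["Uniswap", "@Un1swap_Official", "MetaMask_Support", "Metarnask", "CoinsPaid"]:
        print(f"{h:20s} -> {check_handle(h, OFFICIAL_HANDLES)}")
    for u in ["https://app.uniswap.org/swap", "https://uniswap.org.claim-rewards.com/",
              "https://unisvvap.org/airdrop", "https://metamask.com/", "https://www.coinbase.com/"]:
        print(f"{u:42s} -> {check_url(u, OFFICIAL_DOMAINS)}")
```

Note what this does not do: it cannot follow the redirect chain that the "watch for redirects" item warns about, since that requires fetching the link; run the final landing host, not the link text, through `check_url`. A "lookalike" verdict is a reason to stop and verify through a channel you already trust, not proof of fraud, and an "unrelated" verdict only means the name resembles nothing on your allowlist.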