It is well known in the cyber intelligence community that North Korea-linked hackers rely heavily on cyberattacks to finance the country's nuclear weapons program.
While security teams at traditional financial institutions have largely kept pace with their hacking tactics, these attackers are increasingly targeting cryptocurrency businesses, and with much success. North Korea-linked actors stole an estimated US$1.7 billion worth of cryptocurrency last year.
As their infiltration capabilities have become more sophisticated, their tactics to launder and cash out their stolen funds have evolved, too. At the same time, heightened geopolitical tensions have brought North Korea closer to its long-term allies, Russia and China.
Earlier this month, United States Secretary of State Antony Blinken expressed concerns over a growing “two-way street” between some of the world’s most isolated economies — Russia and the Democratic People’s Republic of Korea (DPRK).
From arms flow to technical support, Russian President Vladimir Putin and North Korean leader Kim Jong Un pledged to strengthen their military ties this past September.
Old alliances, new ties
In 2022, the DPRK earned a mere $1.59 billion in trade, a continued decline caused by Covid restrictions and ongoing UN sanctions. However, allies such as Russia and China circumvent existing sanctions entirely by exporting goods or providing over-the-counter brokerage services for money laundering to North Korea.
The relationship between the three countries has historical precedent, dating back to the earliest years of the Korean War. Over time, this relationship has deepened amid the DPRK’s growing penchant for crypto hacking.
Cryptocurrency worth $21.9 million stolen from Harmony Protocol in June 2022 was recently transferred to a Russia-based exchange known for processing illicit transactions, although any ties to the Russian government are unknown.
This not only points to a deepening alliance between DPRK and Russian cybercriminal actors but also mirrors the very same challenges we see today in the non-digital world. Russia is notoriously uncooperative with attempts to seize stolen funds and remains a haven for crypto crime.
Identifying patterns
Tactics employed by DPRK hacking groups have grown in both sophistication and impact, spanning phishing lures, code exploits, malware and even advanced social engineering to siphon funds into addresses they control.
Mixers such as Tornado Cash and Sinbad, which obfuscate the origin of a transaction by mixing it in a pool of funds and then generating a clean address, also make it more challenging to trace transactions.
In this regard, it’s more critical than ever for governments and law enforcement to have the tools and the capabilities required to effectively fight fire with fire.
Building internal capabilities while having access to advanced analytics would not only make it harder for DPRK hacking groups to cash out their funds but would also make traditional enforcement tactics more effective.
In recognition of its role as a preferred tool among DPRK-linked hackers, Tornado Cash was sanctioned by the US Treasury’s Office of Foreign Assets Control (OFAC) last August. Sinbad, too, was sanctioned by OFAC this past November and seized by the US Federal Bureau of Investigation and other multilateral agencies, effectively taking it offline for good.
The success of North Korea’s IT-earnings-to-crypto schemes has likewise been curtailed. In May, OFAC and South Korea’s Ministry of Foreign Affairs (MOFA) sanctioned several entities that enable North Korean IT professionals to find contract work overseas.
By tracing the related transactions, law enforcement identified that these proceeds had been sent back to North Korea-affiliated addresses to support the government’s weapons development programs.
Paramount partnerships
With resources to leverage from its neighbors, it’s becoming increasingly evident that the DPRK’s capabilities to conduct aggressive and even more devastating cyberattacks are growing.
Given their close geographical proximity to the DPRK, other East Asian nations must strengthen their cybersecurity capabilities. This November, South Korea’s National Security Office pledged to strengthen trilateral cyber cooperation by establishing a high-level cyber consultative body along with the US and Japan in a bid to bolster East Asia’s digital defenses.
Already, we’ve seen how international cooperation, combined with public-private partnerships, can make a difference. In September 2022, with the help of law enforcement and leading cryptocurrency organizations, more than $30 million worth of cryptocurrency stolen by DPRK-linked hackers was seized from the March 2022 theft of over $600 million from Ronin Network, a sidechain built for the play-to-earn game Axie Infinity.
What makes this possible is the fact that the use of cryptocurrencies for illicit purposes is a markedly flawed endeavor. With its inherent transparency and traceability on a public ledger, staying ahead of the threats, following the money and disrupting laundering activities is a matter of having the right tools.
On a public ledger, law enforcement always has a trail to follow, even years after the fact, which is invaluable as investigative techniques improve over time. While the DPRK’s tactics have advanced, so too will the capabilities of law enforcement.
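As an added illustration of the "follow the money" point above and of how a mixer interrupts the trail, the following Python script (not part of the original article; the ledger, addresses and labels are constructed) propagates taint from a theft transaction forward through a public ledger and flags the moment stolen funds reach a labelled mixer or exchange:

```python
from collections import defaultdict

# Constructed sample ledger, in confirmation order: (tx_id, sender, receiver, amount).
# None of these are real addresses; "t1" is the theft itself.
LEDGER = [
    ("t1", "victim_bridge", "thief_1", 100.0),
    ("t2", "thief_1", "hop_a", 60.0),
    ("t3", "thief_1", "hop_b", 40.0),
    ("t4", "hop_a", "mixer_x", 60.0),        # deposit into a mixer
    ("t5", "hop_b", "exchange_ru", 40.0),    # deposit at an exchange
    ("t6", "clean_user", "hop_b", 40.0),     # unrelated funds mingle at hop_b
    ("t7", "hop_b", "exchange_ru", 20.0),    # later hop_b transfer is clean
]
# Constructed attribution labels, the kind an analytics provider or OFAC list supplies.
LABELS = {"mixer_x": "mixer (sanctioned)", "exchange_ru": "exchange"}


def trace(ledger, theft_tx, labels):
    """Proportional taint tracing: each outgoing transfer carries the sender's
    current tainted fraction. Returns (tainted, balance, events)."""
    balance = defaultdict(float)   # funds held per address
    tainted = defaultdict(float)   # of which, traceable to the theft
    events = []                    # (tx_id, address, label, tainted amount)
    for tx_id, src, dst, amt in ledger:
        if balance[src] < amt:     # unseen prior holdings: treat as untainted
            balance[src] = amt
        share = 1.0 if tx_id == theft_tx else tainted[src] / balance[src]
        moved = amt * share
        tainted[src] = max(0.0, tainted[src] - moved)
        balance[src] -= amt
        tainted[dst] += moved
        balance[dst] += amt
        if moved > 0 and dst in labels:
            events.append((tx_id, dst, labels[dst], moved))
    return tainted, balance, events


def report(ledger=LEDGER, theft_tx="t1", labels=LABELS):
    tainted, balance, events = trace(ledger, theft_tx, labels)
    for tx_id, addr, label, moved in events:
        print(f"{tx_id}: {moved:.1f} of stolen funds reached {addr} [{label}]")
    return tainted, balance, events


if __name__ == "__main__":
    report()
```

Taint stops at `mixer_x` because the mixer's withdrawals are not linked to its deposits on-chain; the exchange deposit, by contrast, is where an identified counterparty can freeze funds, as in the Ronin seizure described below.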
Combined with the efforts of agencies such as OFAC, we can hope to see an increasingly shrinking ecosystem of platforms and services for illicit activities within the crypto ecosystem.
My hope is that these become far less reliable over time, so that these hacks become harder to execute and less fruitful with each passing year.
Erin Plante is Vice President of Investigations at Chainalysis, Inc, a US-based blockchain analysis firm. The views and opinions expressed here are those of the author in her personal capacity and do not necessarily reflect the views of Chainalysis, Inc.
This material is for informational purposes only and is not intended to provide legal, tax, financial or investment advice. The author makes no representations as to the accuracy or completeness of the information herein.