North Korean hackers launched at least seven attacks on cryptocurrency platforms in 2021, extracting nearly $400 million worth of digital assets, according to a report by the blockchain analytics company Chainalysis.
“These attacks primarily targeted investment firms and centralized exchanges, and used phishing lures, code exploits, malware, and advanced social engineering to divert funds from these organizations’ internet-connected ‘hot’ wallets to addresses controlled by North Korea”, reads the report, which states that once North Korea gained custody of the funds, it began a careful laundering process to cover up and cash out the money.
These complex tactics and techniques have led many security researchers to characterize cyber actors from the Democratic People’s Republic of Korea (DPRK) as advanced persistent threats (APTs).
This is especially true for APT 38, also known as the Lazarus Group, which is run by the DPRK’s main intelligence agency, the US- and UN-sanctioned Reconnaissance General Bureau. “While we will refer to the attackers as North Korea-linked hackers in general, many of these attacks were probably carried out by the Lazarus Group in particular”, the researchers clarify.
The Lazarus Group first gained notoriety with its cyberattacks on Sony Pictures and the WannaCry ransomware campaign, but has since concentrated its efforts on cryptocurrency crime, a strategy that has proven immensely profitable.
Since 2018, the group has stolen and laundered massive amounts of virtual currency each year, typically more than $200 million.
In 2021, North Korea’s hacking activity increased again. From 2020 to 2021, the number of hacks linked to North Korea increased from four to seven, and the value extracted from these hacks grew by 40%.
“Interestingly, in dollar value terms, Bitcoin now accounts for less than a quarter of the cryptocurrencies stolen by the DPRK. In 2021, only 20% of the stolen funds were Bitcoin, while 22% were ERC-20 tokens or altcoins. And for the first time in history, Ether accounted for the majority of stolen funds at 58%”, states the report.
“Once North Korea gained custody of the funds, they began a careful laundering process to cover up and withdraw money,” Chainalysis reports.
However, the hackers seemed slow to launder all the cryptocurrency they stole. The company’s analysis found approximately $170 million in unlaundered cryptocurrency holdings, with around $35 million coming from attacks carried out in 2020 and 2021.
According to the researchers, “these behaviors, taken together, paint a portrait of a nation that supports cryptocurrency-enabled crime on a massive scale. Systematic and sophisticated, the North Korean government, whether through the Lazarus Group or its other criminal syndicates, has established itself as an advanced persistent threat to the cryptocurrency industry in 2021.”
Nonetheless, the inherent transparency of many cryptocurrencies presents a way forward. “With blockchain analytics tools, compliance teams, criminal investigators, and hack victims can track the movement of stolen funds, take advantage of opportunities to freeze or seize assets, and hold criminals accountable for their crimes”, the report concludes.