North Korea has industrialized the theft of cryptocurrency to finance its nuclear weapons program, and its state-sponsored hackers are getting better at emptying digital wallets. But global law enforcement agents are in hot pursuit, and cashing out crypto is harder than ever.
The threat on the screen was clear and simple enough: I've encrypted your files — and if you don't pay me within a week, you'll never be able to recover them.
At noon on May 12, 2017, a red alert page popped up on the computer screens of more than 300,000 Windows users worldwide, asking them to transfer approximately $300 worth of Bitcoin to recover their files.
The virus was later named "WannaCry." Victims thought it was an ordinary cryptocurrency ransomware incident, but the U.S. government later said that Lazarus, a hacking group owned by the North Korean government, was behind the worst-ever cryptocurrency ransomware cyberattack, which eventually swept through more than 150 countries.
In North Korea, less than 1% of the population has access to the country's Intranet service, which is called Kwangmyong, but the country's government has still produced some of the best hackers in the world, on par with superpowers like the U.S., China and Russia.
In recent years, the Pyongyang government has taken advantage of the decentralized nature of cryptocurrencies and has used its two-decade-old cyberwarfare capabilities to raise money to fund nuclear weapons research through large-scale financial extortion like WannaCry — and it has been very successful.
Bangladesh bank hack
The international community first truly recognized North Korea's cyber warfare capability during the Bangladesh Bank hack in Jan. 2015. At the time, several employees of the bank received what appeared to be a standard job application email. But the attached resume and cover letter contained a virus that, when downloaded, connected to the Society for Worldwide Interbank Financial Telecommunication (SWIFT) network.
Posing as the Central Bank of Bangladesh, the virus sent multiple instructions to illegally transfer $1 billion in funds from the Federal Reserve Bank of New York through the SWIFT system. Fortunately, one of the instructions attempted to transfer funds to a bank branch located on Jupiter Street in Manila, Philippines, and the word "Jupiter" happened to be the name of a sanctioned Iranian vessel, which drew the FBI's attention to the request and led to the suspicious transaction being put on hold. Five transactions still went through, and the hackers got away with $81 million in stolen funds.
The attack showed that North Korea had clearly developed a much more sophisticated strategy than previous attacks. In this case, hackers lurked in the banking system for a year, gathering information and buying time before taking action.
The hackers took advantage of the weekend in Bangladesh, the time difference in New York and the Filipino Lunar New Year holiday to get more time to send the money. After receiving the funds, they chose to transfer the money to a bank account in Manila, the capital of the Philippines, then transferred most of the amount to a casino, where they laundered the money at the gaming tables before transferring it back to North Korea.
This Bangladesh bank heist forced the West to realize that North Korea's cyber forces are more powerful than imagined. And the heist also strengthened North Korea's resolve to steal cryptocurrencies: although North Korea got away with $81 million, this was just one-tenth of the targeted $1 billion.
At the same time, the elaborate money laundering process North Korea had to go through wrote off another 90 percent of the targeted funds. After this operation, North Korea learned how labor-intensive and time-consuming the requirements of traditional financial institutions can be.
But with the rise of cryptocurrencies, North Korea saw the decentralized technology – an open financial system without the need to go through banks or government-regulated financial institutions – as a way to bypass sanctions, skip the money laundering process and put the proceeds directly into its nuclear weapons program.
North Korea's cyber history
The Pyongyang government's ambitions for cyber attacks date back to the 1990s. In the Gulf War, which began in 1990, the U.S.-led coalition used electronic equipment in addition to conventional weapons to assist in taking down Iraq. The Chinese Communist Party at the time saw the potential of electronic warfare and set up a research group dedicated to exploring "electronic intelligence warfare."
According to a book published by the Korean People's Army (KPA), after then-Supreme Leader Kim Jong Il saw the report, he said "If the Internet is like a gun, a cyber attack is like an atomic bomb," before directing KPA General Staff to develop an "information warfare" capability in order to support its nuclear weapons program.
As early as 2008, the North Korean government established Bureau 121, also known as the Electronic Reconnaissance Department or Cyber Warfare Guidance Department, within the Reconnaissance Bureau of the KPA General Staff. It was tasked with conducting cyber attacks and cyber espionage and collecting intelligence on overseas politics, economy and society.
In 2009, North Korea merged all of its intelligence and internal security services into the Reconnaissance General Bureau (RGB) of the General Staff of the Korean People's Army, which includes Bureau 121.
Bureau 121 now has an estimated 3,000 to 6,000 employees in various countries, including China, India, Malaysia and Russia. Its sections include "APT 37" and "Kimsuky," which specialize in political cyber espionage, while "Lazarus," which launched the WannaCry attack, focuses on financial blackmail.
In 2012, Kim Jong-un came to power and inherited his father's ambition to develop cyber warfare. The year after he came to power, Kim Jong-un publicly declared that cyber warfare, nuclear weapons and missiles are all the same, "an all-purpose sword"; with their "ruthless targeting capability," North Korea's military can be invincible. This declaration set the stage for North Korea's cyber attack-centric strategy to date.
North Korea's earliest documented cyber attack was Operation Troy, against South Korea in 2009. In the early days of discovering the power of cyber warfare, the Pyongyang government aimed to demonstrate its cyber capabilities on the international stage. The attack also coincided with the country's second nuclear test, when North Korea took an uncompromising stance on military policy and cyber strategy, with no fear of retaliation.
Between 2013 and 2016, North Korea's cyber activities increasingly aimed to gather information, and the country repeatedly launched distributed denial-of-service (DDoS) attacks on its main enemies, South Korea and the U.S., which briefly disrupted or even paralyzed the operations of government agencies, electrical infrastructure, military systems and more. Cyber espionage was also common during this period, with at least six major espionage attacks against South Korea alone.
North Korean hackers gradually improved their skills, and the attacks were no longer limited to South Korea and the U.S., nor were the means limited to DDoS. After 2015, North Korea shifted away from attacking traditional banks and financial institutions to stealing decentralized cryptocurrencies, which it used to continue funding major nuclear tests.
North Korea's rapid nuclear development is due to the Kim Jong-un government's use of the "all-purpose sword" of cyberattacks – a year-long focus on training a cyber army of hackers to steal large sums of money through cyberattacks targeting government agencies, financial institutions and even the general public.
Kim Jong-un ordered an increase in weapons-grade nuclear material to boost the country's nuclear arsenal, and North Korea launched a record number of at least 90 missiles in 2022 alone. The U.S. and South Korean governments believe preparations for a seventh nuclear weapons test have been completed.
U.S. Deputy National Security Advisor Anne Neuberger estimates that about one-third of the cryptocurrency stolen by North Korea was used for its weapons program. The UN report also said the cryptocurrency stolen by North Korea through cyberattacks is an "important source of revenue" for Pyongyang's nuclear and ballistic missile programs.
Citing a UN report that is not publicly available, Reuters reported that North Korea stole a record haul of cryptocurrencies in 2022 — $1.7 billion, according to an analysis of publicly available transaction data by blockchain analysis firm Chainalysis. Compared to North Korea's total exports of just $142 million in 2020, it is clear that cryptocurrency hacking has become a major source of revenue for the North Korean treasury.
In the traditional financial industry, fiat currencies such as the U.S. dollar and the Hong Kong dollar are issued by centralized institutions and rely on financial institutions to carry out transactions, such as withdrawing and depositing fiat currency through banks. In contrast, cryptocurrencies are built on blockchain technology, are not issued by any central authority and can be used to create "wallets" that receive and send funds pseudonymously, without relying on banks to verify transactions.
When users transfer cryptocurrency funds, the transactions are recorded on a distributed ledger (distributed ledger technology, DLT), which is not held by a single institution but is replicated across a peer-to-peer (P2P) network, where each participant stores an identical public copy of the ledger.
The "anonymity" and "decentralized" nature of cryptocurrencies means that the theft of cryptocurrencies would not mimic the Bangladesh Bank incident – that is, there would be no Federal Reserve to prevent them from withdrawing $851 million.
The WannaCry attack successfully stole $625 million in cryptocurrency, making Lazarus even more determined to shift the focus of its attacks to cryptocurrency targets. Initially, their targets were primarily cryptocurrency exchanges. Although the hackers are no longer targeting traditional financial institutions, the tactics remain similar: phishing or social engineering to insert virus-infected files into a target company's computers and gain access to information systems in order to transfer money from their digital wallets. When funds are moved to an address controlled by North Korea, the hackers begin the money laundering process.
With the rise of cryptocurrencies, a number of Centralized Exchanges (CEX) have emerged around the world to facilitate the purchase of cryptocurrencies using currencies such as the U.S. dollar, the exchange of one form of cryptocurrency for another, and the conversion of cryptocurrencies back into fiat currencies.
This also means that the centralized exchange, like a traditional bank, requires the customer to provide real name verification and the exchange holds all records of the money movement. So no matter how easy it is to steal cryptocurrencies, North Korea still needs to devote resources to money laundering.
It is not difficult to hack a cryptocurrency exchange; the real challenge is in converting the cryptocurrency into cash to purchase nuclear weapons material.
What warrants international attention and concern is not who is the target of North Korea's attack, but rather North Korea's increasingly sophisticated money laundering methods – how to hide as much of the record of money flow on the blockchain as possible before converting it to legal tender, making it impossible for investigators to trace the source of these funds.
In the first few attacks, Lazarus laundered money by writing automated scripts to execute peel chains. A "peel chain" refers to the transfer of large amounts of stolen money to different cryptocurrency addresses in small transactions, avoiding the attention of the trading platform. At the same time, hackers have also started using mixers. The purpose of a cryptocurrency mixer is to reduce the likelihood of a third party discovering the source of a transaction by mixing a cryptocurrency transaction with another transaction.
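The peel-chain pattern described above, seen from the tracing side: an added example (not code from the article or from any of the firms it cites) that walks a constructed toy ledger, follows the large "change" output from hop to hop and collects the small peeled outputs an investigator would then check against exchange deposit addresses. The ledger, address names and the 20% peel threshold are all assumptions made for the illustration.

```python
from collections import defaultdict

# Constructed toy ledger (not real chain data): each transaction spends one
# input address and creates outputs. t1..t4 form a peel chain starting at A0;
# t5 is an ordinary even split and must not be classified as a peel.
TXS = [
    {"id": "t1", "inputs": ["A0"], "outputs": {"X1": 200, "A1": 9800}},
    {"id": "t2", "inputs": ["A1"], "outputs": {"X2": 150, "A2": 9650}},
    {"id": "t3", "inputs": ["A2"], "outputs": {"X3": 250, "A3": 9400}},
    {"id": "t4", "inputs": ["A3"], "outputs": {"X4": 100, "A4": 9300}},
    {"id": "t5", "inputs": ["B0"], "outputs": {"B1": 5000, "B2": 5000}},
]


def index_by_input(txs):
    """Map each address to the transactions that spend from it."""
    idx = defaultdict(list)
    for tx in txs:
        for addr in tx["inputs"]:
            idx[addr].append(tx)
    return idx


def follow_peel_chain(txs, start, peel_ratio=0.2, max_hops=1000):
    """Follow the chain of 'change' outputs from `start`.

    A hop counts as a peel when the address is spent by exactly one
    transaction with exactly two outputs and the smaller output is at most
    `peel_ratio` of the total (assumed heuristic). Returns the list of hops
    (txid, peeled_addr, peeled_amount, change_addr), the total peeled, and
    the address where the chain stops (the remaining unspent balance).
    """
    idx = index_by_input(txs)
    current, hops = start, []
    for _ in range(max_hops):
        spenders = idx.get(current, [])
        if len(spenders) != 1 or len(spenders[0]["outputs"]) != 2:
            break
        tx = spenders[0]
        (peel_addr, peel_amt), (chg_addr, chg_amt) = sorted(
            tx["outputs"].items(), key=lambda kv: kv[1])
        if peel_amt > peel_ratio * (peel_amt + chg_amt):
            break  # roughly even split: not a peel, stop here
        hops.append((tx["id"], peel_addr, peel_amt, chg_addr))
        current = chg_addr
    return hops, sum(h[2] for h in hops), current


def peeled_addresses(txs, start):
    """Addresses that received peeled funds: the ones to screen for exchange deposits."""
    hops, _, _ = follow_peel_chain(txs, start)
    return [h[1] for h in hops]
```

Because the ledger is public and never expires, the same walk can be re-run against historical transactions whenever a new exchange deposit address is identified.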
However, there are still loopholes in the money laundering process, as North Korea has repeatedly used the same coin mixer, making it easier for investigators to deduce the organization's money laundering patterns. In addition, former U.S. President Donald Trump expanded the scope of unilateral U.S. sanctions in 2017, freezing the assets of any person or company with business ties to North Korea in the United States.
Fearing the loss of access to the U.S. market, companies from various countries were inclined to stop trading with North Korea, effectively cutting off North Korea's access to the global financial system and leaving the government in Pyongyang with the option of using "over-the-counter brokers" to cash out stolen cryptocurrency funds into fiat currency.
In this attack, two Chinese nationals, Tian Yinyin and Li Jiadong, were sanctioned by the U.S. Treasury Department for assisting in the conversion of stolen cryptocurrency into fiat currency. Their assets in the U.S. were frozen, and Americans were banned from doing business with them.
In Sept. 2020, hackers stole more than $280 million from Singaporean cryptocurrency exchange KuCoin, which was equal to more than half of all cryptocurrencies stolen in 2020.
Cryptocurrency regulations tighten
Despite North Korea's continued improvements in money laundering and programming techniques, its cryptocurrency nuclear agenda remains unpredictable.
As North Korea has improved its cryptocurrency capabilities, law enforcement's ability to track funds across networks of crypto addresses has also increased, and one by one, agencies have begun to recover stolen funds.
In 2023, Norwegian police seized $5.8 million worth of cryptocurrency stolen by North Korea in the Ronin Network attack. The FBI, in conjunction with cryptocurrency organizations, also investigated and traced North Korea's attempts to convert stolen funds into legal tender, and worked with law enforcement and industry sources to freeze more than $30 million in cryptocurrency.
Because every crypto transaction is recorded in a public ledger, there is no time limit on tracing where the money goes, and it can be recovered years after the crime. This, combined with efforts by agencies like the U.S. Office of Foreign Assets Control (OFAC) to cut off the preferred money laundering services of hackers from the rest of the cryptocurrency ecosystem, suggests that these hacks will become increasingly difficult and fruitless over time.
This increased scrutiny may make it more difficult for North Korea to convert stolen currency into cash. The U.S. Treasury Department, for example, has expanded the targeting of sanctions from the government of Pyongyang to include coin mixers. In 2022, the U.S. Treasury Department ordered the freezing of assets of Tornado Cash and Blender.io, mixers commonly used by North Korea, and banned U.S. citizens from using the platforms.
The uncertainty of cryptocurrency prices has also created uncertainty for North Korea's nuclear weapons plans, with the value of cryptocurrencies suddenly plummeting in mid-2022 and the cryptocurrency industry becoming more unpredictable with the demise of exchange FTX, which declared bankruptcy in 2022.
According to Chainalysis, a blockchain analysis firm, the value of the still-unlaundered cryptocurrency among the funds stolen by North Korea in 49 hacks between 2017 and 2021 has dropped from $170 million to $65 million since the beginning of 2022.
Chainalysis has also seen an increase in attacks on non-cryptocurrency platforms by North Korean hackers, most likely due to tightening sanctions and seizures of stolen funds.
Still, Luke McNamara, chief analyst at Google's Cyber Security, says that North Korea's cryptocurrency attacks will likely continue: "Despite the huge volatility of the cryptocurrency market, there are business opportunities and there are investors. North Korea is seeing this as the soft underbelly behind the various project systems. So as long as new blockchain projects continue to emerge in the market, cryptocurrencies will remain very attractive to North Korea."