Financial Times
Christian Davies in Seoul and Scott Chipolina in London

How North Korea became a mastermind of crypto cyber crime

© FT illustration

Created by a Vietnamese gaming studio, Axie Infinity offers players the chance to breed, trade and fight Pokémon-like cartoon monsters to earn cryptocurrencies including the game’s own “Smooth Love Potion” digital token. At one stage, it had more than a million active players.

But earlier this year, the network of blockchains that underpin the game’s virtual world was raided by a North Korean hacking syndicate, which made off with roughly $620mn in the ether cryptocurrency.

The crypto heist, one of the largest of its kind in history, was confirmed by the FBI, which vowed to “continue to expose and combat [North Korea’s] use of illicit activities — including cyber crime and cryptocurrency theft — to generate revenue for the regime”.

The successful crypto heists illustrate North Korea’s growing sophistication as a malign cyber actor. Western security agencies and cyber security companies treat it as one of the world’s four principal nation state-based cyber threats, alongside China, Russia and Iran.

According to a UN panel of experts monitoring the implementation of international sanctions, money raised by North Korea’s criminal cyber operations is helping to fund the country’s illicit ballistic missile and nuclear programmes. Anne Neuberger, US deputy national security adviser for cyber security, said in July that North Korea “uses cyber to gain, we estimate, up to a third of their funds for their missile programme”.

Crypto analysis firm Chainalysis estimates that North Korea stole approximately $1bn in the first nine months of 2022 from decentralised crypto exchanges alone.

Anne Neuberger, the US deputy national security adviser for cyber security, said this year that a significant portion of North Korea’s funding for its missile programme came from cyber attacks © Drew Angerer/Getty Images

The rapid collapse last week of FTX, one of the biggest exchanges, has highlighted the opacity, erratic regulation and speculative frenzies that have been the central features of the market for digital assets. North Korea’s growing use of crypto heists has also served to demonstrate the absence of meaningful international regulation of the same markets.

Analysts say the scale and sophistication of the Axie Infinity hack exposed just how powerless the US and allied countries appear to be to prevent large-scale North Korean crypto theft.

Only about $30mn of the crypto loot has since been recovered. That was after an alliance of law enforcement agencies and crypto analysis companies traced some of the stolen funds through a series of decentralised exchanges and so-called “crypto mixers”, software tools that can shuffle the crypto holdings of different users so as to obfuscate their origins.

In one of the few law enforcement actions since the theft, in August the US sanctioned the Tornado Cash mixer, which the US Treasury said had been used by the hackers to launder more than $450mn of their Ethereum haul.

The US has since designated the crypto mixer, alleging the tool was used to support North Korean hackers who were in turn supporting the country’s weapons of mass destruction programme.

It also highlights the opportunities afforded by the unregulated world of crypto to many other rogue regimes and criminal actors around the world, with experts warning that the problem is likely only to get worse over the decade as crypto exchanges are increasingly decentralised and more goods and services — legal and illicit — are made available for purchase with cryptocurrency.

“We are not anywhere near where we need to be when it comes to regulating the cryptocurrency industry,” says Allison Owen, a research analyst at RUSI’s Centre for Financial Crime and Security Studies. “Countries are taking steps in the right direction, but North Korea will continue finding creative ways to evade sanctions.”

Office 39

Like some of the communist regimes upon which it once depended but which it has long since outlived, North Korea’s hereditary regime has a colourful history of engaging in criminal activity as a means to accumulate foreign currency.

In the 1970s North Korea’s then ruler Kim Il Sung, the grandfather of present ruler Kim Jong Un, tasked his son and successor Kim Jong Il with establishing a cell within the ruling Workers’ Party of Korea to raise money for the dictatorship’s founding family.

Called Office 39, it was one of several entities created by the regime to bring in billions of dollars a year from schemes ranging from producing and distributing counterfeit cigarettes and US dollar bills to selling illegal drugs, minerals, arms and even rare animal species.

North Korean officials, diplomats, spies and assorted operatives were all mobilised in support of this illicit shadow economy, which continues to operate through a complex network of shell companies, financial institutions, foreign brokers and organised crime groups that facilitate the country’s proliferation and sanctions evasion efforts.

Pyongyang has also spent recent decades building up its formidable cyber capabilities, a project that dates back to the late 1980s and early 1990s when the Kim regime sought to develop what was then a nascent nuclear weapons programme.

Regime defectors have described how Kim Jong Il saw the value of networked computers as an efficient means to direct regime officials while remaining in seclusion. He also saw them as a platform to underpin the country’s nuclear and conventional weapons development.

Under Kim Jong Un, who came to power after his father’s death in 2011, North Korea’s cyber capabilities and the threats they posed started to garner international attention © KCNA VIA KNS/AFP/Getty Images

Kim Jong Il is quoted in a book published by the North Korean army as having said that “if the internet is like a gun, cyber attacks are like atomic bombs.” But it was only under his son Kim Jong Un, who assumed power in 2011, that the country’s cyber capabilities started to garner international attention.

While less than 1 per cent of the North Korean population is estimated to have even restricted, closely monitored access to the internet, potential members of the country’s army of approximately 7,000 hackers are identified while still at school. They are then trained and groomed at elite government institutions, with some also receiving training and additional experience in China and other foreign countries.

“They train people who show early indications of being strong in cyber and they send them to other places around the world and embed them into organisations, embed them into the society and culture,” says Erin Plante, vice-president of investigations at Chainalysis. “You have these hacking cells based all around the Asia-Pacific region merging in with the rest of the tech community.” 

In 2014, North Korean hackers launched an attack on Sony Pictures ahead of its release of The Interview, a Hollywood comedy about a fictional assassination attempt on Kim Jong Un. The hack shut down the production studio’s computer network before threatening executives with the release of sensitive and embarrassing internal documents.

That was followed in 2016 by a raid on Bangladesh’s central bank. Members of the Lazarus Group, the same syndicate that was behind the Axie Infinity hack, broke into the bank’s computer network and lurked inside it for a year before issuing instructions to the Federal Reserve Bank in New York to drain $951mn of Bangladeshi reserves.

The money was transferred to a bank in the Philippines and was only identified because one of the orders happened to contain a word that was also the name of a sanctioned Iranian ship, alerting US authorities. The hackers ended up getting away with less than 10 per cent of their haul.

The Interview, a 2014 Hollywood comedy about a fictional assassination attempt on Kim Jong Un, prompted a cyber attack from North Korea on Sony Pictures © Damian Dovarganes/AP

North Korean hackers have also demonstrated their offensive capabilities, causing widespread chaos through ransomware attacks. In 2017, the Lazarus Group unleashed the devastating WannaCry virus, which infected at least 200,000 computers at hospitals, oil companies, banks and other organisations around the world.

Transactions on the Axie Infinity game were supported by Ronin Network, a so-called “cross-chain bridge” that links different blockchains and is supposed to have a high level of security. The hackers gained access to five of the nine private keys that authorise transactions on the bridge, which allowed them to approve withdrawals in their own favour.

According to Nils Weisensee, a cyber security expert with Seoul-based information service NK Pro, the Axie Infinity hack demonstrates how North Korean hackers can now “exploit new vulnerabilities in the latest blockchain technologies almost as quickly as they arise”.

“Just a few years ago, North Korean hackers were specialising in distributed denial-of-service attacks, which is a relatively crude method of flooding your victims’ servers with internet traffic,” says Weisensee. “But if a DDoS attack is the cyber equivalent of beating someone with a baseball bat, then the successful raids on cross-chain bridges like Ronin and Horizon are the equivalent of stealing someone’s wallet through a hole in their pocket they didn’t even know existed.”

Analysts cite the Bangladesh Bank heist as an example of just how much more labour intensive and time consuming it is to target traditional financial institutions.

Axie Infinity, a cartoon game in which players earn cryptocurrency, was meant to be secure but exposed how powerless many countries appear to be to prevent North Korean crypto theft

The North Korean hackers who infiltrated the bank’s computer network had lurked in the system for a year before executing the theft. The proceeds were transferred through several banks to casinos in Manila, where operatives then had to spend several painstaking weeks playing baccarat with the stolen money so as to swap it with unsullied cash. The clean cash was then sent to Macau, and most likely onwards to North Korea.

Cryptocurrency also opens a fresh opportunity for would-be money launderers. To avoid triggering alerts on crypto exchanges by making large deposits in one go, hackers use a so-called “peel chain” — setting up a long chain of addresses and “peeling off” small amounts of digital currency with each transfer. According to a US Treasury indictment from 2020, two Chinese nationals successfully transferred $67mn in bitcoin on behalf of North Korean hackers using this method, making 146 separate transactions between them.
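The “peel chain” pattern described above can be spotted from the defender’s side by walking a transaction graph and aggregating the small amounts that land at one destination. The following is an added illustration, not code from the article or from any analysis firm: the ledger, address names and thresholds are all constructed here to show the shape of the detection, not real chain data.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    """Minimal transaction: one spending address and a tuple of (address, amount) outputs."""
    txid: str
    src: str
    outputs: tuple


def build_sample_ledger(hops=6, start_balance=100.0, peel=2.0):
    """Constructed sample (hypothetical addresses): a wallet peels `peel` units to a
    single exchange deposit address at each hop and forwards the remainder to a
    fresh change address, exactly the structuring pattern the article describes."""
    txs, src, balance = [], "A0", start_balance
    for i in range(hops):
        change = f"A{i + 1}"
        txs.append(Tx(f"tx{i}", src, (("EXCH_DEPOSIT", peel), (change, balance - peel))))
        balance -= peel
        src = change
    return txs


def follow_peel_chain(txs, start_addr, peel_ratio=0.1):
    """Walk forward from start_addr while each tx has two outputs: a small 'peel'
    (at most peel_ratio of the spent value) and a large 'change' output. Returns
    the hops as (txid, peel_addr, peel_amount, change_addr); stops on any other shape."""
    by_src = {t.src: t for t in txs}
    hops, seen, addr = [], set(), start_addr
    while addr in by_src and addr not in seen:
        seen.add(addr)
        tx = by_src[addr]
        if len(tx.outputs) != 2:
            break
        (peel_addr, peel_amt), (change_addr, _) = sorted(tx.outputs, key=lambda o: o[1])
        total = sum(v for _, v in tx.outputs)
        if peel_amt > peel_ratio * total:
            break  # two comparable outputs: an ordinary payment, not a peel
        hops.append((tx.txid, peel_addr, peel_amt, change_addr))
        addr = change_addr
    return hops


def aggregate_peels(hops):
    """Total value peeled off per destination address across the whole chain."""
    totals = defaultdict(float)
    for _, peel_addr, amt, _ in hops:
        totals[peel_addr] += amt
    return dict(totals)


def flag_structuring(hops, min_hops=3, threshold=5.0):
    """Alert on destinations that received more than `threshold` in total via a chain
    of at least `min_hops` peels, i.e. a deposit split to stay under per-deposit alerts."""
    if len(hops) < min_hops:
        return {}
    return {a: v for a, v in aggregate_peels(hops).items() if v > threshold}
```

Each individual deposit here is well under a per-transaction alert threshold of 5 units, yet the aggregated view flags the destination because the chain as a whole moved 12 units into it.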

“Because blockchain technology is a child of the internet, everything you need to know about its vulnerabilities can also be found on the internet,” says Weisensee. “All you need is smart people, and the North Koreans have that.”

According to researchers at Harvard University’s Belfer Center for Science and International Affairs, North Korea has also been accumulating digital currencies through running its own crypto-mining operations, powered by abundant coal reserves that Pyongyang is unable to export due to UN sanctions.

The researchers note that the Ethereum blockchain’s move to a much less energy intensive “proof of stake” mechanism, while less damaging for the environment, could give energy-starved North Korea the opportunity to increase the amount of revenue it can afford to generate through crypto mining.

North Korea has also been able to exploit the rise in popularity of non-fungible tokens, or NFTs — either by artificially inflating their value using a technique known as “wash trading”, or by using NFTs to launder stolen funds, or through outright theft using spear-phishing attacks.

According to a US justice department indictment unsealed in 2021, North Korean hackers also carried out an illegal initial coin offering for a fraudulent blockchain that offered investors digital tokens in exchange for ownership of micro stakes in its shipping fleet.

Kim Jong Il, the late father of North Korea’s present ruler, is quoted as having said that “if the internet is like a gun, cyber attacks are like atomic bombs” © KCNA VIA KNS/AFP/Getty Images

Weisensee says that the dizzying pace of development of blockchain technology affords North Korean hackers constant opportunities to innovate.

“If you look at the vulnerability they exploited in the Swift financial messaging service for the Bangladesh Bank heist, that is something that could be fixed relatively easily — it would be a hard operation to repeat,” he says. “But crypto is evolving so quickly, and the North Koreans are so adept at tracking these developments, that they are regularly one step ahead of those who are trying to stop them.”

Catch me if you can

Identifying and tracking the methods deployed by North Korean hackers is difficult. Stopping them is even harder.

In 2018, US prosecutors accused a North Korean hacker, Park Jin Hyok, of carrying out the Sony, Bangladesh Bank and WannaCry attacks, among many other operations, on behalf of the Kim regime.

“These activities run afoul of acceptable norms of behaviour in cyber space and the international community must address them,” John Demers, then assistant attorney-general in the Department of Justice’s national security division, said at the time. “Working for a foreign government does not immunise criminal conduct.”

But analysts note that neither Park, nor two more North Korean hackers identified by the US in 2021 as members of North Korea’s military intelligence agency, nor any other North Korean citizens have ever been brought to justice for their role in hacking or cyber theft operations.

The US has had more success in pursuing foreign nationals accused of assisting North Korea’s efforts.

In April, a New York court sentenced American crypto researcher Virgil Griffith to five years in prison for helping North Korea evade sanctions through his participation in a blockchain conference in Pyongyang in 2019. British crypto expert Christopher Emms, accused by the US of helping to organise the conference, fled after he was initially detained in Saudi Arabia earlier this year.

A Nigerian influencer known as Ray Hushpuppi received an 11-year sentence from a US court this month for conspiring to launder funds stolen by North Korean hackers from a Maltese bank in 2019.

But experts say that while Washington has taken action against a handful of entities including banks, exchanges, and crypto mixers, nothing it has done appears to have meaningfully hindered North Korea’s exploitation of the global proliferation of digital currencies.

In part, this is because of the nature of North Korea itself. Of what Demers described as America’s four “principal adversaries in cyber space”, North Korea is the only country able or willing to mobilise its entire state apparatus in support of its global criminal operations.

“If any of the larger nations that have stronger cyber capabilities decided that they were going to use those capabilities to steal cryptocurrency, they would be far more successful than North Korea,” says Plante of Chainalysis. “But they can’t do so without damaging their ability to function in the legitimate global ecosystem.”

“Unlike China, Russia and Iran, North Korea has no stake in the global financial system, and economically speaking they have almost nothing to lose,” says Weisensee.

Last month, South Korea joined US Cyber Command’s annual multilateral cyber exercise for the first time, intensifying the two countries’ co-operation in the face of North Korean cyber attacks. However, analysts also note the difficulty of retaliating against North Korean cyber operations, given how little of North Korean society and infrastructure is connected to or dependent on the internet.

“North Korea poses a potential danger to our critical infrastructure, but it is hard to see how we can retaliate short of a total cyber war,” says Desmond Dennis, a cyber expert and former special agent with the FBI and the US Defence Intelligence Agency. “That would likely be interpreted by Pyongyang as amounting to a conventional act of war, and against a state that possesses nuclear weapons.”

But if the crypto heists have revealed something about the nature of North Korea, they have also exposed the lack of any meaningful global regulation of crypto itself.

“If we look back on sanctions in every other area of economics, they are highly matured markets that have clear regulation,” says Rohan Massey, partner at US law firm Ropes and Gray. “But crypto is a totally new asset. A lack of any real global understanding and jurisdictional regulation can be utilised quite easily.”

Observers also note worrying trends in the industry that are likely to play into the hands of the North Koreans. They include the increasing prevalence of decentralised exchanges, which are harder for law enforcement agencies to target, and the rise of new cryptocurrencies such as monero, the use of which is much harder to track than bitcoin.

Even with the turmoil in crypto markets, some analysts believe that an increasing number of goods and services will be purchasable using cryptocurrency. If that happens, says Weisensee, it would allow North Korea increasingly to avoid the traditional financial system altogether, reducing the “choke points” through which the US and others can exercise their leverage.

“It’s very possible that technological advances will allow us to gain greater insight into North Korea’s operations — but stopping them is a different thing altogether,” he says. “You could already use crypto to buy missile parts on the dark web years ago — so imagine what you could buy a few years from now.”
