Crypto hacking and North Korea: separating facts from fiction

The Democratic People’s Republic of Korea is widely regarded as a state sponsor of hacking and cryptocurrency theft. While several US presidents have tried to stifle North Korea’s nuclear weapons programme through successive rounds of sanctions, state-sponsored cyber operations are a newer phenomenon that sanctions alone cannot tackle.

Unfortunately for the crypto sector, the DPRK has taken a keen interest in digital currencies and appears to have stepped up the theft and laundering of cryptocurrency in order to bypass the crippling economic sanctions that have plunged the pariah state into extreme poverty.

Evidence suggests that Pyongyang has amassed more than two billion US dollars through ransomware, intrusions into banks and exchanges, and even theft from the public through highly sophisticated phishing scams. Several sources explain that the regime uses a range of tactics to convert stolen funds into cryptocurrency, obscure their origin, and then cash them out through agents abroad. The US authorities have given all of this activity a single name: „Hidden Cobra“.

To accomplish all this, the operations must not only be backed by the state; many highly qualified specialists must also be involved to carry the thefts out successfully. So does the DPRK really have the means and the capability to run a global campaign of cyber attacks while its own leadership openly admits that the country is in a state of economic ruin?

Exactly how much did the hackers steal?

Estimates of how much DPRK-backed hackers have allegedly stolen have been revised repeatedly, and 2020 is no exception. A United Nations report published in 2019 states that North Korea has stolen about $2 billion from crypto exchanges and banks.

The most recent estimates put the amount somewhere between $1.5 billion and $2.5 billion. Although exact figures are hard to come by, these numbers suggest that the attacks are becoming more frequent and are yielding more each year. Reports of new ransomware, sophisticated intrusions and novel attack vectors support the same conclusion.

Madeleine Kennedy, senior communications manager at crypto analysis firm Chainalysis, explained to Cointelegraph that the lower estimate is probably too low:

„We believe they have stolen more than $1.5 billion in cryptocurrency. It seems likely that DPRK is investing directly in this business, as these have been very successful campaigns“.

However, Rosa Smothers, senior vice president of IT security firm KnowBe4 and a former CIA technical intelligence officer, told Cointelegraph that the total may not be that high, despite the recent allegation by the US Department of Justice that North Korean hackers stole nearly $250 million from two cryptocurrency exchanges. She added:

„Considering Kim Jong-un’s recent public admission of the country’s dramatic economic situation, an estimate of $1.5 billion seems exaggerated“.

How do hacker groups operate?

It is not entirely clear how these North Korean hacker groups are organised or where they are located, as none of the published reports offers a definitive picture. Recently, the US Department of Homeland Security said that a DPRK-sponsored group called BeagleBoyz is now active on the international scene. The group is regarded as a distinct unit affiliated with the well-known Lazarus Group, which many believe is responsible for several high-profile cyber attacks. The DHS believes that BeagleBoyz has attempted to steal nearly $2 billion since 2015, targeting mainly banking infrastructure such as ATMs and the SWIFT system.

According to Ed Parsons, F-Secure’s general manager for the UK, „‚BeagleBoyz‘ seems to be the name given by the US government to a recent set of activities that targeted financial institutions in 2019/2020“, adding that it is not possible to know whether the unit is actually new or „a new name linked to an initially anonymous campaign later linked to DPRK activities“. He went on to explain to Cointelegraph that the malware samples were associated with „Hidden Cobra“, the code name used by the US government for DPRK online activities.

The US Cybersecurity and Infrastructure Security Agency states that Hidden Cobra activity has been reported since 2009 and initially aimed to steal information or disrupt processes. The main attack vectors are „DDoS botnets, keyloggers, remote access tools (RAT) and wiper malware“, which target older versions of Microsoft Windows and Adobe software. In particular, Hidden Cobra operators use a DDoS botnet infrastructure known as DeltaCharlie, associated with more than 600 IP addresses.

John Jefferies, chief financial analyst at blockchain analysis firm CipherTrace, explained to Cointelegraph that there are several important hacker groups and that it is extremely difficult to tell one from another. Anastasiya Tikhonova, head of APT research at IT security company Group-IB, echoed the comment, adding that, whatever name the group goes by, the attack vectors are very similar:

„They gain initial access to targeted financial organisations using spear phishing techniques, via email with a malicious document disguised as a job offer or through personal messages on social media from a person pretending to be an entrepreneur. Once opened, the malicious file downloads the NetLoader“.

In addition, several experts have identified JS-sniffers as an increasingly popular tool, recently linked to the Lazarus Group as well. A JS-sniffer is malicious JavaScript injected into the checkout pages of online shops, often smaller ones, that silently copies the payment card and personal data that customers type in and sends it to a server controlled by the attackers.

All in all, the groups appear to have honed a specific set of phishing-centred tools: unsuspecting employees of the targeted company install the infected software, which then spreads through the company’s systems towards its core functions. The most notable examples of activity attributed to them are the 2014 attack on Sony Pictures and the spread of the WannaCry ransomware in 2017.

According to various sources, most of the attacks are executed to a high standard and show clear signs of long preparation. Recent examples include a fake trading-bot website built to lure employees of the DragonEx cryptocurrency exchange, an operation that netted about $7 million in cryptocurrency.

At the end of June, a report warned that the Lazarus Group would launch a COVID-19-themed campaign in which the attackers pose as government offices in countries distributing economic relief to counter the effects of the pandemic, luring unwary email recipients to a malicious website that harvests financial information and demands cryptocurrency payments. According to another recent report, jobseekers in the crypto sector are also at risk: the attackers send emails that imitate LinkedIn notifications and carry fake job offers in the form of an infected MS Word file.

More relevant still are the attacks on cryptocurrency exchanges. Although the exact amount stolen from trading platforms is unknown, several reports published by cyber security companies and government agencies put the figure well above one billion dollars. However, only a few of these hacks name the DPRK as the main suspect, and only a handful of cases have been traced back to the regime. The best-known example is the attack on the Japanese exchange Coincheck, in which $534 million worth of NEM tokens was stolen.

At the end of August 2020, a statement by the US Department of Justice described an operation, dating back to 2019, to launder stolen funds through cryptocurrency. The North Korean-backed hackers are believed to have carried out the heist with the support of a Chinese money-laundering network. The two Chinese citizens involved used the peel chain method, in which a large balance is pushed through a long series of transactions, each of which peels a small amount off to a cash-out address while the remainder moves on to a fresh address, to launder $250 million through 280 different digital wallets and obscure the origin of the funds.
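The peel-chain pattern is exactly what blockchain-analysis firms look for when they follow stolen funds. The following is an added, illustrative example written for this article, not code from the DOJ, Chainalysis or CipherTrace: a small heuristic that walks a transaction set hop by hop and reports chains in which each transaction has two outputs, one small „peel“ and one large continuation. The transactions, addresses and the set of known exchange deposit addresses are all constructed for the example; real tracing works on the full UTXO graph and uses much richer attribution data.

```python
"""Heuristic peel-chain detector over a constructed, offline transaction set.

A peel chain moves a large balance through many hops; at each hop a small
amount is peeled off to a cash-out address (often an exchange deposit) and
the remainder continues to a fresh change address.  All data below is made
up for illustration and has nothing to do with the real DOJ case.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: tuple       # addresses spent by this transaction
    outputs: tuple      # (address, amount) pairs


# Constructed sample: a five-hop peel chain plus one unrelated transaction.
SAMPLE_TXS = (
    Tx("t0", ("hack_addr",), (("ex_dep_1", 40.0), ("chg_1", 960.0))),
    Tx("t1", ("chg_1",),     (("chg_2", 925.0), ("ex_dep_2", 35.0))),
    Tx("t2", ("chg_2",),     (("ex_dep_3", 50.0), ("chg_3", 875.0))),
    Tx("t3", ("chg_3",),     (("ex_dep_4", 25.0), ("chg_4", 850.0))),
    Tx("t4", ("chg_4",),     (("ex_dep_5", 30.0), ("chg_5", 820.0))),
    # Roughly even split: not a peel, so the chain is treated as ending here.
    Tx("t5", ("chg_5",),     (("x", 400.0), ("y", 420.0))),
    Tx("decoy", ("other",),  (("a", 1.0), ("b", 1.2))),
)
TX_BY_ID = {tx.txid: tx for tx in SAMPLE_TXS}

# Hypothetical attribution data: addresses known to be exchange deposit addresses.
KNOWN_EXCHANGE_DEPOSITS = {"ex_dep_1", "ex_dep_2", "ex_dep_3", "ex_dep_4", "ex_dep_5"}


def build_spend_index(txs):
    """Map each address to the transaction that spends it (one spend per address here)."""
    return {addr: tx for tx in txs for addr in tx.inputs}


def follow_peel_chain(start_tx, spend_index, exchange_deposits,
                      max_peel_ratio=0.25, min_hops=3):
    """Walk the change output hop by hop for as long as each hop looks like a peel.

    A hop qualifies when the transaction has exactly two outputs and the
    smaller one is at most max_peel_ratio of the larger one.  Returns None
    if fewer than min_hops qualifying hops are found.
    """
    hops, seen, tx = [], set(), start_tx
    while tx is not None and tx.txid not in seen:
        seen.add(tx.txid)
        if len(tx.outputs) != 2:
            break
        (peel_addr, peel_amt), (chg_addr, chg_amt) = sorted(tx.outputs, key=lambda o: o[1])
        if peel_amt > max_peel_ratio * chg_amt:
            break
        hops.append({
            "txid": tx.txid,
            "peel_to": peel_addr,
            "peel_amount": peel_amt,
            "to_exchange": peel_addr in exchange_deposits,
            "change_to": chg_addr,
        })
        tx = spend_index.get(chg_addr)   # None when the change output is still unspent
    if len(hops) < min_hops:
        return None
    return {
        "start_txid": start_tx.txid,
        "hops": len(hops),
        "total_peeled": sum(h["peel_amount"] for h in hops),
        "exchange_deposits": [h["peel_to"] for h in hops if h["to_exchange"]],
        "last_change_address": hops[-1]["change_to"],
    }


def find_peel_chains(txs, exchange_deposits, **kwargs):
    """Start a walk from every transaction whose inputs were not created inside the set."""
    spend_index = build_spend_index(txs)
    created = {addr for tx in txs for addr, _ in tx.outputs}
    chains = []
    for tx in txs:
        if any(addr in created for addr in tx.inputs):
            continue   # not a chain start; the walk from an earlier tx reaches it
        chain = follow_peel_chain(tx, spend_index, exchange_deposits, **kwargs)
        if chain:
            chains.append(chain)
    return chains


if __name__ == "__main__":
    for chain in find_peel_chains(SAMPLE_TXS, KNOWN_EXCHANGE_DEPOSITS):
        print(chain)
```

On the constructed data the walk starts at `t0`, follows the change output through five hops totalling 180 units peeled to the five known deposit addresses, and stops at `t5` because its outputs are split roughly evenly. The `max_peel_ratio` and `min_hops` thresholds are the tuning knobs: too loose and ordinary change-making wallets look like peel chains, too strict and a launderer who varies the peel size slips through.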

According to Kennedy, DPRK-linked hacker groups are indeed becoming more sophisticated in both their attacks and their money laundering: „In particular, these cases have highlighted their use of ‚chain hopping‘, i.e. exchanging into other cryptocurrencies such as stablecoins. Subsequently, they convert the laundered funds into Bitcoins“. Chain hopping refers to converting funds from one cryptocurrency into another, sometimes including privacy coins such as Monero or Zcash, so that an investigator has to follow the money across several ledgers and through the exchanges or swap services that sit between them.

Commenting on the apparent success of the hackers, Parsons said:

„The reduced IP space/access to the internet in the DPRK, together with its less global/online nature, gives the country an asymmetric advantage in terms of IT operations.“

In an interview with Cointelegraph, Alejandro Cao de Benós, a special delegate of the DPRK’s Committee for Cultural Relations with Foreign Countries, rejected the allegations that the country is behind crypto cyber attacks, calling them a „major propaganda campaign“ against the government:

„Usually the DPRK is described in the media as a backward country without internet access or even electricity. But at the same time they always accuse it of having superior capacity, faster connectivity, better computers and experts than major US banks or government agencies. It doesn’t make any sense from an elementary logical and technological point of view“.

What is the size of the hacker group, and where is it located?

Another figure on which the various reports and studies fail to agree is the size of the hacker group allegedly supported by the North Korean government. Recently, the US military report „North Korean Tactics“ put the number at 6,000 operatives, scattered mainly across Belarus, China, India, Malaysia, Russia and several other countries, all under the command of a cyber-warfare unit known as „Bureau 121“.

Parsons believes the figure was probably derived from earlier estimates provided by a defector who escaped from the DPRK in 2004: „the figure may have been generated by U.S. domestic intelligence not publicly attributable“. Tikhonova agreed that it is difficult to assess the size of the organisation: „several reports may provide clues about the regime’s ‚recruitment‘ strategy,“ she explained. She went on to say:

„North Koreans would attract students from universities. In addition, some North Korean hackers were recruited while working for IT companies in other countries. For example, Park Jin Hyok, an alleged Lazarus APT member wanted by the FBI, worked for the Chosun Expo company based in Dalian, China“.

Smothers was more sceptical about the report’s findings, but commented: „It is in line with information from the South Korean Ministry of Defence, which a few years ago put the number at 3,000“, adding that if anyone has such information, it is South Korea. Asked how the group is organised and where it is based, she also agreed that most of the hackers are likely to be scattered around the world „given the limited bandwidth in North Korea“.

Jefferies also believes that „North Korean hackers are scattered around the world, a privilege reserved for very few in the country“, adding that in most cases the attacks attributed to North Korea are not outsourced to hired hackers. Tikhonova offered a possible reason for both observations:

„It is unlikely that they would have given someone access to their list of potential targets or their data considering the sensitivity of the operations, so they are carried out independently by North Koreans“.

What can be done to stop hackers?

So far, tracing the movement of the money and identifying some of the third parties involved appears to be the only thing that has been done successfully, at least publicly. A report by BAE Systems and SWIFT even described how funds stolen by the Lazarus Group are processed by East Asian brokers who circumvent the anti-money-laundering procedures of some crypto exchanges.

Jefferies is convinced that more needs to be done in this regard:

„Authorities must implement and enforce anti-money laundering laws for cryptocurrency and Travel Rule regulations to ensure that suspicious transactions are reported“.

He also stressed the importance of regulators ensuring that virtual asset service providers implement proper Know Your Customer measures:

„A known tactic used by professional money launderers supported by North Korea was the use of false documents to create accounts on several exchanges. Exchanges with KYC control measures have been shown to better detect these fraudulent accounts and prevent abuse of their payment networks“.

According to information released by the US DOJ, the launderers target exchanges with weaker KYC requirements. Although no platform is named, these are probably smaller exchanges active mainly in the Asian market. A further problem is that some authorities cannot intervene when the companies involved lie outside their jurisdiction, as Smothers points out:

„The global nature of these exchanges, as well as Chinese over-the-counter (OTC) traders, limits the ability of our Department of Justice to intervene quickly. For example, the DOJ filed a civil lawsuit in March, but Chinese OTC traders withdrew all funds from their target accounts a few hours after the DOJ release“.

However, as a 2019 Chainalysis report notes, what complicates matters even more is that the launderers may take months, if not years, to complete the process. According to the authors, the attacks were financially motivated, yet the stolen crypto could sit untouched in wallets for up to 18 months before being moved, presumably to reduce the risk of being identified.

Researchers believe that since 2019 the criminals’ tactics have shifted towards faster withdrawals, with heavy use of cryptocurrency mixers to hide the source of the funds. Kennedy went into more detail:

„We cannot describe with certainty the reasons behind these techniques, but we have noticed that these entities often circulate money from one hack, then stop to focus on moving funds from another hack, and so on. Cryptocurrency exchanges have played a decisive role in the investigation, and the public and private sectors are working together to address the threats posed by these hackers“.

How serious is the situation?

Discussing the DPRK, it is difficult to avoid the issues of human rights violations and the nuclear programme that the country is allegedly continuing to pursue, despite the tightening of economic sanctions.

In this sense, the dynastic government led by Supreme Leader Kim Jong-un is regarded as a major threat to the world, although for now that assessment rests on the regime’s nuclear ambitions. While cyber attacks in most cases have no direct consequences for human life, these operations provide a steady source of income with which the state can continue to pursue its ideals and objectives.

Perhaps even more worrying is that, according to the commentators quoted in this article, the hacker groups allegedly backed by the North Korean regime keep expanding their operations because the methods are proving extremely lucrative. According to Jefferies:

„Not surprisingly, they continue to develop and invest in their IT capabilities.“