How North Korea used crypto to hack its way through the pandemic
By Choe Sang-Hun and David Yaffe-Bellany, The New York Times Company
SEOUL, South Korea — North Korea’s economy has been ravaged by United Nations sanctions and the coronavirus pandemic. The government has warned of a severe food shortage. An unidentified intestinal disease began spreading among citizens in June.
And yet the country has conducted more missile tests this year than in any previous year. The government is giving new luxury homes to party elites. Kim Jong Un, North Korea’s leader, has promised to develop advanced technology for the nation’s growing weapons arsenal. A new nuclear test — the country’s seventh — is expected to happen any moment.
Where has the money come from?
In April, the United States identified a key part of the puzzle when it publicly accused North Korean hackers of stealing $620 million in cryptocurrency from the video game Axie Infinity. The theft, one of the largest of its kind, provided the strongest evidence that cryptocurrency heists have become a highly lucrative yet relatively risk-free way for North Korea to raise funds to buttress the regime during the pandemic and to finance its weapons development.
Poor, isolated and heavily sanctioned, North Korea has long resorted to illicit activities to gin up badly needed cash. It has trafficked in weapons, illegal drugs and counterfeit U.S. $100 bills. Its workers have dug tunnels for the Myanmar military and built statues and monuments for African dictators. It has unleashed hackers to disrupt foreign websites and steal from corporations and banks.
More recently, with its borders shut because of the pandemic and traditional banks strengthening their firewalls against hackers, cryptocurrency theft has become an increasingly vital source of foreign currency for the regime. Its hackers are accused of stealing $571 million from cryptocurrency exchanges between January 2017 and September 2018 and $316 million from 2019 to November 2020.
North Korean hackers may have walked away with nearly $400 million in cryptocurrency last year, according to the crypto data firm Chainalysis. This year, North Korea’s haul is up to a little under $1 billion. To put those figures into context, the country earned only $89 million in official exports in 2020, according to South Korea’s government-run statistical agency.
Cryptocurrencies are hardly a stable source of funding. Over the last two months, the market has crashed spectacularly, erasing hundreds of billions of dollars in investments and sending the price of Bitcoin below $20,000 for the first time since late 2020. North Korea had crypto holdings worth $170 million at the end of last year, according to Chainalysis — funds that the country had stolen but not converted into cash. That stash was worth only $65 million as of last week.
But at a time when North Korea has locked itself down for fear of the pandemic, hacking crypto exchanges has allowed it to generate income in ways that are both COVID-safe and harder to trace in an industry subject to limited government oversight.
As its hackers roam cyberspace launching devastating attacks, North Korea runs little risk of being targeted itself because most of the country is offline. “For North Korea, it’s a low-cost, low-risk but high-return criminal enterprise,” said Yoo Dong-ryul, a former chief anti-terrorism analyst at the South Korean national police agency.
North Korea barely has enough electricity to run elevators in the capital city, Pyongyang, and most people do not have computers, much less access to the internet. Yet the country has long been home to many of the world’s savviest and most aggressive hackers.
North Korean students have rivaled their peers from the world’s top universities in international computer programming competitions. By 2013, Kim called his hackers “an all-purpose sword” parallel to his nuclear weapons and missiles in their “ruthless targeting capabilities,” according to South Korea’s National Intelligence Service.
“They are unique in that they are trained and deployed and operate under a government program,” Yoo said. By one South Korean estimate, North Korea runs an army of about 6,800 cyberwarriors — 1,700 hackers in seven different units and 5,100 technical support personnel.
Talented students are carefully screened and groomed from an early age. The best of them join the hacker training programs at the Moranbong University, run by the Reconnaissance General Bureau, North Korea’s main spy agency, or at the military-run Mirim College, according to South Korean officials. After graduation, most are assigned to the Reconnaissance General Bureau’s cyberwarfare arm, Department 121.
In North Korea, only a small number of workers whose loyalty is vetted by the regime are allowed to work abroad. Hackers are among them, operating in China, Russia, Belarus and Southeast Asian countries like Singapore, the Philippines and Malaysia, often posing as freelance computer engineers.
Like other North Korean workers abroad, the hackers operate under the watchful eyes of their political minders sent from Pyongyang.
“You are mistaken if you think they will have moral compunction for attacking somebody else’s network,” Jang Se-iul, a graduate of Mirim College who served as an officer in the North Korean military before defecting to South Korea in 2008, said in an interview. “To them, cyberspace is a battlefield and they are fighting enemies out there hurting their country.”
Jang said North Korea first began building its electronic warfare capability for defensive purposes but soon realized that it could be an effective offensive weapon against its digital enemies.
Around the time Jang arrived in Seoul, South Korea, websites in South Korea and the United States were under a wave of cyberattacks. Going by names like Lazarus, Kimsuky and BeagleBoyz, North Korean hackers used increasingly sophisticated tools to infiltrate military, government, corporate and defense industry networks around the world to conduct cyberespionage and steal sensitive data to aid North Korea’s weapons development.
“Make no mistake: DPRK hackers are really good,” said Eric Penton-Voak, a coordinator at the U.N. panel of experts, during a webinar in April, using the acronym of North Korea’s official name, the Democratic People’s Republic of Korea. “They look at really interesting and very gray, new areas of cryptocurrency because actually, A, no one really understands them, and B, they can exploit weakness.”
Usually, North Korean hackers breach foreign crypto wallets through phishing attacks, luring victims with fake LinkedIn recruiting pages or other bait, according to Chainalysis. Then the hackers use a complex set of financial instruments to transfer the stolen funds, moving the loot through cryptocurrency “mixers” that combine multiple streams of digital assets, making it harder to track the movement of one particular batch of cryptocurrency.
“They’re very methodical in how they launder them,” said Erin Plante, senior director of investigations for Chainalysis. “They’re very methodical in small amounts moving over long periods of time to ultimately try to evade investigators.”
The final step is turning the crypto into cash. Generally, North Korea uses offshore exchanges, converting the stolen cryptocurrency into renminbi. “They’ve cashed out a large percentage of the funds they’ve stolen,” Plante said. “It’s a really powerful tool for them in evading sanctions.”
Axie Infinity, the video game targeted in the cryptocurrency heist this spring, was created by Sky Mavis, a company founded in Vietnam in 2018. The game allows participants to accumulate cryptocurrency the more they play. By last year, it had more than 2.5 million daily users. The game’s popularity made the company a target: Employees at Sky Mavis were under constant advanced spear-phishing attacks on various social channels.
The company was hacked after an employee downloaded a Word document, said Aleksander Leonard Larsen, a founder of Sky Mavis. The employee no longer works at the company, he said.
“The entire industry is going to have to face the music here sooner or later,” Larsen said, adding that the attack on his company by North Korean hackers should serve as “a wake-up call” for the industry as it contends with mounting security threats.
The U.S. government has tried to crack down on the theft and punish those who would seek to enable the hackers. In April, Virgil Griffith, an American cryptocurrency expert, was sentenced to 63 months in prison on charges of making an unauthorized trip to attend a conference in Pyongyang in 2019 and teach North Koreans about cryptocurrency and the technology behind it.
The United States has also indicted three North Korean hackers on charges of participating in “a wide-ranging criminal conspiracy,” including the theft of more than $1.3 billion from banks and cryptocurrency companies. One of the hackers, Park Jin Hyok, did information technology work in China under Chosun Expo, which U.S. officials have
Last week, Harmony, a popular crypto platform, announced that it had lost $100 million in digital currency to a thief. Chainalysis tracked the flow of funds, which were channeled into a cryptocurrency mixer. The transfers followed a familiar playbook, Chainalysis said Monday. The apparent culprit: North Korea.
This article originally appeared in The New York Times.