Falling cryptocurrency markets have wiped out millions of dollars in funds stolen by North Korean hackers, four digital investigators say, threatening a key funding source for the sanctions-hit country and its weapons programs.
North Korea has invested resources in cryptocurrency theft in recent years, making it a potent hacking threat and leading to one of the largest cryptocurrency thefts on record in March, in which nearly US$615 million (S$853 million) was stolen, according to the United States Treasury.
The sudden drop in crypto stocks, which began in May amid a broader economic downturn, complicates Pyongyang’s ability to profit from this and other heists, and could affect how it plans to fund its weapons programs, two South Korean government sources said. The sources declined to be named due to the sensitivity of the issue.
It comes as North Korea tests a record number of missiles – which the Korea Institute for Defense Analysis in Seoul estimates have cost up to $620 million this year – and prepares to resume nuclear testing amid an economic crisis.
Old, unlaundered North Korean crypto assets monitored by New York-based blockchain analytics firm Chainalysis, which include funds stolen in 49 hacks from 2017 to 2021, have shrunk in value from $170 million to $65 million since the start of the year, the company told Reuters.
One of North Korea’s cryptocurrency caches from a 2021 heist that was worth tens of millions of dollars has lost 80-85% of its value in recent weeks and is now worth less than $10 million, said Nick Carlsen, an analyst at TRM Labs, another US-based blockchain analytics firm.
A person who answered the phone at the North Korean embassy in London said they could not comment on the crash because the cryptocurrency hacking allegations are “totally false”.
“We didn’t do anything,” said the person, who only identified himself as an embassy diplomat. The North Korean Foreign Ministry called the allegations US propaganda.
The March $615 million attack on the Ronin blockchain project, which powers the popular online game Axie Infinity, was the work of a North Korean hacking operation dubbed the Lazarus Group, according to US authorities.
Carlsen told Reuters that the interconnected price movements of the various assets involved in the hack made it difficult to estimate how much North Korea managed to keep from this heist.
If the same attack happened today, the stolen Ether currency would be worth just over $230 million, but North Korea swapped almost all of that for Bitcoin, which has seen separate price moves, he said.
“Needless to say, the North Koreans have lost a lot of value, on paper,” Carlsen said. “But even at depressed prices, it’s still a huge booty.”
The United States claims that Lazarus is controlled by the Reconnaissance General Bureau, North Korea’s main intelligence office.
It has been accused of involvement in the “WannaCry” ransomware attacks, the hacking of international banks and customer accounts, and the 2014 cyberattacks on Sony Pictures Entertainment.
Analysts are hesitant to provide details about the types of cryptocurrency held by North Korea, which could reveal investigative methods.
Chainalysis said Ether, a common cryptocurrency tied to open-source blockchain platform Ethereum, accounted for 58%, or around $230 million, of the $400 million stolen in 2021.
Chainalysis and TRM Labs use publicly available blockchain data to track transactions and identify potential crimes.
Such work has been cited by sanctions screeners, and according to government procurement records, both companies work with US government agencies, including the IRS, FBI and DEA.
North Korea is under widespread international sanctions for its nuclear program, giving it limited access to global trade or other sources of revenue and making crypto heists attractive, investigators say.
Although cryptocurrencies are believed to make up only a small part of North Korea’s finances, Eric Penton-Voak, coordinator of the UN panel of experts that monitors sanctions, said at an event in April in Washington, DC, that cyberattacks have become “absolutely fundamental” to Pyongyang’s ability to evade sanctions and raise funds for its nuclear and missile programs.
In 2019, sanctions watchers reported that North Korea generated around US$2 billion for its weapons of mass destruction programs using cyberattacks.
An estimate by the Geneva-based International Campaign to Abolish Nuclear Weapons indicates that North Korea spends about $640 million a year on its nuclear arsenal.
The country’s gross domestic product was estimated in 2020 at around $27.4 billion, according to South Korea’s central bank.
Pyongyang’s official sources of revenue are more limited than ever due to self-imposed border closures to fight Covid-19. China – its biggest trading partner – said in 2021 it had imported just over $58 million worth of goods from North Korea, amid one of the lowest levels of official bilateral trade in decades. Official figures do not include smuggling.
North Korea already receives only a fraction of what it steals because it has to rely on brokers willing to convert or buy cryptocurrencies with no questions asked, said Aaron Arnold of the London think tank RUSI.
A February report by the Center for a New American Security (CNAS) estimated that in some deals, North Korea gets only a third of the value of the currency it stole.
After obtaining cryptocurrency in a heist, North Korea sometimes converts it to Bitcoin and then finds brokers who will buy it at a discount in exchange for cash, often held outside the country.
“Just like selling a stolen Van Gogh, you won’t get fair market value,” Arnold said.
The CNAS report found that the North Korean hackers show only “moderate” concern about concealing their role, compared to many other attackers.
This allows investigators to sometimes follow digital leads and attribute attacks to North Korea, but rarely in time to recover stolen funds.
According to Chainalysis, North Korea has turned to sophisticated ways of laundering stolen cryptocurrency, increasing its use of software tools that pool and scramble cryptocurrencies from thousands of electronic addresses – an identifier for a digital storage location.
The contents of a given address are often publicly visible, allowing companies such as Chainalysis or TRM to monitor any that investigators have linked to North Korea.
Attackers tricked people into giving them access, or hacked around security, to siphon digital funds from internet-connected wallets to addresses controlled by North Korea, Chainalysis said in a report this year.
The sheer size of recent hacks has strained North Korea’s ability to convert cryptocurrency to cash as quickly as in the past, Carlsen said. This means that some funds have been stuck even as their value falls.
Bitcoin has lost around 54% of its value this year and smaller coins have also been hit hard, reflecting a decline in share prices on investor concerns about rising interest rates and the growing likelihood of a global recession.
“Cash conversion remains a key requirement for North Korea if it wants to use the stolen funds,” said Carlsen, who has investigated North Korea as an FBI analyst.
“Most of the commodities or products that North Koreans want to buy are only traded in USD or other fiat currencies, not cryptocurrencies.”
Pyongyang has other, larger sources of funding it can rely on, Arnold said. UN sanctions monitors said as recently as December 2021 that North Korea continues to smuggle coal – usually to China – and other major exports banned by Security Council resolutions.
North Korean hackers sometimes seem to wait out rapid drops in value or exchange rates before converting to cash, said Jason Bartlett, the CNAS report’s author.
“This sometimes backfires as there is little certainty in predicting when a coin’s value will rise rapidly and there are several cases of highly depreciated crypto funds just sitting in North Korea-related wallets,” he said.
Sectrio, the cybersecurity division of Indian software firm Subex, said there were signs that North Korea had resumed stepping up attacks on conventional banks rather than cryptocurrencies in recent months.
The company’s banking-focused “honeypots” – decoy computer systems meant to lure cyberattacks – have seen an increase in “abnormal activity” since the crypto crash, as well as an increase in “phishing” emails, which attempt to trick recipients into giving away security information, Sectrio said in a report last week.
But Chainalysis said there is no major change in North Korea’s crypto behavior yet, and few analysts expect North Korea to abandon digital currency theft.
“Pyongyang has added cryptocurrency into its sanctions evasion and money laundering calculus and it will likely remain an ongoing target,” Bartlett said.