Home Security News Inside the Multi-Billion Dollar Cryptocurrency Theft Operation by North Korean Hackers: How They Did It and What's Being Done to Stop Them

Inside the Multi-Billion Dollar Cryptocurrency Theft Operation by North Korean Hackers: How They Did It and What's Being Done to Stop Them

Posted: December 16, 2023

turned-on MacBook Pro

North Korean Hackers' Cryptocurrency Theft

Recorded Future's report on North Korean threat actors stealing over $3 billion in cryptocurrency

North Korean state-sponsored threat actors are believed to have stolen over $3 billion in cryptocurrency, according to a report by threat intelligence firm Recorded Future. This theft is believed to have occurred over several instances and increased significantly over time, with the most prolific year being 2023. North Korean hackers, known as the Lazarus group, were the main perpetrators behind these cyberattacks.

The involvement of the Lazarus Group in cryptocurrency-related intrusions

The Lazarus Group, directly tied to North Korea, specializes in cryptocurrency-related intrusions. This group has a long history of launching attacks on various targets worldwide, focusing on financial and banking organizations. The group has been known for using various techniques to infiltrate target systems and gain unauthorized network access. The ultimate goal is to steal cryptocurrencies.

Common hacking techniques used, including spear-phishing emails and malicious scripts

The popular methods used by North Korean hackers, primarily the Lazarus Group, for these intrusions include spear-phishing emails and malicious scripts. The attackers trick victims into opening these spear-phishing emails downloading malware onto their systems. In several instances, these malicious scripts were designed to steal information related to cryptocurrencies or directly gain unauthorized access to cryptocurrency wallets. At the beginning of 2022, new methods were added to their arsenal, such as strategic web compromise, trojanized DeFi applications, a fake cryptocurrency application for Android, and supply chain compromise.

Increased instances of hacking in 2021 and 2022, involving targeting the cross-chain bridges and validator keys of cryptocurrency platforms

In 2021, there was an upsurge in the attacks launched by North Korean hackers. These included targeting the cross-chain bridges of cryptocurrency platforms and compromising validator keys used to sign transactions. The Lazarus group was particularly active in 2022, reportedly siphoning over $1.7 billion. The attack mode involved infiltrating systems, gaining unauthorized access, and stealing cryptocurrencies from various platforms.

Major attacks launched on Ronin Network Harmony, Qubit Finance, and Nomad

In 2022, significant attacks were spearheaded by North Korean hackers on numerous prominent cryptocurrency platforms, including Ronin Network Harmony ($100 million), Qubit Finance ($80 million), and Nomad ($190 million). This escalation in the scale of attacks and subsequent theft marks a significant shift in the strategies and capabilities of the Lazarus group. These significant heists have resulted in extensive financial losses and a disruption in the operations of these platforms.

Money Laundering Operations

Extensive money-laundering network developed by hackers to move the stolen assets

North Korea-linked hackers have developed a sophisticated and extensive money-laundering network to navigate the flow of stolen cryptocurrency assets. This structure mostly consists of multiple layers of transactions flowing through several intermediaries, making tracking and identifying these transactions challenging. The establishment of this massive network reflects the depth and the scale of operations conducted by these cybercriminals, particularly given the large sum of ill-gotten assets involved in these processes.

Use of cryptocurrency mixers and money mules

North Korean hackers extensively use cryptocurrency mixers and money mules to mask their illicit activities and the origin of the stolen funds. Cryptocurrency mixers provide a means to mix one's funds with other users' cryptocurrency, making it challenging to trace back to the original source. On the other hand, money mules are individuals who transfer money acquired illegally on behalf of others. These methods are adopted to obscure the trail of the original transactions and make it more difficult to link illicit activities to their real orchestrators.

Sanctions by the US government against three mixers and multiple individuals involved in laundering for the North Korean regime

The US government, aware of these illicit activities, has sanctioned three cryptocurrency mixers - Blender, Tornado, and Sinbad - which are believed to have been crucial components in money laundering operations linked to the North Korean regime. Dozens of individuals believed to be involved in these operations have also been penalized. These actions by the US authorities underscore their commitment to counter cybercriminal activities originating from North Korea and prevent the use of the global financial system for illegal activities.

Half of the laundered money is believed to fund North Korea's ballistic missile program

Experts estimate that roughly half of the money laundered through these networks is used to fund North Korea's ballistic missile program. This indicates that these cyber thefts and subsequent money laundering operations are not just unlawful acts of financial feat but represent a significant source of funding for North Korea's strategic and military ambitions, thereby posing a potential threat to international security.

Impact of Thefts on Various Platforms

Affected parties, including Atomic Wallet, Alphapo, CoinEx, CoinsPaid, and Stake.com

Several cryptocurrency platforms and companies bore the brunt of these cyberattacks in 2023. Prominent names among those affected included Atomic Wallet, Alphapo, CoinEx, CoinsPaid, and Stake.com. These companies were victims of high-profile heists, resulting in significant financial loss and also disrupting their regular operations. The repeated instances of hacks also raised questions over the security measures undertaken by these platforms, considering the increasing sophistication of attacks by groups like the Lazarus group.

Lazarus Group's cyberattack on US-based software company JumpCloud possibly aimed at its cryptocurrency clients

The North Korean Lazarus Group's cybercriminal activities were not restricted to direct attacks on cryptocurrency platforms. The group also targeted other connected entities, like the US-based software company JumpCloud, an Active Directory replacement service provider. The motive behind this attack is believed to have been setting up a base for future attacks on the company's cryptocurrency clients. This indicates the meticulously planned and calculated approach of the Lazarus Group, which appears ready to exploit every possible vulnerability and link in the chain that can lead them to their primary objective - stealing cryptocurrencies.

Measures to Counteract the Hacks and Theft

Role of the FBI in identifying Bitcoin in Crypto Wallets linked to North Korean hackers

The Federal Bureau of Investigation (FBI) has been actively involved in countering the cyber threats posed by North Korean hackers. In one such effort, the Bureau confirmed the links between North Korea-affiliated Lazarus Group and a $100 million crypto heist on a blockchain network known as Horizon Bridge. The FBI has also worked on identifying cryptocurrencies, particularly Bitcoin, in wallets linked to these North Korean hackers. These steps help track the flow of stolen assets and provide critical leads in tracking the cybercriminals involved in these acts.

The US offering a reward of $10 million for information on North Korean hackers

In an attempt to gather intelligence and information related to North Korean hackers, the US government has offered a substantial reward of $10 million. This incentive is likely to encourage informants with credible information regarding these hackers' activities, identities, and operations to come forward. This strategy underscores the US government's commitment to cracking down on the threats posed by these cyber criminals and safeguarding the interests of individuals and organizations that heavily rely on digital financial platforms.

Patching of 94 vulnerabilities in Android to enhance security against such hacks in the Future

Ensuring robust security in the digital space is critical to prevent exploitation by threat actors. One such measure has been the patching of 94 vulnerabilities in Android as part of its December 2023 Security Updates. These patches can help fortify the Android operating system against potential compromises by disabling the flaws and bugs threat actors could exploit. Through such continuous updates and upgrades, technological platforms can ensure better protection for users against criminal hackers' increasing sophistication and creativity.