Will Hack For Nukes: Inside North Korea’s Cryptocurrency Extortion Ring
In order to fund its nuclear weapons program, North Korea has industrialized bitcoin theft, and its state-sponsored hackers are becoming more adept at stealing money. But with international law enforcement officials closing in, it’s more difficult than ever to cash in on cryptocurrencies.
“I’ve encrypted your files, and if you don’t pay me within a week, you’ll never be able to recover them,” was the threat that appeared on the computer.
On May 12, 2017, at noon, a red alert page appeared on the screens of more than 300,000 Windows users throughout the world, requesting that they send roughly $300 worth of Bitcoin in order to recover their files.
Victims initially believed it to be a standard cryptocurrency ransomware incident. The attack, later dubbed “WannaCry” and the worst cryptocurrency ransomware attack to date, was carried out by Lazarus, a hacking group controlled by the North Korean government, according to the U.S. government.
Less than 1% of North Korea’s population has access to the Kwangmyong Intranet service, but the government there has nonetheless developed some of the greatest hackers in the world, on par with superpowers like the United States, China, and Russia.
In recent years, the Pyongyang government has successfully raised money for nuclear weapons research through large-scale financial extortion schemes like WannaCry by utilizing the decentralized nature of cryptocurrencies and its two-decade-old cyberwarfare capabilities.
Bangladesh Bank hack
North Korea’s capacity for cyberwarfare was first genuinely acknowledged by the world community during the Bangladesh Bank breach in January 2015. Several bank employees at the time received what looked like an ordinary job application email. The attached resume and cover letter, however, carried malware that, once opened, gave the attackers a foothold from which they reached the SWIFT (Society for Worldwide Interbank Financial Telecommunication) network.
Posing as the Central Bank of Bangladesh, the malware sent a series of SWIFT orders to fraudulently transfer $1 billion out of the bank’s account at the Federal Reserve Bank of New York. One of those orders directed money to a bank branch on Jupiter Street in Manila, Philippines; because “Jupiter” was also the name of a sanctioned Iranian vessel, the transfer was flagged, the FBI was alerted, and the suspicious transactions were stopped. Still, five transactions were completed, and the hackers made off with $81 million.
The heist demonstrated that North Korea had unquestionably refined its approach since earlier attacks. In this instance the hackers lurked inside the bank’s systems for a year, gathering data and choosing their moment before acting.
The hackers used the weekend in Bangladesh, the time difference between Bangladesh and New York, and the Lunar New Year holiday in the Philippines to buy time for the transfers to go through. They routed the proceeds to a bank account in Manila, the Philippine capital, and then to a casino, where they laundered the money at the gaming tables before sending it back to North Korea.
The Bangladesh Bank fraud made the West understand that North Korea’s cyber weapons were more potent than previously thought. The robbery also apparently strengthened North Korea’s determination to steal cryptocurrencies, even though it netted only $81 million of the intended $1 billion haul.
The other 90% of the targeted funds were lost, and laundering what remained required a complex process. After this operation, North Korea discovered just how labor- and time-intensive the requirements of conventional financial institutions can be.
However, with the emergence of cryptocurrencies, North Korea saw the decentralized technology – an open financial system without the need to go through banks or government-regulated financial institutions – as a means of evading sanctions, skipping the process of money laundering, and putting the proceeds directly into its nuclear weapons program.
North Korea’s cyber history
The Pyongyang government’s ambitions for cyber attacks date back to the 1990s. In the Gulf War, which began in 1990, the U.S.-led coalition used electronic equipment in addition to conventional weapons to assist in taking down Iraq. The Chinese Communist Party at the time saw the potential of electronic warfare and set up a research group dedicated to exploring “electronic intelligence warfare.”
According to a book published by the Korean People’s Army (KPA), after then-Supreme Leader Kim Jong Il saw the report, he said “If the Internet is like a gun, a cyber attack is like an atomic bomb,” before directing the KPA General Staff to develop an “information warfare” capability in order to support its nuclear weapons program.
As early as 2008, the North Korean government established Bureau 121, also known as the Electronic Reconnaissance Department or Cyber Warfare Guidance Department, within the Reconnaissance Bureau of the KPA General Staff. It was tasked with conducting cyber attacks and cyber espionage and collecting intelligence on overseas politics, economy, and society.
In 2009, North Korea merged all of its intelligence and internal security services into the Reconnaissance General Bureau (RGB) of the General Staff of the Korean People’s Army, which includes Bureau 121.
Bureau 121 now has an estimated 3,000 to 6,000 employees in various countries, including China, India, Malaysia, and Russia. Its sections include “APT 37” and “Kimsuky,” which specialize in political cyber espionage, while “Lazarus,” which launched the WannaCry attack, focuses on financial blackmail.
In 2012, Kim Jong-un came to power and inherited his father’s ambition to develop cyber warfare. The year after he came to power, Kim Jong-un publicly declared that cyber warfare, together with nuclear weapons and missiles, is “an all-purpose sword” whose “ruthless targeting capability” would make North Korea’s military invincible. This declaration set the stage for North Korea’s cyber attack-centric strategy to date.
North Korea’s earliest documented cyber attack was Operation Troy, against South Korea in 2009. In the early days of discovering the power of cyber warfare, the Pyongyang government aimed to demonstrate its cyber capabilities on the international stage. The attack also coincided with the country’s second nuclear test, when North Korea took an uncompromising stance on military policy and cyber strategy, with no fear of retaliation.
Between 2013 and 2016, North Korea’s cyber activities increasingly aimed to gather information, and the country repeatedly launched distributed denial-of-service (DDoS) attacks on its main enemies, South Korea and the U.S., which briefly disrupted or even paralyzed the operations of government agencies, electrical infrastructure, military systems and more. Cyber espionage was also common during this period, with at least six major espionage attacks against South Korea alone.
North Korean hackers steadily improved their skills, and their attacks were no longer limited to South Korea and the U.S., nor their means to DDoS. After 2015, North Korea shifted away from attacking traditional banks and financial institutions to stealing decentralized cryptocurrencies, which it used to continue funding major nuclear tests.
Blockchain data
North Korea’s rapid nuclear development is due to the Kim Jong-un government’s use of the “all-purpose sword” of cyberattacks – a year-long focus on training a cyber army of hackers to steal large sums of money through cyberattacks targeting government agencies, financial institutions, and even the general public.
Kim Jong-un ordered an increase in weapons-grade nuclear material to boost the country’s nuclear arsenal, and North Korea launched a record number of at least 90 missiles in 2022 alone. The U.S. and South Korean governments believe preparations for a seventh nuclear weapons test have been completed.
U.S. Deputy National Security Advisor Anne Neuberger estimates that about one-third of the cryptocurrency stolen by North Korea was used for its weapons program. The UN report also said the cryptocurrency stolen by North Korea through cyberattacks is an “important source of revenue” for Pyongyang’s nuclear and ballistic missile programs.
Citing a UN report that is not publicly available, Reuters reported that North Korea stole a record haul of cryptocurrencies in 2022: $1.7 billion, according to an analysis of publicly available transaction data by blockchain analysis firm Chainalysis. Compared to North Korea’s total exports of just $142 million in 2020, it is clear that cryptocurrency hacking has become a major source of revenue for the North Korean treasury.
Decentralized Finance
In the traditional financial industry, fiat currencies such as the U.S. dollar and the Hong Kong dollar are issued by centralized institutions, and moving money relies on financial institutions, for example withdrawing and depositing fiat currency through banks. In contrast, cryptocurrencies are built on blockchain technology, are not issued by any central authority, and let anyone create “wallets” to receive and send funds pseudonymously, without relying on banks to verify transactions.
When users transfer cryptocurrency funds, the transactions are recorded on a “distributed ledger” (distributed ledger technology, DLT), which is not held by a single institution but is replicated across a peer-to-peer (P2P) network, where each participant stores an identical public copy of the ledger.
The “anonymous” and “decentralized” nature of cryptocurrencies means that a cryptocurrency theft would not play out like the Bangladesh Bank incident: there would be no Federal Reserve in a position to block the remaining $851 million.
The WannaCry attack successfully stole $625 million in cryptocurrency, making Lazarus even more determined to shift the focus of its attacks to cryptocurrency targets. Initially, their targets were primarily cryptocurrency exchanges. Although the hackers are no longer targeting traditional financial institutions, the tactics remain similar: phishing or social engineering to plant malware-infected files on a target company’s computers and gain access to its information systems, and from there to transfer money out of its digital wallets. Once funds have been moved to an address controlled by North Korea, the hackers begin the money laundering process.
With the rise of cryptocurrencies, a number of centralized exchanges (CEX) have emerged around the world to facilitate the purchase of cryptocurrencies with currencies such as the U.S. dollar, the exchange of one cryptocurrency for another, and the conversion of cryptocurrencies back into fiat currencies.
This also means that a centralized exchange, like a traditional bank, requires its customers to complete real-name verification, and the exchange holds all records of the money’s movement. So no matter how easy it is to steal cryptocurrencies, North Korea still needs to devote resources to money laundering.
It is not difficult to hack a cryptocurrency exchange; the real challenge is in converting the cryptocurrency into cash to purchase nuclear weapons material.
What warrants international attention and concern is not who is the target of North Korea’s attacks, but rather North Korea’s increasingly sophisticated money laundering methods: hiding as much of the record of the money’s flow on the blockchain as possible before converting it to legal tender, so that investigators cannot trace the source of the funds.
In the first few attacks, Lazarus laundered money by writing automated scripts to execute “peel chains.” A peel chain moves a large sum of stolen money through a sequence of addresses, peeling off a small amount at each step into a fresh address while the remainder moves on to the next, so that no single transaction is large enough to draw a trading platform’s attention. At the same time, the hackers also started using mixers. A cryptocurrency mixer pools a transaction with many others so that a third party is less likely to connect the funds that come out with the funds that went in.
However, there are still loopholes in the money laundering process, as North Korea has repeatedly used the same coin mixer, making it easier for investigators to deduce the organization’s money laundering patterns. In addition, former U.S. President Donald Trump expanded the scope of unilateral U.S. sanctions in 2017, freezing the assets of any person or company with business ties to North Korea in the United States.
Fearing the loss of access to the U.S. market, companies from various countries were inclined to stop trading with North Korea, effectively cutting off North Korea’s access to the global financial system and leaving the government in Pyongyang to rely on “over-the-counter brokers” to convert stolen cryptocurrency into fiat currency.
In this attack, two Chinese nationals, Tian Yinyin and Li Jiadong, were sanctioned by the U.S. Treasury Department for assisting in the conversion of stolen cryptocurrency into fiat currency. Their assets in the U.S. were frozen, and Americans were banned from doing business with them.
In Sept. 2020, hackers stole more than $280 million from Singaporean cryptocurrency exchange KuCoin, which was equal to more than half of all cryptocurrencies stolen in 2020.
Cryptocurrency regulations tighten
Despite North Korea’s continued improvements in money laundering and programming techniques, its cryptocurrency nuclear agenda remains unpredictable.
As North Korea has improved its cryptocurrency capabilities, law enforcement’s ability to track funds across networks of crypto addresses has also grown, and one by one, agencies have begun to recover stolen funds.
Norwegian police seized $5.8 million worth of cryptocurrency stolen by North Korea from the Ronin Network attack in 2023. The FBI, working with cryptocurrency organizations, also traced North Korea’s attempts to convert stolen funds into legal tender and, together with law enforcement and industry partners, froze more than $30 million in cryptocurrency.
Because every crypto transaction is recorded in a public ledger, there is no time limit on tracing where the money goes, and it can be recovered years after the crime. This, combined with efforts by agencies like the U.S. Office of Foreign Assets Control (OFAC) to cut off the preferred money laundering services of hackers from the rest of the cryptocurrency ecosystem, suggests that these hacks will become increasingly difficult and fruitless over time.
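The two points made above, that a peel chain spreads a large theft across many small hops and that the public ledger lets investigators trace those hops at any later time, can be illustrated with a small forward-tracing script. The following is an added example written for this page, not code from the article or from any investigator or analysis firm. It works on a constructed toy ledger: the address names, the simplified transaction format (one spending address, a list of outputs), the 5% “peel” threshold, the minimum chain length, and the list of exchange deposit addresses are all assumptions chosen for the illustration.

```python
from collections import deque

# Constructed sample ledger (not real blockchain data). Each transaction
# spends the balance of one input address into one or more outputs.
SAMPLE_TXS = [
    {"txid": "t1", "inputs": ["stolen0"], "outputs": [("peel1", 0.5), ("hop1", 99.5)]},
    {"txid": "t2", "inputs": ["hop1"], "outputs": [("peel2", 0.4), ("hop2", 99.1)]},
    {"txid": "t3", "inputs": ["hop2"], "outputs": [("peel3", 0.6), ("hop3", 98.5)]},
    {"txid": "t4", "inputs": ["hop3"], "outputs": [("peel4", 0.5), ("hop4", 98.0)]},
    {"txid": "t5", "inputs": ["hop4"], "outputs": [("cex_deposit_A", 98.0)]},
    {"txid": "t6", "inputs": ["peel1"], "outputs": [("cex_deposit_B", 0.5)]},
    # Unrelated traffic that must not be flagged.
    {"txid": "t7", "inputs": ["alice"], "outputs": [("bob", 3.0)]},
    {"txid": "t8", "inputs": ["bob"], "outputs": [("carol", 1.0), ("bob_change", 2.0)]},
]

# Hypothetical deposit addresses a cooperating exchange shared with investigators.
KNOWN_EXCHANGE_DEPOSITS = {"cex_deposit_A", "cex_deposit_B"}


def spends_by_address(txs):
    """Index: address -> the transactions that spend from it, in ledger order."""
    index = {}
    for tx in txs:
        for addr in tx["inputs"]:
            index.setdefault(addr, []).append(tx)
    return index


def taint_forward(txs, seed_addresses):
    """Every address that receives funds reachable (by any path) from the seeds.
    Because the ledger is public and permanent, this walk can be run years later."""
    index = spends_by_address(txs)
    tainted = set(seed_addresses)
    queue = deque(seed_addresses)
    while queue:
        addr = queue.popleft()
        for tx in index.get(addr, []):
            for out_addr, _amount in tx["outputs"]:
                if out_addr not in tainted:
                    tainted.add(out_addr)
                    queue.append(out_addr)
    return tainted


def peel_step(tx, peel_ratio):
    """If tx is shaped like one peel-chain hop (two outputs, one tiny),
    return (peeled_addr, change_addr); otherwise None."""
    if len(tx["outputs"]) != 2:
        return None
    small, large = sorted(tx["outputs"], key=lambda o: o[1])
    total = small[1] + large[1]
    if total > 0 and small[1] <= peel_ratio * total:
        return small[0], large[0]
    return None


def find_peel_chains(txs, seed_addresses, peel_ratio=0.05, min_hops=3):
    """Follow the change output of consecutive peel-shaped transactions from
    each seed. Returns a list of chains (lists of txids) with >= min_hops hops."""
    index = spends_by_address(txs)
    chains = []
    for seed in seed_addresses:
        current, chain, seen = seed, [], {seed}
        while True:
            step = None
            for tx in index.get(current, []):
                step = peel_step(tx, peel_ratio)
                if step:
                    chain.append(tx["txid"])
                    break
            if not step or step[1] in seen:   # chain ended or looped back
                break
            seen.add(step[1])
            current = step[1]
        if len(chain) >= min_hops:
            chains.append(chain)
    return chains


def tainted_exchange_deposits(txs, seed_addresses, exchange_addresses):
    """Tainted addresses belonging to a cooperating exchange: the cash-out
    points to which a freeze request would be sent."""
    return sorted(taint_forward(txs, seed_addresses) & set(exchange_addresses))


if __name__ == "__main__":
    seeds = ["stolen0"]
    print("peel chains:", find_peel_chains(SAMPLE_TXS, seeds))
    print("freeze at:", tainted_exchange_deposits(SAMPLE_TXS, seeds, KNOWN_EXCHANGE_DEPOSITS))
```

The peel heuristic is deliberately simple (two outputs, the smaller under a fixed fraction of the total); real tracing tools combine it with clustering of addresses by common spending and with timing, and they stop the walk where funds enter a mixer or an exchange hot wallet, since beyond that point the path is no longer one-to-one. The tracing itself is the part the article stresses: the ledger does not forget, so the same walk can be rerun whenever an exchange later shares its deposit addresses.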
This increased scrutiny may make it more difficult for North Korea to convert stolen currency into cash. The U.S. Treasury Department, for example, has expanded its sanctions from the government in Pyongyang to the mixers it uses. In 2022, the Treasury Department ordered the freezing of the assets of Tornado Cash and Blender.io, two mixers commonly used by North Korea, and banned U.S. citizens from using the platforms.
The volatility of cryptocurrency prices has also created uncertainty for North Korea’s nuclear weapons plans: the value of cryptocurrencies plummeted in mid-2022, and the industry became even less predictable with the collapse of the exchange FTX, which declared bankruptcy that year.
According to Chainalysis, a blockchain analysis firm, the value of the still-unlaundered portion of the funds stolen by North Korea in 49 hacks between 2017 and 2021 has dropped from $170 million to $65 million since the beginning of 2022.
Chainalysis has also seen an increase in attacks on non-cryptocurrency platforms by North Korean hackers, most likely due to tightening sanctions and seizures of stolen funds.
Still, Luke McNamara, chief analyst at Google’s cyber security unit, says that North Korea’s cryptocurrency attacks will likely continue: “Despite the huge volatility of the cryptocurrency market, there are business opportunities and there are investors. North Korea is seeing this as the soft underbelly behind the various project systems. So as long as new blockchain projects continue to emerge in the market, cryptocurrencies will remain very attractive to North Korea.”