North Korean Crypto Theft Totals $400 Million in 2021
Chainalysis: Much of the Activity Linked to Regime-Backed Lazarus Group
North Korean cybercriminals escalated their illicit campaigns throughout 2021, frequently carrying out cryptocurrency exchange hacks to siphon hot-wallet funds, launder the gains and cash out via decentralized exchanges. New data from the blockchain security firm Chainalysis says the regime's state-backed hackers lifted nearly $400 million in cryptoassets last year - hitting investment firms and centralized exchanges.
In its new report, the firm says North Korean threat actors made use of phishing lures, code exploits, malware and advanced social engineering to steal digital currencies from internet-connected "hot" wallets and route them to addresses controlled by the Democratic People's Republic of Korea. Once in possession of the tokens, Chainalysis says, "they began a careful laundering process to cover up and cash out."
The firm warns that much of the activity was likely carried out by APT 38, known as Lazarus Group, which is tied to North Korea's primary intelligence agency, the Reconnaissance General Bureau, an entity sanctioned by the U.S. and the United Nations. A profile of APT 38, which has previously been linked to the Sony Pictures and WannaCry cyberattacks, from the security firm Mandiant notes that the group is "a large, prolific operation with extensive resources" and "characterized by long planning [and] extended periods of access."
North Korea-linked hackers generally have proven successful in their activities for several reasons, Erin Plante, senior director of investigations at Chainalysis, tells ISMG.
She credits the groups with sophisticated infiltration techniques, generally involving phishing and social engineering; methodical laundering involving mixers and decentralized exchanges; and an ability to cash out at Asia-based exchanges lacking rigid know-your-customer standards.
As evidence of the groups' intense focus on crypto crime, Chainalysis cites individual hacks on the exchange KuCoin and on another unnamed platform, each of which netted more than $250 million. The United Nations Security Council has also warned that revenue generated from the hacks supports North Korea's weapons programs, the blockchain firm says.
Flow of Funds
The researchers say the number of known North Korea-linked hacks jumped from four to seven cases between 2020 and 2021, and the value extracted from the hacks grew by 40%. They add that Bitcoin now accounts for less than one-fourth (20%) of the tokens stolen by the regime. Ether accounted for the majority, at 58%.
The state-backed theft of several types of cryptocurrencies has also increased the complexity of the regime's laundering operation, Chainalysis says. The firm documents the process as follows:
- Ethereum Request for Comment 20, or ERC-20, tokens and altcoins are swapped for Ether via a decentralized exchange, or DEX;
- Ether is mixed and then swapped for Bitcoin via the DEX;
- The Bitcoin is mixed and consolidated into new wallets;
- Bitcoin is then sent to deposit addresses at Asia-based crypto-to-fiat exchanges serving as cash-out points.
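To show how a defender might spot the four-stage chain above in transaction data, here is an added illustration (not code from the article or from Chainalysis): a small tracer that walks constructed transfers from a victim hot wallet, flags paths whose address labels follow the DEX, mixer, DEX, mixer, exchange-deposit sequence, and computes the share of stolen value routed through a mixer. All addresses, labels and USD amounts are constructed placeholders; real labels would come from an attribution dataset.

```python
from collections import defaultdict
# Constructed example data: labels, transfers and USD values are placeholders, not chain data.
LABELS = {"0xhot": "victim_hot_wallet", "0xdex": "dex", "0xmixE": "mixer",
          "0xswap": "dex", "bc1mixB": "mixer", "bc1new": "unknown",
          "bc1exchA": "cex_deposit", "bc1exchB": "cex_deposit"}
TRANSFERS = [  # (from, to, asset, usd_value)
    ("0xhot", "0xdex", "ERC20", 700_000),    # 1: ERC-20 swapped for ETH on a DEX
    ("0xdex", "0xmixE", "ETH", 700_000),     # 2: ETH mixed ...
    ("0xmixE", "0xswap", "ETH", 700_000),    #    ... then swapped for BTC
    ("0xswap", "bc1mixB", "BTC", 700_000),   # 3: BTC mixed and consolidated
    ("bc1mixB", "bc1new", "BTC", 700_000),
    ("bc1new", "bc1exchA", "BTC", 700_000),  # 4: deposit at a cash-out exchange
    ("0xhot", "bc1exchB", "BTC", 300_000),   # unmixed branch straight to an exchange
]
# Label categories that must appear in this order along a path (other hops may sit between).
PATTERN = ["dex", "mixer", "dex", "mixer", "cex_deposit"]

def build_graph(transfers):
    graph = defaultdict(list)
    for src, dst, _asset, usd in transfers:
        graph[src].append((dst, usd))
    return graph

def trace_paths(graph, start, path=()):
    """Depth-first list of simple paths from start to addresses with no outflow."""
    path = path + (start,)
    nexts = [dst for dst, _ in graph.get(start, []) if dst not in path]
    return [path] if not nexts else [p for d in nexts for p in trace_paths(graph, d, path)]

def matches_pattern(path, pattern=PATTERN):
    """True if the labels along path contain pattern as an ordered subsequence."""
    remaining = list(pattern)
    for addr in path[1:]:
        if remaining and LABELS.get(addr) == remaining[0]:
            remaining.pop(0)
    return not remaining

def flagged_paths(transfers, victim):
    """Paths from the victim wallet that follow the full laundering chain."""
    return [p for p in trace_paths(build_graph(transfers), victim) if matches_pattern(p)]

def mixer_share(transfers, victim):
    """Fraction of USD leaving the victim whose onward path touches a mixer."""
    graph, total, mixed = build_graph(transfers), 0, 0
    for dst, usd in graph[victim]:
        total += usd
        if any("mixer" in [LABELS.get(a) for a in p] for p in trace_paths(graph, dst)):
            mixed += usd
    return mixed / total if total else 0.0
```

On the constructed data, only the seven-hop branch is flagged and 70% of the outflow value passes through a mixer, which is the kind of per-incident statistic behind the report's 65% figure.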
Chainalysis also cites a "massive increase" in North Korean hackers' use of mixers - software tools that pool and obfuscate tokens from thousands of addresses - in 2021. It says 65% of the regime's stolen funds were sent through mixers, which is up from 42% in 2020. The researchers suggest it demonstrates an increasingly "cautious" cash-out approach.
The report also stresses the regime's reliance on decentralized finance, or DeFi, platforms, since they "don't take custody of user funds, and many do not collect know-your-customer information, meaning that cybercriminals can use these platforms without having their assets frozen or their identities exposed."
"We've seen explosive growth in the DeFi ecosystem over the past two years, and have in tandem seen these actors hack DeFi platforms and leverage them for laundering funds. I expect that trend to continue into 2022, and it's a warning to new platforms to invest in security early," Chainalysis' Plante tells ISMG.
The firm also identified $170 million in North Korean-held balances, related to 49 hacks between 2017 and 2021, that remain unlaundered. Of that, $35 million came from attacks in 2020 and 2021, while $55 million traces back to attacks from 2016.
"This suggests that DPRK-linked hackers aren't always quick to move stolen cryptocurrencies through the laundering process," Chainalysis researchers say. "It's unclear why the hackers would still be sitting on these funds, but it could be that they are hoping law enforcement interest in the cases will die down, so they can cash out without being watched."
The researchers say that at the final stages of the regime-linked hacks, the threat actors moved obfuscated Bitcoin to Asia-based exchanges, where it was then swapped for fiat currency, such as China's renminbi.
These actions, the researchers state, "paint a portrait of a nation that supports cryptocurrency-enabled crime on a massive scale. Systematic and sophisticated, North Korea's government … has cemented itself as an advanced persistent threat to the cryptocurrency industry."
Some security experts say the hackers' Ethereum-based campaigns are no doubt cause for concern.
"It is interesting that North Korea and other nation-state cybercriminals are zeroing in on tokens based on Ethereum," Karl Steinkamp, director of delivery, digital transformation and automation at the firm Coalfire, tells ISMG. "This path has and continues to be fraught with cybersecurity vulnerabilities in one or more components of the token's smart contracts, which are being leveraged to rapidly empty individual and admin digital wallets.
"I would expect this trend to continue until the Ethereum-based tokens market takes the purposeful step to build more proactive security within each of the products."
Hank Schless, senior manager of security solutions for the firm Lookout, tells ISMG, "Crypto platform providers need to ensure that their employees are protected and don't become conduits for cybercriminals to make their way into the infrastructure. Employees are constantly targeted by mobile phishing and other attacks that would give a cybercriminal a backstage pass to the company's infrastructure."
The new data on Lazarus Group and other RGB-linked activity comes on the heels of another warning from the cybersecurity and antivirus firm Kaspersky, which this week said the North Korea-backed gang BlueNoroff is now targeting small and mid-sized cryptocurrency startups in a campaign called "SnatchCrypto" (see: North Korean APTs Target Cryptocurrency Startups).
Kaspersky says the gang has ties to Lazarus Group and has been tracked impersonating phony crypto-related companies or major venture capital firms to spear-phish crypto platforms and subsequently breach their networks to seize cryptoassets.