Chainalysis: Pyongyang stole $1.7 billion in crypto, mostly from DeFi platforms
The wave of state-sponsored cryptocurrency thefts by North Korea continued last year, as hackers in Pyongyang stole around $1.7 billion in digital assets, nearly half of all cryptocurrency stolen worldwide in 2022, according to a new analysis.
That $1.7 billion was probably a big chunk of North Korea’s economy and funded its nuclear weapons program, said blockchain analytics company Chainalysis. North Korea is the rare country whose state-sponsored hackers attack for their country’s financial gain. The hereditary totalitarian regime that has ruled the country since 1948 has long funded criminal activities in a quest for hard currency, given its autarky and self-imposed pariah status on the world stage.
Cybercriminals, including hackers linked to North Korea, use cryptocurrency for the same reasons legitimate users do: it is cross-border, liquid and instant, Erin Plante, senior director of investigations at Chainalysis, told Information Security Media Group. “It’s particularly beneficial for countries that are cut off from the global economy,” she says.
North Korean hackers are “systematic and sophisticated” in hacking and laundering stolen funds and are backed by a nation that supports large-scale cryptocurrency-enabled crime, Plante says.
Decentralized finance presents a particularly attractive target for hackers of all stripes, and Pyongyang has taken advantage of it. DeFi protocols are open source, allowing hackers to study them exhaustively for exploitable flaws, Plante says. It is possible that protocols’ incentive to reach market and scale quickly leads to lapses in security best practices, she adds. Of the $3.8 billion recorded as stolen by hackers in 2022, $3.1 billion was taken from DeFi platforms.
North Korean hackers use phishing lures, code exploits, malware and advanced social engineering to siphon funds into wallets they control, Plante says. They have a “calculated” laundering method and deploy obfuscation techniques such as mixing to break the link between the cryptocurrency they deposit and the cryptocurrency they withdraw. They also move stolen funds via chain hopping, the practice of swapping between several different cryptocurrencies in a single transaction.
As long as the crypto assets held in DeFi services are valuable and vulnerable, bad actors will try to steal them. The only way to stop them is for the industry to tighten security and train crypto firms to identify threats, such as social engineering, which are widely used by groups such as Lazarus, she said.
Off-Ramp Stolen Funds
Cryptomixers are a “cornerstone” of North Korean money laundering, according to Chainalysis. “Funds from hacks by North Korean-linked hackers are being transferred to mixers at a much higher rate than funds stolen by other individuals or groups.”
Cryptomixer Tornado Cash was a favored platform for money laundering in 2021 and most of 2022, although the US put an end to it by sanctioning the service in August, crippling its use. Although still operational, mixers are less effective when fewer people use them, as the service relies on volume to hide the origin and destination of funds on its platform (see: North Korea Avoids Tornado Cash After US Imposes Sanctions).
Hackers linked to North Korea are unlikely to be deterred by the threat of US sanctions. But sanctions make it harder for threat actors to cash in on their ill-gotten gains, Plante says.
According to Chainalysis, criminals diversified their use of mixers in the fourth quarter of 2022. They appear to have focused on Sinbad, a bitcoin mixer that began advertising its services two months after the federal government sanctioned Tornado Cash. Investigators from the analytics firm observed the first transactions by North Korean hackers on the platform in December.
Between December 2022 and January 2023, hackers laundered $24.2 million through the mixer, Chainalysis concludes. This includes the North Korea-linked Lazarus Group, which laundered “some” of the funds stolen in the $600 million hack of Axie Infinity via Sinbad.
Hackers are also increasingly using underground services that aren’t as well-known as standard mixers, accessible only through private messaging apps or the Tor browser, and usually only advertised on darknet forums, Plante tells ISMG.
She also sees an increase in branded services with custom infrastructure of varying complexity. Some simply operate as networks of private wallets, while others are more like an instant exchanger or mixer, she says. “What connects them is their ability to move cryptocurrency to exchanges on behalf of cybercriminals, exchange it for fiat currency or clean crypto, and then send it back to cybercriminals.”
Law enforcement, says Plante, must continue to develop its ability to seize stolen cryptocurrency, to the point that hacks are no longer worthwhile.
Last year, federal agents seized funds that North Korean hackers stole in the Axie Infinity Ronin Bridge hack by partnering with Web3 security companies and tracing the funds on the blockchain. The US FBI has also identified Lazarus as the culprit in the $100 million hack of Harmony’s Horizon Bridge.
Similar actions will almost certainly occur in 2023, Plante says.
“When every transaction is recorded in a public ledger, it means law enforcement always has a lead to follow, even years after the fact, which is invaluable as investigative techniques improve with the times.”
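Plante's closing point, that a public ledger always leaves investigators a lead, and the article's earlier observation that proceeds of North Korean hacks flow to mixers at an unusually high rate, are both things a blockchain analyst expresses as taint tracing over the transaction graph. The script below is an added illustration of that technique and is not Chainalysis code or any tool named in the article. The ledger, addresses, amounts, opening balances and service labels are all constructed for the example; it replays transfers in order, carries a "tainted" share of each balance forward pro rata (the haircut method, so stolen funds commingled with clean funds are diluted rather than marking everything downstream as stolen), reports what fraction of the stolen amount reached mixer and exchange deposit addresses, and enumerates the hop-by-hop paths from the hack address to each labelled service.

```python
"""Haircut taint-tracing over a constructed ledger (added example, not Chainalysis tooling)."""
from collections import defaultdict

# Constructed sample ledger, in chronological order: (tx id, sender, receiver, amount).
# Every address and amount here is made up for the example.
LEDGER = [
    ("tx1", "hack_0xA", "hop_0xB", 100.0),
    ("tx2", "hack_0xA", "hop_0xC", 50.0),
    ("tx3", "hop_0xB", "mixer_dep_0xM", 60.0),    # deposit into a mixer
    ("tx4", "hop_0xB", "hop_0xD", 40.0),
    ("tx5", "hop_0xC", "exch_dep_0xE1", 50.0),    # deposit at an exchange
    ("tx6", "merchant_0xZ", "hop_0xD", 10.0),     # unrelated clean funds land on hop_0xD
    ("tx7", "hop_0xD", "exch_dep_0xE2", 40.0),
]

# Attribution labels an analyst maintains for known service deposit addresses (constructed).
LABELS = {"mixer_dep_0xM": "mixer", "exch_dep_0xE1": "exchange", "exch_dep_0xE2": "exchange"}

# Opening balances (constructed) as (tainted, total): the hack address holds the stolen 150,
# the merchant holds 10 of clean funds.
OPENING = {"hack_0xA": (150.0, 150.0), "merchant_0xZ": (0.0, 10.0)}
STOLEN_TOTAL = 150.0


def trace_taint(ledger, opening, labels):
    """Replay the ledger and carry a tainted share with every transfer (haircut method).

    Each address keeps [tainted, total]. A transfer of v from A moves v * tainted[A]/total[A]
    of taint, so commingled clean and stolen funds dilute the taint pro rata.
    Returns per-address balances and the list of tainted deposits into labelled services.
    """
    bal = defaultdict(lambda: [0.0, 0.0])
    for addr, (tainted, total) in opening.items():
        bal[addr] = [tainted, total]
    hits = []  # (tx id, receiver, service label, tainted amount received)
    for tx, src, dst, v in ledger:
        tainted, total = bal[src]
        if total + 1e-9 < v:
            raise ValueError(f"{tx}: {src} spends {v} but only holds {total}")
        frac = tainted / total if total > 0 else 0.0
        t = v * frac
        bal[src][0] -= t
        bal[src][1] -= v
        bal[dst][0] += t
        bal[dst][1] += v
        if dst in labels and t > 0:
            hits.append((tx, dst, labels[dst], t))
    return {a: tuple(b) for a, b in bal.items()}, hits


def service_exposure(hits, stolen_total):
    """Share of the stolen amount that reached each service type (mixer, exchange, ...)."""
    by_label = defaultdict(float)
    for _, _, label, t in hits:
        by_label[label] += t
    return {label: amt / stolen_total for label, amt in by_label.items()}


def trace_paths(ledger, start, labels):
    """Enumerate hop-by-hop paths from the start address to every labelled service address."""
    out = defaultdict(list)
    for tx, src, dst, _ in ledger:
        out[src].append((dst, tx))
    paths = []

    def walk(addr, path, seen):
        if addr in labels:          # reached a known service: record the lead
            paths.append(path)
            return
        for nxt, tx in out.get(addr, []):
            if nxt not in seen:     # ignore cycles through the same address
                walk(nxt, path + [(tx, nxt)], seen | {nxt})

    walk(start, [(None, start)], {start})
    return paths


if __name__ == "__main__":
    balances, hits = trace_taint(LEDGER, OPENING, LABELS)
    for tx, dst, label, t in hits:
        print(f"{tx}: {t:.2f} tainted -> {label} address {dst}")
    print("exposure:", service_exposure(hits, STOLEN_TOTAL))
    for p in trace_paths(LEDGER, "hack_0xA", LABELS):
        print(" -> ".join(addr + (f" [{tx}]" if tx else "") for tx, addr in p))
```

On the constructed ledger, 60 of the 150 stolen units (40%) land on the mixer address and 82 reach exchange deposit addresses; the last exchange deposit carries only 32 of its 40 units as tainted because 10 units of clean merchant funds were commingled on `hop_0xD` first. The mixer-share figure is the kind of metric behind the article's statement that hack proceeds move to mixers at a higher rate, and the exchange deposit addresses are where a seizure request would be directed. Real investigations work the same way on public chain data, with the labels coming from attribution work rather than a hard-coded dictionary.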