North Korean hackers have allegedly stolen billions of dollars worth of cryptocurrency to fund the nation’s missile program. Reports suggest the country trains criminals to pose as tech workers and employers, resulting in an estimated haul of $3 billion.
Per the Wall Street Journal, last year, an engineer employed at blockchain gaming company Sky Mavis found himself anticipating a potential job opportunity with a higher salary. Through LinkedIn, a recruiter contacted him, and following a conversation, the recruiter provided the engineer with a document to review as part of the interview procedure.
Unbeknownst to the engineer, the recruiter turned out to be a cog in a vast North Korean operation strategically devised to generate funds for the financially-strained dictatorship.
Concealed within the offer document was a Trojan Horse, a malicious code that granted North Korean hackers entry into the engineer’s computer, ultimately leading to a breach in Sky Mavis’s security. The heist amounted to over $600 million, primarily siphoned from Axie Infinity, Sky Mavis’s digital pets game participants.
According to the blockchain analytics firm Chainalysis, the recent breach marked the largest achievement in North Korea’s five-year spree of digital heists, accumulating over $3 billion.
As reported by U.S. officials, this amount is believed to finance approximately 50 percent of the country’s ballistic missile program, which has been intricately intertwined with its nuclear weapons development.
Notably, defense claims a significant share of North Korea’s overall expenditure. The U.S. State Department estimated that in 2019 Pyongyang allocated approximately $4 billion toward defense endeavors. This amount accounted for 26 percent of its entire economy.
Sky Mavis faced a threat when it fell victim to the cyberattack. Chief operating officer Aleksander Larsen acknowledged that the incident jeopardized the company’s existence. The company has since managed to repay the victims of the attack.
Update: A new largest victim was found on Tron with 7.95M USDT stolen,
The five biggest losses account for $17M.
My graph has now surpassed $35M in total stolen. pic.twitter.com/eqfXkm9vlL
— ZachXBT (@zachxbt) June 4, 2023
“When you look at the amount of funds stolen, [it] would look like an existential threat to what you are building,” he said.
The gravity of the incident and a series of other North Korean cryptocurrency attacks in 2022 has not gone unnoticed by the White House. These persistent cyberattacks have sparked serious concerns within the highest echelons of power.
“The real surge in the last year has been against central crypto infrastructure around the world that hold large sums, like Sky Mavis, leading to more large-scale heists,” said Anne Neuberger, the Joe Biden administration’s deputy national security advisor for cyber and emerging technology. “That has driven us to intensely focus on countering this activity.”
North Korea’s foray into major cryptocurrency attacks commenced in 2018. Subsequently, there has been a noticeable surge in the regime’s missile launch attempts and achievements, with the James Martin Center for Nonproliferation Studies recording over 42 successful launches in 2022 alone.
U.S. officials highlighted the limited knowledge of North Korea’s funding sources amid U.S. sanctions. Consequently, it remains challenging to ascertain the exact impact of crypto theft on the heightened frequency of missile tests.
Similarly, according to Neuberger, approximately 50 percent of North Korea’s foreign currency funding for procuring foreign components essential to its ballistic missile program now stems from the regime’s cyber operations. This represents a significant surge compared to previous estimates, placing the figure at one-third of the total funding for these programs.
We have received reports of wallets being compromised. We are doing all we can to investigate and analyse the situation. As we have more information, we will share it accordingly.
For any questions and concerns, contact [email protected]
— Atomic – Crypto Wallet (@AtomicWallet) June 3, 2023
Geopolitical ambitions and cyber theft
According to U.S. officials, North Korea has established a clandestine workforce comprised of thousands of IT professionals stationed in various countries worldwide, including Russia and China.
These individuals engage in seemingly ordinary technology tasks, earning substantial incomes exceeding $300,000 annually. However, investigators assert that this workforce is frequently interconnected with the regime’s cybercriminal operations.
These individuals have adopted various deceptive personas, assuming roles such as Canadian IT professionals, government officials and independent Japanese blockchain developers.
Their modus operandi includes engaging in video interviews to secure employment opportunities. Additionally, as illustrated by the case of Sky Mavis, they also impersonate prospective employers.
In their quest to secure positions at cryptocurrency companies, scammers employ a specific strategy. They recruit Western “front people” who essentially act as decoys during job interviews. These decoys are used to conceal the fact that the actual individuals being hired are North Koreans.
Once successfully employed, the scammers occasionally introduce minor modifications to products. These modifications are designed to create vulnerabilities within the systems. As a result, they can carry out hacking activities.
Around two years ago, hackers associated with North Korea initiated a campaign targeting U.S. hospitals, unleashing ransomware attacks. This cyberattack involves encrypting the victim company’s files and demanding payment in exchange for their release.
“It seems like a modern-day pirate state,” said Nick Carlsen, a former FBI analyst currently employed at the blockchain tracing firm TRM Labs. He further elaborated, saying, “They’re just out there raiding.”
Carlsen emphasized that eliminating these fraudulent IT workers remains an ongoing challenge.
A huge shoutout goes to @buffalu__ @brian_smith_0 for helping us successfully rescue $1m from the Atomic Wallet hacker for one of the victims.
— ZachXBT (@zachxbt) June 4, 2023
North Korean hacking over the years
A United Nations report from 2020 highlighted the regime’s revenue-generating hacking activities, describing them as “low-risk, high-reward,” challenging to identify, and marked by increasing levels of sophistication that often impede accurate attribution.
Over the years, the U.S. and other Western governments have consistently attributed a series of cyberattacks to North Korea, encompassing incidents like the 2014 Sony Pictures hack and a widespread global ransomware attack in 2017.
However, recent developments indicate that North Korea has shifted its focus towards utilizing cyberattacks as a means to generate substantial financial gains.
Simultaneously, North Korea has made significant strides in enhancing its technical capabilities, allowing the execution of large-scale thefts with greater finesse, as affirmed by U.S. officials and security experts.
“Most nation-state cyber programs are focused on espionage or attack capabilities for traditional geopolitical purposes,” Neuberger said. “The North Koreans are focused on theft, on hard currency to get around the rigor of international sanctions.”
Back in 2016, hackers associated with North Korea orchestrated a brazen cyberattack that resulted in the theft of $81 million from the central bank of Bangladesh. This act was part of an elaborate scheme to execute a $1 billion cyberheist, which was thwarted by the intervention of the Federal Reserve Bank of New York.
