The nosedive in cryptocurrency markets has wiped out millions of dollars in funds stolen by North Korean hackers, four digital investigators say, threatening a key source of funding for the sanctions-stricken country and its weapons programmes.
North Korea has poured resources into stealing cryptocurrencies in recent years, making it a potent hacking threat and leading to one of the largest cryptocurrency heists on record in March, in which almost US$615 million was stolen, according to the US Treasury.
The sudden plunge in crypto values, which started in May amid a broader economic slowdown, complicates Pyongyang’s ability to cash in on that and other heists, and may affect how it plans to fund its weapons programmes, two South Korean government sources said. The sources declined to be named because of the sensitivity of the matter.
It comes as North Korea tests a record number of missiles – which the Korea Institute for Defense Analyses in Seoul estimates have cost as much as US$620 million so far this year – and prepares to resume nuclear testing amid an economic crisis.
Old, unlaundered North Korean crypto holdings monitored by the New York-based blockchain analytics firm Chainalysis, which include funds stolen in 49 hacks from 2017 to 2021, have decreased in value from US$170 million to US$65 million since the beginning of the year, the company told Reuters.
One of North Korea’s cryptocurrency caches from a 2021 heist, which had been worth tens of millions of dollars, has lost 80% to 85% of its value in the last few weeks and is now worth less than US$10 million, said Nick Carlsen, an analyst with TRM Labs, another US-based blockchain analysis firm.
A person who answered the phone at the North Korean embassy in London said he could not comment on the crash because allegations of cryptocurrency hacking are “totally fake news.”
“We didn’t do anything,” said the person, who would only identify himself as an embassy diplomat. North Korea’s foreign ministry has called such allegations US propaganda.
The US$615 million March attack on blockchain project Ronin, which powers the popular online game Axie Infinity, was the work of a North Korean hacking operation dubbed the Lazarus Group, US authorities say.
Carlsen told Reuters that the interconnected price movements of different assets involved in the hack made it difficult to estimate how much North Korea managed to keep from that heist.
If the same attack happened today, the Ether currency stolen would be worth a bit more than US$230 million, but North Korea swapped nearly all of that for Bitcoin, which has had separate price movements, he said.
“Needless to say, the North Koreans have lost a lot of value, on paper,” Carlsen said. “But even at depressed prices, this is still a huge haul.”
The US says Lazarus is controlled by the Reconnaissance General Bureau, North Korea’s primary intelligence bureau. It has been accused of involvement in the “WannaCry” ransomware attacks, hacking of international banks and customer accounts, and the 2014 cyber-attacks on Sony Pictures Entertainment.
Analysts are reluctant to provide details about what types of cryptocurrency North Korea holds, which might give away investigation methods. Chainalysis said that Ether, a common cryptocurrency linked to the open-source blockchain platform Ethereum, was 58%, or about US$230 million, of the US$400 million stolen in 2021.
Chainalysis and TRM Labs use publicly available blockchain data to trace transactions and identify potential crimes. Such work has been cited by sanctions monitors, and according to public contracting records, both firms work with US government agencies, including the IRS, FBI and DEA.
North Korea is under widespread international sanctions over its nuclear programme, giving it limited access to global trade or other sources of income and making crypto heists attractive, the investigators say.
‘Fundamental’ to nuclear programme
Although cryptocurrencies are estimated to be only a small portion of North Korea’s finances, Eric Penton-Voak, a coordinator of the United Nations panel of experts that monitors sanctions, said at an event in April in Washington, DC, that cyberattacks have become “absolutely fundamental” to Pyongyang’s ability to evade sanctions and raise money for its nuclear and missile programmes.
In 2019, sanctions monitors reported that North Korea had generated an estimated US$2 billion for its weapons of mass destruction programmes using cyberattacks.
One estimate from the Geneva-based International Campaign to Abolish Nuclear Weapons says North Korea spends about US$640 million per year on its nuclear arsenal. The country’s gross domestic product was estimated in 2020 to be around US$27.4 billion, according to South Korea’s central bank.
Official sources of revenue for Pyongyang are more limited than ever under self-imposed border lockdowns to combat Covid-19. China – its biggest commercial partner – said in 2021 that it had imported just over US$58 million in goods from North Korea, amid some of the lowest level of official bilateral trade in decades. Official numbers do not include smuggling.
North Korea already only gets a fraction of what it steals because it must use brokers willing to convert or buy cryptocurrencies with no questions asked, said Aaron Arnold of the RUSI think-tank in London. A February report by the Center for a New American Security (CNAS) estimated that in some transactions, North Korea only gets one-third of the value of the currency it has stolen.
After obtaining cryptocurrency in a heist, North Korea sometimes converts it to Bitcoin, then finds brokers who will buy it at a discount in exchange for cash, which is often held outside the country.
“Much like selling a stolen Van Gogh, you’re not going to get fair market value,” Arnold said.
Converting to cash
The CNAS report found that North Korean hackers exhibit only “moderate” concern over hiding their role, compared to many other attackers. That allows investigators to sometimes follow digital trails and attribute attacks to North Korea, though rarely in time to recover the stolen funds.
According to Chainalysis, North Korea has turned to sophisticated ways of laundering stolen cryptocurrency, increasing its use of software tools that pool and scramble cryptocurrencies from thousands of electronic addresses – a designator for a digital storage location.
The contents of a given address are often publicly viewable, allowing firms such as Chainalysis or TRM to monitor any that investigations have linked to North Korea.
Attackers have tricked people into giving access or hacked around security to siphon digital funds out of internet-connected wallets into North Korea-controlled addresses, Chainalysis said in a report this year.
The sheer size of recent hacks has strained North Korea’s capacity to convert cryptocurrency to cash as quickly as in the past, Carlsen said. That means some funds have been stuck even as their value drops.
Bitcoin has lost about 54% of its value this year and smaller coins have also been hit hard, mirroring a slide in equities prices linked to investor concerns about rising interest rates and the growing likelihood of a global recession.
“Converting to cash remains a key requirement for North Korea if they want to use the stolen funds,” said Carlsen, who investigated North Korea as an analyst at the FBI. “Most of the commodities or products the North Koreans want to buy are only traded in USD or other fiat, not cryptocurrencies.”
Pyongyang has other, larger sources of funding that it can rely on, Arnold said. UN sanctions monitors have said as recently as December 2021 that North Korea continues to smuggle coal – usually to China – and other major exports banned under Security Council resolutions.
North Korean hackers sometimes appear to wait out rapid dips in the value or exchange rates before converting to cash, said Jason Bartlett, the author of the CNAS report.
“This sometimes backfires as there is little certainty in predicting when the value of a coin will rapidly increase and there are several cases of highly depreciated crypto funds just sitting in North Korea-linked wallets,” he said.
Sectrio, the cybersecurity division of Indian software firm Subex, said there are signs North Korea has begun ramping up attacks on conventional banks again rather than cryptocurrencies in recent months.
The firm’s banking sector-focused “honeypots” – decoy computer systems intended to attract cyberattacks – have seen an increase in “anomalous activities” since the crypto crash, as well as an increase in “phishing” emails, which try to fool recipients into giving away security information, Sectrio said in a report last week.
But Chainalysis said it had yet to see a major change in North Korea’s crypto behaviour, and few analysts expect North Korea to give up on digital currency heists.
“Pyongyang has added cryptocurrency into its sanctions evasion and money laundering calculus and this will likely remain a permanent target,” Bartlett said.