North Korea has been in crypto news quite a bit lately, and not for good reason.
The hermit kingdom has been accused of creating and using elite teams of hackers in order to steal cryptocurrency. This includes the infamous Lazarus Group, which, among other operations, has been accused of hacking Axie Infinity’s Ronin Bridge for US$650 million in March 2022, a record-breaking amount at the time.
This is far from the only operation that North Korea has launched. In more recent news, Atomic Wallet reported that its users were affected by a hack, and subsequent investigation pointed to the involvement of the Lazarus Group once more.
Lest we think that private companies and crypto infrastructure are the only things that North Korea is interested in targeting, North Korea has also supposedly targeted the Bangladesh Central Bank, the Tien Phong Bank in Vietnam, and the Banco del Austro in Ecuador.
But what is North Korea trying to achieve from these attacks? Is there a goal behind these targets, and if so, what is it?
Understanding North Korea
First of all, we should explore North Korea’s position in the international system.
The country has few allies, and counts the US as one of its most steadfast enemies. The country is also a non-signatory of the Nuclear Non-Proliferation Treaty, and is actively developing and testing nuclear weapons.
As such, North Korea has very little trade with the outside world. There is a litany of sanctions against North Korea, including on investment and financial activities, on trade in gold and precious metals, and on the import of minerals, textiles, natural gas, food, and many others.
North Korea, therefore, is not only diplomatically isolated, it is also economically isolated.
The result is that North Korea has resorted to some rather unorthodox ways to try and gain access to foreign currency and foreign products, including hacking cryptocurrency companies and then laundering the money in order to obtain foreign currency.
But why? Apparently, it's to fund their nuclear weapons program.
The North Korean regime views nuclear weapons as an existential issue; in some ways, they are the main guarantee of its independence.
Professor Jonathan Pollack, professor of Asian and Pacific Studies at the Naval War College, argues that the atomic bombings of Hiroshima and Nagasaki during the Second World War taught the Kim regime that nuclear weapons could force even mighty empires into surrender.
It's also a way of keeping their seat at the bargaining table. While countries like Libya negotiated for sanctions removal and international support by giving up their nuclear weapons programs, North Korea has been far less willing to take the same deal, especially since they see how much nuclear weapons can force others to take them seriously.
But nuclear weapons are expensive: the US spends around US$60 billion a year on its nuclear program, and China spends around US$11.7 billion. Evidently, these amounts are staggering sums for a country that has only around US$21 billion a year in GDP.
In order to afford such expenditures, North Korea tries to obtain foreign fiat currencies, which it uses to fund its nuclear weapons program. In recent years, this has taken the form of hacking and stealing cryptocurrency, which is then converted into fiat.
“Most experts agree the North Korean government is using its illicit cryptocurrency activities to fund its nuclear weapons programs. North Korea hacking groups have shown a pattern through these attacks – they typically steal, launder, and convert their crypto into fiat, which are then used for both political and economic motives such as nuclear weapons funding.”
-Erin Plante, Vice President of Investigations, Chainalysis
The evolving threat from North Korea
While many of us might see North Korea as a backward country, the truth is a bit more complicated than that.
North Korea has, over the years, actually embraced technological advancements as a means to further their goals. As everything moves online, North Korea has also been training elite hacking units to take advantage of this trend.
And Erin warns that North Korea’s methods will only improve with time. “Over the years, North Korean-affiliated hackers have become more sophisticated both in terms of laundering stolen funds. They’ve evolved to make use of phishing lures, code exploits, malware, and even advanced social engineering to siphon funds into addresses they control.”
These illicit funds are then laundered through obfuscation methods, such as cryptocurrency mixers, or chain hopping, which is the process of swapping between several different kinds of cryptocurrencies in a single transaction.
In addition, Erin also points out that the support that these hacking groups receive from the government makes them all the more dangerous.
“We do know that North Korea hackers are state-sponsored, and the North Korean regime has built an army of cyber criminals. As a result of state-sponsorship, North Korea hacking groups have access to all the education, resources and support needed, making them especially dangerous.”
North Koreans are apparently sent to China for training, and learn to deploy malware into computers, networks, and servers.
How is the rest of the world responding to this new threat?
Fortunately, stealing cryptocurrency is not as straightforward as one might think. As we have seen, getting control of the cryptocurrency itself is rarely the final step. Cybercriminals like the Lazarus Group still have to launder the funds, often through non-compliant crypto exchanges, before the money can be used.
And the blockchain’s transparency is often a great help in tracking where money is going.
Recent years have seen law enforcement agencies and cryptocurrency investigators not only track where stolen crypto has gone, but also recover some of the stolen money.
“Despite their sophistication, law enforcement agencies’ capabilities to trace, recover and stop North Korean hackers from withdrawing their funds have strengthened through blockchain analysis. This makes it harder for North Korean hackers to get away with these types of attacks.
With the help of law enforcement and leading organizations in the cryptocurrency industry, more than $30 million worth of cryptocurrency stolen by North Korean-linked hackers from the Axie Infinity hack has been seized.
More recently, we also saw South Korean law enforcement track and seize approximately $1 million dollars in stolen funds by North Korea hackers from the Harmony Bridge hack. We expect more such stories in the coming years, largely due to the transparency of the blockchain.”
-Erin Plante, Vice President of Investigations, Chainalysis
That being said, Erin also points out that not every operation is guaranteed to bring back stolen funds. Factors like speed can be decisive in whether hackers get away with stolen funds.
As such, Erin advises businesses to engage crypto incident response services before an incident happens, rather than reaching out only when incidents occur.
“Onboarding processes for any crypto incident response service take time, and this time is better spent before a crisis, rather than after. Success for investigators depends heavily on the speed of response, so it’s imperative that the investigation starts right away to maximise the chances of recovery.
Hackers typically try to move stolen funds to other platforms like exchanges so that they can cash it out in fiat or swap them for other assets to obfuscate the source of funds. So the longer the investigation takes to start, the bigger the lead time for the criminals, and the lower the odds of recovery.”
South Korea, as a prominent target for North Korea, has also been actively trying to protect itself from hackers. In June, the country announced that it had engaged Chainalysis in order to counter the rising threat of crypto crime.
The US has also set up a new unit tasked with countering cyber threats, including from North Korean hackers.
Evidently, countries are beefing up their cybersecurity measures as the threat from North Korea evolves, and are not willing to simply keel over to North Korean hackers.
But how effective will these measures be in stymying North Korean goals? At present, North Korea is estimated to make around half of its foreign currency from cyber attacks. This is a significant proportion of its income. It means that if organisations can reduce the amount of money lost to North Korean hackers by half, it could cut North Korean income by around 25 per cent.
Yet we should understand that these hacks are merely a means to an end, not an end in themselves. North Korea’s goals lie beyond simply getting funds. The funds are used to pursue other ends, such as to develop nuclear weapons and maintain the country’s sovereignty.
This also means that crypto crime is not necessarily a necessity for North Korea: if its interests can be guaranteed through other means, then it is possible that these cyber attacks may cease because they are no longer necessary.
Securing assets is important in making crypto crime less viable, but at the same time, making it politically and economically unnecessary is another strategy that is theoretically possible.
This, however, would almost certainly mean a drastic improvement in relations between North Korea and the rest of the world- South Korea and the US in particular. But given how intractable the problem has proven, at least through the past three generations of the Kim regime, this outcome seems unlikely.
Even if the US, a power in decline, falls from its dominant position in the international system, it remains to be seen if the rest of the world, or any new powers that rise, are willing to accept North Korea as a nuclear state.
Of course, this is not exactly impossible: Pakistan, Israel, and India also possess nuclear weapons, and not all of these countries have been branded rogue states. North Korea may well try to join this group of countries once it no longer sees the international system as an existential threat, and we may see an end to North Korea’s illicit activities once it turns from a revisionist state into a supporter of the status quo.