The Korea Times
[INTERVIEW] North Korea's crypto hacking faces turning point
Posted : 2023-05-18 08:18
Updated : 2023-05-19 11:58
A White House official said about half of North Korea's missile program has been funded by its cryptocurrency theft. / gettyimages

This is the first in a two-part series of interviews with global experts in cryptocurrency investigations and cybersecurity as North Korea's illicit cyber activities represent an alarming new threat for Washington and its two most important East Asian allies, Seoul and Tokyo, amid Pyongyang's development of its nuclear weapons program. - ED.

'NK's hackers use services located in China and Russia for ill-gotten gains'

By Kim Yoo-chul

Over the last few years, a secret group of hackers has been launching campaigns apparently aimed at stealing classified data from think tanks, financial institutions, government agencies and academics in South Korea and the U.S., while laundering cryptocurrencies on the side.

That group, widely known as APT43, was believed to be a proxy for North Korean intelligence services, according to researchers at Mandiant, a part of Google Cloud. The revelation was not surprising to leading policymakers in Washington and its two East Asian allies, Seoul and Tokyo.

Anne Neuberger, deputy national security adviser for cyber and emerging technology at the White House, assessed that about half of North Korea's missile program has been funded by the regime's cryptocurrency theft. Cryptocurrencies are the tools for evading any economic sanctions because transactions are done through encrypted transfers and are not processed within mainstream banking systems.

In short, APT43 and other groups including the brazen Lazarus Group are the latest face of North Korea's hacking prowess as cryptocurrency theft is the most favored financing option for the regime.

And as global financing rapidly embraces sophisticated digital technology, crypto-related crimes are now becoming a bigger threat.

Speaking to The Korea Times, an executive at the New York-based blockchain analysis company, Chainalysis, which also helped the U.S. Department of Justice and South Korea's National Intelligence Service track illicit gains made by North Korean hacking attacks, said hackers linked to the regime shattered their own record for theft in 2022.

Erin Plante, vice president of investigations at Chainalysis / Courtesy of Chainalysis
"North Korea-linked hackers stole an estimated $1.7 billion worth of cryptocurrency across several hacks. Most experts agree the North Korean government is using these stolen assets to fund its nuclear weapons program," Erin Plante, a cyber financial crimes expert for The New York Times, CNN, Bloomberg and Axios, said in a recent interview.

Plante, who is also vice president of investigations at Chainalysis, added that about $1.1 billion of the cryptocurrency was stolen by hacking into decentralized finance (DeFi) protocols, making North Korea one of the driving forces behind the hacking trend that intensified last year. DeFi does not rely on intermediaries such as brokerages, exchanges or banks by using smart contracts on a blockchain.

DeFi hacks are a kind of "smart contract exploit," which takes advantage of flaws in the code of the smart contracts executed by a DeFi protocol. Such flaws carry risk because hackers may be able to easily manipulate the DeFi protocol's behavior, helping them steal users' assets.

Chainalysis' key customers include the U.S. Federal Bureau of Investigation (FBI), Drug Enforcement Agency (DEA) and the Internal Revenue Service (IRS) Criminal Investigation, as well as the United Kingdom's National Crime Agency.

"North Korea's shift to DeFi hacks could be due to the bear market of 2022 and the exponential growth in the DeFi space. DeFi's protocols are publicly viewable by default, but that same transparency is also what makes DeFi so vulnerable ― hackers can scan DeFi codes for vulnerabilities and strike at the perfect time to maximize their theft," the executive elaborated.

Regarding its findings about North Korean hackers' patterns on how to convert their cryptocurrencies into real cash, the executive said North Korean-affiliated hackers typically steal, launder and convert their cryptocurrencies into fiat currencies through the following five steps.

According to her, the process starts with "chainhop" between different blockchains and assets to try to evade investigators; followed by converting all assets, including ethereum, to bitcoin (since the sanctioning of Tornado Cash, there are no effective ethereum mixers available); then splitting the bitcoin and holding it in thousands of intermediary wallets; then mixing the bitcoin in a variety of mixers; and finally cash withdrawal through crypto-to-cash conversion services.

Asked about the specifics of Lazarus Group, which has been designated as being responsible for the recent supply chain attack on 3CX and was also behind low-profile hacks such as the attack on Sony Pictures back in 2014 and the spread of the WannaCry ransomware in 2017, Plante said North Korean-affiliated hackers are sophisticated both in terms of hacking and laundering stolen funds.

A representation of the cryptocurrency is seen in front of Binance logo in this illustration taken, March 4, 2022. Reuters-Yonhap

"In order to steal funds, they make use of phishing lures, code exploits, malware and advanced social engineering to siphon funds into addresses they control. To launder the funds, they use obfuscation techniques such as mixing, using services like the now sanctioned Tornado Cash to create a disconnect between the cryptocurrency they deposit and withdraw and chain hopping, which is the process of swapping between several different kinds of cryptocurrency in a single transaction," she explained.

When questioned about Binance's possible role in this issue, the executive said Chainalysis is not able to comment on behalf of the world's biggest cryptocurrency exchange.

Turning point, Russia-China connection

Security experts in Washington said the core of North Korea's cybercrimes and its continued efforts to advance its nuclear weapons are complicating the Joe Biden administration's efforts to pursue regional stability amid the rise of China.

But Plante said despite North Korean hackers' sophistication, law enforcement agencies are "increasingly able to trace the moves of stolen funds" through blockchain analysis, making it harder for the North's hackers to get away with "these types of attacks."

"Through advanced tracing technologies and blockchain analytics, investigators can follow stolen funds throughout these steps to cash out points and work with industry players to quickly freeze funds and seize them," she said.

According to its findings, more than $30 million worth of crypto assets stolen by North Korean-linked hackers from the Axie Infinity hack have been seized. About $1 million in funds stolen by North Korean hackers from Harmony Bridge were also tracked and seized.

Bitcoins against a backdrop of the flag of North Korea / gettyimages

"We expect more such stories in the coming years, largely due to the transparency of the blockchain," Plante said.

She said it remains unclear if Chinese or Russian hackers are supporting North Korea's hacking efforts.

"But we do know that North Korean-linked hackers have used services located in countries all over the world, including China and Russia, to attempt to launder and cash out their ill-gotten gains," Plante added.

Given the trends in how North Korean hackers attack their victims, cryptocurrency services can avoid the risk of hackers accessing bitcoins by strengthening their defenses against attacks, the executive elaborated.

"Organizations can invest in strong security strategies and tools and train employees to identify suspicious communications. General security practices will be key given that North Korean hackers particularly leverage sophisticated phishing attacks to gain access to their target's system. Ensuring that every employee in an organization is vigilant and strengthening the technical aspect of cyber defenses is very important," she said, adding that steps aimed at addressing DeFi space-related issues are necessary.

North Korea's blending of cybercrimes and nuclear development is posing a threat to the national security of Washington and its two most important East Asian allies. Plante said it is necessary for more government agencies to be equipped with the tools and training to investigate cryptocurrency-related criminal activities.

"We've already seen that when the government and the private sector work together, we can achieve meaningful results, exemplified by our work in the Ronin Bridge case and with the South Korean government in the Harmony Bridge case. An important starting point is the implementation of FATF standards for virtual assets," according to the expert.

FATF stands for Financial Action Task Force, a global money laundering and terrorist financing watchdog.

"FATF's focus should be on making it more challenging for illicit actors to launder and cash out stolen funds by ensuring that virtual asset businesses have in place strong money laundering controls. The FATF has emphasized that many countries are lagging behind in the implementation of the FATF requirements and has accordingly agreed on a roadmap to strengthen implementation," she answered.


Email: yckim@koreatimes.co.kr
 
CEO & Publisher : Oh Young-jin
Digital News Email : webmaster@koreatimes.co.kr
Tel : 02-724-2114
Online newspaper registration No : 서울,아52844
Date of registration : 2020.02.05
Masthead : The Korea Times
Copyright © koreatimes.co.kr. All rights reserved.