How North Korean hackers have weaponized Bitcoin

North Korea has quietly become a cryptocurrency superpower. It has stolen billions in bitcoin and ether and is funneling profits to its nuclear weapons program.

It was an astonishing interview for recruiter Elliott Garlock. While screening candidate engineers for a crypto firm in February, Garlock encountered one applicant who raised almost every conceivable red flag.

The interviewee joined the Zoom interview with his camera off and had to be cajoled into turning it on. There was constant chatter in the background, like he was jammed in a small, crowded room. He claimed to be from San Francisco but, when pressed, wasn’t able to pinpoint his location more precisely than “Bay Area.”

It was a strange and unproductive interview. Worst of all, it was the first of many. Garlock, the founder of the Stella Talent Partners recruitment firm, soon encountered another, nearly identical candidate. Then another, and another and another.

“I got annoyed after a while, because it was a total waste of time,” Garlock said. “I originally thought the scam was that they were offshore, trying to take advantage of remote work to just get a salary for not working.”

Now there’s a new hypothesis: The people interviewing for jobs were North Koreans trying to siphon money to the reclusive nation. That’s in accord with warnings from both the FBI and the Treasury Department, which have cautioned about North Korea’s escalating risk to the cryptocurrency industry.

The danger is more than theoretical, as one catastrophic hack in March showed. The Lazarus Group, a hacking outfit associated with  North Korea’s government, managed to drain over $600 million in crypto from a blockchain used by NFT game Axie Infinity. North Korean hackers stole $840 million in the first five months of 2022, according to Chainalysis data, over $200 million more than they’d plundered in 2020 and 2021 combined.

That is of extraordinary consequence. About a third of the crypto North Korea loots goes into its weapons program, including nuclear weapons, estimates Anne Neuberger, a deputy national security adviser in the Biden administration. It’s also funneled to the country’s espionage operations. When two South Koreans earlier this year were revealed to have been stealing military information for a North Korean spy, it turned out they’d been paid in bitcoin.

“Crypto is arguably now essential to North Korea,” said Nick Carlsen, a former North Korea analyst at the FBI who now works for crypto security firm TRM Labs. “By any standard, they are a crypto superpower.”

A crypto superpower with nuclear weapons, that is. A country whose crypto prowess, North Korea watchers say, is directly funding the development of those nukes, with the odds of a new nuclear weapons test growing. The rogue nation has been ratcheting up ballistic missile tests in the past 10 days: Over 5 million residents of Japan were told to seek immediate shelter on Wednesday after North Korea launched a missile over the island of Hokkaido. It’s highly likely this, too, was funded at least in part by stolen cryptocurrency.

The Democratic People’s Republic of Korea, as North Korea is formally known, has come to depend more on crypto since the pandemic began. It historically relied on black market trade, exporting coal, meth, cigarettes and labor to Southeast Asia, Russia and especially China. But the zero COVID strategy of leader Kim Jong Un has closed borders, thinning the country’s already slight revenues. Trade with China, by far North Korea’s biggest economic partner, fell 80% in 2020, and reports of food shortages abound. At the same time, cryptocurrency values have skyrocketed.

Despite the recent crypto crash, bitcoin is trading 250% higher than before the pandemic. Ether, the second biggest cryptocurrency, is up over 700%.

Garlock estimates he encountered a dozen candidates he now considers North Korean operatives between February and April. None of them got referred to one of his client companies, which is lucky. North Korean hackers have shown they can cause immense damage if they manage to dupe just one person.

One bad click

A single corrupted file can leave disaster in its wake. The Axie Infinity hack that netted North Korea over $600 million in crypto started with just that: a tainted PDF.

Axie Infinity is a web browser game similar to Pokemon, except that the Axie creatures you battle are owned as NFTs and can be traded for crypto. To support this digital economy, developer Sky Mavis created its own blockchain called Ronin, whose sole purpose is to process Axie Infinity transactions. At its peak in August 2021, the game was generating over $15 million a day. A senior engineer who worked on Ronin was approached by North Korean operatives on LinkedIn earlier this year, according to a report from The Block. After several rounds of interviews, the engineer received a formal job offer via PDF.

The Ronin blockchain runs on a proof-of-authority model, wherein validation control is given to nine handpicked accounts. To gain control of the blockchain, bad actors needed to control five of these nine validator accounts. When the senior engineer clicked the infected link, he unwittingly gave North Korean hackers keys to four of those validators. Once they were inside Axie Infinity’s computer system, hackers were able to get keys for a fifth. The $600 million was drained shortly after.

Sky Mavis didn’t respond to a request for comment. But in a post-mortem published in April, the company said: “Sky Mavis employees are under constant advanced spear-phishing attacks on various social channels and one employee was compromised. … The attacker managed to leverage that access to penetrate Sky Mavis IT infrastructure and gain access to the validator nodes.”

It’s possible the North Korean operatives hired a middleman company to orchestrate the faux employer phishing scheme. That’s what they did in 2019, paying an actor to play an executive in fake job interviews with the goal of infiltrating the computer systems of Chile’s Redbanc. (North Korea never got to steal from the bank, thanks to an eagle-eyed IT guy, who saw suspicious activity on the network.)

It’s tempting to write off the Ronin hack as a disorganized crypto company being exploited. But the same tactics have worked against world-renowned targets. The infamous Sony hack of 2014, a response to the studio’s distribution of Seth Rogan’s The Interview, a comedy about an assassination attempt on Kim, was achieved in much the same way. Hackers gained access to Sony’s computer network by pretending to be a businessman, former assistant US attorney Tony Lewis told the BBC.

Emails from the businessman, ostensibly about his wish to work with Sony, contained a link infected with malware, a link that at least one employee clicked. Two months later, computers at Sony headquarters went black, and the Lazarus Group, North Korea’s most notorious hacking outfit, made its presence known. (At the time, the culprits called themselves Guardians of Peace.)

Months later, North Korean operatives pretended to be a job applicant and sent resumes to employees of Bangladesh’s central bank. This time at least three employees clicked the link, according to Symantec cybersecurity expert Eric Chien, giving them access to the bank’s computer network. The attackers waited a full year to make their move and, in February 2016, attempted to send $951 million from Bangladesh Bank’s account with the Federal Reserve to accounts in the Philippines and Sri Lanka.

It was a carefully orchestrated heist. Hackers spent a year learning about the bank’s IT system, and planned the robbery on a Thursday that coincided with both Bangladesh’s Friday-Saturday weekend and a Philippine public holiday on the Monday, delaying alerts on both ends. Yet it was hamstrung by a stroke of bad luck. After several transactions went through, the Federal Reserve blocked the next $851 million. The attackers sent money to a Philippine bank located on a Jupiter Street. That triggered an alert because, by sheer coincidence, an unrelated Greek company called Jupiter Seaways Shipping was already on the Fed’s sanctions watch list for helping Iran bypass oil sanctions.

Though it didn’t go to plan, North Korean operatives still managed to steal $64 million from Bangladesh Bank.

“All of the skills they’ve learned, they’re basically now applying it to crypto,” said Soo Kim, a former CIA analyst who’s now at the Rand Corporation, a think tank.

North Korea’s considerable cyber capabilities are a paradox. In a rare 2017 survey the UN was allowed to conduct, only 1% of North Korean households were found to have internet access. Despite this, the DPRK has developed a formidable army of computer hackers.

“They basically do a talent search when kids from elite families are sent to elementary schools,” Rand’s Kim explained. “They send these kids abroad to Russia to get the [hacking] skills, and that’s how they patriotically serve the country. They find ways to infiltrate networks.”

It’s estimated that around 7,000 North Koreans work in North Korea’s cyber program. Kim Jong Un in the past has called his elite cyberattackers “warriors” that can “penetrate any sanctions for the construction of a strong and prosperous nation.”

Crypto is an obvious target for these cyber soldiers. The very point of cryptocurrency is decentralization, meaning there’s no Federal Reserve to block $851 million. The Ronin hack was a boon for North Korea. Naturally, it didn’t stop there.

Harmony Bridge is a protocol that allows traders to send crypto between blockchains. It was exploited in June, and drained of $100 million. The FBI has named North Korea as the culprit. The hack started like all the others, with one person making an honest mistake.

“We believe the hackers … employed phishing schemes to trick at least one software developer to install malicious software on their laptop,” Harmony core team member Jack Chan wrote in August.

In just two moves, North Korea stole $700 million worth of crypto, over 10 times the amount it burgled from Bangladesh Bank. It’s also more than the $650 million the Korea Institute for Defense Analyses estimates North Korea spent on missile tests between January and June.

Hard interviews

William Burleson describes speaking to a suspected North Korean operative as “one of the most awkward things I’ve done in my life.” Burleson is head of growth at crypto recruitment firm Up Top Search, and was building the company’s Discord channel so recruitment could be done within the popular messaging platform.

In his first week on the job, Burleson encountered three suspicious candidates he now believes were North Korean operatives.

Just as in Garlock’s cases, the candidates were apprehensive about turning their cameras on. In some cases Burleson could hear whispering, as though someone offscreen was trying to tell the candidate how to answer Burleson’s questions in real time.

“Just very weird, delayed responses, hearing the same words or phrases consistently,” Burleson said, describing the interviews. “I know they weren’t based in the States [as they claimed] due to the time zone difference. I only saw them appearing online on Discord during the Eastern Asia hours.”

These candidates typically have poor English skills, but a language barrier isn’t what makes these interviews so stilted. Encountering ESL engineers and developers isn’t unusual in crypto recruitment — there was something different, something intangibly amiss with these particular candidates.

“This group of people have these very flat affects,” Garlock recalls. “They don’t have positive or negative emotions that flash on their face.”

Burleson called talking to them eerie. “You could just tell, human to human, something is off.”

He noted that several sketchy candidates, instead of leaving a resume, would leave links on Discord to protocols they had allegedly worked on. When Burleson ran these links through a safety checker, they always failed the test.

Infected links are a dead giveaway of suspicious activity, but it’s not always so obvious. Dan Eskow, founder of Up Top Search, thinks he has a way of identifying these North Korean operatives.

“Instead of going through your pitch, you ask him, ‘How’s the weather in Kansas? How’s your day going?'” Eskow explained. “They explode. They panic because their instructor, whoever’s telling them what to say, hasn’t prepared them to answer questions like ‘How’s the weather?'”

One time, Burleson said, a candidate left the call after being asked an off-topic query. Most times, a tangential question is just met with an uncomfortable blank stare.

Operations attributed to North Korea vary in their sophistication. Mandiant, a cybersecurity firm that in July warned of increased North Korean activity in crypto, says there are likely several groups within North Korea working to funnel money from crypto to the regime. The Lazarus Group is the best known cell of hackers, but only one of many.

Some groups are more skilled than others. Much of what Mandiant detects is sloppy work. Bad actors have presented screenshots of code they claim to have written, only for these pictures to be discovered stolen from freelance job boards. Often these operatives steal resumes but don’t even bother changing the names and references.

“There are most likely thousands of these operators attempting to gain employment all over the world, and each individual can run multiple personas all at the same time,” said Joe Dobson, senior principal analyst at Mandiant.

There are several reasons crypto firms are particularly vulnerable to North Korea infiltration. Normalized remote work allows bad actors operating out of North Korea or China to feign US or Canadian origin. Crypto culture also relishes anonymity. Personal details are often rejected at a philosophical level as being irrelevant — the very creator of bitcoin, Satoshi Nakamoto, remains pseudonymous to this day. And while tech companies often hire people to build the company around, Garlock says, crypto companies approach hiring more experimentally: hire liberally, keep them if they’re good, cut them if they’re not.

Many crypto companies are run by young, first-time CEO entrepreneurs, Garlock explained. People who tend to know a lot about crypto but have little or no experience running a company. “At the same time, they’re super capitalized,” he said. “You have, like, a 25-year-old crypto CEO, who, between his crypto assets and cash assets, has between $25 [million] and $500 million in capital.”

The reasons North Korea targets the crypto industry are easy to understand. What happens after the money is stolen, however, is less obvious.

After the steal

Authorities and researchers are slowly piecing together the details of North Korea’s crypto activities, but a few crucial pieces are missing. We know North Korea doesn’t liquidate stolen crypto in one big sale. Instead, it sells batches of bitcoin and ether over a period of months or years, trickle feeding the regime millions of dollars at a time. The crypto stolen from the Ronin blockchain in March, for instance, is still being offloaded.

That’s according to Nick Carlsen, the former FBI researcher now at TRM Labs, who tracks North Korea’s blockchain activities. Selling all the crypto at once, or at more regular intervals, would make it much easier to trace.

“What they’re doing with this Ronin hack, they’re up against the limit of how much money you can launder in the crypto ecosystem,” Carlsen said.

Laundering cryptocurrency is easier than laundering US bills, but it still requires work. Bad guys make use of several tools. First are bridges, like the Harmony Bridge that North Korea hacked, which allow traders to send crypto between different blockchains. Then there are mixers, which mask where crypto comes from. You could, for instance, send 5 bitcoin from Wallet A to a mixer, where it’s tumbled around with crypto sent by other people. Five bitcoin are then taken from that pool and sent to Wallet B, making it harder to track its precise provenance.

Just as money launderers shift money between different banks and institutions, crypto launderers send money between bridges and mixers in order to hide blemished tokens within bags of clean ones. To disguise funds stolen from Ronin, tokens have been sent between 12,000 different crypto addresses, according to Chainalysis.

The US is trying to make this process harder for crypto launderers in general and North Korea in particular. Citing the threat from the Kim regime, the US Treasury banned bitcoin mixer Blender in May, followed by the Tornado Cash mixer in August.

“We are taking action against illicit financial activity by the DPRK and will not allow state-sponsored thievery and its money-laundering enablers to go unanswered,” Brian Nelson, the US Treasury’s undersecretary for terrorism and financial intelligence, said in May.

Perhaps the biggest obstacle is the crypto exchanges you or your friends might use. Exchanges like Binance and Coinbase are dead ends for blockchain tracers. It’s easy to see that money is sent to an exchange like Binance, but tracking those tokens within the exchange — between different user accounts, for instance — is impossible without subpoena power, said Convex Labs head of research Nick Bax.

It would be too strong to call exchanges like Binance safe havens. They have anti-money laundering protocols, some with actual teeth: Binance in April recovered $5.8 million in crypto stolen from Ronin, for instance. Still, to researchers like Bax, the barriers that exchanges throw up are far harder to penetrate than mixers like Tornado Cash.

“Roughly 25% of the funds deposited in Tornado over a certain timespan originated in the Ronin hack,” Bax said. “You can’t hide that amount of money in that size anonymity pool, it just doesn’t work.”

“We can trace the funds in and out of Tornado,” he added, “but the centralized exchanges, Coinbase, Binance, Houbi, are a mixer unless you have subpoena powers.”

Bax sees both sides of the issue. The same wall that obstructs his investigations, he points out, has also stopped Russian President Vladimir Putin’s regime from tracing crypto sent to imprisoned political opponent Alexei Navalny.

The downside to North Korea’s modus operandi is that it takes time and patience, which has proven costly. In the months since the Ronin heist, for instance, the $600 million haul has been devalued to about $250 million. But the advantage for the regime is that it can obscure some of its movements. While FBI and crypto researchers are often able to confidently say North Korea is behind a certain hack, it’s less clear who’s buying North Korea’s crypto, and for how much.

It’s thought that much of North Korea’s stolen crypto is offloaded to Chinese buyers, but few particulars are known. The Department of Justice in 2020 found two Chinese nationals guilty of laundering some of the $100 million North Korea stole from a Hong Kong-based exchange in 2018, but that charge was an exception. What happens after dirty crypto is laundered remains largely opaque.

North Korea is “not going to get 99 cents on the dollar for its crypto,” Carlsen explained. “What the actual rate is, I don’t think anyone has a really solid answer on that. But the kind of guy who’s going to buy $20 million worth of stolen bitcoin is not going to pay $20 million.”

Mass destruction

Though precise details about buyers are unclear, there’s little doubt about where the profits from North Korea’s stolen crypto are funneled. “It’s going to illegal weapons programs,” Rand’s Soo Kim said. “It’s going to funding Kim’s luxurious lifestyle.” That ill-gotten crypto gains are funding North Korea’s weapons program has also been flagged by the Treasury.

The risks entailed by Kim’s weapons program were simultaneously highlighted and overshadowed by the political spectacle of Donald Trump’s presidency. But over 5 million Japanese residents were reminded of those risks on Wednesday when North Korea launched a ballistic missile over the island of Hokkaido. The launch triggered Hokkaido’s air-raid alerts, and any resident watching TV was urged to take shelter immediately.

It was the fifth launch from North Korea in a week, with other missiles landing in Korean and Japanese seas. After staying relatively quiet during the pandemic, the Kim regime has resumed an aggressive stance against the US and South Korea, its perennial rival. In September, North Korea’s parliament rubber-stamped a new law stating nuclear missiles would be launched if South Korea or the US tried to assassinate Kim.

When South Korea’s new president, Yoon Suk-yeol, offered Kim economic incentives for denuclearization, the DPRK regime balked. Kim’s sister, Yo Jong, said Yoon was “still childish” and “should shut his mouth.”

“No one barters their destiny for corn cake,” she added.

North Korea is recognized by the Bulletin of Atomic Scientists as one of the potential flashpoints for a nuclear war. Formed by Albert Einstein after atomic weapons flattened Hiroshima and Nagasaki, the Bulletin maintains the Doomsday Clock. As unwelcome as your 6 a.m. alarm may be, this alarm clock is far worse: The closer the Doomsday Clock is set to midnight, the closer Bulletin scientists estimate we are to our end.

In January, it was set as late as it’s ever been in its 75-year history: 100 seconds to midnight. For comparison, in 1949 after the Soviet Union exploded its first atomic bomb, the Doomsday Clock was set at 3 minutes to midnight. When the Soviet Union dissolved in the early 1990s, the clock was wound back to 17 minutes to midnight.

Recent worries about nuclear war have understandably been concentrated in Ukraine. Facing embarrassing battlefield failures in its war there, Putin has made increasingly explicit nuclear threats. Another problem country is Iran, which is slowly building its nuclear capacity. Like North Korea, Iran has been besieged by economic sanctions. But the Khamenei administration is buoyed by flowing oil reserves. North Korea is unique in its utilization of cryptocurrency to avoid the sanctions tied to its nuclear program.

North Korea’s recent missile tests are thought to be partially in response to US Vice President Kamala Harris’ visit to South Korea in September. Experts like Rand’s Soo Kim think they presage a nuclear weapons test, which would be the first since September 2017.

“Some people think it’s bluffing and, to an extent, there is going to be a little bit of that,” Kim said. “But if Kim [Jong Un] was not serious about using the weapons, he would not be displaying them, he would not be flaunting them, and he would not be doing it so diligently.”

Nuclear weapons act as an invaluable set of cards for North Korea, Rand’s Kim explained. Even if it has no intention of dismantling its weapon program, the regime can play that hand when it needs to. The stakes are so high that officials in Washington and Seoul are forced to take note. Meanwhile, the most effective way to confront North Korea would be with the help of China, North Korea’s biggest unofficial trade partner. The trouble is, Soo Kim said, North Korea is itself a bargaining chip for China. It could help rein its raucous neighbor in, but what is Washington willing to do in return?

While this game is being played, the Doomsday Clock ticks on.

Teach a man to phish

The US government is limited in what it can do to stop North Korea’s crypto heists. The Treasury Department is actively trying to dull laundering tools used by the regime, leading to its bans on Tornado Cash and Blender. Perhaps more significantly, the FBI has been working to recover stolen funds. Collaborating with blockchain analytics firm Chainalysis, the FBI in September froze $30 million in crypto stolen from Ronin.

“It’s like we’re in a catchup game,” Soo Kim said, “where you’re not fast enough to actually meet North Korea at the destination, but you’re always just following after them.”

A more effective route, according to Convex Labs’ Bax, is to stop the hacks from happening in the first place. “We always take the reactive approach, chasing the money after it’s been stolen,” he said. “That money is being reinvested into criminal enterprises. We have to prevent it before it happens. That’s the only way.”

Bax points out that North Korea specializes in phishing scams — estimating that around half of all crypto phishing scams come out of North Korea — and so helping people detect phishing attacks should be a priority. He also advocates government-subsidized security audits. It took only one engineer to be phished for Ronin’s funds to be drained, while attackers needed only two signatures to steal $100 million from Harmony Bridge.

Major hacks attributed to North Korea have died down in recent months. The crypto winter, when bitcoin and ether plunged in value amid recession fears, has led to a hiring freeze. The regime is also still busy laundering the funds it stole during the first half of the year. But the industry has proven too lucrative for North Korea to cease operations.

“It’s going to take a really critical moment, some major incident that really shocks people, and then there’s going to be a lot of pressure to do something,” said Carlsen. “It’s a constant waiting game.

“There’s going to be another one coming.”

Zeen is a next generation WordPress theme. It’s powerful, beautifully designed and comes with everything you need to engage your visitors and increase conversions.

Zeen Subscribe
A customizable subscription slide-in box to promote your newsletter

I consent to the terms and conditions