Crypto crash threatens North Korea’s stolen funds as it increases weapons tests

SEOUL, June 29 (Reuters) – The plunge in cryptocurrency markets has wiped out millions of dollars in funds stolen by North Korean hackers, four digital investigators say, threatening a key source of funding for the sanctioned country and its weapons programs.

North Korea has put resources into stealing cryptocurrencies in recent years, making it a potent hacking threat and leading to one of the largest cryptocurrency robberies on record in March, in which nearly $615 million was stolen, according to the US Treasury Department.

The sudden drop in cryptocurrencies, which began in May amid a broader economic downturn, complicates Pyongyang’s ability to monetize this and other robberies, and could affect how it plans to fund its weapons programs, two South Korean government sources said. The sources refused to be named due to the sensitivity of the case.

It comes as North Korea tests a record number of missiles – which the Korea Institute for Defense Analyses in Seoul estimates have cost as much as $620 million so far this year – and prepares to resume nuclear testing in the midst of an economic crisis.

Old, unlaundered North Korean cryptocurrency holdings monitored by New York-based blockchain analysis firm Chainalysis, which include funds stolen in 49 hacks from 2017 to 2021, have fallen in value from $170 million to $65 million since the beginning of the year, the company told Reuters.

One of North Korea’s cryptocurrency caches from a 2021 robbery, which had been worth tens of millions of dollars, has lost 80% to 85% of its value in recent weeks and is now worth less than $10 million, said Nick Carlsen, an analyst at TRM Labs, another US-based blockchain analysis firm.

A person who answered the phone at the North Korean embassy in London said that he could not comment on the crash because allegations of hacking of cryptocurrency are “completely false news”.

“We did nothing,” said the person, who would identify himself only as an embassy diplomat. North Korea’s foreign ministry has called such allegations US propaganda.

The $615 million attack in March on the blockchain project Ronin, which runs the popular online game Axie Infinity, was the work of a North Korean hacker operation called Lazarus Group, US authorities say.

Carlsen told Reuters that the interconnected price movements of various assets involved in the hack made it difficult to estimate how much North Korea managed to keep from that robbery.

If the same attack happened today, the Ether currency that was stolen would be worth a little more than $230 million, but North Korea traded almost all of this for Bitcoin, which has had separate price movements, he said.

“It is needless to say that the North Koreans have lost a lot of value, on paper,” Carlsen said. “But even at depressed prices, this is still a big move.”

The United States says Lazarus is controlled by the Reconnaissance General Bureau, North Korea’s primary intelligence agency. It has been accused of involvement in the “WannaCry” ransomware attacks, hacking of international banks and customer accounts, and the 2014 cyberattacks on Sony Pictures Entertainment.

Analysts are reluctant to give details about the types of cryptocurrencies North Korea holds, which could give away investigative methods. Chainalysis said that Ether, a common cryptocurrency linked to the open source Ethereum blockchain platform, accounted for 58%, or about $230 million, of the $400 million stolen in 2021.

Chainalysis and TRM Labs use publicly available blockchain data to track transactions and identify potential crimes. Such work has been cited by sanctions monitors, and according to public contract documents, both companies work with US authorities, including the IRS, FBI and DEA.

North Korea is under extensive international sanctions because of its nuclear program, which gives it limited access to global trade or other sources of revenue and makes cryptocurrency attractive, investigators say.

‘FUNDAMENTAL’ TO NUCLEAR PROGRAM

Although cryptocurrencies are estimated to make up only a small part of North Korea’s economy, Eric Penton-Voak, coordinator of the UN Panel on Sanctions, said at an April event in Washington, DC, that cyberattacks have become “absolutely fundamental” to Pyongyang’s ability to avoid sanctions and raise money for its nuclear and missile programs.

In 2019, sanctions watchdogs reported that North Korea had generated an estimated $2 billion for its weapons of mass destruction programs using cyberattacks.

An estimate from the Geneva-based International Campaign to Abolish Nuclear Weapons says that North Korea spends around $640 million a year on its nuclear arsenal. The country’s gross domestic product in 2020 was estimated at around $27.4 billion, according to South Korea’s central bank.

Official sources of revenue for Pyongyang are more limited than ever under self-imposed border barriers to combat COVID-19. China – its largest commercial partner – said in 2021 that it had imported just over $58 million in goods from North Korea, in the midst of some of the lowest levels of official bilateral trade in decades. Official figures do not include smuggling.

North Korea already gets only a fraction of what it steals because it has to use brokers who are willing to convert or buy cryptocurrencies without question, said Aaron Arnold from the think tank RUSI in London. A February report from the Center for a New American Security (CNAS) estimated that in some transactions, North Korea receives only a third of the value of the currency it has stolen.

After getting a cryptocurrency in a robbery, North Korea sometimes converts it to Bitcoin, and then finds brokers who want to buy it at a discount in exchange for cash, which is often kept out of the country.

“Just like selling a stolen Van Gogh, you are not going to get fair market value,” Arnold said.

CONVERTS TO CASH

The CNAS report found that North Korean hackers show only “moderate” concern about hiding their role, compared to many other attackers. That sometimes allows investigators to track digital footprints and attribute attacks to North Korea, but rarely in time to recover the stolen funds.

According to Chainalysis, North Korea has turned to sophisticated ways to launder stolen cryptocurrency, increasing its use of software tools that pool and scramble cryptocurrencies from thousands of electronic addresses – a term for a digital storage space.

The content of a given address is often publicly visible, so companies such as Chainalysis or TRM can monitor any that investigators have linked to North Korea.

Attackers have tricked people into giving access or hacked around security to siphon digital funds out of Internet-connected wallets to North Korea-controlled addresses, Chainalysis said in a report this year.

The sheer size of recent hacks has strained North Korea’s capacity to convert cryptocurrency into cash as quickly as before, Carlsen said. That means some funds have been stuck even as their value falls.

Bitcoin has lost around 54% of its value this year, and smaller coins have also been hit hard, reflecting a fall in stock prices linked to investors’ concerns about rising interest rates and the growing likelihood of a global recession.

“Converting to cash is still a key requirement for North Korea if they want to use the stolen funds,” said Carlsen, who investigated North Korea as an analyst at the FBI. “Most of the goods or products the North Koreans want to buy are traded only in USD or other fiat, not cryptocurrencies.”

Pyongyang has other, larger sources of funding that it can rely on, Arnold said. As recently as December 2021, UN sanctions monitors have said that North Korea continues to smuggle coal – usually to China – and other major exports that are banned under Security Council resolutions.

VOLATILE CURRENCIES

North Korean hackers sometimes seem to wait out rapid declines in value or exchange rates before converting to cash, said Jason Bartlett, author of the CNAS report.

“This sometimes backfires as there is little certainty when it comes to predicting when the value of a coin will increase rapidly, and there are several cases of highly depreciated cryptocurrencies that only sit in North Korea-linked wallets,” he said.

Sectrio, the cyber security department of the Indian software company Subex, said there were signs that North Korea had begun to increase its attacks on conventional banks again instead of cryptocurrencies in recent months.

The company’s banking sector-focused “honeypots” – decoy computer systems meant to attract cyberattacks – have seen an increase in “abnormal activities” since the cryptocurrency crash, as well as an increase in “phishing” emails, which try to trick recipients into giving away security information, Sectrio said in a report last week.

But Chainalysis said it had not yet seen a major change in North Korea’s cryptocurrency behavior, and few analysts expect North Korea to give up digital currency.

“Pyongyang has added cryptocurrency to its calculation of sanctions evasion and money laundering, and this is likely to remain a permanent target,” Bartlett said.

Reporting by Josh Smith. Edited by Gerry Doyle
