North Korean state-backed hackers have stolen an estimated $3 billion in a long string of hacks targeting the cryptocurrency industry since January 2017.
Kimsuky, Lazarus Group, Andariel, and other North Korean hacking groups have been behind attacks akin to those of typical cybercriminal gangs, albeit on a much larger scale: their operations accounted for 44% of all cryptocurrency stolen last year, according to a report by Recorded Future’s Insikt Group.
While cryptocurrency exchanges are at the top of their targeting list, they’ve also been linked to attacks against individual users and venture capital firms.
Cryptocurrency theft is one of the Pyongyang regime’s most significant income streams, notably earmarked for financing military and weapons development programs (although there is no data on how much of the funding is set aside for ballistic missile launches, both the volume of stolen cryptocurrency and the number of missile launches have surged concurrently over the last several years).
“Since 2017, North Korea has significantly increased its focus on the cryptocurrency industry, stealing an estimated $3 billion worth of cryptocurrency,” Recorded Future analysts said.
“Initially successful in stealing from financial institutions through the hijacking of the SWIFT network, North Korea shifted its attention to cryptocurrency during the 2017 bubble, starting with the South Korean market and later expanding globally.
“In 2022 alone, North Korean threat actors were accused of stealing $1.7 billion in cryptocurrency, equivalent to 5% of the country’s economy or 45% of its military budget.”
As recently outlined in a confidential United Nations report, North Korean state hackers have been behind unprecedented levels of cryptocurrency theft, stealing between $630 million and more than $1 billion in 2022 alone, effectively doubling Pyongyang’s illicit profits from cyber theft compared to the previous year.
Their cryptocurrency attacks began surging after the 2017 hacks of the South Korean exchanges Bithumb, Youbit, and Yapizon, in which they stole crypto assets worth roughly $82.7 million.
In the last two years, North Korean Lazarus hackers have been linked to crypto heists against the Harmony blockchain bridge ($100 million in losses), the Nomad bridge ($190 million in losses), the Qubit Finance bridge ($80 million in losses), and the largest crypto hack ever after breaching the Ronin Network cross-chain bridge and stealing $620 million.
This year alone, they’ve also allegedly stolen $200 million in multiple attacks, including from Atomic Wallet ($35 million), AlphaPo ($60 million in two separate attacks), and CoinsPaid ($37 million).
Recorded Future researchers provide a detailed history of North Korean cryptocurrency targeting in their full report, available here.
This week, the Treasury Department’s Office of Foreign Assets Control (OFAC) imposed sanctions on the Kimsuky hacking group for its involvement in gathering intelligence that helped support North Korea’s weapons of mass destruction (WMD) programs.
In September 2019, it levied sanctions on three other North Korean hacking groups (Lazarus, Bluenoroff, and Andariel) for channeling cryptocurrency stolen in cyberattacks back to the country’s government.
The Treasury Department also sanctioned the Sinbad, Tornado Cash, and Blender.io cryptocurrency mixer services used by North Korean hacking groups to launder funds stolen in the Atomic Wallet, Axie Infinity, Nomad, and Horizon hacks.
Additionally, OFAC announced sanctions in May against four North Korean entities engaged in illicit IT worker schemes and cyber assaults intended to generate revenue to fund the Democratic People’s Republic of Korea’s (DPRK) WMD programs.