Reuters/Seoul: Four digital investigators say that the drop in cryptocurrency markets has wiped out millions of dollars that hackers in North Korea stole. This threatens a key source of funding for the country, which is under sanctions, and its weapons programmes.
In recent years, North Korea has put a lot of effort into stealing cryptocurrencies. This has made it a powerful hacking threat and led to one of the biggest cryptocurrency thefts ever in March, when almost $615 million was taken, according to the U.S. Treasury.
Two South Korean government sources said that the sudden drop in the value of cryptocurrencies, which began in May as the economy as a whole slowed down, makes it harder for Pyongyang to make money from this and other thefts and may change how it plans to pay for its weapons programmes. Because the matter was sensitive, the sources didn’t want to be named.
The crash comes at a time when North Korea is testing a record number of missiles, which the Korea Institute for Defense Analyses in Seoul says has cost as much as $620 million so far this year, and is getting ready to start testing nuclear weapons again while the economy is in a bad spot.
Since the beginning of the year, the value of old, unlaundered North Korean crypto holdings has dropped from $170 million to $65 million, according to the New York-based blockchain analytics firm Chainalysis. This includes funds stolen in 49 hacks from 2017 to 2021.
One of North Korea’s cryptocurrency caches from a heist in 2021 was worth tens of millions of dollars, but it has lost 80% to 85% of its value in the last few weeks and is now worth less than $10 million, said Nick Carlsen, an analyst with TRM Labs, another U.S. blockchain analysis firm.
When the North Korean embassy in London was called, the person who answered the phone said he couldn’t say anything about the crash because the claims of cryptocurrency hacking are “totally fake news.”
“We didn’t do anything,” said the person, who identified himself only as an embassy diplomat. The Foreign Ministry of North Korea has said that these claims are just U.S. propaganda.
U.S. authorities say that the March attack that took $615 million from the blockchain project Ronin, which runs the popular online game Axie Infinity, was carried out by a North Korean hacking group called the Lazarus Group.
Carlsen told Reuters that it was hard to figure out how much North Korea was able to keep from the hack because the price changes of different assets were linked.
If the same attack happened today, the stolen Ether currency would be worth a little more than $230 million, but he said that North Korea traded almost all of it for Bitcoin, whose price has changed in a different way.
“It goes without saying that the North Koreans have lost a lot of value on paper,” Carlsen said. “But even though prices are low, this is still a big score.”
The United States says that North Korea’s main intelligence service, the Reconnaissance General Bureau, is in charge of Lazarus. It has been blamed for the “WannaCry” ransomware attacks, the hacking of international banks and customer accounts, and the cyberattacks on Sony Pictures Entertainment in 2014.
Analysts are reluctant to say what kinds of cryptocurrencies North Korea holds because that could give away investigative methods. The company said that 58 percent, or about $230 million, of the $400 million stolen in 2021 was Ether, a common cryptocurrency linked to the open-source blockchain platform Ethereum.
Chainalysis and TRM Labs use blockchain data that is available to the public to track down transactions and find possible crimes. Sanctions watchers have talked about this work, and public contracting records show that both firms do work for U.S. government agencies like the IRS, FBI, and DEA.
Investigators say that because of its nuclear programme, North Korea is subject to many international sanctions that make it hard for it to trade or find other ways to make money. This makes crypto heists seem like a good idea.
“FUNDAMENTAL” TO THE NUCLEAR PROGRAMME
Even though cryptocurrencies are only thought to make up a small part of North Korea’s finances, Eric Penton-Voak, the coordinator of a UN panel of experts that monitors sanctions, said at an event in April in Washington, D.C., that cyberattacks have become “absolutely fundamental” to Pyongyang’s ability to avoid sanctions and raise money for its nuclear and missile programmes.
In 2019, people who keep track of sanctions said that North Korea had used cyberattacks to make about $2 billion for its programmes to make weapons of mass destruction.
The International Campaign to Abolish Nuclear Weapons, which is based in Geneva, says that North Korea spends about $640 million a year on its nuclear arsenal. South Korea’s central bank said that the country’s gross domestic product would be around $27.4 billion in 2020.
Pyongyang has less money coming in from official sources than ever before because it has shut down its borders to fight COVID-19. China, which is North Korea’s biggest trading partner, said in 2021 that it had bought just over $58 million worth of goods from the country. This was some of the lowest official trade between the two countries in decades. The official numbers don’t include smuggling.
Aaron Arnold of the RUSI think tank in London said that North Korea already only gets a small portion of what it steals because it has to use brokers who will convert or buy cryptocurrencies without asking any questions. A report from the Center for a New American Security (CNAS) in February said that North Korea gets only one-third of the value of the money it steals in some transactions.
After stealing cryptocurrency, North Korea sometimes turns it into Bitcoin and then finds brokers who will buy it at a discount in exchange for cash, which is often held outside the country.
Arnold said, “You won’t get fair market value, just like if you tried to sell a stolen Van Gogh.”
CONVERTING TO CASH
The CNAS report found that, compared to many other attackers, North Korean hackers don’t care as much about hiding who they are. This means that investigators can sometimes follow digital trails to link attacks to North Korea, but usually not in time to get the stolen money back.
Chainalysis says that North Korea is using more complex ways to launder stolen cryptocurrency. For example, it is making greater use of software tools that pool and scramble cryptocurrency from thousands of electronic addresses, which are names for places where digital money is stored.
Most of the time, the contents of an address can be seen by anyone. This lets companies like Chainalysis or TRM keep an eye on addresses that investigations have linked to North Korea.
In a report released this year, Chainalysis said that hackers tricked people into giving them access or got around security to move digital funds from wallets connected to the internet to addresses controlled by North Korea.
Carlsen said that the size of recent hacks has made it hard for North Korea to turn cryptocurrency into cash as quickly as it used to. That means that some funds are stuck even though their value is going down.
This year, Bitcoin has lost approximately 54% of its value, and smaller coins have also suffered significantly. This is similar to the drop in stock prices, which was caused by investors’ worries about rising interest rates and the growing likelihood of a global recession.
“North Korea still needs to turn the stolen money into cash if they want to use it,” said Carlsen, who looked into North Korea as an FBI analyst. The majority of the goods and services North Korea desires can only be purchased with US dollars or other fiat currencies, not cryptocurrencies.
Arnold said that Pyongyang can get money from other, bigger sources. As recently as December 2021, U.N. monitors of sanctions said that North Korea is still smuggling coal—usually to China—and other major exports that are banned by Security Council resolutions.
VOLATILE CURRENCIES
The author of the CNAS report, Jason Bartlett, stated that it appears that North Korean hackers sometimes wait until the value or exchange rates drop rapidly before turning their hacks into cash.
“This sometimes backfires because it’s hard to know when the price of a coin will go up quickly, and there are several cases of highly devalued crypto funds just sitting in wallets linked to North Korea,” he said.
Sectrio, the cybersecurity division of the Indian software company Subex, said that there are signs that North Korea has started attacking traditional banks again instead of cryptocurrencies in the past few months.
In a report last week, Sectrio said that there have been more “anomalous activities” and “phishing” emails, which try to trick people into giving away security information, on the firm’s “honeypots” for the banking sector since the crypto crash. “Honeypots” are fake computer systems that are meant to attract cyberattacks.
But Chainalysis said it hadn’t seen North Korea’s crypto behaviour change much, and analysts don’t think North Korea will stop stealing digital currencies.
“Pyongyang has added cryptocurrency to its list of ways to get around sanctions and launder money,” Bartlett said. “This is likely to be a permanent target for them.”

