Crypto crash threatens stolen North Korea funds as it ramps up weapons testing


SEOUL, June 29 (Reuters) – Falling cryptocurrency markets have wiped out millions of dollars in funds stolen by North Korean hackers, four digital investigators say, threatening a key funding source for the sanctions-stricken country and its weapons programs.

North Korea has invested resources in cryptocurrency theft in recent years, making it a potent hacking threat and leading to one of the largest cryptocurrency thefts on record in March, during which nearly $615 million was stolen, according to the US Treasury.

The sudden drop in crypto stocks, which began in May amid a broader economic downturn, complicates Pyongyang’s ability to profit from this and other heists, and could affect how it plans to fund its weapons programs, two South Korean government sources said. The sources declined to be named due to the sensitivity of the issue.

It comes as North Korea tests a record number of missiles – which the Korea Institute for Defense Analysis in Seoul estimates have cost up to $620 million so far this year – and prepares to resume nuclear testing amid an economic crisis.

Former unlaundered North Korean crypto assets monitored by New York-based blockchain analytics firm Chainalysis, which include funds stolen in 49 hacks from 2017 to 2021, have shrunk from $170 million to $65 million since the start of the year, the company told Reuters.

One of North Korea’s cryptocurrency caches from a 2021 heist, which was worth tens of millions of dollars, has lost 80% to 85% of its value in the past few weeks and is now worth less than $10 million, said Nick Carlsen, an analyst at TRM Labs, another US-based blockchain analytics company.

A person who answered the phone at the North Korean embassy in London said they could not comment on the crash because the cryptocurrency hacking allegations are “totally false”.

“We didn’t do anything,” said the person, who only identified himself as an embassy diplomat. The North Korean Foreign Ministry called the allegations US propaganda.

The March $615 million attack on the Ronin blockchain project, which powers the popular online game Axie Infinity, was the work of a North Korean hacking operation dubbed the Lazarus Group, according to US authorities.

Carlsen told Reuters that the interconnected price movements of the various assets involved in the hack made it difficult to estimate how much North Korea had managed to retain from the heist.

If the same attack happened today, the stolen Ether currency would be worth just over $230 million, but North Korea swapped almost all of that for Bitcoin, which saw distinct price moves, he said.

“Needless to say, the North Koreans have lost a lot of value, on paper,” Carlsen said. “But even at depressed prices, it’s still a huge booty.”

The United States claims that Lazarus is controlled by the Reconnaissance General Bureau, North Korea’s main intelligence office. It has been accused of involvement in the “WannaCry” ransomware attacks, the hacking of international banks and customer accounts, and the 2014 cyberattacks on Sony Pictures Entertainment.

Analysts are hesitant to provide details about the types of cryptocurrency held by North Korea, which could reveal investigative methods. Chainalysis said Ether, a common cryptocurrency tied to open-source blockchain platform Ethereum, accounted for 58%, or around $230 million, of the $400 million stolen in 2021.

Chainalysis and TRM Labs use publicly available blockchain data to track transactions and identify potential crimes. Such work has been cited by sanctions screeners, and according to government procurement records, both companies work with US government agencies, including the IRS, FBI and DEA.

North Korea is under widespread international sanctions for its nuclear program, giving it limited access to global trade or other sources of revenue and making crypto heists attractive, investigators say.


Although cryptocurrencies are believed to make up only a small part of North Korea’s finances, Eric Penton-Voak, coordinator of the UN panel of experts that monitors sanctions, said at a briefing event in April in Washington, DC, that cyberattacks have become “absolutely fundamental” to Pyongyang’s ability to evade sanctions and raise funds for its nuclear and missile programs.

In 2019, sanctions watchers reported that North Korea generated around $2 billion for its weapons of mass destruction programs using cyberattacks.

An estimate by the Geneva-based International Campaign to Abolish Nuclear Weapons indicates that North Korea spends about $640 million a year on its nuclear arsenal. The country’s gross domestic product was estimated in 2020 at around $27.4 billion, according to South Korea’s central bank.

Pyongyang’s official sources of revenue are more limited than ever due to self-imposed border closures to fight COVID-19. China – its biggest trading partner – said in 2021 it had imported just over $58 million worth of goods from North Korea, amid one of the lowest levels of official bilateral trade in decades. Official figures do not include smuggling.

North Korea already receives only a fraction of what it steals because it has to rely on brokers willing to convert or buy cryptocurrencies with no questions asked, said Aaron Arnold of the London-based think tank RUSI. A February report by the Center for a New American Security (CNAS) estimated that in some deals, North Korea gets only a third of the value of the currency it stole.

After obtaining cryptocurrency in a heist, North Korea sometimes converts it to Bitcoin and then finds brokers who will buy it at a discount in exchange for cash, often held outside the country.

“Just like selling a stolen Van Gogh, you won’t get fair market value,” Arnold said.


The CNAS report found that the North Korean hackers show only “moderate” concern about concealing their role, compared to many other attackers. This allows investigators to sometimes follow digital leads and attribute attacks to North Korea, but rarely in time to recover stolen funds.

According to Chainalysis, North Korea has turned to sophisticated ways of laundering stolen cryptocurrency, increasing its use of software tools that bundle and scramble cryptocurrencies from thousands of electronic addresses – a designator for a digital storage location.

The contents of a given address are often publicly visible, allowing companies such as Chainalysis or TRM to monitor any investigations related to North Korea.

Attackers tricked people into giving them access or hacked around security to siphon digital funds from internet-connected wallets to addresses controlled by North Korea, Chainalysis said in a report this year.

The sheer size of recent hacks has strained North Korea’s ability to convert cryptocurrency to cash as quickly as in the past, Carlsen said. This means that some funds have been blocked even though their value is falling.

Bitcoin has lost around 54% of its value this year and smaller coins have also been hit hard, reflecting a decline in stock prices on investor concerns about rising interest rates and the growing likelihood of a global recession.

“Cash conversion remains a key requirement for North Korea if it wants to use the stolen funds,” said Carlsen, who has investigated North Korea as an FBI analyst. “Most of the commodities or products that North Koreans want to buy are only traded in USD or other fiat currencies, not cryptocurrencies.”

Pyongyang has other larger sources of funding it can rely on, Arnold said. UN sanctions monitors said as recently as December 2021 that North Korea continues to smuggle coal – usually to China – and other major exports banned by Security Council resolutions.


North Korean hackers sometimes seem to wait out rapid drops in value or exchange rates before converting to cash, said Jason Bartlett, the CNAS report’s author.

“This sometimes backfires as there is little certainty in predicting when a coin’s value will rise rapidly and there are several cases of highly depreciated crypto funds just sitting in North Korea-related wallets,” he said.

Sectrio, the cybersecurity division of Indian software firm Subex, said there were signs that North Korea had resumed stepping up attacks on conventional banks rather than cryptocurrencies in recent months.

The company’s banking-focused “honeypots” – decoy computer systems meant to lure cyberattacks – have seen an increase in “abnormal activity” since the crypto crash, as well as an increase in “phishing” emails, which attempt to trick recipients into giving away security information, Sectrio said in a report last week.

But Chainalysis said there is no major change in North Korea’s crypto behavior yet, and few analysts expect North Korea to abandon digital currency theft.

“Pyongyang has added cryptocurrency into its sanctions evasion and money laundering calculus and it will likely remain an ongoing target,” Bartlett said.

Reporting by Josh Smith. Editing by Gerry Doyle
