North Korean hackers have allegedly stolen hundreds of millions in crypto to fund nuclear programs

The FBI claims North Korea-linked hackers were behind a $100 million crypto heist on the so-called Horizon bridge in 2022.

North Korea-linked hackers have stolen hundreds of millions of dollars in crypto to fund the regime’s nuclear weapons programs, research shows.

So far this year, from January to Aug. 18, North Korea-affiliated hackers stole $200 million worth of crypto — accounting for over 20% of all stolen crypto this year, according to blockchain intelligence firm TRM Labs.

“In recent years, there has been a marked rise in the size and scale of cyber attacks against cryptocurrency-related businesses by North Korea. This has coincided with an apparent acceleration in the country’s nuclear and ballistic missile programs,” said TRM Labs in a June discussion with North Korea experts.

In that discussion, TRM Labs said there has been a pivot away from North Korea’s “traditional revenue-generating activities” — an indication that the regime may be “increasingly turning to cyber attacks to fund its weapons proliferation activity.”

Separately, crypto research company Chainalysis said in a February report that “most experts agree the North Korean government is using these stolen assets to fund its nuclear weapons programs.”

The Permanent Mission of North Korea to the United Nations in New York, a diplomatic mission of the regime to the UN, did not respond to CNBC’s request for comment.

Since North Korea’s first nuclear test in 2006, the United Nations has slapped multiple sanctions on the reclusive regime — known formally as DPRK, or the Democratic People’s Republic of Korea — for its nuclear and ballistic missile programs.

The sanctions, which include bans on financial services, minerals, metals and arms, are aimed at limiting North Korea’s access to sources of funding it needs to support its nuclear activities.

Just last month, the FBI warned crypto companies that North Korea-linked hackers are planning to “cash out” $40 million of crypto.

The agency also said in January it continues “to identify and disrupt North Korea’s theft and laundering of virtual currency, which is used to support North Korea’s ballistic missile and Weapons of Mass Destruction programs.”

“They are under pretty serious economic stress with international sanctions. They need every dollar they can. And this is just obviously a much more efficient way for North Korea to make money,” Nick Carlsen, intelligence analyst at blockchain analytics firm TRM Labs, told CNBC.

“Even if that dollar stolen in crypto doesn’t directly go towards the purchase of some component for the nuclear program, it frees up another dollar to support the regime and its programs,” said Carlsen.

North Korean hackers’ exploits

North Korea-affiliated hackers exploit vulnerabilities in the crypto ecosystem in a variety of ways.

Examples include phishing and supply chain attacks, as well as infrastructure hacks that involve private key or seed phrase compromises, TRM Labs said in the report.

According to data from Chainalysis, 2022 was the biggest year ever for crypto hacking.

A whopping $3.8 billion was stolen from crypto businesses, primarily through exploits of decentralized finance protocols and by North Korea-linked attackers, said Chainalysis.

In March last year, U.S. officials accused North Korea-linked hackers of stealing a record amount of more than $600 million worth of crypto assets from Ronin Bridge in the popular blockchain game Axie Infinity using stolen private keys — passwords that allow users to access and manage funds.

Hackers exploit what’s known as a blockchain “bridge,” which allows users to transfer their digital assets from one crypto network to another.

Evolving tactics

North Korean-affiliated cybercriminals reportedly posed as recruiters and lured an engineer from blockchain gaming firm Sky Mavis into believing there was a job opportunity, The Wall Street Journal said in June.

The hacker shared a malware-laced document with the victim, enabling the criminals to access the engineer’s computer and steal more than $600 million in crypto after they broke into Sky Mavis’s digital pets game, Axie Infinity. 

“They leverage social engineering and they get themselves into the community. They build relationships and gain access to systems,” Erin Plante, vice president of Investigations at Chainalysis, told CNBC.

The U.S. Treasury’s Office of Foreign Assets Control and South Korea’s authorities have imposed sanctions against several entities and individuals for helping North Korean IT professionals fraudulently obtain employment overseas and launder illicitly obtained funds back to North Korea.

“They target employers located in wealthier countries, utilizing a variety of mainstream and industry-specific freelance contracting, payment, and social media and networking platforms,” said the press release, adding that North Korean IT workers often take on projects that involve virtual currency.

“DPRK IT workers also use virtual currency exchanges and trading platforms to manage digital payments they receive for contract work as well as to launder these illicitly obtained funds back to the DPRK.”