The value of cryptocurrencies such as Bitcoin and Ethereum has skyrocketed in the last year, with Bitcoin increasing by 60% in 2021 and Ethereum increasing by 80%. It’s certainly no surprise, then, that the relentless North Korean hackers who profit from the expanding crypto economy enjoyed a banner year.
Hackers stole $395 million last year
North Korean hackers stole $395 million in cryptocurrencies last year through seven hacks into cryptocurrency exchanges and investment organizations. The nine-figure sum represents a nearly $100 million increase over the previous year’s thefts by North Korean hacker groups, bringing their total haul in cryptocurrency to $1.5 billion over the last five years—not including the uncounted hundreds of millions more stolen from the traditional financial system. Despite the country’s tightly sanctioned, isolated, and struggling economy, that stash of stolen cryptocurrency now adds significantly to the finances of Kim Jong-un’s dictatorial regime as it strives to support itself—and its weapons projects.
Erin Plante’s take on the hacks
“They’ve been extremely effective,” says Erin Plante, a senior director of investigations at Chainalysis, whose analysis predicts a “banner year” for North Korean cryptocurrency crimes in 2021. The findings show that North Korea’s global, serial robberies have increased even in the face of an attempted law enforcement crackdown; in February of last year, the US Justice Department indicted three North Koreans in absentia, accusing them of stealing at least $121 million from cryptocurrency businesses, among other financial crimes. A Canadian man was also charged with allegedly assisting in the money laundering. Those attempts, however, haven’t stemmed the loss of cryptocurrency riches. “We were encouraged to see law enforcement agencies take action against North Korea,” Plante says, “but the threat remains and is escalating.”
The Chainalysis figures, which are based on exchange rates at the time the money was stolen, don’t just show a rise in the value of cryptocurrencies. The increase in stolen assets corresponds to the number of thefts last year; the seven breaches detected by Chainalysis in 2021 are three more than in 2020, but still fewer than the ten successful operations carried out by North Korean hackers in 2018, when they stole a record $522 million.
Bitcoin accounts for a quarter of the stolen crypto
For the first time since Chainalysis began tracking North Korean cryptocurrency thefts, Bitcoin no longer accounts for more than a quarter of the total, making up only about 20%. Instead, stolen ether, the Ethereum network’s currency unit, accounted for 58% of the hackers’ cryptocurrency earnings. The theft of ERC-20 tokens, a type of crypto asset used to establish smart contracts on the Ethereum blockchain, accounted for another 11% of the total, or roughly $40 million.
Ethereum-based crypto became the focus of the hacks
The heightened focus on Ethereum-based cryptocurrencies ($272 million in total thefts last year versus $161 million in 2020) is due to the skyrocketing price of assets in the Ethereum ecosystem, as well as the embryonic firms that growth has spawned.
While Chainalysis declined to identify the majority of the victims of cyber thefts it investigated last year, its research blames North Korean hackers for the theft of $97 million in crypto assets from the Japanese exchange Liquid.com in August, including $45 million in Ethereum tokens. (A request for comment from WIRED on Liquid.com’s August hacking intrusion went unanswered.) Based on malware samples, hacking infrastructure, and tracing stolen money into clusters of blockchain addresses it has identified as controlled by North Korean hackers, Chainalysis claims it has linked all seven 2021 cryptocurrency breaches to North Korea.
Hacks were carried out by Lazarus
According to Chainalysis, the thefts were all carried out by Lazarus, a loose collective of hackers commonly suspected of working for the North Korean government. Other hacker-tracking companies, on the other hand, have pointed out that Lazarus is made up of several different gangs. Despite this, security firm Mandiant agrees with Chainalysis’ findings that stealing cryptocurrency has become a top objective for nearly all of the North Korean groups it monitors, in addition to whatever other missions they may be pursuing.
For example, Mandiant last year identified two North Korean groups, known as TEMP.Hermit and Kimsuky. According to Fred Plan, a senior analyst at Mandiant, both appeared to be tasked with targeting biological and pharmaceutical firms in order to collect information connected to Covid-19. Throughout the year, though, both groups continued to attack bitcoin users. “That consistency of financially motivated operations and campaigns continues to be the undercurrent of all of the other things that they had to perform in the previous year,” Plan explains.
Even the organisation Mandiant refers to as APT38, which has historically focused on more traditional financial breaches such as the loss of $110 million from Bancomext in Mexico and $81 million from Bangladesh’s Central Bank, now appears to be focusing on cryptocurrency targets. Plan claims that “almost all of the North Korean groups we track have a finger in the bitcoin pie in some fashion.”