North Korea’s Building Nukes With Stolen Crypto: Will Regulators Step In?
Created 1yr ago, last updated 1yr ago

If the crypto community can’t combat the North’s cybercrime campaign, then regulation could increase, deterring investors and dampening innovation.


“North Korea is increasingly engaging in cyber-attacks on financial institutions, especially crypto platforms, thereby increasing its funding for nuclear weapons and harming the crypto industry’s growth.”

North Korean hackers are raiding crypto platforms and building more nuclear weapons with the proceeds. The investors they steal from are left angry and guilty that their stolen money is financing weapons that threaten mankind’s very existence. As the attacks have grown in frequency and intensity, regulators have shown their teeth; they demand that something be done. If the crypto community can’t combat the North’s cybercrime campaign, then regulation could increase, deterring investors and dampening innovation.


North Korea — A Nuclear Weapons Stockpile

North Korea is shrouded in mystery. Its policies, traditions and beliefs arouse suspicion, criticism and occasionally ridicule. Even its full name – The Democratic People’s Republic of North Korea – invites mockery since it’s by far and away the least democratic country on earth. The North’s Supreme Leader, Kim Jong-un, rules with a uranium-tipped hammer. He cruelly punishes those subjects who fail to follow his mystifying rules and laws: laws that limit men’s and women’s hairstyles to ten pre-approved styles; outlaw denim jeans because of their capitalist associations; and send three generations of a family to labour camps or prison when one member breaks the law. Those who escape paint a wretched picture of life under Kim. And yet, despite the danger Kim Jong-un represents and the suffering he inflicts, our leaders don’t intervene. Why is this?

Thanks to Kim’s enormous nuclear stockpile, we don’t really have much choice. As soon as NK proved it could build nuclear weapons back in 2006, it joined the US, Russia, China and all the other nuclear powers in a Mexican standoff wherein whoever fires first will probably end all life on earth. Since 2006, NK’s nuclear arsenal has grown; today, Kim Jong-un has enough materials for at least a hundred nuclear weapons, according to various estimates, as well as long-range ballistic missiles that can reach the United States. Of course, whether the Little Rocket Man would ever use these WMDs isn’t clear. Hopefully we’ll never find out.

Cyberwarfare Enters the Building

Over the past decade, Kim’s focus has steadily shifted from bolstering his military and nuclear arsenals to cyberwarfare, a subject for which his late father, Kim Jong-Il, also expressed considerable enthusiasm. Kim Senior wrote of cyber-attacks in the Electronic Warfare Reference Guide (2005): “If the internet is like a gun, cyber-attacks are like autonomic bombs.” He later added, “modern war is decided by one’s conduct of electronic warfare.” Like father like son, the current Kim also delights in all things cyber. In 2013, he said, “cyberwarfare is an all-purpose sword that guarantees the North Korean People's Armed Forces ruthless striking capability, along with nuclear weapons and missiles.”

There’s some debate around what sparked this familial flurry of interest in cyberwarfare. Most agree, however, that two core motives underpin nearly all of the Kim family’s decisions: strengthening military might through nuclear armament, and alleviating the North’s severe economic woes. It is this second, poverty-driven point that is often overlooked.

North Koreans live in such a deeply deplorable state that to simply describe their country as “poor” would scarcely touch the sides. An estimated 60% of North Koreans [2020 study] live in absolute poverty, which means they lack access to food, water, shelter or warmth. The North’s GDP sits at just $28B, which really isn’t much for a country of 25 million people (Elon Musk made $121B last year), and nearly all its trade profits come from just one ally: China. The country’s GDP per capita is just $1,700 per person, which is worse than Afghanistan. To make matters worse, North Koreans don’t get aid from other countries because of Kim’s stubborn refusal to give up his WMDs.

When we combine these economic woes with Kim’s bottomless desire for more military power, we better understand why he relentlessly cyberattacks banks and crypto platforms. In a word: money. And given that cyberattacks are not only inexpensive when compared to traditional warfare, but indeed profitable, we can see that it makes perfect sense for Kim to steal from his enemies rather than attack them directly. Of course, it doesn’t hurt that cyberattacks are notoriously difficult to trace, and the North can therefore somewhat plausibly deny their involvement in them (although their denials often prompt snorts of laughter and derision, as you will see later).

We don’t know much about how Kim’s cyberwarfare teams function, or how many operatives he has, or from which countries they operate. Most of what we do know comes from leaked documents and testimony from defectors and escapees. We’re not even sure what to call Kim’s hackers. They often pick a new name to hack one or two companies, only to swap it for something else once they move on. Their previous names include Guardians of the Peace, IsOne, WhoIs, NewRomanic [sic?] Cyber Army and Hidden Cobra, to name a few. Regardless of which name they use, Kim’s hackers use the same strategies and tools over and over again, which has led many to believe that most of NK’s financially motivated cyberattacks are the work of just one team known by just one name: Lazarus Group.

The Lazarus Group is essentially a cybercrime syndicate that steals money from foreign companies to fund Kim’s nuclear war chest. Intelligence agencies, state departments and cyber researchers concur with the FBI’s official position: that Lazarus is a “state-sponsored hacking organization.”

Nobody knows the Lazarus Group’s true size or strength besides Kim and a few trusted insiders. The U.S. Army, however, suggests the group comprises at least 1,700 cyber specialists who operate as two units: BlueNorOff and AndAriel. The former targets financial institutions like crypto exchanges, whereas the latter targets NK’s long list of nemeses. Other sources, mostly defectors, suggest Lazarus has some 6,000 operatives spread out over the world, many of whom secretly work from China (although the Chinese government vehemently disputes this). Lazarus could, for all we know, include every North Korean cyber operative, or it may include just an elite few. They might share an office block somewhere in Pyongyang, or they could all work remotely from all over the world. Whatever its true size and strength, though, Lazarus has already drained billions of dollars from unsuspecting financial institutions all over the world, and more will surely follow.

The earliest cyberattack attributed to Lazarus occurred between July 4 and 9, 2009, and was dubbed Operation Troy. Nobody used the name Lazarus at the time, but the tools and strategies the hackers used were later matched up with subsequent attacks. In preparation for the attack, Lazarus agents hijacked between 20,000 and 50,000 computers, mostly in South Korea, with which they overloaded websites and servers with traffic (a distributed denial of service, or DDoS, attack). The first wave targeted U.S. and South Korean government, media and financial websites, including those of the White House, Pentagon, NYSE and the Washington Post. The second wave attacked exclusively South Korean sites, and brought down numerous administration, security, defence and intelligence sites. The third and final wave again targeted South Korean sites, including its National Intelligence Service and several of its largest banks. The true economic cost stemming from these attacks isn’t known, but estimates suggest hundreds of millions of dollars were lost in missing revenue, as the attacks prevented many people from running their businesses.

Law Enforcement Closes In

Tracing cyberattacks to any person, group, or state is a notoriously tricky business, unless of course they own up to it, which most hackers rarely do. It wasn’t surprising then that nobody — including Kim — claimed credit for wreaking havoc across South Korea’s networks. After all, why would they? What would they gain by confessing?

It is sometimes possible to trace an attack’s origin, however, even when hackers go to great lengths to shield their identities. Operation Troy was one such case. South Korean police, during their initial investigation, found hard evidence that Lazarus was involved in the attack. And some years later, researchers proved that Lazarus reused their Operation Troy malware for other attacks. One of these attacks began on March 20, 2013, and was christened Operation Dark Seoul.

The day in question had seemed like any other cold and wet March day in South Korea, right up until hackers paralyzed the network services used by dozens of media and financial companies. Three TV stations and a bank’s computer network went offline, which downed their TV channels, ATMs, and mobile apps as well. The hacked websites posted messages that lavished Kim Jong-un with praise and claimed Anonymous (a hacktivist group) was behind the hack. Even before the awkwardly suspicious messages emerged, the media had already suggested that Kim & Co were responsible; after all, it’s not like Kim has much of a fan club outside Pyongyang. And once the pro-Kim posts turned up, it was all but certain that Lazarus was behind the attacks.

A few years after the attacks subsided, malware researchers uncovered incontrovertible evidence that the multi-year cyber campaign had in fact been carried out by the North Korean government. When they analysed the hackers’ code, they found dozens of commonalities between the Dark Seoul malware and the malware used in the North’s other attacks against South Korea.

Operation Dark Seoul continued through June. Lazarus members released compromising military information about a number of NK’s most ardent enemies: chiefly the U.S. and South Korea. The leaked data included personal information about 40,000 United States Forces Korea personnel and 100,000 South Korean citizens. When the U.S. and South Korean intelligence services accused Kim of masterminding Dark Seoul, his officials claimed the U.S. and South Korea had actually cyberattacked them first, and then denied all involvement. To simultaneously claim innocence and provocation is an unusual way to defend oneself, but it’s a normal day at the office for Kim.

The Dark Seoul attacks cemented Lazarus’ reputation as a cyber force to be reckoned with, but it wasn’t until Nov. 24, 2014, that the world really woke up to what Lazarus could do. On the day in question, Sony’s employees arrived at their office expecting the usual Monday drudgery, only to find their computer screens stuck on a pixelated red skeleton adorned with the words “Guardians of Peace” and various threats (image below). Shortly thereafter, a Reddit post emerged claiming Sony Pictures had been hacked.

Questions were raised about whether this “Guardians” moniker represented a genuinely new hacking group, or if it was simply a red herring. The latter theory was true, it turns out.

Later the same day, Sony’s confidential data materialized online. The data contained a mix of social security numbers (47,000), personal and private employee emails (millions), employee salaries, as well as dozens of unpublished scripts and films. The media got right to work on the leaked emails, and it didn’t take long for juicy discussions about Hollywood stars to turn up, including Angelina Jolie and Charlie Sheen. The quantity of leaked data was actually so vast that it took journalists weeks to finish unpacking this new treasure trove of stories.

In a surprising turn of events, the hackers quickly reached out to Sony with an unusual demand: that they not release an upcoming comedy film called The Interview. Failing to shelve the film, the hackers said, would result in even more embarrassing data cropping up online. This demand raised eyebrows, alarms and red flags at Sony and the U.S. intelligence agencies, as it didn’t seem to make sense. Why would a group of evidently talented hackers go through so much trouble to prevent one movie from being released?

The answer lies in the content of the film itself. The Interview tells a story about two journalists, played by Seth Rogen and James Franco (pictured above), who are personally invited by Kim Jong-un to North Korea in order to interview him. In a typical Hollywood twist, the CIA steps in and trains the journalists to assassinate Kim. When The Interview’s teaser trailers emerged, which present Kim as an unhinged lunatic ripe for assassination, the real Kim Supreme was somewhat miffed.

Some months before Sony’s hack, Kim had actually expressed his concerns about the film to the UN. He claimed any film that showed a country’s current leader being assassinated would constitute an act of terrorism and a declaration of war. Who knew the Little Rocket Man had such strong opinions about Hollywood storylines?

Once the hackers’ demand was made public, U.S. intelligence officials formally pointed the finger at Kim and his Lazarus hackers. They also cited evidence that included technical analysis, as well as similarities between the hacking tools and malware used in Sony’s hack and other attacks attributed to Lazarus. During a later investigation, the FBI found numerous proxy IP addresses that originated from somewhere in North Korea, which officially put to bed the question of “who’s to blame” for Sony’s hack.

And yet, despite the overwhelming evidence against him, Kim’s media officials forcefully denied any involvement: “the hacking into the SONY Pictures might be a righteous deed of the supporters and sympathizers with the DPRK in response to its appeal [that the film be shelved],” and that “we do not know where in America the SONY Pictures is situated.” The latter of these rebuttals (“we do not know where…SONY Pictures is”) implies that despite NK’s proven nuclear/cyber capabilities, its agents cannot locate a business’s address. Just to be clear, a simple Google search provides Sony’s corporate address in “0.83 seconds.” It’s also on Wikipedia.

These original and compelling counterarguments didn’t convince anyone in the U.S. government.

Secretary of State John Kerry openly condemned the North, Kim and Lazarus for hacking Sony. It wasn’t until 2018, four years later, that the U.S. Justice Department formally charged a Lazarus member for his role in the Sony hack. The hacker’s name is Park Jin Hyok, and his name and picture still feature on the FBI’s Most Wanted pages.

Where might Kim procure such talented hackers like Park? It’s not as if the North has a bustling cyber community or an expansive pool of savvy programmers from which he can simply pluck out the finest specimens and command them to steal cash on his behalf. This riddle’s answer, according to escapee testimony, is that Kim has set up a kind of cyber scouting program, wherein educators hand-pick prodigious math students to train as cyber soldiers from a young age, possibly as young as twelve. The chosen ones withdraw from their regular schools and travel to Pyongyang, where cyber experts (possibly Lazarus members) train them in cyberwarfare and to become the next generation of Lazarus hackers.

Why Attack When We Can Rob?

Kim adjusted his cyber strategy following the Sony hack. Perhaps Kim had a Supreme lightbulb moment of sorts, in which a Glorious thought appeared in his Glorious Mind that went something along the lines of “Why are we attacking our enemies when we could just rob them blind instead?”

And rob them they did. In the second week of 2015, Lazarus pulled off its first financially motivated cyberattack. Its victim was an Ecuadorian bank called Banco del Austro. Lazarus members covertly infiltrated the bank via a supposedly secure bank terminal. They then contacted Wells Fargo, pretending to work for the bank, and asked them to transfer $12M from Banco del Austro’s account to the hackers’ accounts in Hong Kong. Even though the hackers transferred the money using SWIFT, the global payment system, SWIFT denied any liability for the breach, as did Wells Fargo. They claimed that Banco del Austro had inadequately protected its network and was therefore at fault.

Lazarus launched two further attacks in May and October the same year (2015), in the Philippines and Vietnam. Unlike in Ecuador, however, its attempts to steal $1M from Tien Phong Bank in Vietnam and its probing attacks on numerous Filipino banks were thwarted. Both hacks made the news, but nobody attributed either to Kim or Lazarus right away. That happened nearly a year later, following one of Lazarus’ most audacious cyberattacks: the Bangladesh Central Bank heist.

The heist began in January 2015 when someone using the name “Rasel Ahlam” sent his CV and cover letter to various employees of Bangladesh Bank – the country’s central bank. Unfortunately for those workers who read them, the attachments contained hidden malware built by the Lazarus Group. This malware gave Lazarus near total control over the bank’s network, including its internal accounts and money transfers. Surprisingly, in an extraordinary show of restraint, the hackers didn’t use this access for over a year. Instead they planned where to send their stolen money and how they would launder it.

At 20:36 EST on Feb. 4, 2016, Lazarus began the first of thirty-five attempted transfers from the Bangladesh Bank’s New York Fed account.

Kim’s hopes of a payday and some new shiny nuclear toys were nearly disappointed right away by the unlikeliest of security measures: a lone printer on the bank’s 10th floor, which printed each and every transfer from the bank’s accounts as they happened. Lazarus hackers knew about the printer before the heist, and had hacked its software to shut it down while they emptied the bank’s accounts. However, the bank’s staff noticed the printer malfunctioning and restarted it right away. After it rebooted, the printer spat out dozens of pages that showed someone was stealing $951M from their account with the U.S. Federal Reserve. The bank’s staff reached out to the Fed at once, but they couldn’t get through to anyone who could help them. Which was all part of Lazarus’ plan.

When the bank discovered the fraudulent transfers, it was 08:45 local time, so most of its staff were at their desks and ready to help. Unfortunately, the only people who actually could help worked at the Fed office in New York, USA, where the local time was 22:00. As such, most of the Fed’s employees weren’t at the office while the heist was underway and therefore couldn’t do anything to help the bank in time. By merely exploiting the time difference between the U.S. and Bangladesh, Lazarus nearly pulled off not only the biggest cyber heist in history, but the largest theft of all time. Thankfully, however, Kim’s hopes of a billion-dollar payday were dashed by sheer fluke.

The heist-ruining blunder transpired when a Lazarus member decided to send their looted cash to an RCBC bank on Jupiter Street in Manila, the Philippines. This bank’s street address would have seemed normal and innocuous enough to Lazarus, and under microscopically different circumstances they would have made off with far more money than they actually did. But by pure chance, the Fed had recently sanctioned an Iranian shipping vessel called Jupiter, so when the first batch of stolen cash arrived at a bank bearing the same name, alarm bells started ringing. The remaining transfers to the bank on Jupiter Street were reviewed and then halted by Fed employees, but they weren’t fast enough to catch the first five transactions totalling $101M.

Stealing over a cool hundred mil was a remarkable achievement for Lazarus and a great payday for Kim. It was, however, only one tenth of what Kim had hoped for. Perhaps Kim’s celebratory Soju tasted somewhat sour that evening.

A New Way Forward — Hacking Crypto

After the Bangladesh heist, Lazarus & Co appear to have realised that rather than targeting banks and financial services providers, which have fiercely robust security systems in place, they should target cryptocurrency platforms instead. At first glance, this seems like an obvious bad idea. Crypto services are supposedly more secure than TradFi banks, aren’t they?

Cryptocurrencies and platforms are built using blockchains, which are designed to be decentralized (they work without a central controller approving everything, like a bank). Apps and services built on decentralized platforms have more than a few advantages over their centralized competition: they don’t have a single point of failure (and therefore have fewer cyber vulnerabilities), they operate trustlessly (without intermediaries), and blockchain data is often public, cryptographically verified, and therefore more reliable. Unfortunately, despite the cryptocurrencies themselves being secure, the same can’t be said for centralized (CeFi) exchanges.

Many crypto exchanges are far more centralized than we like to think. They often rely on just one or two crypto wallets for many or all transactions, which exposes them to the centralization-related security vulnerabilities that also trouble the TradFi sector: namely, single points of failure that are easily attacked. It is therefore the CeFi crypto exchanges that represent a chink in the crypto space’s armour. As such, it should come as no surprise that Lazarus began to target these CeFi exchanges from April 2017 onwards.

The first crypto platform targeted by Lazarus was Yapizon — a small South Korean CeFi exchange which later rebranded to Youbit. Lazarus struck Yapizon on April 22, 2017, and compromised four of the exchange’s hot wallets, in which most of its users’ funds were stored. The hackers made off with a third of Yapizon’s funds: 3,816 BTC, which at the time were worth about $5M.

Lazarus then targeted another CeFi platform — Bithumb — in July. At the time, Bithumb was one of the busiest crypto exchanges in South Korea and the fourth largest globally by volume. Despite its size and decent reputation, its staff didn’t notice when large sums of crypto vanished from the company wallets. It wasn’t until users found they couldn’t withdraw their funds that Bithumb’s team jumped into action. And by action, we mean they actively buried their heads in the sand. After a two-day communications blackout, the firm admitted that hackers had socially engineered their way into one of its employee’s computers, from where they stole $7M in various cryptocurrencies and the personal details of 31,800 of its users.

Kim’s hackers didn’t sit around celebrating their string of victories; they got right back to work and struck Yapizon again using the same winning strategy from the first hack. This time, they stole 4,000 Bitcoin, or 17% of the exchange’s assets. These two breaches in quick succession left Yapizon with neither money nor options. The firm filed for bankruptcy and closed its digital doors forever just a few days before Christmas. A few weeks later, South Korean intelligence blamed Lazarus for both hacks.

Like Yapizon, it seems Bithumb didn’t learn much from being hacked the first time. Lazarus hacked Bithumb again in 2018. This time they took $30M. To make matters worse, they struck the exchange again in 2019 for a further $20M. A report into Bithumb’s breaches commissioned by the U.S. Secret Service revealed that Kim’s hackers had contacted Bithumb during the first breach and demanded a $16M ransom in exchange for user details they stole during the first hack. It’s not clear whether Bithumb paid the ransom.

Just before Lazarus rang in the end of a cyber-successful 2017, its members pulled off its biggest crypto heist yet: a $62M theft from NiceHash. Like the Bithumb hack earlier in the year, it was NiceHash users who first noticed their money was missing. In a later statement, the CeFi exchange said, “our payment system was compromised and the contents of the NiceHash Bitcoin wallet have been stolen.” At the time, nobody knew whether Lazarus agents or some other group were behind the theft; many pointed fingers at NiceHash’s founder Matjaž Škorjanc. In 2021, however, an indictment was filed in the U.S. which charged three known Lazarus agents (Jon Chang Hyok, Kim Il, and Park Jin Hyok) with a wide range of cybercrimes, including the NiceHash hack.

Blockchain — Law Enforcement's Best Friend?

It’s worth thinking about how Lazarus members cashed out so much crypto. After all, blockchain was supposed to make money laundering harder due to the technology’s transparency, wasn’t it? If that’s true, how did Kim’s cyber crew get away with so much supposedly secure money? Don’t worry — cryptocurrencies aren’t broken, and cashing out stolen crypto isn’t a walk in the park. Just look at the millions of dollars’ worth of stolen crypto that remains uncashed to this day. If thieves were able to cash it out, why wouldn’t they?

Probably because it’s more trouble than it’s worth, as is often the case when fencing stolen loot. Just ask Vincenzo Peruggia, the man who stole the Mona Lisa in 1911. The art thief hid the world’s most valuable painting in a trunk in his Paris apartment for two years and then smuggled the painting into Italy, where he tried to sell it to an art gallery in Florence. The gallery owner promptly turned him in to the police. Peruggia was then arrested and carted off to prison, and Leonardo’s masterpiece returned to the Louvre.

Funnily enough, selling stolen crypto can be just as hard as fencing stolen artworks, if not harder — since paintings aren’t stored on a public, immutable ledger. And it’s not like Kim or a Lazarus member could easily register an account on Coinbase or Binance as both have stringent, mandatory KYC checks in place. Most of the other high-liquidity exchanges do as well.

There are, however, a few strategies and tools that Lazarus (and other hackers) use to cash out their stolen crypto. The current favourite among these is the currency mixer, which lets thieves conceal where their stolen crypto came from by blending it with other people’s crypto in a shared pool.

Research by Chainalysis shows that Lazarus hackers consistently use mixers as part of their crypto laundering strategy. They usually deposit stolen Ether and Bitcoin into various mixers, wait a few days, then withdraw their cleaned funds to trade on decentralized exchanges (DEXs). Eventually the cleaned crypto arrives at a CeFi exchange based in Asia, where Lazarus trades it for cash, which is deposited in accounts under Kim’s control.

The mixer Lazarus commonly uses is Tornado Cash. If the name rings a bell, that’s because Tornado has taken a hammering in the press recently, specifically for helping Lazarus clean their stolen crypto. The U.S. government was aware of this, and officials imposed sanctions on Tornado in August this year, citing evidence that the platform had laundered more than $7B in crypto since 2019. The bad news for Tornado didn’t stop there; Dutch authorities arrested an alleged Tornado Cash developer in mid-August this year as well, which prompted fury among the crypto community. Many people argued that law enforcement shouldn’t prosecute developers for building legitimate software tools, even if criminals sometimes use them.

Regardless of what we think about the legality and ethics of these sanctions and arrests, it’s clear that regulators have ramped up their efforts to shut down Kim’s cybercrime campaign. To be fair, they had good reason to: research published at the end of 2018 by the cybersecurity firm Group-IB suggests that during the preceding 24 months, Kim’s hackers reaped $571M by attacking crypto exchanges.

Of course, the attacks didn’t end with NiceHash and Bithumb. In November 2019, Lazarus set its sights on a popular South Korean exchange called UpBit. The hackers somehow managed to submit an “abnormal transaction” of 342,000 Ether from one of the exchange’s accounts. UpBit’s CEO confirmed the breach in an official statement the following week. The stolen assets, worth $50M at the time, weren’t recoverable, but they fortunately didn’t come from user accounts. UpBit froze all transactions for about seven weeks following the hack, then reopened its doors and allowed users to trade again. The exchange is still up and running now, and the phrase “Most Trusted Digital-Asset Exchange” adorns its landing page; an optimistic phrase considering its history.

A short while after UpBit’s breach, the UN reported that Kim’s cyberattacks had by their estimates accrued $2B. Furthermore, research from Chainalysis at the time indicated the Lazarus Group’s share of all crypto stolen over 2019 was an astonishing 70%. We can only speculate on how Kim spent this money, but it’s likely that most of it went toward his favourite pastime: building ever-bigger intercontinental ballistic missiles.

Lazarus set their sights on Singapore-based KuCoin next, in September 2020. The hackers accessed the private keys for the exchange’s hot wallets sometime in early September, possibly through a leak. This let them drain Bitcoin, Ethereum and a range of ERC-20 tokens worth $275M. In a happy and surprising turn of events, however, most of the money was reportedly recouped. KuCoin CEO Johnny Lyu later explained that by coordinating with partners and other platforms, his team had clawed back $236M — or 84% — of the stolen funds, and its insurance covered the rest. In the end, what could have been Lazarus’ biggest score yet was scuppered by an organised and united crypto community.

You may remember that during September of 2020, the Covid-19 pandemic was in full swing. Borders were shut, planes were grounded and the world economy ground to a halt. Every country suffered financial pain, but owing to widespread poverty, poor infrastructure, and a near non-existent list of foreign allies, North Koreans suffered worse than most. While other countries collaborated to create Covid tests and vaccines, Kim showed little interest in working with the West, even temporarily. Instead, he tried to steal his way to salvation.

As early as March 2020, when the pandemic was just breaking out, Kim’s cyber soldiers targeted healthcare and pharmaceutical firms with phishing emails and fake job applications that were loaded with malware. It’s not clear what exactly they were hunting for, but vaccine recipes seem likely. Healthcare firms remained a target well into 2021, when Lazarus cyberattacked Pfizer, the U.S. pharma giant which worked with BioNTech to produce one of the most widely used Covid-19 vaccines. The attacks on healthcare and pharmaceutical companies were later analyzed by Microsoft, who found that Lazarus had tried to hack quite a few other pharma and healthcare firms besides Pfizer as well.

There isn’t much evidence to suggest any of North Korea’s attacks on pharma firms bore fruit. Unfortunately we can’t say the same for crypto: Lazarus drained $400M from crypto platforms throughout 2021. This enormous sum is partly explained by crypto’s global market cap smashing various all-time highs and boosting their loot’s value. Kim’s largest haul that year came from the Japanese CeFi exchange Liquid.com, from which his hackers stole and laundered $91M in 67 different ERC-20 tokens, as well as Bitcoin and Ether. Like most of the aforementioned crypto hacks, Lazarus somehow took control of the exchange’s hot wallets, transferred themselves funds and laundered them through Tornado Cash, from where the trail went cold.

Chainalysis research suggests that following the Liquid.com hack, North Korea had around $170M in stolen crypto sitting in various wallets. There are a few different explanations for this, first and foremost that crypto mixers like Tornado aren’t a crypto-laundering panacea. If a hacker gets his funds through a mixer before anyone’s aware of the hack, then they work just fine. But crypto platforms are savvier than they used to be, and most have alarm bells that ring when they get hacked, which lets them track the stolen money before it arrives at a mixer. With help from the community they can then sometimes freeze the money before it enters a mixer, as seen in the KuCoin hack. Of course, it’s also possible that Kim & Co are long on crypto and therefore want their loot’s value to increase before they exchange it for cash.

So far in 2022, Lazarus has hacked two large platforms. The first was Ronin, an Ethereum sidechain built for Axie Infinity, the P2E game. The second was Harmony, a U.S.-based blockchain company that builds cross-chain bridges.

Ronin fell first in March of 2022. Lazarus had set up an elaborate phishing scheme on LinkedIn that advertised fake jobs to employees who worked at crypto firms. One of these job adverts caught a senior engineer at Axie unawares. After applying, the engineer went through several interview rounds and eventually received an “extremely generous” compensation package as a PDF attachment. The PDF was of course riddled with malware that infected Ronin’s network. Before long, Lazarus accessed the private keys for a majority (5/9) of Ronin’s validator nodes, which let them freely approve any transaction they wanted.

It was six days before Ronin’s engineers realised that they had been hacked. They weren’t tipped off by any cyber tools or security measures either; it was only after a user queried why they couldn’t withdraw their Ether that the team discovered the breach. When the dust settled, 173,600 Ether and $25.5M USDC (totalling $625M) had been drained from Ronin by Lazarus, making this Lazarus’ biggest score to date.

Two weeks passed before the U.S. Treasury Department blamed Kim, Lazarus and North Korea. The FBI agreed. Three quarters of Ronin’s missing crypto was later traced by a data analytics company called Elliptic, who showed the hackers swapped the stolen USDC for Ether right away so the authorities couldn’t freeze it and then laundered the Ether through currency mixers, once again including Tornado Cash.
The Ronin hack lost tens of thousands of investors significant amounts of money. Axie, the game for which the Ronin sidechain was built, was extremely popular among people who were out of work through the Covid-19 lockdowns, as it gave them a way to earn money from home. It also lets gamers socialize with their friends while earning a little money on the side. And yet, the real tragedy here isn’t that regular folks lost a lot of money: it’s that their stolen cash will finance an ever-growing nuclear arsenal controlled by a man who executes anyone who falls asleep while he’s speaking.

Every time Lazarus hacks another crypto platform, one of the first questions the victims ask is “who’s going to pay back the money I lost?” The answer is never simple and is too often: “nobody.” Of the firms who fell for one of Lazarus’ scams, many declared bankruptcy as they couldn’t pay back their community. Others chose not to repay their community but still carried on anyway, promising to do better next time. Few of those in the latter category ever managed to build back their reputation. With Axie, though, there is some hope. In April, the firm raised $150M through Binance to try and reimburse the victims. And while this sum doesn’t plug the hole, it goes some way toward healing what will for most people be a devastating financial wound.
And last but certainly not least, we arrive at Lazarus’ latest victim: Harmony, a California-based firm that builds bridges that connect different blockchains together. In a blog post, Harmony’s employees explained that hackers had “compromised” their bridge through eleven transactions that drained all its funds — ~$100M by their estimates — and that they were working with law enforcement and the wider crypto community to recoup the missing money. Three days later, however, $96M of the stolen crypto was laundered through Tornado Cash by then-unknown hackers, and is therefore unlikely to be seen again.
Researchers like Chainalysis took little time establishing that it was Lazarus who had hacked Harmony. And in the weeks that followed, intelligence officials from numerous countries expressed serious concerns about Kim’s clearly burgeoning cybercriminal empire: “I’m very concerned about North Korea’s cyber capabilities… They use cyber to gain, we estimate, up to a third of [stolen crypto] funds to fund their missile program,” said Anne Neuberger, who is President Biden’s deputy national security advisor for cyber and emerging technology.
In an embarrassing revelation, it later emerged that Harmony was forewarned that its security didn’t cut the mustard. The warnings came from a developer with the Twitter handle Ape Dev, who pointed out that Harmony’s bridge used a multi-sig wallet that hackers could drain with just two stolen signatures. Ape tweeted: “if two of the four multisig signers are compromised, we’re going to see another nine-figure hack.” Ape’s prophecy, of course, came true. But he wasn’t the only developer to cast doubt on cross-chain bridges. Vitalik Buterin shared his concerns on Reddit in January this year: “The fundamental security limits of bridges are actually a key reason why while I am optimistic about a multi-chain blockchain ecosystem […] I am pessimistic about cross-chain applications.” The Ethereum founder later added on Twitter that “there are fundamental limits to the security of bridges that hop across multiple "zones of sovereignty."”
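The Ronin (5-of-9 validator keys) and Harmony (2-of-4 multisig) incidents above both come down to the same policy question: how many signer keys an attacker must hold before a withdrawal is approved. The following is an added example, not code from Ronin, Harmony or this article; it models an m-of-n approval check with HMAC as a stand-in for real signatures and constructed keys, and shows why a low threshold and duplicate-signature handling matter.

```python
import hashlib
import hmac

# Constructed stand-in: the verifier shares each signer's secret and treats an
# HMAC-SHA256 over the withdrawal message as that signer's "signature".
# Real bridges use asymmetric signatures; the threshold logic is the same.

def sign(secret: bytes, message: bytes) -> bytes:
    return hmac.new(secret, message, hashlib.sha256).digest()


def count_valid_signers(keys: dict, message: bytes, signatures: list) -> int:
    """Number of DISTINCT authorised signers whose signature verifies.

    A set is used so that replaying one signer's signature several times
    cannot be counted as several approvals."""
    valid = set()
    for signer_id, sig in signatures:
        secret = keys.get(signer_id)
        if secret is None:
            continue  # unknown signer, ignore
        if hmac.compare_digest(sign(secret, message), sig):
            valid.add(signer_id)
    return len(valid)


def withdrawal_approved(threshold: int, keys: dict, message: bytes, signatures: list) -> bool:
    return count_valid_signers(keys, message, signatures) >= threshold


def scenario(n_signers: int, threshold: int, compromised: int, replay: bool = False) -> bool:
    """Simulate an attacker who holds `compromised` of the n signer keys.

    Returns True if the m-of-n policy would approve their withdrawal."""
    keys = {f"signer{i}": hashlib.sha256(f"constructed-key-{i}".encode()).digest()
            for i in range(n_signers)}
    message = b"withdraw everything to attacker-controlled address (constructed)"
    sigs = [(f"signer{i}", sign(keys[f"signer{i}"], message)) for i in range(compromised)]
    if replay:
        sigs = sigs * 3  # resubmitting the same signatures must not add approvals
    return withdrawal_approved(threshold, keys, message, sigs)


if __name__ == "__main__":
    print("Harmony-style 2-of-4, two keys stolen:", scenario(4, 2, 2))   # True
    print("Ronin-style 5-of-9, five keys stolen:", scenario(9, 5, 5))    # True
    print("Same two stolen keys against 4-of-5:", scenario(5, 4, 2))     # False
    print("One key, replayed three times, 2-of-4:", scenario(4, 2, 1, True))  # False
```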

Once these warnings had made the rounds on Twitter, Harmony released a statement: “This incident is a humbling and unfortunate reminder of how our work is paramount to the future of this space, and how much of our work remains ahead of us.”

Can Any of This Be Stopped?

Lazarus’ relentless cyberattacks brought to the surface a question with which the crypto community has always struggled: how much control should lawmakers and regulators have over crypto in order to keep investors safe? The libertarian wing argues that no agency should be able to censor, suppress or control crypto transactions, regardless of their legality, and that any control ceded to regulators is a failure. States and their regulators, for the most part, claim that they should be able to freeze any user’s funds if they suspect them of a crime, and that regulation would be the best way to constrain Kim’s cyberwarfare campaign.

There’s no easy answer to this question of how (or even if) crypto should be regulated to fight back against Lazarus. If regulators control who can and can’t use crypto, doesn’t that defeat the whole point of decentralized currencies? Equally though, if regulators could freeze criminal wallets and stamp out currency mixers, we could better fight back against Lazarus and hamper Kim’s nuclear program. Is regulation, therefore, a price worth paying?

After all, despite all its faults and weaknesses, North Korea represents one of the greatest threats to humanity’s survival. It’s also the only nation on earth whose military hacks businesses and banks to build nuclear weapons. And every time another crypto platform gets hacked, Kim’s rocket scientists produce yet another even bigger weapon of mass destruction.

Unless the crypto industry can devise a way to either recoup the money stolen during Lazarus’ hacks or somehow prevent platforms from being hacked in the first place (without help from regulators), then regulators are bound to step in soon. In a way, they already have by sanctioning Tornado Cash. If this trend spreads, if the crypto space becomes so heavily regulated that wallets and transactions require identity documents to work, then all crypto will have amounted to is a slightly more efficient version of the banking systems we have now.

What crypto needs is a concerted, global and collaborative push to develop tools and strategies that can do what regulators claim only regulation can: protect investors and prevent Lazarus from stealing any more money. If these tools don’t materialize sometime soon, regulators could use Kim as their excuse to impose KYC checks and all other kinds of regulation on the entire crypto space. Those platforms who don’t comply could face sanctions or end up blacklisted, just like Tornado Cash.

When Edward Snowden exposed the NSA’s illegal mass surveillance programs, the U.S. government argued the programs were justified in order to prevent terrorism and keep the American people safe. It would be naïve to assume that the state couldn’t use a similar excuse to implement regulation that would bring crypto under state control.