Stolen cryptocurrencies are usually used to gain a personal advantage, but in the case of North Korea, the country is funding its nuclear programs.
A fresh UN report and a study by security firm Chainalysis confirmed that North Korea performed a series of cyberattacks in the last few years to obtain cryptocurrencies and continue to develop its nuclear and ballistic missile infrastructure.
The Democratic People’s Republic of Korea (DPRK) has been under United Nations sanctions since 2006 in an attempt to prevent the Asian country from carrying out further nuclear missile tests.
In 2017, a stricter embargo was applied over the country’s nuclear and missile program, following reports that it had continued expanding its nuclear capacity.
In order to circumvent the sanctions and continue to collect funds, resources, and technology from countries like Iran, North Korea resorted to cyberattacks on centralized cryptocurrency exchanges and investment firms in North America, Europe, and Asia.
It is estimated that from 2019 to November 2020, around $316.4 million in crypto assets had been stolen, with a single specific crypto hack occurring in September 2020 when $281 million worth of cryptocurrencies were stolen from an unspecified exchange. A second related hack of $23 million occurred in October of the same year.
The UN report, examined and documented by Reuters, states that $50M worth of cryptocurrency was stolen to fund the country’s missile program and nuclear weapon facilities between 2020 and 2021.
The Chainalysis study goes as far as to report $400M was the amount stolen during the same period.
The Asian country has apparently laundered stolen cryptocurrencies through Chinese over-the-counter brokers who exchanged them for fiat currencies, especially the US dollar. The UN came to such conclusions from investigations into activities carried out by the Reconnaissance General Bureau, North Korea’s intelligence agency, currently on the UN sanctions blacklist for cyberattacks.
The United States reported that DPRK had performed nine ballistic missile launches in January of this year, considered the most significant monthly number in the history of the country’s missile programs. Apparently, it also recently tested a developmental hypersonic missile and a submarine-launched missile.
The UN report revealed that DPRK's cyberattacks on cryptocurrency exchanges and investment businesses represented a crucial revenue source for Pyongyang.
The Chainalysis report investigated the different methods used by the hackers to siphon funds from crypto organizations. Many different techniques, including phishing lures, code exploits, and malware, were utilized to exploit companies' hot wallets and then move the stolen funds into North Korea-controlled addresses.
It is widely recommended to move large sums of cryptocurrency out of hot wallets because they are connected to the internet and therefore more vulnerable to hacking. Cold wallets are safer options because they can be used with no internet connection.
The Chainalysis report also revealed that the so-called Lazarus Group, a hacking group controlled by the Reconnaissance General Bureau, might be behind the cyberattacks.
The group is said to have operated since 2018, stealing and laundering more than $1.75 billion worth of cryptocurrency in the time it’s been active, with much of the funds devoted to the DPRK’s nuclear program.
They stole cryptocurrencies from several exchanges, including UpBit in 2019, which gained them more than $49 million worth of cryptocurrency. KuCoin and another unnamed platform were also hacked in 2020, when $250 million was stolen in total.
revealed at the time that the hack occurred after cybercriminals gained access to the private keys of the exchange’s hot wallets. A thorough investigation concluded that Lazarus Group was behind the hack after analyzing the hackers’ use of specific money laundering tactics frequently used in the past. The strategy included utilizing a mix of different cryptocurrencies to obscure the trail back to the fund’s source and using DeFi platforms to launder a portion of the stolen funds.
DeFi platforms allow users to swap one type of cryptocurrency for another without a centralized custodial intermediary taking care of the users’ funds. This way, DeFi platforms don’t have to collect KYC (Know Your Customer) data from customers, making it easier for cybercriminals to move funds with extra anonymity.
Another strategy applied by the group has been to increasingly use unique, different wallet and exchange deposit addresses to launder funds. By the end of December 2020, Lazarus Group had 2,078 separate cryptocurrency addresses, suggesting that it has progressively been spreading its funds around to mitigate the risk of any specific address being identified and frozen.
The UN Security Council suggested that the revenue generated from these hacks directly supports North Korea’s weapons of mass destruction and ballistic missile programs, thereby dodging international sanctions.
"Once North Korea gained custody of the funds, they began a careful laundering process to cover up and cash out," the Chainalysis report added.
Between 2020 and 2021, the hackers used several different cryptocurrencies, including BTC, Ethereum, and privacy coins, which are more challenging to track down from blockchain data. Only 20% of the stolen funds were Bitcoin, 58% were Ether, while 22% were ERC-20 tokens and other altcoins.
While cryptocurrencies like Bitcoin are popular among enthusiasts for being uncensorable and unconfiscatable, DPRK’s use of digital assets is seen in the industry as a threat and a way to enable massive-scale crime.
On the other hand, blockchain’s transparency that openly reveals movements of funds represents a way to track down criminal activities more efficiently and an opportunity to get the funds frozen or seized, as recently happened with the Bitfinex hackers' episode.
Although authorities often regard cryptocurrencies as money laundering tools, it is fair to wonder whether holding bad actors accountable for their crimes has ever been more attainable.