North Korean hackers stole $3 billion in crypto assets over 6 years, plundering $1.7 billion in 2022.


North Korean Hacker Group Steals $3 Billion in Crypto Assets Over 6 Years

Recently, a report released by a cybersecurity agency revealed that hacker groups associated with North Korea have stolen crypto assets worth $3 billion over the past 6 years.

The report pointed out that in just one year, this hacker group plundered $1.7 billion in crypto assets, and this funding is likely to be used to support various plans of North Korea.

A blockchain data analytics company stated that $1.1 billion was stolen from decentralized finance (DeFi) platforms. The U.S. Department of Homeland Security also emphasized the hacker group's exploitation of DeFi protocols in a report released last September.

This hacker group is known for stealing funds. In 2016, they hacked into the Central Bank of Bangladesh and stole $81 million. In 2018, they attacked a Japanese crypto assets exchange, stealing $530 million, and hacked into the Central Bank of Malaysia, stealing $390 million.

Since 2017, North Korea has targeted the crypto industry with cyberattacks, stealing crypto assets with a total value of over $3 billion. Prior to this, North Korea had hijacked the SWIFT network to steal funds from financial institutions. This behavior has attracted significant attention from international organizations, prompting financial institutions to increase their investments in cybersecurity defenses.

In 2017, as crypto assets gradually became mainstream, North Korean hackers shifted their targets from traditional finance to this new digital finance, initially aiming at the South Korean crypto market and then expanding globally.

In 2022, North Korean hackers were accused of stealing approximately $1.7 billion in crypto assets, an amount equivalent to about 5% of the size of North Korea's domestic economy or 45% of its military budget. This amount is nearly 10 times North Korea's export figure for 2021.

The methods North Korean hackers use to steal crypto assets in the crypto industry are often similar to those of traditional cybercrime, which relies on crypto mixers, cross-chain transactions, and fiat over-the-counter trading. However, with state support, they are able to scale their thefts to levels that traditional cybercrime groups cannot reach.

Data shows that about 44% of stolen crypto assets in 2022 were related to North Korean hacker activities.

North Korean hackers target not only exchanges but also individual users, venture capital firms, and other technologies and protocols. All institutions and individuals in the industry could potentially become targets, thereby providing financial support to the North Korean government.

Practitioners in the crypto assets industry, exchange operators, and entrepreneurs should be aware that they may become targets of hacker attacks.

Traditional financial institutions should also closely monitor the activities of North Korean hacker groups. Once stolen crypto assets are converted into fiat currency, the funds are transferred between different accounts to conceal their origin. Typically, stolen identities and altered photos are used to bypass anti-money laundering and customer identity verification. The personal identification information of anyone who becomes a victim of a breach may be used to register accounts and complete the money laundering process. Therefore, companies outside the crypto assets sector and in traditional finance should also be vigilant to prevent their data or infrastructure from being used as a springboard for further intrusions.

Because intrusions by North Korean hacker groups often start with social engineering and phishing, organizations should train employees to watch for such activity and implement strong multi-factor authentication, such as passwordless authentication that complies with FIDO2 standards.

North Korea will continue to view stealing crypto assets as a primary source of income to fund military and weapons programs. While it is unclear how much of the stolen crypto assets is directly used to fund missile launches, both the amount of stolen crypto assets and the number of missile launches have significantly increased in recent years. Without stricter regulations, cybersecurity requirements, and investments in the cybersecurity of crypto assets companies, North Korea will almost certainly continue to use the crypto assets industry as an additional source of national income.

On July 12, 2023, an American enterprise software company announced that it had been breached by a North Korean-supported hacker. Researchers subsequently released a report indicating that the group responsible for this attack is likely a North Korean hacker organization focused on crypto assets. On August 22, 2023, the FBI issued a notice stating that the North Korean hacker organization is involved in multiple attacks, having stolen $197 million in crypto assets. These funds enable the North Korean government to continue operating under strict international sanctions and to finance up to 50% of its ballistic missile program costs.

In 2017, North Korean hackers infiltrated several exchanges in South Korea, stealing crypto assets worth approximately $82.7 million at the time. There were also reports that after the personal identity information of a user from an exchange was leaked in July 2017, crypto assets users became targets of the attacks.

In addition to stealing crypto assets, North Korean hackers have also learned how to mine them. In April 2017, researchers discovered Monero mining software installed in an intrusion by a certain hacker organization.

In January 2018, South Korean researchers announced that a North Korean organization had infiltrated the server of an undisclosed company in the summer of 2017 and used it to mine about 70 Monero coins, which were worth approximately $25,000 at the time.

In 2020, security researchers continued to report new cyberattacks by North Korean hackers targeting the crypto assets industry. The North Korean hacker group conducted attacks on cryptocurrency exchanges in multiple countries and used LinkedIn as a way to initially contact their targets.

2021 was the highest-yielding year for North Korea in the crypto assets industry, as North Korean hackers infiltrated at least 7 crypto assets institutions and stole $400 million worth of crypto assets. Additionally, North Korean hackers began targeting altcoins, including ERC-20 tokens, as well as NFTs.

In January 2022, researchers confirmed that there is still $170 million worth of crypto assets waiting to be redeemed since 2017.

In 2022, notable attacks by North Korean hacker groups hit multiple cross-chain bridges, with total losses nearing $1 billion. These attacks specifically targeted the cross-chain bridges of these platforms, which connect different blockchains and allow users to send crypto assets from one blockchain to another.

In October 2022, the Japanese National Police Agency announced that North Korean hacker groups had launched attacks against companies in the crypto assets industry operating in Japan. Although no specific details were provided, the statement indicated that some companies had been successfully breached, resulting in the theft of crypto assets.

Between January and August 2023, North Korean hacker groups reportedly stole $200 million from multiple platforms. In one of the attacks, the hacker may have impersonated a recruiter, specifically targeting employees of the target company by sending recruitment emails and LinkedIn messages. The company stated that the hacker spent 6 months trying to gain access to its network.

To prevent North Korean cyber attacks, experts recommend taking the following measures:

  1. Enable multi-factor authentication (MFA) and use hardware devices to enhance security.
  2. Enable all available MFA settings for the crypto assets exchange.
  3. Verify the authenticity of social media accounts.
  4. Ensure the legality of transactions and verify any free crypto assets or NFT promotional activities.
  5. Check official sources, especially for activities involving large platforms.
  6. Carefully check the URL to prevent phishing sites.

For social media scams, it is also important to pay attention to:

  1. Be extra cautious during transactions; remember that crypto assets are not institutionally guaranteed.
  2. Use a hardware wallet, which is more secure than a "hot wallet" that is always connected to the internet.
  3. Only use trusted decentralized applications and verify smart contract addresses.
  4. Carefully check the official website URL to catch misspelled domain names.
  5. Remain skeptical of deals that seem too good to be true.

By taking these measures, crypto assets users and companies can significantly reduce the risk of becoming targets for North Korean hacker attacks.
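
The URL checks recommended in both lists above can be automated. The following is an added example, not part of the original article: it compares a link's host against an allowlist of official domains and flags near-miss spellings, embedded official names, user-info tricks and internationalized look-alikes. The allowlist entries and sample URLs are constructed placeholders.

```python
from urllib.parse import urlsplit

# Assumption: placeholder allowlist; replace with the official domains you use.
OFFICIAL_DOMAINS = ("exchange.example", "wallet.example")

def edit_distance(a, b):
    """Levenshtein distance, two-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_url(url):
    """Classify a URL as official, not-https, userinfo, idn, lookalike:<domain> or unknown."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    # "https://exchange.example@other.test/" really goes to other.test.
    if parts.username is not None:
        return "userinfo"
    # Non-ASCII or punycode labels can render as look-alike characters.
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        return "idn"
    for official in OFFICIAL_DOMAINS:
        if host == official or host.endswith("." + official):
            return "official" if parts.scheme == "https" else "not-https"
    labels = host.split(".")
    for official in OFFICIAL_DOMAINS:
        # Official name used as a prefix of some other registrable domain.
        if (official + ".") in host:
            return "lookalike:" + official
        # Near-miss spelling, also when hidden behind extra subdomains.
        for k in range(len(labels)):
            if 0 < edit_distance(".".join(labels[k:]), official) <= 2:
                return "lookalike:" + official
    return "unknown"

if __name__ == "__main__":
    # Constructed sample URLs, not taken from any real campaign.
    for u in ("https://exchange.example/login", "https://exchnage.example/login",
              "https://exchange.example.login.test/", "http://wallet.example/"):
        print(u, "->", check_url(u))
```

Anything other than `official` should be treated as a reason to stop and reach the site through a saved bookmark or the platform's announced channel instead of the link.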

BloodInStreetsvip · 07-15 11:05
Blood fall is a bottom play people for suckers.

nft_widowvip · 07-14 10:40
Tell a joke, and also be wary of hackers.

DegenDreamervip · 07-14 01:11
Being socially dead yet wealthy can also make you stronger!

TokenVelocityvip · 07-12 12:18
Just be a professional hacker.

DaisyUnicornvip · 07-12 12:18
My cute little garden has been hacked and robbed of its light~

BearMarketMonkvip · 07-12 12:17
The wisdom of the Capital Market has long been eroded by greed.

SnapshotStrikervip · 07-12 12:13
If this continues, DeFi will eventually be doomed.

BankruptcyArtistvip · 07-12 12:10
In this day and age, it's embarrassing to call yourself a hacker if you don't steal coins.

GasFeeWhisperervip · 07-12 12:10
That's just ridiculous, making it so big.