The New York Times: How North Korea Uses Cryptocurrency Hackers to Fund Its Massive Spending?

The New York Times
2022-07-01 10:59:16
There is no doubt that North Korean hackers are really skilled; they focus on the very interesting and under-regulated cryptocurrency sector, and they excel at exploiting all vulnerabilities.

Original Title: “How North Korea Used Crypto to Hack Its Way Through the Pandemic”

Authors: Choe Sang-Hun & David Yaffe-Bellany, The New York Times

Translation: Biscuit, Chain Catcher

North Korea's economy has been ravaged by UN sanctions and the coronavirus, and the country is suffering from severe food shortages. At the same time, a mysterious enterovirus emerged in the region and began to spread widely in June.

However, the country has conducted more missile tests this year than in any previous year. The government is providing new luxury homes for party elites. North Korean leader Kim Jong-un has promised to develop advanced technology for the country's growing arsenal. A seventh nuclear test is expected at any time. But where is the funding coming from?

In April, the U.S. publicly accused North Korean hackers of stealing $620 million in cryptocurrency from the blockchain game Axie Infinity, explaining the economic source of the North Korean regime. This is the largest theft in the crypto space, and the U.S. provided the strongest evidence that stealing cryptocurrency has become a highly profitable yet relatively low-risk way for North Korea to raise funds during the pandemic to support the regime and finance its national military weapon development.

Poor, isolated, and heavily sanctioned, North Korea has long relied on illegal activities to obtain foreign currency. Specific methods include arms trafficking, drug transportation, and counterfeiting U.S. dollars, with North Korean workers digging tunnels for the Myanmar military and building statues and monuments for African dictators. Additionally, North Korea has cultivated hackers to disrupt foreign websites and steal funds from companies and banks.

Due to the pandemic, many countries have imposed controls on entry and exit, and traditional banks have strengthened firewalls against hackers, making cryptocurrency theft an increasingly important means for the North Korean regime to acquire foreign currency. North Korean hackers are accused of stealing $571 million from cryptocurrency exchanges between January 2017 and September 2018, and $316 million from 2019 to November 2020.

According to data from the crypto analytics firm Chainalysis, North Korean hackers may have stolen nearly $400 million in cryptocurrency last year. This year, the income from this area is slightly below $1 billion. According to South Korea's government statistics agency, the country's official export revenue in 2020 was only $89 million.

Cryptocurrency is not a stable source of funding. In the past two months, the market has crashed, resulting in hundreds of billions of dollars evaporating, with Bitcoin's price falling below $20,000 for the first time since the end of 2020. By the end of last year, North Korea held $170 million worth of cryptocurrency, which, according to Chainalysis, was stolen funds that had not yet been converted to cash. As of last week, these funds were worth only $65 million.

But as North Korea locked itself down due to fears of an outbreak, hackers attacking cryptocurrency exchanges allowed it to control the pandemic while generating foreign currency income in an industry lacking government oversight.

North Korean hackers roam cyberspace and launch devastating attacks, but face almost no risk of arrest, as much of the country remains offline. "For North Korea, this is a low-cost, low-risk but high-reward criminal enterprise," said Yoo Dong-ryul, a former chief counter-terrorism analyst at the South Korean police.

In North Korea's capital, Pyongyang, there is hardly enough electricity to run elevators, and most people do not have computers, let alone internet access. However, the country has long been home to many savvy and aggressive hackers.

North Korean students compete with peers from the world's top universities in international computer programming competitions. According to South Korea's National Intelligence Service, by 2013, Kim Jong-un referred to his hackers as a "universal sword," comparable to the "precise targeting capabilities" of his nuclear weapons and missiles.

"The uniqueness of North Korean hackers lies in their training, deployment, and operation under government programs," Mr. Yoo said. According to South Korean estimates, North Korea has a hacker army of about 6,800 cyber warriors, including 1,700 hackers from seven different units and 5,100 technical support personnel.

Outstanding students are carefully selected and nurtured from a young age. According to South Korean officials, the best among them participate in a hacking training program at Moranbong University, managed by North Korea's main intelligence agency, the Reconnaissance General Bureau, or the military-run Mirim College. After graduation, most are assigned to the cyber warfare department 121 of the Reconnaissance General Bureau.

In North Korea, only a few workers whose loyalty has been vetted by the authorities are allowed to work abroad. Among them, the most loyal hackers operate in countries like China, Russia, Belarus, and Southeast Asian nations such as Singapore, the Philippines, and Malaysia, often posing as computer engineers.


Axie Infinity is a blockchain-based game where players earn tokens that can be exchanged for cryptocurrency. Earlier this year, the game was hacked, resulting in the theft of $620 million in cryptocurrency.

Like other North Korean workers abroad, these hackers operate under the supervision of political personnel dispatched from Pyongyang.

"If you think they feel moral guilt for attacking other people's networks, you are mistaken," said Jang Se-yul, a graduate of Mirim College who served as an officer in the North Korean military and defected to South Korea in 2008, in an interview. "For them, cyberspace is a battlefield, and they are fighting against enemies that harm their country."

Mr. Jang said North Korea initially built its electronic warfare capabilities for defensive purposes but quickly realized it could be an effective offensive weapon against its digital enemies.

As Mr. Jang arrived in Seoul, South Korean and U.S. websites were suffering a wave of cyberattacks. North Korean hackers, named Lazarus, Kimsuky, and BeagleBoyz, use increasingly sophisticated tools to infiltrate military, government, corporate, and defense industry networks worldwide, conducting cyber espionage and stealing sensitive data to aid their country's weapon development.

"There is no doubt that North Korean hackers are really skilled," said Eric Penton-Voak, coordinator of a UN expert panel, at a webinar in April, using the North Korean official name "The Democratic People's Republic of Korea." "They are looking at the very interesting and under-regulated cryptocurrency space because no one really understands it, and they excel at exploiting all vulnerabilities."

According to Chainalysis, North Korean hackers typically compromise foreign crypto wallets through phishing attacks, luring victims with fake LinkedIn job pages or other bait. The hackers then use a complex set of financial tools to transfer the stolen funds, moving the loot through the encrypted application "Tor" that combines multiple streams of digital assets, making it harder for victims to trace the stolen cryptocurrency.

"They are very methodical about money laundering," said Erin Plante, senior director of investigations at Chainalysis. "They make only small moves over a long period, ultimately trying to evade investigators."

The final step is to convert the cryptocurrency into cash. Generally, North Korea uses offshore exchanges to convert the stolen cryptocurrency into Chinese yuan. "They have cashed out most of the stolen funds," Ms. Plante said. "This is a very powerful tool for them to evade sanctions."

The crypto game Axie Infinity was created by Sky Mavis, a company founded in Vietnam in 2018. Players accumulate cryptocurrency by playing the game. By last year, the game had over 2.5 million daily active users. The game's success made the company a target for North Korean hackers: Sky Mavis employees are constantly subjected to sophisticated spear-phishing attacks across various social channels.

Sky Mavis founder Aleksander Leonard Larsen said the company was hacked after an employee downloaded a Word document. He noted that this employee is no longer with the company.

"The entire industry will face this disaster sooner or later," Larsen said, adding that the attack on Sky Mavis by North Korean hackers should serve as a "wake-up call" for the crypto industry, as it anticipates an increasing number of security threats in the future.

The U.S. government is trying to combat crypto theft and punish hackers. In April, U.S. cryptocurrency expert Virgil Griffith was sentenced to 63 months in prison for unauthorized travel to attend a conference in Pyongyang in 2019, where he promoted cryptocurrency and taught its underlying technology to North Korea.

The U.S. has also indicted three North Korean hackers for participating in a "widespread criminal conspiracy," including stealing over $1.3 billion from banks and cryptocurrency companies. One of the hackers, Park Jin-hyok, worked in information technology at a North Korean trade fair, which U.S. officials described as a front company affiliated with North Korea's Lazarus Group.

Last week, the cryptocurrency platform Harmony announced it had been hacked for $100 million in cryptocurrency. Chainalysis tracked the flow of funds, which led to the mixer Tornado. Chainalysis stated on Monday that these transfer patterns followed a familiar script, pointing to a clear culprit: North Korea.
