North Korea’s Escalating Pursuit of Cryptocurrency: A Persistent Threat to the Industry

North Korea has significantly expanded its focus on cryptocurrency, amassing an estimated $3 billion through illicit means since 2017. After early success stealing from financial institutions by exploiting the SWIFT network, the regime shifted its attention during the 2017 cryptocurrency boom. North Korean cyber operators transitioned from traditional finance to the emerging digital financial landscape, first targeting the South Korean cryptocurrency market before expanding globally.

In 2022 alone, North Korean threat actors were accused of pilfering approximately $1.7 billion in cryptocurrency, equivalent to about 5% of North Korea’s economy or 45% of its military budget. This staggering sum surpasses the value of North Korea’s 2021 exports, which stood at $182 million, as reported by the Observatory of Economic Complexity (OEC).

Fininterest crypto analyst Nellius Irene commented on the data: “As North Korea continues to view cryptocurrency theft as a key revenue source, particularly for military and weapons funding, the international community faces a critical juncture. Strengthening regulatory frameworks, bolstering cybersecurity requirements, and enhancing investments in cybersecurity for cryptocurrency and traditional financial entities are imperative to mitigate this persistent threat. Without decisive action, North Korea’s targeting of the cryptocurrency industry is likely to persist, posing risks to global financial stability and security.”

The tactics employed by North Korean threat actors in targeting the cryptocurrency industry and their laundering methods closely resemble those of traditional cybercriminal groups—utilizing cryptocurrency mixers, cross-chain swaps, and fiat conversions. However, state support enables North Korean threat actors to operate on a larger scale, with approximately 44% of stolen cryptocurrency in 2022 traced back to them. Targets extend beyond cryptocurrency exchanges to individual users, venture capital firms, and various technologies and protocols.

Participants in the cryptocurrency industry, including individual users, exchange operators, and financiers, need to be vigilant against potential targeting by North Korean threat actors. This risk extends to entities in traditional finance, prompting the need for heightened awareness of North Korean threat group activities. Stolen cryptocurrency is often laundered through fiat conversion, with North Korean threat actors obscuring the funds’ origins through intricate transactions. Stolen identities and altered photos are commonly employed to bypass anti-money laundering and know-your-customer (AML/KYC) verification processes.

Beyond cryptocurrency and traditional finance, the broader corporate landscape should also be wary of North Korean threat group activities. Companies may unknowingly become conduits for further intrusions, with threat actors using their data or infrastructure as launch pads. Since most intrusions originate from social engineering and phishing campaigns, organizations should train employees to detect such activities and implement robust multi-factor authentication, such as FIDO2-compliant passwordless authentication.

Evidently, the regime views cryptocurrency theft as a significant revenue source, especially for funding military and weapons programs. While the direct correlation between stolen cryptocurrency and financing ballistic missile launches remains unclear, the volume of cryptocurrency theft and missile launches has surged in recent years. Without stronger regulations, cybersecurity requirements, and increased investments in cybersecurity for cryptocurrency firms, North Korea will likely persist in targeting the industry to bolster its revenue streams and support the regime.
