North Korean Hacker Group Steals $3 Billion in Crypto Assets in 6 Years

Recently, a report released by a cybersecurity agency revealed a shocking fact: a hacker organization associated with North Korea has successfully stolen up to $3 billion in Crypto Assets over the past 6 years.

According to reports, the organization plundered $1.7 billion in Crypto Assets in just one year in 2022, and these funds are likely to be used to support various plans in North Korea. A blockchain data analytics company pointed out that about $1.1 billion was stolen from decentralized finance (DeFi) platforms. The U.S. Department of Homeland Security also emphasized the organization's frequent attacks on DeFi protocols in a report released last September.

This hacker organization is known for its fund thefts. In 2016, they hacked the Central Bank of Bangladesh and stole $81 million. In 2018, they launched an attack on a Japanese crypto assets exchange, stealing $530 million, and stole $390 million from the Central Bank of Malaysia.

Since 2017, North Korea has targeted the encryption industry as a primary objective for cyber attacks. Prior to this, they had stolen funds from financial institutions by hijacking the SWIFT network. This behavior has drawn significant attention from international institutions, prompting financial organizations to increase their investments in cybersecurity defenses.

In 2017, with the rise of Crypto Assets, North Korean hackers shifted their focus from traditional finance to this emerging digital asset. They initially targeted the South Korean crypto market and then expanded their influence globally.

In 2022, North Korean hackers were accused of stealing approximately $1.7 billion in Crypto Assets, a figure that represents about 5% of North Korea's domestic economic scale or 45% of its military budget. This amount is nearly 10 times North Korea's total exports in 2021.

North Korean hackers' methods of operation in the encryption industry are often similar to traditional cybercrime tactics such as using crypto mixers, cross-chain transactions, and fiat over-the-counter trading. However, due to state support, they are able to scale their theft activities to levels that traditional cybercrime gangs cannot reach.

According to data tracking, about 44% of stolen Crypto Assets in 2022 were related to North Korean Hacker activities.

The attack targets of North Korean hackers are not limited to exchanges but also include individual users, venture capital firms, and other technologies and protocols. All institutions and individuals operating in the Crypto Assets industry may become potential targets, and these actions provide the North Korean government with a continuous channel for operation and fundraising.

Practitioners, exchange operators, and entrepreneurs in the encryption industry should be aware that they may become targets of hacker attacks. Traditional financial institutions should also closely monitor the activities of North Korean hacker organizations. Once Crypto Assets are stolen and converted into fiat currency, the funds will be transferred between different accounts to cover the source. Typically, stolen identities and modified photos are used to circumvent anti-money laundering and customer identity verification.

Due to the intrusions by North Korean Hacker groups often starting with social engineering and phishing activities, organizations should train employees to monitor such activities and implement strong multi-factor authentication, such as passwordless authentication that complies with FIDO2 standards.

North Korea will continue to view the theft of Crypto Assets as a major source of revenue to fund its military and weapons programs. While it remains unclear how much of the stolen Crypto Assets is directly used to fund missile launches, both the amount of stolen Crypto Assets and the number of missile launches have significantly increased in recent years. Without stricter regulations, cybersecurity requirements, and investments in the cybersecurity of Crypto Assets companies, North Korea will almost certainly continue to use the Crypto Assets industry as a source of additional income for the state.

In July 2023, an American enterprise software company announced that a North Korean-backed Hacker had breached its network. Researchers subsequently released a report indicating that the group responsible for the attack was likely a North Korean hacker organization focused on Crypto Assets. As of August 2023, the FBI issued a statement saying that the North Korean hacker organization was involved in multiple hacking attacks, having stolen $197 million in Crypto Assets. These funds enabled the North Korean government to continue operations under strict international sanctions and to finance up to 50% of its ballistic missile program costs.

In 2017, North Korean hackers infiltrated several South Korean exchanges, stealing Crypto Assets worth approximately $82.7 million. In July of the same year, after the personal identification information of users from an exchange was leaked, Crypto Assets users also became targets of the attacks.

In addition to stealing Crypto Assets, North Korean hackers have also learned to mine Crypto Assets. In April 2017, researchers discovered that Monero mining software was installed during an intrusion by the hacker organization. In January 2018, South Korean researchers announced that a North Korean organization had compromised a company's server in the summer of 2017 and used it to mine approximately 70 Monero coins, which were worth about $25,000 at the time.

In 2020, security researchers continued to report new cyber attacks by North Korean hackers targeting the crypto assets industry. North Korean hacker groups attacked cryptocurrency exchanges in multiple countries and used LinkedIn as a way to initially contact their targets.

2021 was the most active year for North Korea in the Crypto Assets industry, as they infiltrated at least 7 Crypto Assets institutions and stole $400 million worth of Crypto Assets. In addition, North Korean hackers began targeting altcoins, including ERC-20 tokens, as well as NFTs.

In January 2022, researchers confirmed that there is still $170 million worth of Crypto Assets pending redemption since 2017.

In 2022, significant attacks by North Korean hacker groups included multiple cross-chain bridges, resulting in total losses exceeding $900 million. These attacks specifically targeted cross-chain bridges that connect two blockchains, allowing users to send one Crypto Asset from one blockchain to another containing a different Crypto Asset.

In October 2022, the Japanese National Police Agency announced that North Korean hacker groups had conducted attacks against companies in the Crypto Assets industry operating in Japan. Although no specific details were provided, the statement indicated that some companies had successfully been infiltrated, and Crypto Assets were stolen.

Between January and August 2023, North Korean hacker groups reportedly stole $200 million from multiple platforms. In one of the attacks, the hacker may have posed as a recruiter, specifically targeting employees of the target company by sending recruitment emails and LinkedIn messages. The company stated that the hacker spent 6 months trying to gain access to its network.

In order to prevent cyber attacks from North Korea targeting Crypto Assets users and companies, experts have made the following suggestions:

1. Enable Multi-Factor Authentication (MFA): Use hardware devices like YubiKey for wallets and transactions to enhance security.

2. Enable any available MFA settings for Crypto Assets exchanges to maximize account protection against unauthorized logins or theft.

3. Verify verified social media accounts, check if the username contains special characters or numbers replacing letters.

4. Ensure that the requested transaction is legitimate, and verify any airdrop or other free Crypto Assets or NFT promotional activities.

5. Always check official sources when receiving airdrops or other content from large platforms.

6. Always check the URL and observe the redirection after clicking the link to ensure that the website is the official site and not a phishing site.

For social media scams, there are the following defense tips:

1. Be especially cautious when trading crypto assets. Crypto assets do not have any institutional safeguards to mitigate "traditional" fraud.

2. Use a hardware wallet. Hardware wallets may be more secure than "hot wallets" that are always connected to the internet.

3. Only use trusted decentralized applications (dApps) and verify the smart contract address to confirm its authenticity and integrity.

4. Double-check the official website's URL to avoid imitation. Some Crypto Assets phishing pages may rely on misspelled domain names to deceive users.

5. Be skeptical of offers that seem too good to be true. Crypto Assets phishing pages lure victims with favorable Crypto Assets trading rates or low Gas fees for NFT minting interactions.