Will Hack For Nukes: A Look Inside North Korea’s Cryptocurrency Extortion Ring

To finance its nuclear weapons development, North Korea has industrialized the theft of cryptocurrencies, and its state-sponsored hackers keep getting better at stealing money. Cashing out that cryptocurrency, however, is now harder than ever, because international law enforcement agencies are in pursuit.

On the screen, there was a straightforward and plain threat: your files have been encrypted, and if you do not pay within a week, you will never get them back.

On May 12, 2017, at 12 o’clock, a red alert page appeared on the screens of more than 300,000 Windows users worldwide, requesting a transfer of around $300 worth of Bitcoin to retrieve their data.

The malware was later named « WannaCry. » Victims took the outbreak for a routine ransomware incident, but it became the worst ransomware onslaught ever seen, eventually spreading to more than 150 nations, and U.S. authorities later attributed it to Lazarus, a hacker group controlled by the North Korean government.

Less than 1% of North Korea’s population has access to Kwangmyong, the nation’s intranet service, yet the government has still produced some of the most capable hackers in the world, on par with those of superpowers like the United States, China, and Russia.

In recent years, the Pyongyang government has successfully raised money for nuclear weapons research through large-scale financial extortion schemes like WannaCry by utilizing the decentralized nature of cryptocurrencies and its two-decade-old cyberwarfare capabilities.


In the wake of the Bangladesh Bank attack in January 2015, the world finally came to understand North Korea’s capacity for cyberwarfare. Several bank employees received what looked like an ordinary job application email. The attached cover letter and résumé, however, carried malware that, once opened, gave the attackers a foothold from which to reach the bank’s SWIFT (Society for Worldwide Interbank Financial Telecommunication) connection.

Posing as the Central Bank of Bangladesh, the attackers issued a series of fraudulent SWIFT payment orders to move $1 billion out of the bank’s account at the Federal Reserve Bank of New York. One of those orders tried to send money to a bank branch on Jupiter Street in Manila, Philippines; because « Jupiter » was also the name of a sanctioned Iranian vessel, the request raised an alert, the FBI was notified, and the suspicious transfers were halted. Still, five transactions went through, and the hackers made off with $81 million.

The assault showed that North Korea had unquestionably refined its approach since earlier attacks. In this case the hackers lurked inside the bank’s systems for a year, collecting data and buying themselves time before acting.

The cyber capabilities of North Korea were found to be more potent than previously thought by the West.

The hackers exploited the weekend in Bangladesh, the time difference between Bangladesh and New York, and the Lunar New Year holiday in the Philippines to widen the window in which the money could be sent. Once the funds arrived, they moved them to a bank account in Manila, the Philippine capital, and then transferred most of the money to a casino, where they laundered it at the gaming tables before sending it back to North Korea.

The West was compelled to acknowledge that North Korea’s cyber forces are stronger than previously thought as a result of the bank theft in Bangladesh. North Korea was more determined than ever to steal cryptocurrency thanks to the theft, even if they only managed to pocket $81 million out of the intended $1 billion.

At the same time, North Korea went through a complex money-laundering process that wrote off a further 90% of the intended haul. The experience taught North Korea how labour- and time-intensive the requirements of conventional banking institutions can be.

However, with the emergence of cryptocurrencies, North Korea saw the decentralized technology – an open financial system without the need to go through banks or government-regulated financial institutions – as a means of evading sanctions, skipping the money-laundering procedure, and investing the proceeds straight into its nuclear weapons program.

Cyber history of North Korea

The Pyongyang administration has long had plans to launch cyberattacks. In the Gulf War that began in 1990, the U.S.-led coalition deployed technological tools alongside conventional weaponry to help overthrow Iraq. When electronic warfare first became a viable option, the Chinese Communist Party established a research team to study « electronic intelligence warfare. »

The Korean People’s Army (KPA) claims that after seeing the report, then-Supreme Leader Kim Jong Il said, « If the Internet is like a gun, a cyber attack is like an atomic bomb, » and then ordered the KPA General Staff to develop « information warfare » capabilities to support its nuclear weapons program.

The Electronic Reconnaissance Department, also known as the Cyber Warfare Guidance Department, or Bureau 121, was founded by the North Korean government in 2008 as part of the Reconnaissance Bureau of the KPA General Staff. It was tasked with launching cyberattacks, conducting cyberespionage, and gathering information on international politics, the economy, and society.

The Reconnaissance General Bureau (RGB), which includes Bureau 121, was created by North Korea in 2009 by merging all of its intelligence and internal security institutions.

According to current estimates, Bureau 121 employs between 3,000 and 6,000 people worldwide, including in China, India, Malaysia, and Russia. Its divisions include « APT 37 » and « Kimsuky, » which focus on political cyberespionage, and « Lazarus, » which specializes in financial extortion and launched the WannaCry attack.

The country’s second nuclear test happened simultaneously with the first cyberattack.

Upon taking power in 2012, Kim Jong-un carried on his father’s drive to advance cyberwarfare. The year after he assumed power, Kim Jong-un declared publicly that cyberwarfare stands alongside nuclear weapons and missiles as « an all-purpose sword » whose « ruthless targeting capability » could make North Korea’s military unbeatable. North Korea’s current cyberattack-focused policy grew out of this proclamation.

Operation Troy, launched by North Korea against South Korea in 2009, was the country’s first known cyberattack. In the early stages of understanding the potential of cyberwarfare, Pyongyang’s administration sought to showcase its cyberprowess on a global scale. The strike also happened at the same time as North Korea’s second nuclear test, when it adopted a rigid military and cyber strategy without worrying about retribution.

North Korea launched repeated distributed denial-of-service (DDoS) attacks on its main adversaries, South Korea and the U.S., between 2013 and 2016, which briefly disrupted or even paralyzed the operations of governmental organizations, electrical infrastructure, military systems, and more. North Korea’s cyber activities became more focused on information gathering.

At least six significant cyber espionage strikes against South Korea alone occurred during this time, which was also an era of widespread cyber espionage.

North Korean hackers honed their skills over time, and eventually neither their targets nor their methods stayed limited to South Korea and the United States, or to DDoS. After 2015, North Korea shifted away from attacking conventional banks and financial institutions in favour of stealing decentralized cryptocurrency, which it then used to keep funding large-scale nuclear tests.

Blockchain information

The Kim Jong-un government’s use of cyberattacks as an « all-purpose sword », a years-long effort to train a cyber army of hackers to steal sizable sums through attacks on government agencies, financial institutions, and even the general public, is what lies behind North Korea’s rapid nuclear development.

North Korea launched a record number of missiles in 2022 alone, at least 90, and Kim Jong-un ordered a buildup of nuclear material that could be used to make bombs. The governments of the United States and South Korea believe that all preparations for a seventh nuclear weapons test have been completed.

According to Anne Neuberger, the U.S. deputy national security adviser, around one-third of the cryptocurrency North Korea stole was used for its weapons development. A UN assessment likewise stated that North Korea’s cryptocurrency thefts via hacking are an « important source of revenue » for the country’s nuclear and ballistic missile programs.

North Korea stole a record $1.7 billion in cryptocurrencies in 2022, according to a Reuters article citing a UN report that is not publicly accessible; the figure rests on an examination of publicly available transaction data by the blockchain research company Chainalysis. Compared with North Korea’s total exports of just $142 million in 2020, it is clear that cryptocurrency hacking has become a significant source of income for the North Korean treasury.

Financial Decentralization

In the conventional financial sector, fiat currencies like the U.S. dollar and the Hong Kong dollar are issued by centralized institutions and depend on other financial institutions to carry out transactions, such as withdrawing and depositing cash through banks. Cryptocurrencies, on the other hand, are based on blockchain technology, have no central issuer, and let anyone create « wallets » to receive and send money pseudonymously, with no institution needed to confirm transactions.

When users transfer cryptocurrency, the transaction details are recorded in a « distributed ledger technology » (DLT) that is disseminated over a peer-to-peer (P2P) network and is not maintained by any single organization. Each participant in the network keeps an identical public copy of the ledger.

Since cryptocurrencies are « anonymous » and « decentralized, » a heist of cryptocurrencies would not resemble the Bangladesh Bank incident since there would be no Federal Reserve to stop them from taking $851 million.

Lazarus has been more motivated than ever to direct its operations toward cryptocurrency targets after the WannaCry attack successfully took $625 million in cryptocurrencies. Its first targets were cryptocurrency exchanges. Although the hackers no longer target conventional financial institutions, they still use the same tactics, such as phishing and social engineering, to infect target companies’ computers with malware and gain access to their information systems in order to move money out of their wallets.

The popularity of cryptocurrencies has led to the emergence of many Centralized Exchanges (CEX) around the world, which make it possible to buy cryptocurrencies with fiat money like the US dollar, to convert cryptocurrencies back into fiat money, and to swap one type of cryptocurrency for another.

Money laundering is still something North Korea needs to invest in.

This means that a centralized exchange keeps full records of every transfer and, like a regular bank, requires real identity verification from its customers. So however simple it is to steal cryptocurrency, North Korea still needs to invest in money laundering.

Hacking a cryptocurrency exchange is simple; the true difficulty lies in turning cryptocurrencies into cash to buy nuclear weapons components.

What should draw international attention and concern is not who North Korea is attacking but its increasingly sophisticated money-laundering techniques, which aim to obscure as much of the on-chain record of the money flow as possible before converting it to legal tender, so that investigators cannot trace the source of the funds.

In its early attacks, Lazarus laundered money by using automated programs to run peel chains. A « peel chain » moves a large sum of stolen funds through a long series of small transactions to many cryptocurrency addresses, peeling off a little at each step, so that the trading platform does not notice. Hackers now use mixers at the same time.

North Korea’s repeated use of the same coin mixer makes it easier for investigators to work out the organization’s money-laundering practices, but gaps in the laundering process remain. In 2017, former U.S. President Donald Trump expanded unilateral U.S. sanctions, freezing the U.S. assets of any individual or organization with business links to North Korea.

Companies in other countries, fearing the loss of access to the American market, were inclined to stop doing business with North Korea, effectively cutting off its access to the world financial system and leaving the North Korean government with only one option: using « over-the-counter brokers » to convert stolen cryptocurrency into fiat currency.

The U.S. Treasury Department sanctioned two Chinese nationals, Tian Yinyin and Li Jiadong, for their roles in helping convert stolen cryptocurrency into fiat money. American citizens were barred from doing business with them, and their assets in the country were blocked.

Hackers stole more than $280 million from the Singaporean cryptocurrency exchange KuCoin in September 2020, accounting for more than half of all cryptocurrencies taken in that month.

Tighter cryptocurrency rules

North Korea’s cryptocurrency nuclear goal is still uncertain, despite ongoing advancements in its money laundering and programming methods.

As North Korea has stepped up its cryptocurrency operations, the trail of funds through networks of crypto addresses has become easier to follow, and law enforcement has begun recovering stolen money piece by piece.

There is no time limit on finding out where the money went.

According to Norwegian authorities, North Korea stole cryptocurrency valued at $5.8 million in the Ronin Network hack in 2023. Working with cryptocurrency companies, the FBI investigated and pinpointed where North Korea was attempting to turn the stolen funds into legal cash. The FBI also worked with law enforcement and industry partners to freeze more than $30 million in cryptocurrency.

Because every crypto transaction is logged in a public ledger, the money can be tracked years after the crime was committed. Given this, and the efforts of organizations such as the U.S. Office of Foreign Assets Control (OFAC) to cut hackers’ favourite money-laundering services off from the rest of the cryptocurrency ecosystem, future intrusions are likely to become more difficult and less rewarding.
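The peel-chain pattern described earlier and the point made here, that funds recorded in a public ledger can be followed hop by hop long after the theft, are easier to grasp with a small tracer. The following Python example is added here for illustration and is not code from the article or from any investigator or vendor it mentions; the ledger, addresses, amounts and service labels are all constructed (a hypothetical "theft" address holding 100 coins that are then peeled off and consolidated), and the peel-ratio threshold is an assumed heuristic rather than a published rule.

```python
"""Toy forward-tracer over a constructed, in-memory transaction ledger.

Added example, not the article's own code. Every address, amount and
label below is constructed for illustration; nothing here corresponds to
real on-chain data. Amounts are in whole coin units.
"""
from collections import defaultdict, deque
from typing import Dict, List, NamedTuple, Tuple


class Tx(NamedTuple):
    txid: str
    inputs: List[str]                  # addresses whose funds this tx spends
    outputs: List[Tuple[str, float]]   # (destination address, amount)


# Constructed ledger: "theft" holds 100 coins from a hypothetical exchange hack.
# t1..t3 form a peel chain: each hop sends a small slice to a fresh address and
# forwards the bulk to the next hop; t4 consolidates at an exchange deposit.
LEDGER: List[Tx] = [
    Tx("t1", ["theft"], [("peel_a", 2.0), ("hop1", 98.0)]),
    Tx("t2", ["hop1"], [("peel_b", 3.0), ("hop2", 95.0)]),
    Tx("t3", ["hop2"], [("peel_c", 2.5), ("hop3", 92.5)]),
    Tx("t4", ["hop3"], [("exchange_deposit", 92.5)]),
    Tx("t5", ["alice"], [("bob", 5.0)]),            # unrelated traffic
    Tx("t6", ["peel_a"], [("otc_broker", 2.0)]),    # one peel cashed out via a broker
]

# Hypothetical attribution of addresses to regulated services. In practice these
# labels come from exchange cooperation and address clustering, not from guesswork.
SERVICE_LABELS: Dict[str, str] = {
    "exchange_deposit": "CEX deposit (KYC-verified account)",
    "otc_broker": "OTC broker",
}


def spend_index(ledger: List[Tx]) -> Dict[str, List[Tx]]:
    """Map each address to the transactions that spend from it."""
    idx: Dict[str, List[Tx]] = defaultdict(list)
    for tx in ledger:
        for addr in tx.inputs:
            idx[addr].append(tx)
    return idx


def trace_forward(ledger: List[Tx], start: str, max_hops: int = 10) -> Dict[str, int]:
    """Breadth-first 'poison' taint: every output of a transaction that spends
    tainted funds is itself tainted. Returns {address: hop distance from start}."""
    idx = spend_index(ledger)
    seen: Dict[str, int] = {start: 0}
    queue = deque([start])
    while queue:
        addr = queue.popleft()
        if seen[addr] >= max_hops:
            continue
        for tx in idx.get(addr, []):
            for dest, _amount in tx.outputs:
                if dest not in seen:
                    seen[dest] = seen[addr] + 1
                    queue.append(dest)
    return seen


def find_peel_chain(ledger: List[Tx], start: str, peel_ratio: float = 0.1) -> Tuple[List[str], str]:
    """Follow the 'change' output from start for as long as each spending
    transaction has exactly two outputs and the smaller one is at most
    peel_ratio of the total (assumed heuristic). Returns the peeled-off
    addresses in order and the address at which the peeling stops."""
    idx = spend_index(ledger)
    peels: List[str] = []
    current = start
    while True:
        spends = idx.get(current, [])
        if len(spends) != 1 or len(spends[0].outputs) != 2:
            return peels, current
        (a, amt_a), (b, amt_b) = spends[0].outputs
        small, big = ((a, amt_a), (b, amt_b)) if amt_a < amt_b else ((b, amt_b), (a, amt_a))
        if small[1] > peel_ratio * (amt_a + amt_b):
            return peels, current
        peels.append(small[0])
        current = big[0]


def cashout_points(ledger: List[Tx], start: str,
                   labels: Dict[str, str] = SERVICE_LABELS) -> Dict[str, Tuple[str, int]]:
    """Tainted addresses that belong to labelled services: the points where an
    investigator can ask a regulated counterparty who the customer is."""
    tainted = trace_forward(ledger, start)
    return {addr: (labels[addr], hops) for addr, hops in tainted.items() if addr in labels}


if __name__ == "__main__":
    peels, end = find_peel_chain(LEDGER, "theft")
    print("peel chain from theft:", peels, "-> stops at", end)
    for addr, (label, hops) in cashout_points(LEDGER, "theft").items():
        print(f"{addr}: {label}, {hops} hop(s) from the theft address")
```

Running it reports the three peeled addresses, the hop where peeling stops, and the two labelled cash-out points, while the unrelated `alice`/`bob` transfer stays untainted. Real tracing tools replace the "poison" rule with proportional or FIFO taint and add address clustering, but the core idea is the same: the ledger never forgets, so the chain can be walked whenever the investigator gets around to it.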

The heightened attention may make it harder for North Korea to turn stolen funds into cash. For instance, the U.S. Treasury Department has added coin mixers to its list of entities sanctioned over their links to Pyongyang. Tornado Cash and Blender.io, mixers heavily used by North Korea, had their assets frozen in 2022, and American nationals were forbidden from using their services.

With cryptocurrency values falling abruptly in mid-2022, and the industry growing more unpredictable after the collapse of the exchange FTX, which declared bankruptcy in 2022, North Korea’s nuclear weapons plans now also face uncertainty from fluctuating cryptocurrency prices.

According to the blockchain analysis company Chainalysis, since the beginning of 2022 the value of the still-unlaundered coins among the funds North Korea took in 49 hacks between 2017 and 2021 has fallen from $170 million to $65 million.

Chainalysis has also noticed that, owing to tighter restrictions and the seizure of stolen funds, North Korean hackers are increasingly attacking non-cryptocurrency networks.

Although the cryptocurrency market is extremely volatile, it still offers commercial prospects for investors, according to Luke McNamara, chief analyst at Google’s Cyber Security, who believes North Korea will certainly continue its cryptocurrency attacks. North Korea sees these projects’ systems as a vulnerable underbelly, so as long as new blockchain projects keep appearing on the market, cryptocurrencies will remain highly appealing to it.


About the Author: Paul
