World News

Crypto crash threatens stolen North Korean funds as it intensifies weapons tests

SEOUL, June 29 (Reuters) – The collapse of cryptocurrency markets has destroyed millions of dollars in funds stolen by North Korean hackers, four digital investigators say, threatening a key source of funding for the sanctioned country and its weapons programs.

North Korea has invested in the theft of cryptocurrencies in recent years, making it a powerful hacker threat and leading to one of the largest reported cryptocurrency thefts in March, in which nearly $ 615 million was stolen, according to the US Treasury Department. Read more

The sudden drop in cryptocurrencies, which began in May amid a wider economic slowdown, is complicating Pyongyang’s ability to profit from this and other thefts and could affect the way it plans to fund its weapons programs, two sources said. by the South Korean government. Sources declined to be named due to the sensitivity of the issue.

Register now for FREE unlimited access to Reuters.com

I’m registering

That comes as North Korea tests a record number of missiles – which the Seoul Defense Research Institute says has cost up to $ 620 million so far this year – and prepares to resume nuclear tests amid the economic crisis.

Old, unwashed North Korean cryptocurrencies monitored by New York-based blockchain analysis firm Chainalysis, which includes funds stolen from 49 hacks from 2017 to 2021, have fallen from $ 170 million to $ 65 million since the start of the year. he told Reuters.

One of North Korea’s 2021-million-dollar cryptocurrency cash thefts lost 80 percent to 85 percent of its value in the past few weeks and now costs less than $ 10 million, Nick Carlsen said. , an analyst with TRM Labs, another US-based blockchain analysis company.

A man who answered the phone at the North Korean embassy in London said he could not comment on the crash, as allegations of cryptocurrency hacking were “completely false news.”

“We haven’t done anything,” said the man, who identified himself as an embassy diplomat. North Korea’s foreign ministry called such allegations American propaganda.

The March $ 615 million attack on the Ronin blockchain project, which powers the popular online game Axie Infinity, was the work of a North Korean hacker operation called the Lazarus Group, US officials said.

Carlsen told Reuters that the interconnected price movements of various assets involved in the hacking make it difficult to assess how much North Korea has managed to keep from this robbery.

If the same attack happened today, the stolen Ether currency would have cost a little more than $ 230 million, but North Korea has replaced almost all of it with bitcoin, which has separate price movements, he said.

“Needless to say, the North Koreans have lost a lot of value on paper,” Carlsen said. “But even at lower prices, it’s still a huge extraction.”

The United States says Lazarus is controlled by North Korea’s Central Intelligence Agency, North Korea’s main intelligence bureau. He is accused of involvement in the WannaCry ransomware attacks, hacking of international banks and customer accounts and cyber attacks against Sony Pictures Entertainment in 2014. Read more

Analysts are reluctant to provide details on what types of cryptocurrency North Korea has, which could reveal the methods of investigation. Chainalysis said Ether, a common cryptocurrency linked to the open source blockchain platform Ethereum, was 58%, or about $ 230 million, of the $ 400 million stolen in 2021.

Chainalysis and TRM Labs use publicly available blockchain data to track transactions and identify potential crimes. Such work has been cited by sanctions observers, and according to public procurement records, both companies work with U.S. government agencies, including the IRS, FBI and DEA.

North Korea is under widespread international sanctions over its nuclear program, which gives it limited access to global trade or other sources of income and makes crypto theft attractive, investigators say.

“FUNDAMENTALLY” for a NUCLEAR PROGRAM

Although cryptocurrencies are thought to make up only a small fraction of North Korea’s finances, Eric Penton-Voak, coordinator of the UN expert group that monitors sanctions, said at an event in Washington in April that cyberattacks had become “absolutely fundamental” to Pyongyang’s ability to evade sanctions and raise money for its nuclear and missile programs.

In 2019, sanctions observers reported that North Korea had generated approximately $ 2 billion for its cyber-attack weapons of mass destruction programs.

According to an estimate from the Geneva-based international campaign to eliminate nuclear weapons, North Korea spends about $ 640 million a year on its nuclear arsenal. The country’s gross domestic product is estimated at about $ 27.4 billion in 2020, according to the Central Bank of South Korea.

Official sources of revenue for Pyongyang are more limited than ever with self-imposed border restrictions to combat COVID-19. China, its largest trading partner, said in 2021 it had imported just over $ 58 million worth of goods from North Korea, amid some of the lowest levels of official bilateral trade in decades. Official figures do not include smuggling.

North Korea now gets only a fraction of what it steals because it has to use brokers willing to convert or buy cryptocurrencies without asking questions, said Aaron Arnold of the RUSI think tank in London. A February report by the Center for a New American Security (CNAS) estimates that in some transactions, North Korea receives only a third of the value of the stolen currency.

After receiving a cryptocurrency for theft, North Korea sometimes converts it into bitcoin, then finds brokers who will buy it at a discount in exchange for cash, which is often held outside the country.

“Like selling a stolen Van Gogh, you won’t get a fair market value,” Arnold said.

CASH CONVERT

The CNAS report found that North Korean hackers showed only “moderate” concern about hiding their role, compared to many other attackers. This allows investigators to sometimes follow digital leads and attribute attacks to North Korea, albeit rarely in time to recover stolen funds.

According to Chainalysis, North Korea has turned to sophisticated ways to launder stolen cryptocurrencies, increasing the use of software tools that combine and encrypt cryptocurrencies from thousands of email addresses – a designation for digital storage.

The content of an address is often publicly visible, allowing companies such as Chainalysis or TRM to monitor anyone whose investigations are related to North Korea.

The attackers tricked people into giving access or hacking security to suck digital funds from Internet-related wallets at North Korean-controlled addresses, a Chainalysis report said this year.

The large size of the latest hacks has strained North Korea’s capacity to convert cryptocurrency into money as quickly as in the past, Carlsen said. This means that some funds are blocked, even when their value falls.

Bitcoin has lost about 54% of its value this year, and smaller coins have also been hit hard, reflecting a drop in stock prices linked to investors’ concerns about rising interest rates and the growing likelihood of a global recession.

“Turning cash remains a key requirement for North Korea if they want to use the stolen funds,” said Carlsen, who is investigating North Korea as an analyst at the FBI. “Most goods or products that North Koreans want to buy are traded only in US dollars or other fiats, not in cryptocurrencies.

Pyongyang has other, larger sources of funding it can count on, Arnold said. UN sanctions observers said as early as December 2021 that North Korea continued to smuggle coal – usually to China – and other major exports banned under Security Council resolutions.

VARIABLE CURRENCIES

It seems that North Korean hackers sometimes wait for rapid declines in value or exchange rates before turning them into cash, said Jason Bartlett, author of the CNAS report.

“This sometimes has the opposite effect, as there is little certainty in predicting when a coin’s value will rise rapidly, and there are several cases of heavily devalued cryptocurrencies that are simply in North Korean-related portfolios,” he said.

Sectrio, the cybersecurity division of the Indian software company Subex, said there were signs that North Korea had begun to step up attacks on conventional banks rather than cryptocurrencies in recent months.

The company’s “lures” focused on the banking sector – computer lure systems designed to attract cyberattacks – have seen an increase in “anomalous activities” following the collapse of the cryptocurrency, as well as an increase in “phishing” emails that try to trick recipients into giving far security information, Sectrio said in a report last week.

But Chainalysis said it has not yet noticed a major change in North Korea’s crypto behavior and few analysts expect North Korea to stop stealing digital currencies.

“Pyongyang has added cryptocurrency to its calculations to avoid sanctions and money laundering, and that is likely to remain a permanent goal,” Bartlett said.

Register now for FREE unlimited access to Reuters.com

I’m registering

Report by Josh Smith. Edited by Gary Doyle

Our standards: Thomson Reuters’ principles of trust.