Threat actors from the Democratic People’s Republic of Korea (DPRK) have increasingly targeted the cryptocurrency sector since at least 2017, using it as a major revenue generation mechanism to get around sanctions imposed against the country.
“Even though movement in and out of and within the country is heavily restricted, and its general population is isolated from the rest of the world, the regime’s ruling elite and its highly trained cadre of computer science professionals have privileged access to new technologies and information,” cybersecurity firm Recorded Future said in a report shared with The Hacker News.
“The privileged access to resources, technologies, information, and sometimes international travel for a small set of selected individuals with promise in mathematics and computer science equips them with the necessary skills for conducting cyber attacks against the cryptocurrency industry.”
The disclosure comes as the U.S. Treasury Department imposed sanctions against Sinbad, a virtual currency mixer that has been put to use by the North Korea-linked Lazarus Group to launder ill-gotten proceeds.
The threat actors from the country are estimated to have stolen $3 billion worth of crypto assets over the past six years, with about $1.7 billion plundered in 2022 alone. A majority of these stolen assets are used to directly fund the hermit kingdom’s weapons of mass destruction (WMD) and ballistic missile programs.
“$1.1 billion of that total was stolen in hacks of DeFi protocols, making North Korea one of the driving forces behind the DeFi hacking trend that intensified in 2022,” Chainalysis noted earlier this February.
A report published by the U.S. Department of Homeland Security (DHS) as part of its Analytic Exchange Program (AEP) earlier this September also highlighted the Lazarus Group’s exploitation of DeFi protocols.
“DeFi exchange platforms allow users to transition between cryptocurrencies without the platform ever taking custody of the customer’s funds in order to facilitate the transition,” the report said. “This allows DPRK cyber actors to determine exactly when to transition stolen cryptocurrency from one type of cryptocurrency to another, enabling attribution to be more difficult to determine or even trace.”
The cryptocurrency sector is among the top targets for state-sponsored North Korean cyber threat actors, as repeatedly evidenced by the myriad campaigns carried out in recent months.
DPRK hackers are known for adeptly pulling off social engineering tricks against employees of online cryptocurrency exchanges: they lure their victims with the promise of lucrative jobs to distribute malware that grants remote access to the company’s network, ultimately allowing them to drain all available assets and move them to various DPRK-controlled wallets.
Other campaigns have employed similar phishing tactics to entice users into downloading trojanized cryptocurrency apps to steal their assets as well as watering hole attacks (aka strategic web compromises) as an initial access vector, alongside engaging in airdrop scams and rug pulls.
Another notable tactic adopted by the group is the use of mixing services to conceal the financial trail and cloud attribution efforts. Such services are typically offered on cryptocurrency exchange platforms that do not enforce know-your-customer (KYC) policies or anti-money laundering (AML) regulations.
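The two laundering patterns described above, rapid swapping between assets on DeFi platforms to frustrate tracing and routing funds through sanctioned mixers, are the kind of thing a compliance or incident-response team screens for in its own transaction logs. The following is an added illustration, not code from Recorded Future, Chainalysis, DHS or The Hacker News: it runs a constructed transfer log against a denylist of mixer addresses and flags any sender that moves through several distinct assets within a short window. The addresses, timestamps and amounts are placeholders invented for the example; a real deployment would load the published OFAC SDN entries rather than hard-code them.

```python
"""Screen a transfer log for contact with sanctioned mixers and for rapid
chain-hopping (many distinct assets from one sender in a short window).
All addresses and transfers below are constructed placeholders."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed placeholder denylist. Real entries must come from the
# published sanctions list, not from this file.
SANCTIONED_MIXERS = {
    "0xMIXER_PLACEHOLDER_1": "Sinbad (placeholder address)",
    "0xMIXER_PLACEHOLDER_2": "other listed mixer (placeholder address)",
}


@dataclass(frozen=True)
class Transfer:
    ts: datetime
    src: str
    dst: str
    asset: str
    amount: float


def direct_hits(transfers):
    """Return (transfer, label) pairs whose sender or receiver is a listed mixer."""
    hits = []
    for t in transfers:
        for addr in (t.src, t.dst):
            if addr in SANCTIONED_MIXERS:
                hits.append((t, SANCTIONED_MIXERS[addr]))
                break
    return hits


def chain_hops(transfers, window=timedelta(hours=1), min_assets=3):
    """Map sender -> sorted asset list for senders that touched at least
    min_assets distinct assets inside any window-length span. This is the
    swap-chaining behaviour the DHS report describes, seen from the
    defender's side as an anomaly to review, not as proof of wrongdoing."""
    by_src = {}
    for t in transfers:
        by_src.setdefault(t.src, []).append(t)
    flagged = {}
    for src, txs in by_src.items():
        txs.sort(key=lambda t: t.ts)
        for i, start in enumerate(txs):
            # Assets used by this sender from `start` until the window closes.
            assets = {t.asset for t in txs[i:] if t.ts - start.ts <= window}
            if len(assets) >= min_assets:
                flagged[src] = sorted(assets)
                break
    return flagged


def review(transfers):
    """Bundle both checks into one report for an analyst queue."""
    return {
        "sanctioned_counterparty": [
            (t.ts.isoformat(), t.src, t.dst, t.asset, t.amount, label)
            for t, label in direct_hits(transfers)
        ],
        "rapid_chain_hopping": chain_hops(transfers),
    }


# Constructed sample log: one benign transfer, one mixer deposit, and one
# sender that swaps through three assets in twenty minutes.
T0 = datetime(2023, 11, 29, 12, 0)
SAMPLE = [
    Transfer(T0, "0xA_PLACEHOLDER", "0xB_PLACEHOLDER", "ETH", 10.0),
    Transfer(T0 + timedelta(minutes=5), "0xB_PLACEHOLDER", "0xMIXER_PLACEHOLDER_1", "ETH", 50.0),
    Transfer(T0 + timedelta(minutes=0), "0xC_PLACEHOLDER", "0xD_PLACEHOLDER", "ETH", 40.0),
    Transfer(T0 + timedelta(minutes=10), "0xC_PLACEHOLDER", "0xD_PLACEHOLDER", "USDT", 70000.0),
    Transfer(T0 + timedelta(minutes=20), "0xC_PLACEHOLDER", "0xD_PLACEHOLDER", "BTC", 1.5),
]

if __name__ == "__main__":
    for section, findings in review(SAMPLE).items():
        print(section, findings)
```

Both thresholds (a one-hour window, three distinct assets) are tunable assumptions; a team would calibrate them against its own baseline, since legitimate market makers also hop assets quickly and the output is a review queue, not an automatic block.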
“Absent stronger regulations, cybersecurity requirements, and investments in cybersecurity for cryptocurrency firms, we assess that in the near term, North Korea will almost certainly continue to target the cryptocurrency industry due to its past success in mining it as a source of additional revenue to support the regime,” Recorded Future concluded.