North Korean hackers stole nearly $400 million in crypto last year

North Korean hackers stole nearly $400 million in cryptocurrency last year

The past year has seen an astonishing rise in the value of cryptocurrencies such as Bitcoin and Ethereum, with the value of Bitcoin increasing by 60% in 2021 and the value of Ethereum increasing by 80%. So perhaps it’s no surprise that the ruthless North Korean hackers who feed on the booming crypto economy also had a good year.

North Korean hackers stole a total of $395 million in cryptocurrency last year via seven incursions into cryptocurrency exchanges and investment firms, according to blockchain analysis firm Chainalysis. The nine-figure sum represents nearly $100 million more than the previous year’s thefts by North Korean hacker groups, bringing their total over the past five years to $1.5 billion in cryptocurrency alone — not counting the hundreds of millions more in the country. Steal from the traditional financial system. This hoard of stolen cryptocurrency now contributes significantly to the coffers of the authoritarian Kim Jong-un regime as it seeks to fund itself – and its weapons programs – despite severe and isolated sanctions and the country’s faltering economy.

“They have been very successful,” says Erin Blunt, director of investigations at Chainalysis, whose report called 2021 a “remarkable year” for cryptocurrency thefts in North Korea. The findings show that global serial robberies in North Korea have accelerated even in the midst of a law enforcement effort. For example, the US Department of Justice indicted three North Koreans in absentia in February of last year, accusing them of stealing at least $121 million from crypto companies along with a slew of other financial crimes. Charges were also brought against a Canadian man who allegedly aided in money laundering. But these efforts did not stop the hemorrhage of crypto wealth. “We were excited to see action against North Korea by law enforcement agencies, yet the threat continues and is growing,” Blunt says.

Chainalysis figures, which are based on the exchange rates at the time of the theft, do not only indicate an estimate of the value of the cryptocurrency. The growth in stolen money is also in line with the number of thefts last year. The seven breaches tracked in 2021 were three more than in 2020, though they are fewer than 10 successful attacks by North Korean hackers in 2018, when they stole a record $522 million.

For the first time since Chainalysis began tracking cryptocurrency thefts in North Korea, Bitcoin no longer represents anywhere near the majority of what the country has seized, accounting for only about 20 percent of stolen funds. The entirety of 58 percent of the groups’ cryptocurrency gains came in the form of stolen ether, the Ethereum network’s currency unit. Another 11 percent, about $40 million, came from stolen ERC-20 tokens, a form of crypto-asset used to create smart contracts on the Ethereum blockchain.

Chainalysis blamed the increased focus on Ethereum-based cryptocurrencies — $272 million in total thefts last year versus $161 million in 2020 — to the massive rise in asset prices in the Ethereum economy, along with growth-fuelled startups. “Some of these exchanges and trading platforms are only newer and perhaps more vulnerable to these types of interference,” she says. “They are heavily trading Ether and ERC-20 tokens, and they are just easier targets.”

While Chainalysis has refused to identify most of the victims of hacker thefts it tracked down last year, its report blames North Korean hackers for stealing about $97 million in crypto assets from Japan’s platform in August, including $45 million in Ethereum tokens. ( did not respond to WIRED’s request for comment on the hacking hack in August.) Chainalysis says it linked all seven 2021 cryptocurrency hacks to North Korea based on malware samples, hacking infrastructure, and tracking stolen funds in blocks of blockchain addresses identified as It is controlled by North Korean pirates.

Chainalysis says all the thefts were carried out by Lazarus, a loose group of hackers widely believed to work for the North Korean government. But other hacker-tracking companies note that Lazarus has several distinct groups. However, security firm Mandiant echoes Chainalysis’ findings that cryptocurrency theft has become a priority for nearly all North Korean groups it tracks, in addition to any other missions it might pursue.

Last year, for example, two North Korean groups contacted TEMP, and both Hermit and Kimsuke appeared to be tasked with targeting biomedical and pharmaceutical organizations, which would most likely steal information about COVID-19, says Fred Blanc, senior analyst at Mandiant. . However, both groups continued to target crypto holders throughout the year. “This consistency of financially motivated operations and campaigns continues to be the undercurrent of all these other activities they have had to do in the last year,” says Blanc.

Even a Mandiant group calling APT38 — which previously focused on traditional financial interventions, such as the theft of $110 million from Mexican financial firm Bancomext and $81 million from Bangladesh’s central bank — now appears to have turned its sights on cryptocurrency goals. “Almost all of the North Korean groups we track have had a finger in the crypto pie in some way,” says Blanc.

Undoubtedly, one of the reasons why crypto-hackers have focused on other forms of financial crime is the relative ease of laundering digital cash. After the APT38 Bangladesh bank robbery, for example, the North Koreans had to recruit Chinese money launderers to gamble tens of millions in a casino in Manila to prevent investigators from tracking the stolen funds. By contrast, Chainalysis has found that groups have plenty of options for laundering their stolen cryptocurrency. They cashed in their winnings through exchanges – largely taking advantage of those in Asia and trading their cryptocurrency in Chinese renminbi – that have less than strict compliance with KYC regulations. Groups often used “mixing” services to hide the origins of funds. And in many cases, they have used decentralized exchanges designed to connect cryptocurrency traders directly without an intermediary, often with little to no anti-money laundering rules.

Chainalysis found that North Koreans have been remarkably patient with cashing in their stolen cryptocurrency, often holding the funds for years before the laundering process begins. In fact, it appears that the hackers still hold $170 million in unlaundered cryptocurrency from previous years’ thefts, which they will undoubtedly benefit from over time.

All of those hundreds of millions, says Fred Mandiant’s plan, would end up in the accounts of a highly militarized rogue state that spent years under severe sanctions. “The North Korean regime has figured out that they have no other options,” says Blanc. “They don’t have any other real way to deal with the world or the economy. But they have this very cool cyber capability.” “And they are able to take advantage of it to bring money into the country.”

Until the crypto industry finds out how to secure itself against these hackers — or to prevent their coins from being laundered and turned into clean bills — the illicit etheric revenue stream of the Kim regime will continue to grow.

This story originally appeared on

Leave a Comment