Hackers from North Korea stole nearly $400 million worth of cryptocurrency in 2021 through at least seven attacks, and most of it was Ether (ETH) rather than Bitcoin, according to blockchain analysis firm Chainalysis.
2021 was a record year for North Korea’s military hackers, the most notorious of which is Lazarus, the group behind the destructive wiper attack on Sony Pictures Entertainment in 2014, WannaCry ransomware in 2017, multiple banks via the SWIFT banking system, and numerous cryptocurrency exchanges.
Also known as APT 38, the group has focused on cryptocurrency theft as a prime vehicle for raising revenue for the country and evading US and UN economic sanctions. A UN Panel of Experts in 2018 concluded that its cryptocurrency hacks contribute to North Korea’s ballistic missile programs.
The group employs common tactics used by other nation-state hacking groups and cybercriminals, including social engineering, phishing and software exploits.
“From 2020 to 2021, the number of North Korean-linked hacks jumped from four to seven, and the value extracted from these hacks grew by 40%,” Chainalysis said in its report.
Attacks from North Korean hackers in 2021 mostly targeted investment firms and centralized cryptocurrency exchanges, according to Chainalysis. The groups used social engineering to move funds from targets’ wallets to addresses controlled by North Korean accounts. The funds were then laundered and cashed out.
Last year, 68% of the funds that North Korean hackers stole were Ether, which replaced Bitcoin as the primary cryptocurrency taken. Bitcoin, however, still plays a key role in laundering: stolen Ether is swapped for Bitcoin via decentralized exchanges, mixed, moved into new wallets and then cashed out.
Cryptocurrency mixer or ‘tumbler’ software breaks a user’s funds into small sums, blends them with other users’ funds across many micro-transactions, and then sends an equivalent value to a new address, severing the visible link between source and destination. The US filed its first money laundering charges against a US Bitcoin mixing service in 2020.
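The laundering chain described above is what blockchain analysts try to see through: even after funds are split and blended, every hop is on a public ledger, so an investigator can propagate a "taint" score from the theft address forward and measure how exposed each downstream address is. The example below is an added illustration, not Chainalysis code or any firm's proprietary method. It implements the common proportional ("haircut") propagation heuristic over a small constructed transaction set that mimics the pattern in the article: a theft address splits its funds, two of the pieces are blended with clean funds in a mixing transaction, and outputs are deposited at an exchange. All addresses, transaction ids and amounts are invented for the demonstration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Tx:
    """One ledger transaction: lists of (address, amount) inputs and outputs."""
    txid: str
    inputs: list
    outputs: list


def trace_exposure(txs, flagged):
    """Proportional ('haircut') taint propagation, a standard analysis heuristic.

    `flagged` maps addresses known to hold stolen value to that value. Each
    transaction's outputs inherit the tainted fraction of its inputs. Spending
    from an address reduces its tainted and total balance proportionally, so
    its fraction is unchanged. Value an address spends beyond what we have
    seen it receive is treated as unknown, i.e. clean.
    Returns {address: (tainted, total, fraction)} for addresses still funded.
    """
    tainted = defaultdict(float)
    total = defaultdict(float)
    for addr, amt in flagged.items():
        tainted[addr] += amt
        total[addr] += amt

    for tx in txs:
        total_in = sum(amt for _, amt in tx.inputs)
        tainted_in = 0.0
        for addr, amt in tx.inputs:
            held = total[addr]
            frac = tainted[addr] / held if held > 0 else 0.0
            spent_known = min(amt, held)           # excess over `held` is unknown/clean
            tainted_in += spent_known * frac
            tainted[addr] -= spent_known * frac
            total[addr] = held - spent_known
        ratio = tainted_in / total_in if total_in > 0 else 0.0
        for addr, amt in tx.outputs:               # fees simply drop a share of the taint
            tainted[addr] += amt * ratio
            total[addr] += amt

    return {
        a: (tainted[a], total[a], tainted[a] / total[a])
        for a in total if total[a] > 0
    }


def flag_addresses(report, threshold):
    """Addresses whose exposure fraction meets the threshold (sorted for stable output)."""
    return sorted(a for a, (_, _, frac) in report.items() if frac >= threshold)


# Constructed scenario (all values invented): 100 units stolen to `theft_out`.
SAMPLE_TXS = [
    # Split the loot into four equal pieces (peeling pattern).
    Tx("tx1", [("theft_out", 100.0)],
       [("s1", 25.0), ("s2", 25.0), ("s3", 25.0), ("s4", 25.0)]),
    # Mixing-style transaction: two tainted pieces blended with 50 clean units.
    Tx("tx2", [("s1", 25.0), ("s2", 25.0), ("clean_a", 50.0)],
       [("m1", 40.0), ("m2", 40.0), ("m3", 20.0)]),
    # One mixer output is deposited at an exchange.
    Tx("tx3", [("m1", 40.0)], [("exchange_deposit", 40.0)]),
    # A third piece is merged with 75 clean units before cash-out.
    Tx("tx4", [("s3", 25.0), ("clean_b", 75.0)], [("cashout", 100.0)]),
]
SAMPLE_FLAGGED = {"theft_out": 100.0}


def sample_report():
    return trace_exposure(SAMPLE_TXS, SAMPLE_FLAGGED)


if __name__ == "__main__":
    report = sample_report()
    for addr, (t, tot, frac) in sorted(report.items()):
        print(f"{addr:18s} tainted={t:7.2f} held={tot:7.2f} exposure={frac:.0%}")
    print("review at >=30% exposure:", flag_addresses(report, 0.3))
```

The point the output makes is the one the article's laundering paragraph implies: blending halves the measured exposure of the mixer outputs (50%) and the clean merge before cash-out quarters it (25%), but none of the downstream addresses reaches zero, which is why exchanges and compliance teams screen deposits against exposure scores rather than exact-match blocklists. Real analysis also has to contend with many more hops, cross-chain swaps and adversarial fee patterns; the heuristic here is deliberately the simplest one.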
“DPRK is a systematic money launderer, and their use of multiple mixers … is a calculated attempt to obscure the origins of their ill-gotten cryptocurrencies while offramping into fiat,” the report notes.
North Korea also has about $170 million in cryptocurrency holdings from 49 attacks that have yet to be laundered through mixers. Of that, $55 million came from attacks carried out in 2016 while $35 million came from attacks in 2020 and 2021.
Chainalysis notes that $97 million stolen from cryptocurrency wallets managed by Japanese cryptocurrency exchange Liquid.com in August was moved to addresses controlled by a party working on behalf of DPRK, resulting in $91.35 million being laundered.
North Korea’s hacks on cryptocurrency exchanges are well documented by the US Cybersecurity and Infrastructure Security Agency (CISA). The US government’s umbrella term for the country’s malicious cyber activity is HIDDEN COBRA.
A February 2021 report from CISA details the work of North Korean hackers in connection with the AppleJeus malware, which targeted Windows and Mac systems worldwide by posing as a legitimate cryptocurrency trading platform.