New York Times: How North Korea uses crypto hacking to fund its massive spending

North Korea’s economy has been ravaged by UN sanctions and the coronavirus, and it is plagued by food shortages. At the same time, a hepatoenterovirus of unknown origin emerged in the region and began to spread rapidly in June.

Yet the country has conducted more missile tests this year than in any previous year . The government is providing new luxury homes for the party elite. North Korean leader Kim Jong-un has pledged to develop advanced technology for the country's growing arsenal. The country is expected to conduct its seventh nuclear test any day. But where will the money come from?

In April this year, the United States publicly accused North Korean hackers of The $620 million theft of cryptocurrency from Axie Infinity explains the North Korean regime’s financial resources. This is the largest theft in the crypto space and provides the strongest evidence yet that stealing cryptocurrency has become a very lucrative but relatively risk-free way for North Korea to raise funds during the COVID-19 pandemic to support the regime and fund its national military weapons development.

Poor, isolated and heavily sanctioned North Korea has long been raising foreign currency through illegal activities, including arms trafficking, drug transport and counterfeiting of U.S. dollar bills. North Korean workers dig tunnels for the Burmese military and build statues and monuments to African dictators. In addition, North Korea trains hackers to deface foreign websites and steal money from companies and banks.

As many countries implement border controls and traditional banks strengthen firewalls against hackers due to the COVID-19 pandemic, stealing cryptocurrencies has become an increasingly important means of obtaining foreign exchange for the North Korean regime. North Korean hackers are accused of stealing $571 million from cryptocurrency exchanges between January 2017 and September 2018, and $316 million from 2019 to November 2020.

North Korean hackers may have stolen nearly $400 million in cryptocurrency last year, according to crypto data firm Chainalysis . This year, revenue is just under $1 billion. South Korea’s official export revenue in 2020 was just $89 million, according to the South Korean government’s statistics agency.

Cryptocurrency is not a stable source of funds. Over the past two months, the market has crashed, causing hundreds of billions of dollars to evaporate, and the price of Bitcoin has fallen below $20,000 for the first time since the end of 2020. At the end of last year, North Korea held $170 million worth of cryptocurrency, which was funds stolen by the country but not converted into cash, according to Chainalysis. As of last week, these funds were worth only $65 million.

But as North Korea locks itself down over fears of an outbreak, hacking cryptocurrency exchanges has allowed it to both control the outbreak and generate foreign currency in an industry that lacks government regulation.

North Korean hackers roam cyberspace and launch devastating attacks with little risk of arrest because much of the country is offline. “This is a low-cost, low-risk but high-reward criminal enterprise for North Korea,” said Yoo Dong-ryul, a former top counterterrorism analyst at the South Korean police.

North Korea's capital, Pyongyang, barely has enough electricity to run its elevators, and most people don't have computers, let alone access to the internet. Yet the country has been home to many of the world's most sophisticated and aggressive hackers.

North Korean students compete against their peers from the world’s top universities in international computer programming competitions. By 2013, Kim Jong-un called his hackers an “all-purpose sword,” comparing them to the “precision targeting capabilities” of his nuclear weapons and missiles, according to South Korea’s National Intelligence Service.

"North Korean hackers are unique in that they are trained, deployed and operate under a government program," said Mr. Yoo. According to South Korean estimates, North Korea has a hacker army of about 6,800 cyber warriors, including 1,700 hackers in seven different units and 5,100 technical support staff.

Outstanding students are carefully selected and trained from an early age. According to South Korean officials, the best of them participate in the hacker training program at Moranbong University, which is managed by the Reconnaissance General Bureau, North Korea's main spy agency, or the military-run Mirim College. After graduation, most are assigned to the 121st Department, the cyber warfare department of the Reconnaissance General Bureau.

In North Korea, only a small number of workers whose loyalty has been vetted by authorities are allowed to work abroad. Among them, highly loyal hackers operate in China, Russia, Belarus and Southeast Asian countries such as Singapore, the Philippines and Malaysia, often posing as computer engineers.

Axie Infinity, a blockchain-based money-making game where players win tokens that can be redeemed for cryptocurrency, was the target of a $620 million theft of cryptocurrency earlier this year.

Like other North Korean workers abroad, the hackers operate under the watchful eye of political operatives sent from Pyongyang.

“If you think they would have moral compunction about attacking other people’s networks, you are wrong,” Jang Se-iul, a Merrill College graduate who served as an officer in the North Korean army before defecting to South Korea in 2008, said in an interview. “For them, cyberspace is a battlefield, and they are fighting against enemies who are harming their country.”

Mr. Jang said North Korea initially built its electronic warfare capabilities for defensive purposes but soon realized it could be an effective offensive weapon against its digital enemies.

Mr. Jang’s arrival in Seoul comes amid a wave of cyberattacks on websites in South Korea and the United States. North Korean hackers, who go by names like Lazarus, Kimsuky and BeagleBoyz, use increasingly sophisticated tools to infiltrate military, government, corporate and defense industry networks around the world, conduct cyber espionage and steal sensitive data to aid their country’s weapons development.

“There’s no question that North Korean hackers are really good,” Eric Penton-Voak, coordinator of the U.N. panel of experts, said during an April webinar, using an acronym for North Korea’s official name, “The Democratic People’s Republic of Korea.” “They’re looking at the very interesting and unregulated space of cryptocurrencies because nobody really understands them and they can exploit weaknesses.”

According to Chainaysis, North Korean hackers typically compromise foreign crypto wallets through phishing attacks, luring victims with fake LinkedIn job pages or other lures. The hackers then use a complex set of financial tools to transfer the stolen funds, moving the loot through the encryption application "Tor" that combines multiple digital asset streams, making it more difficult for victims to track the movement of stolen cryptocurrencies.

“They were very methodical in how they laundered the money,” said Erin Plante, senior director of investigations at Chainalysis. “They were moving only small amounts over a long period of time, ultimately trying to evade investigators.”

The final step is to turn the cryptocurrency into cash. Generally, North Korea uses offshore exchanges to convert the stolen cryptocurrency into Chinese yuan. "They have cashed out most of the stolen funds," Ms. Plante said. "It's a very powerful tool for them to evade sanctions."

The crypto game Axie Infinity was created by Sky Mavis , a company founded in Vietnam in 2018. Game players accumulate cryptocurrency through gold farming. As of last year, the game had more than 2.5 million daily active users. The game's success made the company a target for North Korean hackers: Sky Mavis employees were constantly subjected to advanced spear-phishing attacks on various social channels.

Sky Mavis founder Aleksander Leonard Larsen said the company was hacked after an employee downloaded a Word document. He said the employee no longer works at the company.

“The entire industry had to face this disaster sooner or later,” Larsen said, adding that the North Korean hackers’ attack on Sky Mavis should serve as a “wake-up call” for the crypto industry as it sees increasing security threats in the future.

The U.S. government has tried to crack down on crypto theft and punish hackers. In April, American cryptocurrency expert Virgil Griffith was sentenced to 63 months in prison for traveling without authorization to a conference in Pyongyang in 2019 and promoting cryptocurrency and the technology behind it to North Korea.

The U.S. also indicted three North Korean hackers for participating in a “wide-ranging criminal conspiracy” that included stealing more than $1.3 billion from banks and cryptocurrency companies. One of the hackers, Park Jin Hyuk, worked in information technology at Chosun Expo, which U.S. officials have described as a shadow company affiliated with North Korea’s Lazarus Group.

Last week, cryptocurrency platform Harmony announced that $100 million in cryptocurrency had been stolen. Chainalysis tracked the flow of funds, which flowed to the mixer Tornado . Chainalysis said on Monday that the transfers followed a familiar script, pointing to an obvious culprit: North Korea.