Last year saw an impressive increase in the value of cryptocurrencies like Bitcoin and Ethereum, with Bitcoin gaining 60 percent in value in 2021 and Ethereum rising 80 percent. So perhaps it’s no surprise that the relentless North Korean hackers who feed off that booming crypto economy also had a very good year.
North Korean hackers stole a total of $395 million worth of cryptocurrency last year through seven hacks of cryptocurrency exchanges and investment firms, according to blockchain analytics firm Chainalysis. The nine-figure sum represents an increase of nearly $100 million over the previous year’s thefts by North Korean hacking groups, and brings their total loot over the past five years to $1.5 billion in cryptocurrency alone, not counting the hundreds of millions more the country has stolen from the traditional financial system. That trove of stolen cryptocurrency now contributes significantly to the coffers of Kim Jong-un’s totalitarian regime as he seeks to fund his regime and its weapons programs, despite the country’s heavily sanctioned, isolated and ailing economy.
“They’ve been very successful,” says Erin Plante, senior director of research at Chainalysis, whose report calls 2021 a “flagship year” for North Korean cryptocurrency thefts. The findings show that North Korea’s serial global thefts have accelerated even amid an attempted law enforcement crackdown; the United States Department of Justice, for example, charged three North Koreans in absentia in February last year, accusing them of stealing at least $121 million from cryptocurrency businesses along with a host of other financial crimes. Charges were also filed against a Canadian man who had allegedly helped launder the funds. But those efforts have not stopped the bleeding of crypto wealth. “We were excited to see action against North Korea by law enforcement,” says Plante, “but the threat remains and is growing.”
Chainalysis’s numbers, based on exchange rates at the time the money was stolen, don’t simply reflect appreciation in the value of cryptocurrency. The growth in stolen funds also tracks a rise in the number of thefts last year; the seven breaches tracked by Chainalysis in 2021 are three more than in 2020, though fewer than the 10 successful attacks North Korean hackers carried out in 2018, when they stole a record $522 million.
For the first time since Chainalysis began tracking North Korean cryptocurrency thefts, Bitcoin no longer accounts for anywhere near the majority of the country’s profits, making up only around 20 percent of stolen funds. Instead, 58 percent of the groups’ cryptocurrency profits came in the form of stolen ether, the monetary unit of the Ethereum network. Another 11 percent, about $40 million, came from stolen ERC-20 tokens, a form of crypto asset used to create smart contracts on the Ethereum blockchain.
Chainalysis’s Plante attributes that increased focus on Ethereum-based cryptocurrencies ($272 million in total thefts last year vs. $161 million in 2020) to skyrocketing asset prices in the Ethereum economy, combined with the wave of startups that growth has fostered. “Some of these exchanges and trading platforms are newer and potentially more vulnerable to these kinds of intrusions,” says Plante. “They are trading a lot of ether and ERC-20 tokens, and they are easier targets.”
While Chainalysis declined to identify most of the victims of the heists it tracked last year, its report blames North Korean hackers for the theft of around $97 million in crypto assets from Japanese exchange Liquid.com in August, including $45 million worth of Ethereum tokens. (Liquid.com did not respond to WIRED’s request for comment on its August breach.) Chainalysis says it has linked all seven cryptocurrency hacks of 2021 to North Korea based on malware samples, hacking infrastructure, and tracing the stolen funds into clusters of blockchain addresses identified as controlled by North Korean hackers.
Chainalysis says that all the thefts were carried out by Lazarus, a loose umbrella name for hackers believed to be working for the North Korean government. Other hacker-tracking firms have pointed out that Lazarus in fact comprises many distinct groups. Security firm Mandiant, for example, draws that distinction, but echoes Chainalysis’s finding that stealing cryptocurrency has become a priority for virtually every North Korean group it tracks, in addition to any other missions they may undertake.
Last year, for example, two North Korean groups Mandiant calls TEMP.Hermit and Kimsuky appeared to be tasked with targeting biomedical and pharmaceutical organizations, likely in order to steal information related to COVID-19, says Fred Plan, a senior analyst at Mandiant. Yet both groups continued to target crypto holders throughout the year. “That consistency of operations and financially motivated campaigns is still the background to all these other activities that they had to do last year,” says Plan.
Even the group Mandiant calls APT38, which had previously focused on more traditional financial intrusions, such as the theft of $110 million from the Mexican financial institution Bancomext and $81 million from the Central Bank of Bangladesh, now appears to have set its sights on cryptocurrency targets. “Almost every North Korean group we track has a finger in the cryptocurrency pie in some way,” says Plan.
One of the reasons hackers have favored cryptocurrency over other forms of financial crime is undoubtedly the relative ease of laundering digital money. After APT38’s Bangladesh bank robbery, for example, the North Koreans had to recruit Chinese money launderers to gamble their tens of millions at a casino in Manila to keep investigators from tracing the stolen funds. By contrast, Chainalysis found that the groups have many options for laundering stolen cryptocurrency. They have cashed out through exchanges, largely Asia-based ones with less-than-strict compliance with know-your-customer regulations, converting their cryptocurrency into Chinese renminbi. The groups have often used “mixing” services to obscure the origins of the money. And in many cases they have used decentralized exchanges, which are designed to connect crypto traders directly without intermediaries and often have few anti-money-laundering rules.
Chainalysis found that the North Koreans have been remarkably patient in cashing out their stolen crypto, often holding the funds for years before beginning the laundering process. The hackers, in fact, appear to be holding onto $170 million in unlaundered cryptocurrency from previous years’ heists, which they will no doubt cash out over time.
All those hundreds of millions, says Mandiant’s Fred Plan, will end up in the accounts of a highly militarized rogue nation that has spent years under harsh sanctions. “The North Korean regime has realized that it has no other options. They have no other real way of relating to the world or to the economy. But they have this pretty amazing cybernetic ability,” says Plan. “And they can take advantage of it to bring money into the country.”
Until the cryptocurrency industry figures out how to protect itself against such hackers, or how to prevent its coins from being laundered into clean cash, the flow of ethereal, illicit income to the Kim regime will continue to grow.
This story originally appeared on wired.com.