► In this environment of rapid innovation within the cryptocurrency and blockchain technology industry coupled with unyielding sanctions against Pyongyang, North Korean hackers have become the greatest state state-sponsored threat to the financial services sector.

► As long as Pyongyang views the potential gains of cyber operations against financial institutions and technologies greater than the potential risks and necessary resource expenditure to conduct these operations, North Korea will likely maintain its status as the greatest state-sponsored threat to the financial services sector in years to come.

Background

North Korean hackers have become the most dangerous state-sponsored threat to the financial services sector. While other state-sponsored cyber adversaries to the United States and South Korea, such as Chinese and Russian actors, typically target government agencies and democratic institutions, Pyongyang continues to devote a large portion of its cyber resources towards exploiting the global financial market with a growing focus on cryptocurrency. Since the mid-80s, Pyongyang has steadily increased its offensive cyber capabilities through domestic innovation and support from foreign actors, which has increased its ability to conduct destructive and disruptive cyberattacks. While South Korean government agencies and researchers will likely remain major targets for North Korea, Pyongyang’s appetite for cybercrime has grown beyond the Korean Peninsula in recent years, with financially motivated cyber operations targeting entities and institutions around the world.

According to publicly available information written in both English and Korean language, Pyongyang has adapted its traditional modus operandi for cybercrime to focus heavily on exploiting vulnerabilities in financial institutions outside of the Korean Peninsula, such as foreign banks and cryptocurrency exchanges. This shift occurred around 2015 and continues today with a steady increase in intrusions against cryptocurrency exchanges, in particular. Official U.S. government statements support this claim as the U.S. Department of Justice has identifying North Korean hackers attempting to steal over $1.2 billion from banks in Vietnam, Bangladesh, Taiwan, Mexico, Malta, and various countries in Africa during this timeframe. A recent report by the Center for a New American Security outlined an expanding toolkit of cyber-enabled money laundering platforms, such as decentralized finance (DeFi) and other evolving financial technology, that highlight this shift in North Korean cybercrime. Pyongyang will likely continue to exploit these technologies to improve both their cybercrime capabilities and potential net gain profits from cyber heists.

In this environment of rapid innovation within the cryptocurrency and blockchain technology industry coupled with unyielding sanctions against Pyongyang, North Korean hackers have become the greatest state state-sponsored threat to the financial services sector. Despite its global status as a pariah state, Pyongyang is acutely aware of growing financial trends abroad and how best to exploit them to its benefit. For example, U.S. economic sanctions on North Korea significantly increased in 2016 following expansions in North Korea-specific sanctions regimes, the same year when Bitcoin gained mass popularity and other cryptocurrency coins, like Ethereum, started to gain momentum. Given the creativity needed for North Korea to successfully evade growing economic sanctions, Pyongyang’s decision to dive deep into cyber-enabled financial crime targeting cryptocurrency during this period was likely not just a coincidence.

North Korea and Cryptocurrency

The utility of cryptocurrency to support a variety of North Korean operations continues to evolve. For example, North Korean hackers have stolen hundreds of millions of dollars-worth of digital assets from cryptocurrency exchanges and DeFi platforms, including play-to-earn crypto (P2E) games that allow users to earn cryptocurrency while playing video games. Pyongyang has even used cryptocurrency as a monetary reward for espionage, as seen in recent cases revealing North Korean agents paying South Korean citizens and military personnel in cryptocurrency to sell government secrets. As such, North Korean hackers have rapidly improved their money laundering techniques and expanded financial targets to likely support its struggling economy and other national goals, such as its nuclear and ballistic weapons development program. Back in 2021, analysis of North Korean targets and past money laundering schemes indicated an probable 2022 agenda for North Korean cyber operations targeting the financial sector. Previous analysis suggested that Pyongyang would continue to invest resources in launching more email phishing campaigns to gain access to evolving financial technology and cryptocurrency exchanges, while also targeting P2E crypto games that were rising in popularity without any regulatory oversight or proper cybersecurity guarantees. Axie Infinity was one of these P2E games that Pyongyang decided to infiltrate, resulting in the loss of over $600 worth of digital assets.

In March 2022, North Korean hackers infiltrated the Ronin Network, an Ethereum-linked sidechain system that powered the financial system for Axie Infinity. This allowed Pyongyang to successfully steal massive amounts of digital assets from the P2E game. The hackers then funneled the stolen funds through a cryptocurrency mixer, Blender.io, to launder over $20.5 million worth of the stolen proceeds. Cryptocurrency mixers have several different functions, such as exchanging one type of cryptocurrency for another or mixing the funneled cryptocurrency from one wallet with the cryptocurrency from another wallet, but the goal is the same: increased obfuscation to hide the original origins of the funneled cryptocurrency. These services do not require any know-your-customer (KYC) protocols, thus preventing any practical way to trace the origin or original owners of the cryptocurrency funneled into the mixer. As a result, cryptocurrency mixers are highly attractive to cyber criminals looking for ways to help cover their tracks. Following an investigation, the FBI released a public statement announcing its attribution of the Axie Infinity hack to North Korea and the U.S. Department of the Treasury sanctioned Blender.io, marking the first-ever designation of a cryptocurrency mixer. While certainly a step in the right direction to help curb cyber-enabled financial crime, North Korea continues to use other cryptocurrency mixers, like Tornado Cash, and additional financial technologies to help launder stolen cryptocurrency from its hacks.

Pyongyang likely seeks to diversify its potential net gain profit from cyber intrusions against cryptocurrency exchanges by targeting a variety of cryptocurrencies. In recent hacks, North Korea has shown an increased interest in targeting financial technology and cryptocurrency exchanges functioning on the Ethereum blockchain, as opposed to the more traditional Bitcoin blockchain. Additional P2E crypto games, such as Coin Hunt World, SandBox, and others, remain highly vulnerable to further North Korean cyberattacks as they present a new genre of potential financial risks to both the online gaming community and the cryptocurrency industry.

Studying North Korean cyber targets reveals that the gaming community has been at a particularly high risk for intrusions and exploitation for over a decade. While mainly in South Korea, Pyongyang has sought to spread ransomware and other malware through infecting codes and software programs in video games before distributing them abroad to extort funds from panicked victims. In 2011, the Seoul Metropolitan Police Agency reported that North Korean operatives recruited several South Korean nationals to help spread infected gaming software in South Korea, which generated at least $5.3 million worth of funds for Pyongyang. When new P2E cryptocurrency video games gained massive popularity around 2021, it was only a matter of time until Pyongyang adopted this innovative way to extort crypto directly from the source, instead of relying on individual ransomware payments from victims. The Axie Infinity hack in March 2022 equaled roughly $600 million worth of cryptocurrency, which when added along with the estimated $400 million worth of digital assets stolen from several cryptocurrency exchanges in 2021, totals approximately $1 billion worth of stolen cryptocurrency from 2021 to March 2022. While it is unclear how much of these stolen funds will be successfully laundered and converted into fiat currency, these are massive numbers for the North Korean economy.

As long as Pyongyang views the potential gains of cyber operations against financial institutions and technologies greater than the potential risks and necessary resource expenditure to conduct these operations, North Korea will likely maintain its status as the greatest state-sponsored threat to the financial services sector in years to come.