SO WHAT?

North Korea has made over $3B from Web3 hacks—here’s how

Terminal 3

Terminal 3

6 min read
North Korea has made over $3B from Web3 hacks—here’s how
Web3 is flushed with cash and without the robust security of traditional finance—ideal conditions for hackers from the isolated nation

GM,

$3 billion.

That’s an estimation of just how much money North Korea has made from cryptocurrency hacks between 2017 and 2023.

There’s no sign that the regime is slowly down, however. Last month, North Korea was thought to be the attacker that stole $235 million from India-based cryptocurrency exchange WazirX. Cryptocurrency hacking is part of a broader cyber push that has seen North Korea raid governments across the world for information whilst its hacker collector Lazarus Group is credited with numerous ransomware assaults on companies across the world.

This issue is dedicated to delving into the North Korean hacking efforts.

Best,

Jon and Gary

PS: After a few weeks of irregular publishing on account of the summer break, we are back to our regular schedule again—thanks for your patience!

What’s going on?

Hacking has become an important income stream for North Korea. Consider that the country exported an estimated $1.6 billion in goods to China, its top trading partner, in 2022. Income it makes from hacks and phishing amounts to a significant portion of that but it is pure profit.

North Korea has always been an active hacker. But it has gone from being a pest that irritates or embarasses other governments and corporations with hacks such as the 2014 attack on Sony, which released information and data from the entertainment giant or multiple DDoS attacks on the South Korean government, to one that generates much-needed revenue for its government and acquires state secrets. Advancing the country’s nuclear program is thought to be a key goal.

In economic terms, North Korea can’t compete with the best in the world. But the internet is a more level playing field where it is finding more success.

SO WHAT?

1. Flushed with cash and without robust security

North Korea and crypto were in the headlines recently after the country’s hackers were linked with the hack on WazirX that saw $235 million in various assets stolen.

That’s a huge amount of money for an attack, but no means the largest North Korea has been linked with. The country’s largest crypto hack to date was the attack on Web3 gaming firm Axie Infinity in 2022 which is thought to have reaped more than $620 million. 

North Korea never claimed credit for either attack—as is common—but the FBI concluded the Axis attack was carried out by Lazarus Group, a hacker collective that is sponsored by the North Korean government. Lazarus has been known by other names and it has been active for more than a decade, with plenty of high-profile attacks.

Before it set its sights on crypto targets, Lazarus regularly attacked banks with some success:

  • Banco del Austro (Ecuador) hacked for $12 million in 2015
  • Tien Phong Bank (Vietnam) hacked for $1 million in 2015
  • Bangladesh Bank hacked for $81 million in 2016
  • Far Eastern International Bank (Taiwan) hacked for $60 million in 2017, though most funds were recovered

Those are significant sums but they are dwarfed by the more recent crypto heists conducted by Lazarus. In 2023 alone, it was said to have nabbed $300 million from attacks on Web3 firms including Atomic Wallet (over $100 million), Stake.com ($41 million), CoinsPaid ($37 million) and Alphapo ($60 million).

As mentioned earlier, Lazarus and other North Korean hacking outfits have made over $3 billion from crypto hackers since 2017, according to a report by cybersecurity firm Recorded Future.

“The regime views cryptocurrency theft as a major revenue source, particularly for funding military and weapons programs. While the exact amount used for ballistic missile launches is unclear, both the volume of stolen cryptocurrency and missile launches have risen,” Recorded Future wrote ominously.

2. North Korea loves LinkedIn and huge salaries

North Korea’s hackers used to focus on hijacking the SWIFT network (Society for Worldwide Interbank Financial Telecommunications) which powers traditional international money transfers between banks and other financial institutions. But the rise of Web3 and cryptocurrencies offered not only a young industry flush with cash but one without the robust security of banking and traditional finance to protect it.

The weakest part of cyber security is employees, the very people working at companies. Phishing attempts, attacks that focus on access networks via employees or infecting their systems, are commonplace and LinkedIn—the work-focused social network—is its most fertile ground.

Lazarus and other North Korea-affiliated hacking units create alluring fake job openings on LinkedIn which it uses as bait to lure in employees within target organizations. Once a connection is established, they fool the employee into downloading malicious documents which give them a foot in the door enabling them to monitor internal activity and locate vaults or fund deposits to steal.

There’s significant patience. The Axie Infinity attack, for example, took nearly a year. It started when an employee was sent a job description with a high salary from a contact acting as a headhunter. After several rounds of interviews, mimicking the process of a real job, the target was sent a job offer that included an "extremely generous compensation package" and came via a PDF document. 

That document was the Trojan horse. It included malicious code which, once downloaded, deployed spyware on the Axie employee’s machine. From there, they were able to gain control of four of Axie Infinity’s nine node validators, who process all transactions on the network. They found a way to access a fifth, without detection, and with a majority of validators under their control, were able to move funds from the Ronin Bridge, a platform that connects the Ethereum network with the Ronin Network that Axie Infinity runs on.

That process happened gradually over a week, but when a user tried to withdraw a massive 5,000 ETH (worth around $17 million at the time) in one way, suspicions were raised. Picking on exchanges like WazirX is far easier because they can simply access company vaults without needing to infiltrate validator networks, as was the case with Axie Infinity.

3. A broader internet hacking culture

These hacking exploits and vast sums are impressive, but North Korea’s hacking initiative goes a lot deeper than Lazarus and stealing from Web3. The nation is a secretive one, but accounts from former insiders and experts paint a picture of a rabbit warren of cybersecurity organizations and potentially as many as 6,8000 trained hackers on the payroll, according to estimates from South Korea’s Defense Ministry.

North Korea’s cyber attack history began not just with digital heists on banks but cyber espionage, ransoming companies and even just contract work for tech companies.

Lazarus Group is part of a broader military-intelligence division called Reconnaissance General Bureau, or RGB, which does more than just online heists. It is believed that there are numerous divisions, which specialize in military intelligence, operations, training and, of course, online activities that include: 

  • Corporate espionage—including a major effort to nab unclear and defense intelligence from at least five countries this year
  • Stealing state secrets and sensitive information—South Korea is often a target, such a 2017 hack that obtained the South Korea-US contingency plan in the event of a Korean war
  • Ransom attacks—the Wannacry ransomware bug in 2017 is estimated to have infected 200,000 computers including FedEx, Honda, Nissan, and the UK's National Health Service (NHS)
  • Causing chaos—through website defacing and DDoS attacks, or ‘revenge’ attacks like the hacking of Sony Pictures after it released a North Korea film that enraged Kim Jong-un
  • Corporate work—there’s evidence that some overseas-based cells carry out design and development work for companies, according to accounts from defectors 

The advent of Web3 may be a boon for North Korea’s hacking efforts, but the industry is pushing back, too. Security experts and sleuths are uncovering and tracking what they believe to be North Korea affiliated wallets or accounts belonging to hackers. That means exchanges and even stablecoin issues can return funds in the event of malicious activity. 

Following the Axie Infinity hack, around $30 million of stolen assets were returned thanks to the efforts of law enforcement and security firms. That figure accounted for less than 5% of what was stolen but it did represent the first time that funds taken by North Korea had been returned, and that’s progress.

But North Korea has a polished system for developing talent. That runs from identifying prodigious mathematicians at a young age, and providing access to materials and tutors to develop them into world-class talents—North Korean teams routinely win medals at the International Mathematical Olympiad, for example.

Those who reach the top are given a good life at home in the capital city Pyongyang or allowed to live overseas, typically in China or parts of Southeast Asia.

This is a very unique game of whack-a-mole: North Korea’s race to arm its cybersecurity hackers versus the industry’s increased awareness and efforts to thwart them.

News bytes

That’s all for this week!

Share your feedback, questions or requests via email to: sowhat@terminal3.io

Read more