- DPRK threat actors increasingly target the cryptocurrency sector for revenue generation, drawing on privileged access to technology and a pool of skilled computer science professionals.
- Approximately $3 billion in crypto assets have been stolen by DPRK hackers in the past six years, with $1.7 billion stolen in 2022 alone to fund weapons programs.
- Tactics employed by DPRK threat actors include social engineering, phishing attacks, exploitation of DeFi protocols, and the use of mixing services to obfuscate financial trails.
In recent years, threat actors from the Democratic People’s Republic of Korea (DPRK) have increasingly targeted the cryptocurrency sector as a primary means of revenue generation, bypassing international sanctions imposed against the country. This trend has been observed since at least 2017 and has raised serious concerns within the cybersecurity community.
Privileged Access and Cyber Attacks
According to a report by cybersecurity firm Recorded Future, despite the strict restrictions on movement and isolation of the general population, the ruling elite of the DPRK and their highly skilled computer science professionals have privileged access to new technologies and information. This privileged access, combined with their expertise in mathematics and computer science, equips them with the necessary skills to conduct cyber attacks against the cryptocurrency industry.
The DPRK threat actors’ motivation lies in the fact that the stolen cryptocurrency assets can be used to fund the country’s weapons of mass destruction (WMD) and ballistic missile programs. Over the past six years, it is estimated that these threat actors have managed to steal around $3 billion worth of crypto assets, with a staggering $1.7 billion stolen in 2022 alone.
DeFi Hacking and Exploitation of Protocols
One of the key findings in the 2023 Crypto Crime Report published by Chainalysis is that North Korea is one of the driving forces behind the decentralized finance (DeFi) hacking trend that escalated in 2022. Approximately $1.1 billion of the $1.7 billion stolen that year was taken through hacks of DeFi protocols. This highlights the evolving tactics and adaptability of DPRK hackers when it comes to targeting the cryptocurrency industry.
The U.S. Department of Homeland Security (DHS) also released a report under its Analytic Exchange Program (AEP) earlier this September on the exploitation of DeFi protocols by the DPRK-linked Lazarus Group. DeFi platforms let users swap between cryptocurrencies without the platform ever taking custody of the funds, so there is no operator positioned to apply KYC checks or freeze a suspicious transfer mid-swap. That property works in favour of DPRK cyber actors by making attribution and tracing of stolen funds more difficult.
Targeting Cryptocurrency Exchanges and Users
DPRK hackers have used a range of tactics against both cryptocurrency exchanges and individual users. Employees of online exchanges are approached with offers of lucrative job opportunities; the job lure is used to deliver malware that grants the attackers remote access to the exchange's network. Once inside, the threat actors drain the assets they can reach and transfer them to DPRK-controlled wallets.
Phishing is another common approach: users are lured into installing trojanized cryptocurrency applications that let the hackers steal their assets. Watering hole attacks, also known as strategic web compromises, serve as a further initial access vector.
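A trojanized application only succeeds if the user installs bytes that differ from what the vendor shipped, so the practical check against the phishing lure above is to verify every downloaded binary against a checksum manifest obtained from a trusted channel (the vendor's signed release page, not the same link that delivered the file). The script below is an added example, not code from the article or from any vendor; the manifest format it assumes is the common `sha256sum` layout, and the file names, contents and hashes in `demo()` are constructed.

```python
"""
Verify downloaded wallet/app binaries against a vendor SHA-256 manifest
before installing them.  A swapped-in trojanized build will not match the
digest the vendor published (assuming the manifest itself came from a
trusted channel).  Manifest layout assumed: "<64 hex chars>  <filename>".
All sample files and hashes in demo() are constructed for this example.
"""
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

MANIFEST_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(.+)$")


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large installers do not load into RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text: str) -> dict[str, str]:
    """Map filename -> expected lowercase hex digest; skip blank and comment lines."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = MANIFEST_LINE.match(line)
        if not m:
            raise ValueError(f"malformed manifest line: {line!r}")
        expected[m.group(2)] = m.group(1).lower()
    return expected


def verify_downloads(download_dir: Path, manifest_text: str) -> dict[str, str]:
    """
    Return {filename: "ok" | "MISMATCH" | "MISSING"} for every manifest entry.
    hmac.compare_digest keeps the comparison independent of where digests differ.
    """
    results = {}
    for name, want in parse_manifest(manifest_text).items():
        path = download_dir / name
        if not path.is_file():
            results[name] = "MISSING"
            continue
        got = sha256_file(path)
        results[name] = "ok" if hmac.compare_digest(got, want) else "MISMATCH"
    return results


def demo() -> dict[str, str]:
    """Constructed scenario: one genuine build, one tampered build, one absent."""
    genuine = b"GENUINE-WALLET-BUILD-1.2.3\n"
    genuine_hash = hashlib.sha256(genuine).hexdigest()
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "wallet-1.2.3.dmg").write_bytes(genuine)
        # "Trojanized" copy: the vendor's file name, different bytes.
        (d / "wallet-1.2.3.exe").write_bytes(genuine + b"#backdoor\n")
        manifest = "\n".join([
            "# sha256sum -b wallet-1.2.3.*",
            f"{genuine_hash}  wallet-1.2.3.dmg",
            f"{genuine_hash}  wallet-1.2.3.exe",
            f"{'0' * 64}  wallet-1.2.3.AppImage",
        ])
        return verify_downloads(d, manifest)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:9} {name}")
```

The check is only as strong as the manifest's provenance: if the attacker controls both the download and the page the hashes are read from, the digests will match the trojanized build. Pairing the manifest with the vendor's code-signing or PGP signature closes that gap.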
Concealing Financial Trails and Attribution
To complicate the tracing of stolen funds and conceal their activities, the DPRK threat actors push the proceeds through mixing services and through cryptocurrency exchanges that do not enforce stringent know your customer (KYC) or anti-money laundering (AML) controls. A mixer pools the stolen coins with other users' deposits before paying them out, so no individual withdrawal can be tied back to a specific input; this obscures the financial trail and clouds attribution efforts.
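To make the mixing point concrete, the following added example (not code from the article, Recorded Future or Chainalysis) runs a simple "haircut" taint trace over a constructed transfer graph: before the mixer, the full stolen amount lands on one address; after the pool merges it with two unrelated depositors' funds, every withdrawal carries only a quarter of the taint. All addresses, amounts and transactions are constructed, and the haircut rule (outputs inherit the tainted fraction of their inputs) is one of several conventions analysts use.

```python
"""
Haircut taint tracing over a constructed transfer graph.

Shows why routing stolen funds through a mixing pool weakens attribution:
up to the mixer a tracer can follow 100% of the stolen value to a single
address; after the pool mixes it with other depositors' funds, each
withdrawal carries only a fraction of the taint.  Every address, amount and
transaction below is constructed for this example, not real chain data.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: tuple[tuple[str, float], ...]   # (address, amount) spent
    outputs: tuple[tuple[str, float], ...]  # (address, amount) received


def propagate_taint(txs, seed):
    """
    Return {address: tainted_value} after applying `txs` in order (assumed
    chronological).  `seed` maps addresses to an initial, fully tainted
    balance (e.g. the hacked hot wallet).  Inputs from addresses with no
    tracked balance are treated as external, clean deposits.
    """
    balance = defaultdict(float)
    tainted = defaultdict(float)
    for addr, amt in seed.items():
        balance[addr] += amt
        tainted[addr] += amt
    for tx in txs:
        total_in = tainted_in = 0.0
        for addr, amt in tx.inputs:
            total_in += amt
            if balance[addr] <= 0:
                continue  # untracked source: assumed clean
            if amt > balance[addr] + 1e-9:
                raise ValueError(f"{tx.txid}: {addr} spends more than its tracked balance")
            share = tainted[addr] / balance[addr]   # tainted fraction of this address
            tainted_in += amt * share
            tainted[addr] -= amt * share
            balance[addr] -= amt
        frac = tainted_in / total_in if total_in else 0.0
        for addr, amt in tx.outputs:
            balance[addr] += amt
            tainted[addr] += amt * frac
    return {a: round(v, 6) for a, v in tainted.items() if v > 1e-9}


def attribution_candidates(taint, stolen_total):
    """Addresses holding tainted value, with the fraction of the theft each carries."""
    return sorted((a, round(v / stolen_total, 4)) for a, v in taint.items())


STOLEN = 100.0
SEED = {"hacked_hot_wallet": STOLEN}
SCENARIO = (
    # Direct hop after the theft: trivially traceable.
    Tx("t1", (("hacked_hot_wallet", 100.0),), (("cashout_A", 100.0),)),
    # Deposit into a mixing pool alongside two unrelated (clean) users.
    Tx("t2", (("cashout_A", 100.0),), (("mixer_pool", 100.0),)),
    Tx("t3", (("user_X", 100.0),), (("mixer_pool", 100.0),)),
    Tx("t4", (("user_Y", 200.0),), (("mixer_pool", 200.0),)),
    # The pool pays out in equal withdrawals that cannot be linked to inputs.
    Tx("t5", (("mixer_pool", 400.0),),
       tuple((f"withdraw_{i}", 100.0) for i in range(1, 5))),
)


def before_mixer():
    """Trace only the first hop: one address, 100% of the stolen value."""
    return attribution_candidates(propagate_taint(SCENARIO[:1], SEED), STOLEN)


def after_mixer():
    """Trace through the pool: four withdrawals, 25% taint each."""
    return attribution_candidates(propagate_taint(SCENARIO, SEED), STOLEN)


if __name__ == "__main__":
    print("before mixer:", before_mixer())
    print("after mixer: ", after_mixer())
```

The dilution is the whole point of the mixer from the attacker's side: an investigator ends up with a set of candidate addresses, each of which may hold clean money, rather than one address that demonstrably holds the stolen funds. Real mixers add more depositors, variable amounts and time delays, which only widens the candidate set.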
Future Outlook and Recommendations
Recorded Future assesses that, given its past success, North Korea will likely continue to target the cryptocurrency industry to extract additional revenue and support the regime. In light of this ongoing threat, cryptocurrency firms need to strengthen their security controls and adopt comprehensive security frameworks, and stronger regulation and binding cybersecurity requirements for the sector are necessary to counter the persistent threat posed by DPRK threat actors.
Conclusion
The DPRK threat actors' increasing focus on the cryptocurrency sector as a revenue generation mechanism is a significant concern. Their privileged access to resources, technologies, and information, coupled with their expertise in cyber attacks and mathematics, enables them to conduct successful attacks against the industry. These attacks have resulted in the theft of billions of dollars' worth of crypto assets, which are used to fund the country's weapons programs.
Disclaimer
The information provided in this article is for informational purposes only and should not be considered financial advice. The article does not offer sufficient information to make investment decisions, nor does it constitute an offer, recommendation, or solicitation to buy or sell any financial instrument. The content is the opinion of the author and does not reflect any view, suggestion, or advice of any kind from CryptoNewsBytes.com. The author declares that he does not hold any of the above-mentioned tokens and has not received any incentive from any company.