North Korean hackers have stolen $3 billion in crypto assets over 6 years, with DeFi becoming a primary target.

North Korean hacker group has stolen $3 billion in crypto assets over the past six years

A recent cybersecurity report revealed that over the past six years, a hacker group associated with North Korea has stolen cryptocurrency worth $3 billion.

The report points out that in just one year, this hacker organization stole $1.7 billion in crypto assets, likely to fund various programs in North Korea. Another blockchain data analysis company stated that $1.1 billion of that was stolen from decentralized finance (DeFi) platforms. The U.S. Department of Homeland Security also emphasized this hacker organization's infiltration of DeFi protocols in a report released last September.

This hacker organization is known for its expertise in fund theft. In 2016, they infiltrated the Bangladesh Central Bank and stole $81 million. In 2018, they attacked a Japanese crypto assets exchange and the Central Bank of Malaysia, stealing $530 million and $390 million respectively.

Since 2017, North Korea has focused on the crypto assets industry as a key target for cyber attacks. Prior to this, North Korea had hijacked the Society for Worldwide Interbank Financial Telecommunication (SWIFT) network to steal funds, drawing significant attention from the international community. Financial institutions subsequently enhanced their cybersecurity defenses.

After the rise of crypto assets in 2017, North Korean hackers shifted their targets from traditional finance to this emerging field, initially focusing on the South Korean market and then expanding globally.

In 2022, North Korean hackers were accused of stealing $1.7 billion in crypto assets, which is about 5% of North Korea's Gross Domestic Product or 45% of its military spending. This figure is nearly 10 times the value of North Korea's exports in 2021.

North Korean hackers' methods of operation in the crypto assets field are typically similar to those of traditional cybercrime, involving the use of mixers, cross-chain transactions, and over-the-counter transactions. However, due to state support, their scale far exceeds that of ordinary criminal groups. Data shows that in 2022, approximately 44% of stolen crypto assets were related to North Korean hackers.

The targets of North Korean hackers' attacks include not only exchanges but also individual users, venture capital firms, and other technologies and protocols. All institutions and individuals in the industry may become potential targets.

Traditional financial institutions should also closely monitor the activities of North Korean hackers. Stolen crypto assets are converted into fiat currency and transferred between different accounts to conceal their origin. Typically, stolen identity information and modified photos are used to bypass anti-money laundering and identity verification. Any personal information stolen by attackers may be used to register accounts and complete the money laundering process.

As North Korean hackers often initiate attacks through social engineering and phishing, organizations should train employees to recognize these activities and implement strong multi-factor authentication, such as passwordless authentication that complies with FIDO2 standards.

North Korea will continue to regard the theft of crypto assets as a primary source of income to fund military and weapons programs. While it is unclear how much of the stolen funds are directly used for ballistic missile launches, the amount of stolen crypto assets and the number of missile launches have significantly increased in recent years. Without stricter regulations, cybersecurity requirements, and investment, North Korea is likely to continue treating the crypto assets industry as an additional source of national revenue.

In July 2023, an American enterprise software company announced that it had been breached by North Korean hackers. Subsequently, researchers pointed out that the attack was likely carried out by a North Korean hacker organization focused on crypto assets. As of August 2023, the Federal Bureau of Investigation reported that the North Korean hacker organization was involved in multiple attacks, having stolen $197 million in crypto assets. This funding allows the North Korean government to continue operations under strict sanctions and to finance up to 50% of its ballistic missile program costs.

In 2017, North Korean hackers infiltrated several exchanges in South Korea, stealing approximately $82.7 million in crypto assets. That same year, reports indicated that after the personal information of users from a South Korean exchange was leaked, crypto assets users also became targets of attacks.

In addition to theft, North Korean hackers have also started mining crypto assets. In April 2017, researchers discovered Monero mining software installed during an intrusion by North Korean hackers. In January 2018, a study reported that a North Korean organization had breached a company's server for mining, obtaining about 70 Monero coins worth approximately $25,000 at the time.

In 2020, security researchers continued to report new attacks by North Korean hackers targeting the global crypto assets industry, using LinkedIn as an initial method to reach their targets.

2021 was the most active year for North Korea in the crypto assets industry, having infiltrated at least 7 institutions and stolen $400 million. In addition, North Korean hackers began targeting various tokens and NFTs.

In January 2022, researchers confirmed that $170 million in stolen crypto assets had been awaiting redemption since 2017. Notable attacks by North Korean hackers in 2022 targeted several cross-chain bridges, resulting in huge losses.

In October 2022, Japanese police announced that North Korean hackers targeted Japanese crypto assets companies, with some companies successfully breached and funds stolen.

From January to August 2023, North Korean hackers reportedly stole $200 million from multiple platforms. In a July 2023 attack, the hackers may have impersonated recruiters to send emails and messages to employees of targeted companies, spending six months trying to gain network access.

To prevent attacks from North Korean hackers, it is recommended to take the following measures:

  • Enable multi-factor authentication and enhance security using hardware devices.
  • Enable all available multi-factor authentication settings for the exchange account.
  • Verify the authenticity of social media accounts.
  • Be cautious of any airdrops or free promotional activities.
  • Check official sources to confirm the authenticity of airdrops and other activities.
  • Check the URL and observe the redirection to ensure access to the official website.
  • Stay highly vigilant during transactions and use a hardware wallet.
  • Only use trusted decentralized applications and verify smart contract addresses.
  • Carefully check the official website URL to avoid impersonation.
  • Remain skeptical of conditions that seem too favorable.
Comment
LightningSentryvip
· 07-13 10:05
This chives are also hard to play people for suckers~
GasBanditvip
· 07-13 01:37
All the hard work has been done by the three chubby ones.
GamefiHarvestervip
· 07-10 11:42
The plate is so large and very professional!
FloorSweepervip
· 07-10 11:27
Laughing to death, DeFi has been exploited to the point of no return.
rugdoc.ethvip
· 07-10 11:21
Heaven... can buy ten V Gods.