North Korean hackers once openly used more mainstream exchanges, but in the past two years they have had to find refuge at illicit Russian crypto exchanges to move their funds back home.
So says a new report from Chainalysis, which finds that ties between North Korea’s state-backed APT groups and Russian cyber criminal cartels are deepening. Though there is no direct connection between the Russian government and these illicit crypto exchanges, they are allowed to exist in the country given that cyber crime there is generally not pursued if it does not involve domestic targets or foreign allies.
Underground Russian crypto exchanges provide an option of last resort for North Korea
Crypto exchanges the world over have felt increasing pressure from the US and allied governments, and have consequently started to more aggressively watch for and move against illicit transactions. North Korean hackers need an exchange that openly and willingly consorts with thieves, and they have found this resource in Russia.
Without a reliable way to convert stolen funds into a more liquid form back in their home country, North Korean hackers might be out of the market entirely. That would mean anywhere from a third to half of all cyber heists each year might go away immediately. The DPRK-backed hackers have stolen over $3 billion in crypto over the last few years, with nearly half of that amount coming during a massive spree last year, and they appear to be on pace to account for about one-third of 2023’s cyber theft total.
The US and other countries have at least some leverage when a Russian cyber criminal gang gets excessively bold and does something that could be construed as an act of war, such as the disruptions to critical infrastructure in 2021. Chainalysis CEO Michael Gronager says that there is virtually none left when it comes to Russian crypto exchanges, however, as they are already heavily sanctioned and will simply ignore anything else that is piled upon them.
The stolen money is being applied mostly to the North Korean nuclear weapons program. Most of that stolen money has come from DeFi platforms, which have had their security and customer confidence severely tested by this crime spree.
North Korean hackers having great success with social engineering
The Chainalysis report uses the Harmony Protocol breach of 2022 as a central example of how North Korean hackers have tended to launder money through these crypto exchanges. That theft saw the Lazarus and APT38 groups move about $21 million of funds through multiple wallet addresses in Russia. Prior to 2021, this money movement would have been through a more mainstream and legitimate exchange and thus much easier to track and claw back.
The North Korean hackers have been averaging hundreds of thousands of dollars in crypto per year since 2016, and in recent years have tended to average around $350 million (an amount they are already very close to for 2023). 2022 was a banner year for the hackers thanks mostly to some very sophisticated social engineering approaches that ensnared targets in elaborate fake job interviews.