Several organizations around the world started the New Year with hacker intrusions and data breaches, and a few cybercriminal groups profited handsomely from their malicious activities. A recent analysis from blockchain firm Chainalysis revealed that North Korean threat actors stole over $400 million worth of cryptocurrency in 2021 by compromising multiple crypto exchanges and investment companies. It is no surprise that hackers target the booming cryptocurrency economy after the value of cryptocurrencies like Bitcoin and Ethereum skyrocketed recently.
According to the analysis report, North Korean crypto hackers launched around seven attacks on cryptocurrency platforms in 2021, targeting investment firms and centralized exchanges.
A hot wallet allows users to store, send, and receive digital coins linked with public and private keys that help facilitate transactions. Since hot wallets are connected to the internet, they are vulnerable to cyberattacks and unauthorized intrusions. Hackers reportedly leveraged phishing lures, code exploits, malware, and advanced social engineering techniques to siphon crypto funds from hot wallets.
Lazarus Group – The Main Culprit
Researchers suspect that the infamous Lazarus Group is behind these crypto hacks. Lazarus is a North Korean hacking group active since 2014 and accused of several cybercriminal campaigns. The group is best known for its cyberattacks on international organizations using multiple malware families such as AppleJeus, Fileless, ThreatNeedle, and MATA. Lazarus initially gained notoriety with the 2017 WannaCry 2.0 global ransomware attack, but the group has since turned to cryptocurrency crime.
The Rise in Cryptocurrency Crimes in North Korea
Researchers stated that North Korean hacking activity was on the rise in 2021. From 2020 to 2021, the number of cryptocurrency hacks grew by 40%.
“Interestingly, in terms of dollar value, Bitcoin now accounts for less than one-fourth of the cryptocurrencies stolen by DPRK. In 2021, only 20% of the stolen funds were Bitcoin, whereas 22% were either ERC-20 tokens or altcoins. And for the first time ever, Ether accounted for a majority of the funds stolen at 58%,” the researchers said.
Money Laundering to Cash Out
The analysis found that Lazarus operators used multiple money laundering processes to cash out after stealing the funds. The North Korean hackers’ typical money laundering process includes the following steps:
- ERC-20 tokens and altcoins are swapped for Ether via decentralized exchange (DEX)
- Ether is mixed
- Mixed Ether is swapped for Bitcoin via DEX
- Bitcoin is mixed
- Mixed Bitcoin is consolidated into new wallets
- Bitcoin is sent to deposit addresses at crypto-to-fiat exchanges based in Asia for potential cash-out points
“These behaviors, put together, paint a portrait of a nation that supports cryptocurrency-enabled crime on a massive scale. Systematic and sophisticated, North Korea’s government—be it through the Lazarus Group or its other criminal syndicates—has cemented itself as an advanced persistent threat to the cryptocurrency industry in 2021. Nonetheless, the inherent transparency of many cryptocurrencies presents a way forward. With blockchain analysis tools, compliance teams, criminal investigators, and hack victims can follow the movement of stolen funds, jump on opportunities to freeze or seize assets, and hold bad actors accountable for their crimes,” the researchers added.
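The six-step laundering chain above is also the pattern a compliance team or investigator walks when following stolen funds, which is the "way forward" the researchers describe. The Python below is an added example, not code from the article or from Chainalysis, that traces taint from a compromised hot wallet across a small constructed ledger: through a DEX swap (followed only within the same transaction, since a swap is atomic), a mixer (followed by a simple deposit-to-withdrawal amount-matching heuristic), a consolidation wallet and finally a labelled exchange deposit address, which is flagged as a potential cash-out point. All addresses, labels, amounts, transaction ids and the mixer heuristic are constructed assumptions for illustration.

```python
"""
Added example (not from the article or Chainalysis): taint tracing over a
constructed ledger that mirrors the DPRK laundering chain described above:
  token -> DEX -> ETH -> mixer -> DEX -> BTC -> mixer -> consolidation -> exchange.
"""
from collections import deque

# Assumed attribution labels. In practice these come from a curated database of
# known DEX/swap contracts, mixer contracts and exchange deposit addresses.
LABELS = {
    "0xDEX1": "dex",
    "0xMIX1": "mixer",
    "btcDEX": "dex",               # constructed cross-asset swap service
    "btcMIX": "mixer",
    "btcEXCH": "exchange_deposit", # deposit address at a crypto-to-fiat exchange
}

# Constructed ledger rows in time order: (tx_id, from, to, asset, amount).
LEDGER = [
    ("t1",  "0xHOT",   "0xDEX1",  "ERC20-ABC", 1_000_000.0),  # stolen tokens swapped
    ("t1",  "0xDEX1",  "0xATT1",  "ETH",       300.0),        # ...for ETH, same tx
    ("t2",  "0xUSER",  "0xDEX1",  "ETH",       5.0),          # unrelated user swap
    ("t2",  "0xDEX1",  "0xUSER",  "ERC20-XYZ", 900.0),
    ("t3",  "0xATT1",  "0xMIX1",  "ETH",       300.0),        # ETH deposited to mixer
    ("t4",  "0xMIX1",  "0xOTHER", "ETH",       10.0),         # someone else's withdrawal
    ("t5",  "0xMIX1",  "0xATT2",  "ETH",       299.0),        # matching withdrawal
    ("t6",  "0xATT2",  "btcDEX",  "ETH",       299.0),        # mixed ETH swapped for BTC
    ("t6",  "btcDEX",  "btcATT3", "BTC",       20.0),
    ("t7",  "btcATT3", "btcMIX",  "BTC",       20.0),         # BTC mixed
    ("t8",  "btcMIX",  "btcATT4", "BTC",       19.9),
    ("t9",  "btcATT4", "btcCONS", "BTC",       19.9),         # consolidated into new wallet
    ("t10", "btcCONS", "btcEXCH", "BTC",       19.9),         # sent to exchange deposit
]


def trace(ledger, origin, labels, mixer_tol=0.01):
    """Breadth-first taint walk from `origin`.

    Returns (tainted_wallets, cashout_points, path) where `path` lists every hop
    followed as (src, dst, asset, amount, label_of_dst).
    """
    rows = [dict(tx=t, src=s, dst=d, asset=a, amt=m, idx=i)
            for i, (t, s, d, a, m) in enumerate(ledger)]
    by_src = {}
    for r in rows:
        by_src.setdefault(r["src"], []).append(r)

    tainted, cashout, path = {origin}, set(), []
    queue = deque([origin])
    while queue:
        cur = queue.popleft()
        for r in by_src.get(cur, []):
            dst, kind = r["dst"], labels.get(r["dst"], "wallet")
            path.append((r["src"], dst, r["asset"], r["amt"], kind))
            if kind == "wallet":
                # Funds still under the actor's control: follow everything it sends.
                nxt = [dst]
            elif kind == "dex":
                # A swap is atomic: only the output leg of the same tx carries taint,
                # so other users of the shared DEX contract are not swept in.
                nxt = [o["dst"] for o in by_src.get(dst, []) if o["tx"] == r["tx"]]
            elif kind == "mixer":
                # Simplified demixing heuristic (an assumption): a later withdrawal
                # of the same asset whose amount is within `mixer_tol` of the deposit.
                nxt = [o["dst"] for o in by_src.get(dst, [])
                       if o["idx"] > r["idx"] and o["asset"] == r["asset"]
                       and abs(o["amt"] - r["amt"]) <= mixer_tol * r["amt"]]
            else:  # exchange_deposit: a point where funds can be frozen or cashed out
                cashout.add(dst)
                nxt = []
            for n in nxt:
                if kind != "wallet":
                    out = next(o for o in by_src[dst] if o["dst"] == n)
                    path.append((dst, n, out["asset"], out["amt"],
                                 labels.get(n, "wallet")))
                if n not in tainted:
                    tainted.add(n)
                    queue.append(n)
    return tainted, cashout, path


if __name__ == "__main__":
    tainted, cashout, path = trace(LEDGER, "0xHOT", LABELS)
    for hop in path:
        print("%-8s -> %-8s %-10s %12.1f  [%s]" % hop)
    print("tainted wallets:", sorted(tainted))
    print("potential cash-out points:", sorted(cashout))
```

The two service rules are what keep the walk from over-tainting: the unrelated swap by `0xUSER` on the same DEX and the unrelated mixer withdrawal to `0xOTHER` stay clean, while the exchange deposit address surfaces as the place where a freeze request can be made. Real mixers are built to defeat naive amount matching, so the mixer rule here stands in for the far richer heuristics commercial blockchain analysis tools apply.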