Friday, October 16, 2020
North Korean crypto hacking: Separating fact from fiction

"The small IP space/access to the internet in the DPRK, as well as its less connected nature to global/online systems, arguably offers it an asymmetric advantage in relation to cyber operations."

By Alex Cohen
October 9, 2020
in Features

The Democratic People’s Republic of Korea is widely considered to be a state sponsor of cryptocurrency hacking and theft. While multiple United States presidents have attempted to stifle the growth of North Korean nuclear energy development through a series of economic sanctions, cyber warfare is a new phenomenon that can’t be dealt with in a traditional way. 

Unfortunately for the crypto industry, the DPRK has taken a liking to digital currencies and seems to be successfully escalating its operations around stealing and laundering cryptocurrencies to bypass crippling economic sanctions that have led to extreme poverty in the pariah state.

Some evidence suggests that Pyongyang has racked up well over two billion U.S. dollars from ransomware attacks, hacks, and even stealing crypto directly from the public through a spectrum of highly sophisticated phishing tricks. Sources explain that the regime employs various tactics to convert the stolen funds into crypto, anonymize it and then cash out through overseas operatives. All this activity has been given a name by the United States authorities — “hidden cobra.”

To achieve all this, not only does the operation need to be backed by the state, but many highly trained and skilled people have to be involved in the process to pull off the heists. So, does the DPRK indeed have the means and capability to engage in cyber warfare on a global scale, even as the country’s leadership openly admits that the country is in a state of economic disrepair?

How much exactly have the hackers stolen?

2020 continues the pattern of multiple updates on how much money the DPRK-backed hackers have allegedly stolen. A United Nations report from 2019 stated that North Korea has snatched around $2 billion from crypto exchanges and banks. 

The most recent estimates seem to indicate that the figure is around the $1.5 to $2.5 billion mark. These figures suggest that, although exact data is hard to come by, the hacking efforts are on the rise and are bringing in more funds each year. Furthermore, multiple reports of new ransomware, elaborate hacks and novel ransomware methods only support this assessment.

Madeleine Kennedy, senior director of communications at crypto forensics firm Chainalysis, told Cointelegraph that the lower estimate is, if anything, understated:

We are confident they have stolen upwards of $1.5B in cryptocurrency. It seems likely that DPRK invests in this activity because these have been highly successful campaigns.

However, Rosa Smothers, senior vice president at the cybersecurity firm KnowBe4 and a former CIA technical intelligence officer, told Cointelegraph that despite the recent accusations from the United States Department of Justice that North Korean hackers stole nearly $250 million from two crypto exchanges, the total figure may not be as high, adding: “Given Kim Jong Un’s recent public admission of the country’s dismal economic situation, $1.5B strikes me as an overestimate.”

How do the hacking groups operate?

It’s not very clear how exactly those North Korean hacking groups are organized or where they are based, as none of the reports paint a definitive picture. Most recently, the U.S. Department of Homeland Security stated that a new DPRK-sponsored hacking group, BeagleBoyz, is now active on the international scene. The agency suspects the gang to be a separate but affiliated entity to the infamous Lazarus group, which is rumored to be behind several high-profile cyber attacks. DHS believes that BeagleBoyz has attempted to steal almost $2 billion since 2015, mostly targeting banking infrastructure such as ATMs and the SWIFT system.

According to Ed Parsons, UK managing director of F-Secure, “The ‘BeagleBoyz’ appears to be the U.S. government name for a recent cluster of activity targeting financials in 2019/2020,” adding that it’s unknown whether the unit is new or “a new name attached to an initially unattributed campaign that was then later linked to DPRK activity.” He further told Cointelegraph that the malware samples were associated with those under the “hidden cobra” codename, which is a term used by the U.S. government to identify DPRK online activity.

According to the U.S. Cybersecurity and Infrastructure Security Agency, hidden cobra-related activity was first flagged in 2009 and initially aimed to exfiltrate information or disrupt processes. The main attack vectors are “DDoS botnets, keyloggers, remote access tools (RATs), and wiper malware,” targeting older versions of Microsoft’s Windows and Adobe software. Most notably, the hidden cobra actors make use of a DDoS botnet infrastructure known as DeltaCharlie, which is associated with over 600 IP addresses.

John Jefferies, chief financial analyst at CipherTrace, a blockchain forensics company, told Cointelegraph that there are several prominent hacking groups and it’s extremely difficult to differentiate between them. Anastasiya Tikhonova, head of APT Research at Group-IB, a cybersecurity company, echoed the sentiment saying that regardless of the group name attached, the attack vectors are very similar:

“Initial access to targeted financial organizations is gained using spear phishing — either via emails with a malicious document masquerading as a job offer or via personal message on social media from a person pretending to be a recruiter. Once activated the malicious file downloads the NetLoader.”

Additionally, several experts have outlined JS-sniffers as the latest threat to emerge, most commonly linked to the Lazarus group. JS-sniffers are malicious code designed to steal payment data from small online stores, an attack in which all the parties engaged in the transaction would have their personal information exposed.


Overall, the hacking groups seem to be perfecting the use of a very specific set of malicious tools that center around phishing, whereby unknowing company employees install the infected software, which then spreads across the enterprise system targeting its core functions. The most notable examples of suspected activity are the 2014 hack of Sony Pictures and the spread of the WannaCry malware in 2017.

According to various sources, most attacks are executed to a high standard, with evidence of lengthy preparations. The latest examples from 2020 include a fake trading bot website built to lure in DragonEX crypto exchange employees, which raked in $7 million in crypto.

In late June, a report warned that the Lazarus Group would seek to launch a COVID-19-specific attack in which the hackers would impersonate government offices in countries issuing pandemic-related financial relief, directing unwary email recipients to a malicious website that would siphon financial data and ask for crypto payments. Additionally, crypto industry job seekers also appear to be under threat: according to a recent report, the hackers are using LinkedIn-like emails to send fake job offers containing a malicious MS Word file.

Most notable are the attacks on crypto exchanges. Although the exact amount stolen from trading platforms is unknown, several reports by cybersecurity firms and various government agencies put the estimated amount at well over a billion dollars. However, the DPRK is only suspected of being behind some of those hacks, with only a handful of cases having been traced back to the regime. The best-known example is the hack of the Japan-based Coincheck exchange, during which $534 million in NEM tokens was stolen.

In late August 2020, a statement from the U.S. Department of Justice outlined the details of an operation to launder stolen funds through crypto, which was traced back to 2019. It is believed that the North Korean-backed hackers initiated the heist with the support of a Chinese money laundering ring. The two Chinese nationals in question used the “peel chain” method to launder $250 million through 280 different digital wallets, in an attempt to conceal the origin of the funds.
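The paragraph above names the “peel chain” method without showing what a forensic analyst actually looks for. The following is an added example, not code from the article or from any of the firms it quotes. It assumes the usual description of a peel chain (a long series of transactions in which each hop forwards most of the balance to a fresh address and “peels” a small amount off to a cash-out point) and a simplified UTXO model in which every transaction lists the addresses it spends from and the (address, amount) outputs it creates. The transaction set, address names and day numbers are constructed for the example; the 18-month dormancy the Chainalysis report describes later in the article is modelled by the gap between the theft transaction and the first spend.

```python
"""Peel-chain tracer and dormancy check over a constructed, in-memory
transaction set (added example; hypothetical data, simplified UTXO model)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    txid: str
    day: int                                 # day number on a constructed timeline
    inputs: tuple[str, ...]                  # addresses this tx spends from
    outputs: tuple[tuple[str, float], ...]   # (address, amount) pairs it creates


# Constructed sample: one theft output (t0), a 400-day dormancy, four peel
# hops (t1-t4) that each shave a small amount off to an exchange-like address,
# then an even split (t5) that is not a peel, plus one unrelated tx (t9).
SAMPLE = (
    Tx("t0", 0,   ("victim_hot",), (("h0", 1000.0),)),
    Tx("t1", 400, ("h0",), (("a1", 950.0), ("exch1", 50.0))),
    Tx("t2", 401, ("a1",), (("a2", 900.0), ("exch2", 50.0))),
    Tx("t3", 403, ("a2",), (("a3", 860.0), ("exch1", 40.0))),
    Tx("t4", 404, ("a3",), (("a4", 820.0), ("exch3", 40.0))),
    Tx("t5", 410, ("a4",), (("b1", 410.0), ("b2", 410.0))),
    Tx("t9", 405, ("other",), (("x1", 5.0),)),
)


def index(txs):
    """Build lookup tables: txid -> Tx, and address -> txid that spends it."""
    by_id = {tx.txid: tx for tx in txs}
    spent_by = {}
    for tx in txs:
        for addr in tx.inputs:
            spent_by[addr] = tx.txid
    return by_id, spent_by


def dormancy_days(address, by_id, spent_by):
    """Days between the tx that funded `address` and the tx that first spends it.
    Returns None if the address was never funded or never spent."""
    funded = next((tx for tx in by_id.values()
                   if any(a == address for a, _ in tx.outputs)), None)
    spender = spent_by.get(address)
    if funded is None or spender is None:
        return None
    return by_id[spender].day - funded.day


def trace_peel_chain(start_addr, by_id, spent_by, max_peel_fraction=0.2):
    """Follow the largest output hop by hop. A hop counts as a peel when the
    smaller outputs together are at most `max_peel_fraction` of the total;
    the chain ends at the first tx that does not fit that shape."""
    hops = []
    addr = start_addr
    seen = set()
    while (txid := spent_by.get(addr)) and txid not in seen:
        seen.add(txid)
        outs = sorted(by_id[txid].outputs, key=lambda o: o[1], reverse=True)
        if len(outs) < 2:
            break                       # single-output sweep, not a peel
        main_addr, main_amt = outs[0]
        total = sum(amt for _, amt in outs)
        if (total - main_amt) / total > max_peel_fraction:
            break                       # too much peeled off: ordinary split
        hops.append({"txid": txid, "continues_to": main_addr,
                     "carried": main_amt, "peeled": tuple(outs[1:])})
        addr = main_addr
    return hops


def summarize(start_addr, by_id, spent_by, min_hops=3):
    """Compact report an analyst would pivot on: hop count, total peeled,
    the cash-out addresses that received peels, and where the residue sits."""
    hops = trace_peel_chain(start_addr, by_id, spent_by)
    return {
        "hops": len(hops),
        "is_peel_chain": len(hops) >= min_hops,
        "peeled_total": sum(amt for h in hops for _, amt in h["peeled"]),
        "peel_destinations": sorted({a for h in hops for a, _ in h["peeled"]}),
        "residual_addr": hops[-1]["continues_to"] if hops else start_addr,
    }


if __name__ == "__main__":
    by_id, spent_by = index(SAMPLE)
    print("dormancy of h0 (days):", dormancy_days("h0", by_id, spent_by))
    print(summarize("h0", by_id, spent_by))
```

On the sample the tracer follows four hops from `h0`, stops at the even split in `t5`, reports 180 units peeled to three distinct cash-out addresses and 820 units still sitting at `a4`; those peel destinations are the addresses an exchange’s compliance team would want to screen against its own deposit records. The threshold and minimum hop count are tuning knobs, not facts from the article.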

According to Kennedy, DPRK-linked hacking groups are indeed becoming more sophisticated at hacking and laundering: “Specifically, these cases highlighted their use of “chain hopping,” or trading them into other cryptocurrencies such as stablecoins. They then convert the laundered funds into Bitcoin.” Chain hopping refers to a method where traceable cryptocurrencies are converted into privacy coins such as Monero or Zcash.

Addressing the apparent success of the hackers, Parsons believes that:

The small IP space/access to the internet in the DPRK, as well as its less connected nature to global/online systems, arguably offers it an asymmetric advantage in relation to cyber operations.

Speaking to Cointelegraph, Alejandro Cao de Benos, a special delegate of the Committee for Cultural Relations with Foreign Countries of DPRK refuted claims that the country is behind the crypto cyber attacks, stating that it’s a “big propaganda campaign” against the government:

“Usually the DPRK is always portrayed in the media as a backward country without internet access or even electricity. But at the same time they always accuse it of having higher capacity, faster connectivity, better computers and experts than even the best banks or US government agencies. It does not make sense just from a basic logical and technological point of view.”

What’s the size of the alleged cyber force and where are they based?

Another number that various reports and studies fail to agree upon is the size of the cyber force that the North Korean government allegedly backs. Most recently, the U.S. Army report “North Korean Tactics” stated that the figure stands at 6,000 operatives, mainly spread across Belarus, China, India, Malaysia, Russia and several other countries, all united under the leadership of a cyber warfare unit called “Bureau 121.”

Parsons believes that the number was most likely derived from previous estimates obtained from a defector who fled DPRK in 2004, although conceding that: “The figure may also have been generated from internal U.S. intelligence that is not publicly attributable.” Tikhonova agreed that it’s hard to assess the size of the force: “Different reports can give a clue to the regime’s ‘hiring’ strategy,” she said, continuing that: 

“The North Koreans have been allegedly attracting students from universities. In addition, some of the North Korean hackers were recruited while working for IT companies in other countries. For example, Park Jin Hyok, an alleged member of the Lazarus APT wanted by the FBI, worked for the Chosun Expo IT company based in Dalian, China.”

Smothers was more skeptical of the report’s conclusion, though she noted that: “This is consistent with reporting from South Korea’s Defense Ministry who had, just a few years ago, estimated their number at 3,000,” adding that if anyone has such information, it would be South Korea. Addressing the question of how the cyber force is organized and where it’s based, she also agreed that most hackers would be stationed around the world “given the limited bandwidth in North Korea.”

Jefferies also believes that “North Korean hackers are based all around the world — a privilege afforded to very few in the country,” also adding that in most cases, hacks attributed to North Korea are not conducted by hackers-for-hire. Tikhonova provided a possible reason behind both assertions, saying: 

It is unlikely that they would give someone access to their list of potential targets or their data given the sensitivity of the operations, so those are carried out by North Koreans themselves.

What can be done to stop the hackers?

It seems that, so far, identifying the movement of money and uncovering some of the third parties is the only thing that has been done successfully — at least in public. One report by BAE Systems and SWIFT has even outlined how the funds stolen by the Lazarus Group are processed through East Asian facilitators, eluding the anti-money laundering procedures of some crypto exchanges.

Jefferies believes that more needs to be done in that regard: “Authorities need to enact and enforce crypto anti-money laundering laws and Travel Rule regulation to ensure that suspicious transactions are reported.” He also stressed the importance of authorities ensuring that virtual asset service providers deploy adequate Know Your Customer measures:

“One known tactic used by North Korean-backed professional money launderers was the use of fake IDs to create accounts at multiple exchanges. The exchanges with stronger KYC controls were better able to detect these fraudulent accounts and prevent the abuse of their payment networks.”

According to the information revealed by the U.S. DOJ, those laundering the money target exchanges with weaker KYC requirements. Although no platforms have been named, these are likely smaller exchanges operating solely in the Asian market. There’s also the issue of some authorities being unable to take action against companies that are not under their jurisdiction, as Smothers points out:

“The global nature of these exchanges, as well as the Chinese OTC (over-the-counter cryptocurrency trading) actors, limits our Justice Department’s ability to take swift action. For instance, the DOJ filed a civil action in March, but the Chinese OTCers pulled all funds out of the target accounts within hours of the DOJ’s filing.”

But what complicates things even further is that, according to a Chainalysis report from 2019, those laundering the funds may take months — if not years — to complete the process. The report’s authors supported the notion that the attacks were for financial benefit, as the stolen crypto could sit idle in wallets for up to 18 months before being moved, out of fear of detection.

However, researchers believe that since 2019, the tactics employed by the criminals have changed to accommodate faster withdrawals through the extensive use of cryptocurrency mixers to obscure the source of the funds. Kennedy explained further:

“We can’t speak to the reasons behind their techniques, but we have noticed that these actors often move money around from one hack, then stop to concentrate on moving money around from another hack, and so on. […] Cryptocurrency exchanges were critical in the investigations, and the public and private sectors are working together to address the threats posed by these hackers.”

How serious is the issue?

When discussing DPRK, it’s hard to avoid the topics of human rights violations and the nuclear program that the country reportedly continues to run, despite tightening economic sanctions. 

In that sense, the dynastic government guided by supreme leader Kim Jong Un is seen as a considerable threat to the world, and now not just because of the regime’s nuclear aspirations. Even though cybersecurity attacks in most cases are not directly harmful to human life, these efforts provide a steady stream of income for the state to continue pursuing its ideals and goals.

Perhaps more worryingly, according to several commentators cited in this article, the hacking groups that seem to be backed by the North Korean regime continue to expand and branch out their operations, since their methods are proving to be exceedingly successful. Jefferies, for one, believes that: “It’s not a surprise that they would continue to build upon and invest in their cyber capabilities.”


Alex is the senior news editor at Cointelegraph. Despite holding a bachelor’s degree in political science and a master’s in management, he was attracted to a career in journalism and soon ended up in fintech and blockchain. He is passionate about all new technology and old wine.

© 2020 Cointelegraph Magazine. All Rights Reserved.