How Kim Jong-un uses crypto to hack through the pandemic

Choe Sang-Hun and David Yaffe-Bellany

Seoul | North Korea’s economy has been ravaged by United Nations sanctions and the coronavirus pandemic. The government has warned of a severe food shortage. An unidentified intestinal disease began spreading among citizens in June.

And yet, the country has conducted more missile tests this year than in any previous year. The government is giving new luxury homes to party elites. Kim Jong-un, North Korea’s leader, has promised to develop advanced technology for the nation’s growing weapons arsenal. A new nuclear test - the country’s seventh - is expected to happen any moment.

Where has the money come from?

In April, the US identified a key part of the puzzle when it publicly accused North Korean hackers of stealing $US620 million ($899 million) in cryptocurrency from the video game Axie Infinity.

The theft, one of the largest of its kind, provided the strongest evidence that cryptocurrency heists have become a highly lucrative yet relatively risk-free way for North Korea to raise funds to buttress the regime during the pandemic and to finance its weapons development.

Poor, isolated and heavily sanctioned, North Korea has long resorted to illicit activities to gin up badly needed cash. It has trafficked in weapons, illegal drugs and counterfeit US$100 bills. Its workers have dug tunnels for the Myanmar military and built statues and monuments for African dictators. It has unleashed hackers to disrupt foreign websites and steal from corporations and banks.

Vital foreign currency

More recently, with its borders shut because of the pandemic and traditional banks strengthening their firewalls against hackers, cryptocurrency theft has become an increasingly vital source of foreign currency for the regime. Its hackers are accused of stealing $US571 million from cryptocurrency exchanges between January 2017 and September 2018 and $US316 million from 2019 to November 2020.

North Korean hackers may have walked away with nearly $US400 million in cryptocurrency last year, according to the crypto data company Chainalysis. This year, North Korea’s haul is up to a little under $US1 billion. To put those figures into context, the country earned only $US89 million in official exports in 2020, according to South Korea’s government-run statistical agency.

Cryptocurrencies are hardly a stable source of funding. Over the last two months, the market has crashed spectacularly, erasing hundreds of billions of dollars in investments and sending the price of Bitcoin below $US20,000 for the first time since late 2020.

North Korea had crypto holdings worth $US170 million at the end of last year, according to Chainalysis – funds that the country had stolen but not converted into cash. That stash was worth only $US65 million as of last week.

But at a time when North Korea has locked itself down for fear of the pandemic, hacking crypto exchanges has allowed it to generate income in ways that are both COVID-safe and harder to trace in an industry subject to limited government oversight.

As its hackers roam cyberspace launching devastating attacks, North Korea runs little risk of being targeted itself because most of the country is offline. “For North Korea, it’s a low-cost, low-risk but high-return criminal enterprise,” said Yoo Dong-ryul, a former chief anti-terrorism analyst at the South Korean national police agency.

Cyberwarrior army

North Korea barely has enough electricity to run building lifts in Pyongyang, and most people do not have computers, much less access to the internet. Yet, the country has long been home to many of the world’s savviest and most aggressive hackers.

North Korean students have rivalled their peers from the world’s top universities in international computer-programming competitions. By 2013, Mr Kim called his hackers “an all-purpose sword” parallel to his nuclear weapons and missiles in their “ruthless targeting capabilities,” according to South Korea’s National Intelligence Service.

“They are unique in that they are trained and deployed and operate under a government program,” Mr Yoo said. By one South Korean estimate, North Korea runs an army of about 6800 cyberwarriors – 1700 hackers in seven different units and 5100 technical support personnel.

Talented students are carefully screened and groomed from an early age. The best of them join the hacker training programs at the Moranbong University, run by the Reconnaissance General Bureau, North Korea’s main spy agency, or at the military-run Mirim College, South Korean officials say. After graduation, most are assigned to the Reconnaissance General Bureau’s cyberwarfare arm, Department 121.

In North Korea, only a small number of workers whose loyalty is vetted by the regime are allowed to work abroad. Hackers are among them, operating in China, Russia, Belarus and Southeast Asian countries like Singapore, the Philippines and Malaysia, often posing as freelance computer engineers.

Like other North Korean workers abroad, the hackers operate under the watchful eyes of their political minders sent from Pyongyang.

Usually, North Korean hackers breach foreign crypto wallets through phishing attacks, according to Chainalysis. Then the hackers use a complex set of financial instruments to transfer the stolen funds, moving the loot through cryptocurrency “mixers” that combine multiple streams of digital assets.

The final step is turning the crypto into cash. Generally, North Korea uses offshore exchanges, converting the stolen cryptocurrency into Chinese yuan. “It’s a really powerful tool for them in evading sanctions,” said Erin Plante, senior director of investigations for Chainalysis.

Axie Infinity, the video game targeted in the cryptocurrency heist this spring, was created by Sky Mavis, a company founded in Vietnam in 2018. The game allows participants to accumulate cryptocurrency the more they play. By last year, it had more than 2.5 million daily users. The game’s popularity made the company a target: Employees at Sky Mavis were under constant advanced spear-phishing attacks on various social channels.

The company was hacked after an employee downloaded a Word document, said Aleksander Leonard Larsen, a founder of Sky Mavis. The employee no longer works at the company, he said.

This article originally appeared in The New York Times.
