Flashpoints

What Will North Korean Cybercrime Look Like in 2022?


The COVID-19 pandemic has contributed to increased online spending, which Pyongyang and other illicit actors will likely continue to exploit.

Credit: Illustration by Catherine Putz

The international community often incorrectly assumes that the lack of public access to modern computer hardware within North Korea's borders means the country is unable to successfully execute software-reliant cyberattacks.

Over the years, however, North Korea has demonstrated remarkable growth in the breadth, success, and sophistication of its cyberattacks, ranging from hacking government websites and cryptocurrency exchanges to crippling national healthcare services and global financial networks. The most distinctive aspect of North Korean hacking is its focus on targeting financial institutions, a likely result of sustained U.S. and U.N. economic sanctions on the country.

The United Nations Panel of Experts on the DPRK assessed in its March 2021 report that North Korea-sponsored cybercrime both directly and indirectly supports the country’s weapons of mass destruction programs, which signals an urgent need for responsible nations to cooperate on mitigating this cyber-enabled global security threat. For 2022, recent analysis and developments in North Korean hacking suggest that Pyongyang will expand its cyber operations with increased focus in the following areas: phishing campaigns, ransomware attacks, foreign OTC brokers, and decentralized finance (DeFi) platforms. 

More Phishing Campaigns

Most North Korea-sponsored hacks begin with some form of an email phishing campaign that targets untrained employees and vulnerabilities in a network’s operating system. Despite calls for greater company-wide cyber hygiene practices, Pyongyang continues to enjoy tremendous success in gaining access to financial networks by sending infected links in emails. Given the proven success of this technique across a wide range of platforms, North Korean hackers will likely continue to employ more phishing campaigns in the future while tailoring their level of obfuscation based on the target’s sophistication.

For example, the North Korea-based Lazarus Group created several fake social media accounts and websites to convince a cryptocurrency exchange that the information provided in a fraudulent email was correct. After the infected links were clicked, the hackers gained access to the target’s network and stole over $7 million worth of crypto assets from the exchange.

More Ransomware Attacks

The Lazarus Group has successfully employed ransomware attacks in the past and will likely continue to use this form of malware as long as it can extort funds from its victims. The 2017 WannaCry ransomware attack compromised over 200,000 computers and disrupted banks, hospitals, and communication companies in 150 countries by targeting a vulnerability in the Microsoft Windows operating system. While the total amount of funds generated from the ransom payments is unclear, this attack caused an estimated $4 billion in losses across the globe. Although Microsoft issued a patch that would have prevented the infection, hundreds of thousands of systems were not updated by the time of the hack, signifying a massive security oversight and a need for mandatory company-wide computer system updates following the release of a security patch. The recent Russian cybercriminal-led ransomware attack on Colonial Pipeline also calls for significant attention and action from responsible nations to strengthen their national cyber resilience against ransomware attacks.

More Foreign OTC Brokers, But Perhaps Less China?

Since U.S. and U.N. sanctions have effectively cut off North Korea from the global financial system by restricting its access to the U.S. dollar, Pyongyang must rely on foreign partners and affiliates abroad to cash out stolen cryptocurrency funds into fiat currency through financial systems it can no longer legally access itself. Over-the-counter (OTC) brokers specialize in facilitating cryptocurrency transactions and transfers, often using accounts on exchanges to hold and move crypto on behalf of their clients.

While not inherently illicit, OTC brokers can provide North Korea with valuable money laundering capabilities, as seen in the indictment of two Chinese OTC brokers charged with laundering over $100 million in cryptocurrency for Pyongyang. However, North Korea may have to look elsewhere for OTC brokers as Beijing continues to crack down on cryptocurrency exchanges, including by outlawing crypto trading and mining. These regulations only apply to Chinese crypto users operating within the legal jurisdiction of China, meaning that willing Chinese OTC brokers abroad can still aid North Korea. Even so, Pyongyang will likely seek to diversify its usage of foreign OTC brokers by enlisting help from additional jurisdictions. Given that the Lazarus Group may have preexisting ties with Eastern European cybercrime groups, North Korea may look farther west than usual for assistance in its illicit cyber operations.

More Money Laundering Efforts Through New Financial Technologies

As cryptocurrency technology innovation continues to outpace regulation of the crypto space, North Korean hackers will likely expand cyber operations targeting evolving financial platforms, such as decentralized finance (DeFi). DeFi allows individual crypto users to swap one type of cryptocurrency for another without a centralized platform ever facilitating the swap. Its lack of custody and regulatory practices often results in poor collection of the user-specific information that can help law enforcement identify the cybercriminals responsible for crypto hacks and their techniques.

The Lazarus Group has already successfully exploited this vulnerability as recently as May 2020, when it used DeFi platforms to launder a portion of the roughly $280 million worth of cryptocurrency stolen from a Singapore-based cryptocurrency exchange. Pyongyang will likely continue to exploit DeFi and other evolving financial technology that mostly remains outside mainstream regulation and U.S. law enforcement.

The ongoing COVID-19 pandemic has contributed to increased online activity and more digital transactions, which Pyongyang and other illicit actors will likely continue to exploit to their financial benefit. In response, the Biden administration has taken several steps to improve national cybersecurity strategy with its allies and partners, such as a virtual counter-ransomware initiative meeting with 30 countries, a bilateral partnership with Israel to combat ransomware, an agreement with South Korea to combat ransomware, and the creation of broad policy initiatives to disrupt ransomware networks. However, the international community has yet to create a comprehensive cybersecurity strategy to confront a state-sponsored hacking organization like the Lazarus Group, which will likely remain a major vulnerability for financial institutions into the new year.