North Korea’s economic output consists mainly of manufacturing, construction, agriculture, and a thriving black market. The economy has not significantly changed in the past few decades – except for North Korea’s growing cryptocurrency operations, which have substantially lifted the recently battered economy. North Korea has conducted cryptocurrency mining and heists to make up for the COVID-19 pandemic-related economic deceleration and, more alarmingly, to support its nuclear and missile programs. Countering North Korea’s cryptocurrency operations is critical to limit the advancement of North Korea’s advanced weaponry and restore confidence in the financial system.
Recent attacks on crypto infrastructure provide clues to North Korea’s capabilities. The most successful strategy has been to hack security weaknesses in large, multiuser platforms. In March 2022, North Korean hackers breached Axie Infinity, a popular gaming platform where players can create non-fungible tokens (NFTs) of digital pets known as Axies. Axie Infinity is built on the Ronin Network, a Ethereum-based chain, and players can create or purchase NFTs using various cryptocurrencies. The North Koreans were able to penetrate Sky Mavis, the creator of Axie Infinity, and take control of the majority of the validator nodes. Hackers found a loophole to replicate private keys to dupe the nodes into approving the withdrawal of millions of dollars’ worth of Ethereum and U.S. dollar denominated coins. Once the funds left Axie Infinity, they moved to a crypto exchange, making it tougher to trace the ultimate recipient of the funds. From there, the stolen money moved to various other wallets and exchanges. Axie Infinity reported it lost approximately $625M of its customers’ money, the largest ever crypto heist in history.
The hack on Sky Mavis came through a social engineering tactic, which generally involves implanting malware within a company’s servers through employees or partners. In an attempted hack in August 2020 on defense, aerospace, and industrial companies, the North Koreans targeted company employees to download trojanized malware on their work laptops. The malware was hidden behind benign messages enticing employees with “Dream Jobs” and requesting them to download job descriptions, or other applications, to learn more about the job opportunities. Other ploys include advertising analytics tools to better manage cryptocurrency portfolios, which when downloaded execute a malicious payload. The downloaded malware can then be used to create fraudulent crypto transactions.
The other strategy is to mine cryptocurrencies. One report suggests that North Korea started to mine crypto as early as July 2017. Some speculate that mining might be focused on cryptocurrencies that have upgraded privacy settings, which are harder to track via the public blockchain.
A U.N. report in August 2019 concluded that North Korea generated approximately $2 billion in the crypto heists and other cyberattacks against corporations and institutions such as Sony and the Bangladesh Bank (that report was conducted prior to the Axie Infinity hack and before cryptocurrency prices skyrocketed in 2020). To put that into the context of North Korea’s annual economic output, estimates from the World Bank and the Bank of Korea put North Korea’s GDP between $18 billion and $27 billion. Due to the effectiveness and lucrative nature of crypto operations, North Koreas has ramped up operations significantly in the past few years and shows no intent of slowing down.
The funds support North Korea’s nuclear and missile ambitions and are also used to make illicit payments in exchange for goods or information. In fact, on April 28, Seoul announced that a South Korean army captain and a businessman had been arrested on charges of espionage for North Korea. The Associated Press reported that the men allegedly passed login credentials to the command system and military secrets, and possibly even collaborated together. The suspects were paid in cryptocurrency, and the businessman first made contact with his North Korean handler in an online cryptocurrency community.
To respond to North Korea’s growing exploitation of cryptocurrencies, the United States must take steps to improve the safety and security of the financial system. First, cryptocurrency transaction compliance must be formalized and enforced. Just as banks have implemented “Know Your Client” (KYC) rules with robust identity and fraud checks, companies dealing with cryptocurrency payments must have robust audit trails to know who is moving money in order to verify that no blacklisted entities have access to their platforms. Companies also need to track the recipients of crypto payments. The financial industry is behind on complying with various recommendations.
Second, companies must geolocate consumers and IP addresses to ensure that banned jurisdictions do not send or receive payments. This may create privacy complications and the financial industry will need to obfuscate users’ precise geolocation data. Last, the Justice Department must step up enforcement of the current regulations and track down entities or individuals who steal cryptocurrency. A recent arrest of two individuals who allegedly stole $4.5 billion in cryptocurrency from Bitfinex in 2016 is one example of deterring theft of cryptocurrency and could stem North Korea’s illicit crypto activity. All these actions need to be taken in conjunction with the existing practice to ban newly North Korean linked wallets that have perpetrated any cryptocurrency theft.