North Korean leader Kim Jong-un vowed last night to ramp up his country's nuclear arsenal. Such weapons don't come cheap, especially for a state targeted by stringent sanctions and with a stagnating economy. So where does the money actually come from? Kim Jong-un appears to be using cyberspace – and stolen cryptocurrency – to pay for his expensive habit.
Pyongyang's global army of hackers are often labelled as technologically backward. The reality is rather different. Unfortunately for the country's victims in the West, Kim's cyber crooks are as sophisticated as they come. A UN report earlier this year concluded that the country has used stolen cryptocurrency to fund its weapons programmes. But this spotlight has done little to persuade the country to change its ways; in the months since, North Korea has simply doubled down on this lucrative approach.
The state has a dedicated clandestine cyberwarfare agency, the Cyber Warfare Guidance Unit, informally known as Bureau 121. Running nearly all of its internet through China, one of the North’s most notorious state-run hacking syndicates, known as the Lazarus Group, has increased the sophistication of its operations with time, netting nearly $2 billion (£1.5 billion) from its cryptocurrency endeavours. The group’s most recent assault targeted a cryptocurrency network, Ronin Bridge, which hosts an NFT-based video game – Axie Infinity – played by over eight million gamers worldwide. Setting its sights on players’ assets as they were transferred between blockchains, the group seized at least $620 million (£480 million) in Ethereum during the raid, which came to light last week.
The latest heist testifies to Pyongyang’s habit of extorting cash through new means. Over time, it has moved beyond targeting conventional financial institutions, such as banks, for cash to platforms involving blockchain and cryptocurrency. Despite the economic cataclysms of 2021, Pyongyang’s seven known cyberattacks that year – almost double the number in 2020 – wrested nearly $400 million (£310 million) in digital assets. A further $170 million (£130 million) in unlaundered cryptocurrency assets remains stored for a rainy day. Much like its missile systems, the North has diversified its cryptocurrency preferences, ranging from ERC-20 tokens and Ethereum to Bitcoin, although Bitcoin seems to be declining in popularity amongst North Korean hackers. But whatever the currency, the goal is clear: seize as much cash as possible to fund Kim's missile programme, wherever the targets may be located, and avoid detection.
Extending beyond its borders, Pyongyang’s cyberwarfare network involves middlemen in countries including China, India, and Russia, many of whom have not escaped international sanctioning. The US sanctioned two Chinese nationals in March 2020 for aiding Lazarus in laundering stolen cryptocurrency, amounting to over $90 million (£70 million), in a single attack two years earlier, in which the hackers accessed private virtual currency wallets. A further attack in September 2020 saw Lazarus steal hundreds of millions worth of cryptocurrency from the Hong Kong-based KuCoin exchange. North Korea’s revenues look only set to increase.
Why should we be surprised? The North has a history of money laundering. In 2005, it stored $24 million (£19 million) in the Macau-based bank, Banco Delta Asia, an institution accused of aiding the regime in money laundering and producing counterfeit dollars. The US subsequently ordered the bank to freeze the funds and enforced sanctions on the North, but returned the cash to Pyongyang’s coffers after the regime feigned steps towards denuclearisation. Still Pyongyang wanted more. Leaping at the opportunity of cyberspace, 2009's 'Operation Troy' saw the North disrupt between 20,000 and 50,000 governmental and financial websites in South Korea and the United States. Pyongyang’s more recent penetrations, however, amount to much more than mere disruption.
North Korea refuses to adapt politically and economically, yet the DPRK is rapidly acclimatising to the evolving domain of cyberspace. Pyongyang has learnt lessons from over a decade of cyberattacks to apply to its cryptocurrency forays. The Lazarus Group’s malware attack on South Korean bitcoin users in 2017, from which it gained at least $7 million (£5.5 million), involved the same malware as two infamous previous attacks. The global WannaCry ransomware attack of May 2017 afflicted over 300,000 computer systems worldwide, including 70,000 devices on the UK’s National Health Service. Three years earlier, the North targeted Sony Pictures for its release of the fictional comedy, 'The Interview', in which two US journalists meet and eventually kill Kim Jong-un. Self-identifying under the euphemistic banner, 'Guardians of Peace', Lazarus proceeded to leak compromising personal data of Sony employees and future film scripts, and threatened to terrorise cinemas that showed the movie. It was one of the North’s first revealed crypto-worm attacks; an omen for what was to come.
The international community has hit a sticky wicket as the North’s unconventional warfare arsenal and tactics expand. That the US Treasury Department recently sanctioned the Lazarus Group for March’s theft will not deter Kim, the master of sanctions evasion. Pyongyang will continue to leverage the anonymity that comes with cyberspace. Though many, including the elusive Park Jin Hyok – the alleged mastermind behind the Sony Pictures hack – have been placed on the FBI’s most wanted list, North Korean authorities simply deny their existence.
North Korea’s latest heist warns us that if it so chooses, the state can adapt with the times. A nuclear state in all but name, North Korea’s cyber adventures are only just beginning.