Crypto crash threatens North Korea’s stolen funds
Hermit Kingdom craves funds by fair means or foul as it ramps up weapons tests, writes Josh Smith
The nosedive in cryptocurrency markets has wiped out millions of dollars in funds stolen by North Korean hackers, digital investigators say, threatening a key source of funding for the sanctions-stricken country and its weapons programmes.
North Korea has poured resources into stealing cryptocurrencies in recent years, making it a potent hacking threat and leading to one of the largest cryptocurrency heists on record in March, in which almost US$615 million (21.9 billion baht) was stolen, according to the US Treasury.
The sudden plunge in crypto values, which started in May amid a broader economic slowdown, complicates Pyongyang’s ability to cash in on that and other heists, and may affect how it plans to fund its weapons programmes, two South Korean government sources said. The sources declined to be named because of the sensitivity of the matter.
It comes as North Korea tests a record number of missiles — which the Korea Institute for Defense Analyses in Seoul estimates have cost as much as $620 million so far this year — and prepares to resume nuclear testing amid an economic crisis.
Old, unlaundered North Korean crypto holdings monitored by the New York-based blockchain analytics firm Chainalysis, which include funds stolen in 49 hacks from 2017 to 2021, have decreased in value from $170 million to $65 million since the beginning of the year, the company said.
One of North Korea’s cryptocurrency caches from a 2021 heist, which had been worth tens of millions of dollars, has lost 80% to 85% of its value in the last few weeks and is now worth less than $10 million, said Nick Carlsen, an analyst with TRM Labs, another USbased blockchain analysis firm.
A person who answered the phone at the North Korean embassy in London said he could not comment on the crash because allegations of cryptocurrency hacking are “totally fake news”.
“We didn’t do anything,” said the person, who would only identify himself as an embassy diplomat. North Korea’s foreign ministry has called such allegations US propaganda.
North Korea is under widespread international sanctions over its nuclear programme, giving it limited access to global trade or other sources of income and making crypto heists attractive, the investigators say.
KEY TO NUCLEAR PROGRAMME
Although cryptocurrencies are estimated to be only a small portion of North Korea’s finances, Eric PentonVoak, a coordinator of the United Nations panel of experts that monitors sanctions, said at an event in April in Washington, DC, that cyberattacks have become “absolutely fundamental” to Pyongyang’s ability to evade sanctions and raise money for its nuclear and missile programmes.
In 2019, sanctions monitors reported that North Korea had generated an estimated $2 billion for its weapons of mass destruction programmes using cyberattacks.
One estimate from the Geneva-based International Campaign to Abolish Nuclear Weapons says North Korea spends about $640 million per year on its nuclear arsenal. The country’s gross domestic product was estimated in 2020 to be around $27.4 billion, according to South Korea’s central bank.
Official sources of revenue for Pyongyang are more limited than ever under self-imposed border lockdowns to combat Covid-19. China — its biggest commercial partner — said in 2021 that it had imported just over $58 million in goods from North Korea.
North Korea already only gets a fraction of what it steals because it must use brokers willing to convert or buy cryptocurrencies with no questions asked, said Aaron Arnold of the RUSI thinktank in London. A February report by the Center for a New American Security (CNAS) estimated that in some transactions, North Korea only gets one-third of the value of the currency it has stolen.
After obtaining cryptocurrency in a heist, North Korea sometimes converts it to Bitcoin, then finds brokers who will buy it at a discount in exchange for cash, which is often held outside the country.
CONVERTING TO CASH
According to Chainalysis, North Korea has turned to sophisticated ways of laundering stolen cryptocurrency, increasing its use of software tools that pool and scramble cryptocurrencies from thousands of electronic addresses — a designator for a digital storage location.
The contents of a given address are often publicly viewable, allowing firms such as Chainalysis or TRM to monitor any that investigations have linked to North Korea.
Attackers have tricked people into giving access or hacked around security to siphon digital funds out of internetconnected wallets into North Koreacontrolled addresses, Chainalysis said in a report this year.
The sheer size of recent hacks has strained North Korea’s capacity to convert cryptocurrency to cash as quickly as in the past, Mr Carlsen said. That means some funds have been stuck even as their value drops.
Bitcoin has lost about 54% of its value this year and smaller coins have also been hit hard, mirroring a slide in equities prices linked to investor concerns about rising interest rates and the growing likelihood of a global recession.
“Converting to cash remains a key requirement for North Korea if they want to use the stolen funds,” said Mr Carlsen, who investigated North Korea as an analyst at the FBI. “Most of the commodities or products the North Koreans want to buy are only traded in USD or other fiat, not cryptocurrencies.”
Pyongyang has other, larger sources of funding that it can rely on, Mr Arnold said. UN sanctions monitors have said as recently as December 2021 that North Korea continues to smuggle coal, usually to China, and other major exports banned under Security Council resolutions.
VOLATILE CURRENCIES
North Korean hackers sometimes appear to wait out rapid dips in the value or exchange rates before converting to cash, said Jason Bartlett, the author of the CNAS report.
“This sometimes backfires as there is little certainty in predicting when the value of a coin will rapidly increase and there are several cases of highly depreciated crypto funds just sitting in North Korea-linked wallets,” he said.
Sectrio, the cybersecurity division of Indian software firm Subex, said there are signs North Korea has begun ramping up attacks on conventional banks again rather than cryptocurrencies in recent months.
The firm’s banking sector-focused “honeypots” — decoy computer systems intended to attract cyberattacks — have seen an increase in “anomalous activities” since the crypto crash, as well as an increase in “phishing” emails, which try to fool recipients into giving away security information, Sectrio said in a report last week.
But Chainalysis said it had yet to see a major change in North Korea’s crypto behaviour, and few analysts expect North Korea to give up on digital currency heists.
“Pyongyang has added cryptocurrency into its sanctions evasion and money laundering calculus and this will likely remain a permanent target,” Mr Bartlett said.