Key Takeaways from the CNAS Report on North Korean Cyber Attacks

CNAS issues report on following cryptocurrency in North Korea cyberattacks

Last week, the Center for a New American Security (CNAS) published a paper titled “Following the Crypto: Using Blockchain Analysis to Assess the Strengths and Vulnerabilities of North Korean Hackers.” The report, produced in collaboration with TRM, focuses on the way North Korea attacks cryptocurrency businesses and launders the stolen funds. According to the report, “Since 2014, the Pyongyang-led cybercrime organization known as the Lazarus Group has transformed from a rogue team of hackers to a masterful army of cybercriminals and foreign affiliates, capable of compromising major national financial networks and stealing hundreds of millions of dollars’ worth of virtual assets.” We know that North Korea has taken to the digital battlefield and that cryptocurrency is the target. We know that North Korea engages in sophisticated hacking techniques and relies on social engineering to evade cybersecurity controls. But what can we learn from the report about the ways in which DPRK cybercriminals launder stolen funds?

Key Takeaways:

• North Korea cyber actors are attacking cryptocurrency businesses in order to fund weapons proliferation and other destabilizing activity.
• The goal of an attack, and the money laundering associated with it, is to turn the stolen cryptocurrency into usable fiat, often as quickly as possible.
• North Korean cybercriminals have grown more sophisticated at laundering stolen funds with each hack they perpetrate. They now commonly **use multiple mixing services and other obfuscation techniques, yet they still make mistakes that can be capitalized upon by law enforcement.

North Korea is increasingly targeting and attacking crypto businesses

North Korean cybercriminals are actively engaging in cyberattacks on cryptocurrency businesses with unprecedented speed and scale. In fact, as discussed in **a recent TRM blog post, the infamous Lazarus Group has been executing on a sophisticated strategy to target small and mid-sized cryptocurrency businesses in a campaign called “SnatchCrypto.” According to a report by cybersecurity firm Kaspersky, North Korean operators are stalking and studying successful cryptocurrency startups to carry out these attacks.

The attacks against crypto exchanges and other businesses are not new. According to Nick Carlsen, a former FBI expert on North Korea and now part of TRM’s Global Investigations team, “North Korea is, in most respects, cut off from the global financial system by a long sanctions campaign by the U.S. and foreign partners. As a result, they have taken to the digital battlefield to steal crypto. These campaigns are essentially bank robbery at the speed of the internet, and have been used to fund weapons programs, nuclear proliferation and other destabilizing activities.”

The economic incentives for North Korea to ignore international norms and continue these thefts are powerful. In recent years, these heists have earned hundreds of millions of dollars of, essentially, pure profit. This revenue represents an enormous share of North Korea’s overall hard currency earnings, especially in its post-COVID period of heightened trade isolation. These operations often take months to play out, with hackers carefully observing a target’s activities and waiting till the opportune moment to strike.

Unlike their counterparts in other parts of the world, North Korean hackers face no real threat of arrest or extradition and are able to take risks that would be unimaginable for others. For example, while we see them use mixing services, non-compliant exchanges, and other on-chain obfuscation techniques, often times Lazarus will simply move funds in the open as quickly as possible. The key for North Korean crypto thieves is obfuscation good enough only to allow them to convert the crypto to fiat fast enough and securely enough to avoid interdictions by exchanges or law enforcement.  So how can a compliant cryptocurrency exchange thwart this threat? If the exchange, through its blockchain intelligence tool, labels an address as controlled by a hacker, the exchange can screen and reject transactions from that address. In a fast-moving scenario like a cyberattack there is often data sharing between investigators at exchanges to black-list addresses linked to hackers in close to real-time.

DPRK cybercriminals optimize for speed over obfuscation

In an April 2018 hack of Gate.io — a case in which the U.S. Department of Justice (DOJ) indicted and filed a civil forfeiture action against DPRK cybercriminals - North Korean hackers stole nearly $230 million worth of crypto assets. In this specific hack, North Korean actors programmed “automated scripts to rapidly launder and reconsolidate stolen funds into exchanges before transferring them into Lazarus-affiliated wallets,” which was evident due to the large number of simultaneous transactions. While we saw automation and other obfuscation techniques such as peeling chains — a series of smaller transactions of dispersion followed by consolidation in order to obfuscate larger transactions — the real key to this operation was to off ramp the cryptocurrency to fiat currency as quickly as possible, even at the expense of potential future attribution to the hack.

The key for Lazarus is, as has been repeatedly demonstrated, to turn the funds quickly into fiat, which can be used to fund the regime and its destabilizing activities. Lazarus seems to only ever employ as much obfuscation as is necessary to accomplish that goal. In the KuCoin hack, arguably the most sophisticated of the three hacks studied in this report, ”the North Korean hackers elected not to use the more anonymity-preserving features of Tornado Cash, which would have required a transaction fee, likely because they sought to maintain the highest amount of stolen Ethereum for eventual liquidation.”

North Korean cybercriminals have become more sophisticated over time

Since the 2018 attack, North Korean cybercriminals have become more sophisticated in on-chain laundering. These improvements occurred in tandem with the increasing sophistication of US investigators and blockchain analytics - and were likely driven by them. In the 2019 DragonEx hack, Lazarus “funneled stolen crypto assets through mixing services, which suggests increased knowledge of the cryptocurrency environment and its tools.” While Lazarus expended substantial effort to anonymize the BTC stolen in the DragonEx hack, other assets, including Ethereum and TRON, were laundered only to a minimal extent.

This trend continued with the 2020 KuCoin hack, which resulted in the theft of $280 million worth of various cryptocurrencies. According to the report, “The laundering of KuCoin’s stolen assets diverged sharply from prior Lazarus operations. Instead of partially haphazard obfuscation efforts during past intrusions, this time North Korean hackers showed more rigor through employing several advanced techniques to try to comprehensively obscure their activity.” Specifically, the report explains that Lazarus Group used three mixing services — including Tornado Cash — to wash the stolen funds and engaged with decentralized finance (DeFi) protocols in order to obfuscate the flow of funds on chain.

Even trained North Korean cybercriminals slip-up - and that’s okay (for them)

While each of the attacks succeeded in stealing cryptocurrency, mistakes were made that could be instructive for law enforcement and cryptocurrency businesses and it is clear that DPRK actors are relatively more advanced in hacking than in laundering funds. TRM’s blockchain intelligence also indicated that DPRK actors were willing to cash out non-BTC and non-ETH assets without fully anonymizing their transactions, eschewing mixing services and using only simple methods to attempt to liquidate funds. Even in the more sophisticated KuCoin hack, DPRK actors elected not to use certain anonymizing features of Tornado Cash and, as a result, “investigators were able to link the post-Tornado withdrawals together and, given the size of the KuCoin theft, ultimately connect them to the original hack.”

Conclusion

The CNAS report is significant in that it provides analysis of the hacks but also leverages TRM to track and trace the flow of funds in order to provide color, not only on the fact that North Korean actors launder funds, but how they do so through a web of increasingly sophisticated on-chain money laundering techniques. Still, the goal is simple - to move the stolen funds from the hacked exchange to usable fiat as quickly as possible. As long as DPRK cybercriminals, and the regime which controls them, face no real consequences for these heists, we will continue to see them proliferate. However, the nature of the blockchain allows investigators to track and trace the flow of funds resulting in a race to the off ramps. As DPRK cybercriminals become more sophisticated so do the next generation blockchain intelligence tools and the investigators that use them.

‍