TRM Talks recap: the North Korea threat
Last month TRM’s Global Head of Policy Ari Redbord was joined by Dr. Jung H. Pak, Deputy Assistant Secretary for Multilateral Affairs and Deputy Special Representative for the DPRK at the US Department of State, Dr. John Park, Director of the Korea Project and adjunct lecturer in Public Policy at the Harvard Kennedy School’s Belfer Center, and former FBI analyst and North Korean expert Nick Carlsen of TRM’s Global Investigations team, to discuss the evolving North Korean threat and how to mitigate it.
We rounded up our key takeaways from the discussion.
Attacks on the crypto ecosystem are the latest “frontier” in North Korea's illicit revenue-generation activities
In recent years, there has been a marked rise in the size and scale of cyber attacks against cryptocurrency-related businesses by North Korea. This has coincided with an apparent acceleration in the country’s nuclear and ballistic missile programs. In addition, there has been a pivot away from North Korea’s traditional revenue-generating activities, indicating that the regime is increasingly turning to cyber attacks to fund its weapons proliferation activity.
Another nascent revenue channel for North Korea is its use of freelance IT workers abroad. Hired by foreign organizations - using fraudulent identification documents - these workers make significant earnings and gain systems access in order to steal funds and engage in further criminality.
North Korea’s coal trade with China previously provided a “sustainable and growing revenue stream for the regime” after the late 2000s, explained Dr. Park. Yet a shift occurred after 2016 as tougher international sanctions began to bite, giving the regime less room to maneuver. With the arrival of Covid-19 and the associated border closures in 2020, North Korea’s traditional income streams further dried up, prompting the regime to seek alternatives.
Deriving income via crypto theft has obvious appeal for North Korea, according to Mr. Carlsen: as that activity yields higher profit margins than mining and trading coal. With potential targets throughout the world, the regime also has an opportunity to reduce its (still overwhelming) reliance on China.
This shift is reflected in the types of North Korean criminality being tracked by US law enforcement. Traditional trade-based money laundering schemes were previously “the beating heart and soul of the North Korean financial system,” according to Mr. Carlsen. However, investigators are increasingly probing laundering activity linked to cyber attacks and cryptocurrency theft.
North Korean cybercriminals are a small, brazen group unhindered by threat of arrest or extradition
Despite the global scale of the problem, Mr. Carlsen observed that the criminal pool in North Korea itself is strikingly small, with only a “couple of thousand people that are really worth tracking and knowing.” “Working on these investigations, I’m struck by how tight this all still is,” he explained.
Mr. Carlsen referenced a recent case from April 2023, when the US Treasury’s Office of Foreign Assets Control (OFAC) sanctioned a North Korean bank representative for the Korea Kwangson Banking Corp. The bank had featured at the center of more traditional trade-based money laundering cases from a decade ago. In essence, while the regime’s methods have evolved, the actors behind the illicit activity have remained the same.
Yet unlike their jet-setting international peers, North Korean criminals almost always remain in-country, giving them less reason to fear arrest or extradition. Effectively immune to external pressure, they are less concerned about protecting their anonymity and more brazen in their criminality. Instead, their priority is speed - rushing toward off ramps and converting stolen funds to more usable fiat currencies as quickly as possible.
According to Mr. Carlsen, this reflects a larger problem – North Korea currently lacks an incentive to scale back its malicious activity. Instead, the attacks are a growing revenue-spinner with infinite possibilities, particularly as the crypto-economy grows and cyber controls are weak or nascent.
International cooperation is key to mitigating the DPRK threat
All panelists agreed on the global nature of the threat. North Korean attacks – like crypto itself – are borderless and touch economic and national security issues on a global scale.
Dr. Pak cited recent examples of successful interagency and cross-border collaboration in this space. These include the June 2023 publication – by the US National Security Agency, other US government agencies and their South Korean counterparts – of a cybersecurity alert on North Korea’s use of social engineering and malware to target think tanks, academia and news media. She also cited the sanctioning, by OFAC and South Korea’s Ministry of Foreign Affairs, of four North Korean entities and one individual involved in revenue-generation and malicious cyber activities for the North Korean regime, in May 2023.
However, Dr. Pak observed that, “we are as strong as our weakest communities,” describing China and Russia – where much of the illicit North Korea-related activity is taking place – as “the two elephants in the room.” Despite diplomatic efforts to engage these countries, both can and should do more to counter sanctions-busting by North Korea. Without this missing piece of the jigsaw, the regime effectively views both countries as safe havens for illicit activity.
Public-private collaboration is essential to add friction to DPRK money-laundering
The panelists also agreed on the importance of public-private partnerships. Efforts to counter North Korean attacks have suffered from what Dr. Park described as the desire of many in the crypto space – from gaming platforms to venture capital – to place the user experience ahead of cybersecurity making it easier for North Korea to exploit vulnerabilities. He noted that while public authorities are attempting to add more friction – via cybersecurity defenses and anti-money laundering regulations – it is still early and cybersecurity and AML are often deprioritized in certain sectors in favor of user experience.
“They know what they’re doing is a trade-off,” Dr. Park said, highlighting the $625 million hack of the Ronin bridge in 2022 as one example.
There are ways to counter the North Korea threat
Agreeing that there is no final destination in sight when it comes to countering North Korean cybercrime, the panelists identified several key strategic priorities for government agencies, national governments and international organizations:
- Track the ever-evolving activities, techniques and innovations of malicious actors to enhance understanding of their modus operandi and likely future targets, in order to identify effective means of disruption.
- Enhance regulations and create commercial incentives to harden cyber defenses to reduce opportunities for cyber-theft and money laundering.
- Raise awareness among industry players and the wider public of how North Korean criminals operate, and encourage them to report attacks. Spear phishing remains a hallmark and all-too-common entry point for North Korean malware, while intelligence suggests that the pool of potential targets for criminals is almost limitless.
- Identify ways to break the current geopolitical dynamic, in order to close down “safe havens” for North Korean criminals abroad and incentivize the regime to walk away from the cyber and crypto sphere as a revenue-generating industry.
These strategies have one thing in common: Their success depends on close collaboration and cross-border information-sharing between governments and across the public and private spheres.
Access our coverage of TRON, Solana and 23 other blockchains
Fill out the form to speak with our team about investigative professional services.