How North Korea’s Cryptocurrency Theft Supports Foreign Policy Goals – Georgetown Journal

Introduction

North Korea’s launch of yet another intercontinental ballistic missile (ICBM) in February of 2023 displays unprecedented advancements in technological capability, defying expectations for a country under strong United Nations (UN) sanctions. North Korea has developed such capabilities in part by stealing billions in cryptocurrency. In 2022, North Korea executed more cryptocurrency theft and digital asset acquisition than ever before. North Korea’s targeted theft of cryptocurrency contributes to its foreign policy goal of ballistic missile proliferation, which would likely otherwise remain unattainable without comprehensive political and economic reform. The United States should deter North Korea by organizing a coalition and supporting the cyber defense capabilities of the states that are often targeted by North Korea’s cyberattacks.

The Development of North Korea’s Cyber Capability

Conventional assessments of North Korea often depict it as technologically underdeveloped and despotic, but such portrayals may oversimplify reality. The North Korean regime, compelled by a need for hard currency, began to develop modern cyber capabilities in the mid-1990s. Realizing the potential within the cyber realm to obtain intelligence from enemies and secure fiat currency to support its weapons programs, Kim Jong-il initiated cyber training at prestigious universities in Pyongyang. After finishing university, the trainees were sent overseas to earn money for the North Korean government. These trainees were tasked with pirating software and selling it to Chinese or South Korean customers. 90 percent of this was siphoned off to the Kim Jong-il regime.

North Korean cyber capability transformed in 2009 with the establishment of the Reconnaissance General Bureau (RGB). The RGB is the North Korean government’s primary foreign intelligence agency and consolidates various government intelligence groups into a single intelligence agency. Entrusted with cyber intelligence collection and clandestine operations, the RGB has played a key role in orchestrating cyberattacks. Since 2009, the RGB has established multiple hacking groups, the most well-known being the Lazarus Group. Other groups include Andariel, BlueNoroff, ScarCruft, and Kimsuky. Talented cyber actors in these groups have illicitly acquired cryptocurrency through ransomware attacks, website breaches, and infiltrations into cryptocurrency exchanges. These funds are then funneled to the North Korean government and spent on weapons.

North Korea illicitly acquires cryptocurrency by hacking into cryptocurrency exchanges and pilfering cryptocurrency and other digital assets. Cryptocurrency exchanges serve as platforms for digital currencies with minimal oversight. The pinnacle of North Korea’s illicit cryptocurrency acquisition unfolded in 2022. A leaked UN report estimated that North Korea-linked cyber actors stole USD 630 million in digital assets that year. However, independent cybersecurity experts from Chainalysis found that North Korea-linked cybercriminals, most notably those associated with the Lazarus Group, had stolen an estimated USD 1.7 billion in 2022.

Also in 2022, North Korean hackers breached Harmony, a blockchain that facilitates the exchange of tokens, stablecoins (a cryptocurrency that is pegged to a reference asset such as USD), and non-fungible tokens (NFTs). This breach resulted in the theft of a staggering USD 100 million worth of cryptocurrency. The hackers used Uniswap, a decentralized exchange that enables direct peer-to-peer cryptocurrency transactions, to convert Ethereum-based assets into 85,837 Ether (ETH). Subsequently, this ETH underwent a process known as “Tornado,” a cryptocurrency mixer service often used to obscure the origin and ownership of funds and launder the proceeds of a crime.

Cybersecurity firm Elliptic linked the attack to the Lazarus Group, noting that the methods employed to hack and launder the stolen funds bore the distinctive signature of the group. Early in 2023, the US Federal Bureau of Investigation released a detailed report confirming the involvement of the Lazarus Group in the theft of USD 100 million worth of Ether from Harmony’s Horizon Bridge, corroborating Harmony’s initial report made on June 24, 2022.

Cryptocurrency Theft to Achieve Foreign Policy Goals

North Korea, as highlighted by Kim Jong-un in his 2023 New Year’s Address, has a paramount policy objective: increase nuclear weapons production and develop new solid-fueled ICBMs as delivery systems. However, acquiring the fiat currency necessary to facilitate this pursuit has been difficult. Since 2006, North Korea has been subject to UN sanctions. Such sanctions have caused macroeconomic issues for North Korea. According to the Heritage Foundation, North Korea’s foreign direct investment (FDI) inflow in 2022 was a mere USD10 million, while its GDP (at purchasing power parity) witnessed a concerning -1.9 percent compound growth over the past five years. South Korea’s Bank of Korea reported a 0.1 percent contraction in North Korea’s GDP in 2021.

Given such economic challenges, North Korea used the illicit acquisition of cryptocurrency to bolster weapons production. Illicit digital asset acquisition provided USD 3 billion between 2017 and 2023  to North Korea’s economy according to the United Nations Panel of Experts, particularly when compared to its foreign direct investment (FDI) inflows. Thus, it becomes increasingly evident that North Korea has in part funded its advanced weapons systems through stolen cryptocurrency.

North Korea has stated that one of its main policy goals is to further develop weapons, both nuclear and conventional to guarantee the safety of the state. The Pyongyang regime remains under a strong sanctions regime, but cryptocurrency theft offers one way to pay for the development of these weapons. Consequently, it remains likely that North Korean cryptocurrency theft will proliferate moving forward.

Deterring North Korea

Stolen cryptocurrency has become a critical revenue stream for North Korea. However, its unique properties as a financial asset that operates independently of government control in many jurisdictions make it difficult to track. In addition, the absence of a central international regulatory body for cryptocurrencies has left vulnerabilities within the cyber asset sector, which cybercriminals exploit for financial gain.

Attempts to deter North Korean cyberattacks commenced in 2017 when the United States publicly attributed the WannaCry 2.0 Ransomware attack to North Korea. In 2018, the US Department of Justice held North Korea responsible for a series of additional cyberattacks, including the 2014 cyberattack on Sony Pictures and the 2016 central bank cyber theft in Bangladesh. By naming actors, the United States and its allies hoped to deter North Korean cyber criminals. However, merely identifying the actors involved did not effectively deter cybercrime.

In 2022, the Federal Bureau of Investigations and the US Treasury Department took a more concerted approach to hinder North Korea’s illicit activities. On April 14, 2022, the US Treasury Department added three Ethereum wallets used by the Lazarus Group, including a wallet used in the Sky Mavis heist, to its list of sanctioned financial assets. In August 2022, the US Treasury sanctioned the virtual cryptocurrency mixer Tornado Cash, which had participated in the Horizon Bridge attack and had laundered over USD 455 million stolen by North Korean actors since 2019. Blender.io, another cryptocurrency mixer, was also sanctioned after helping the Lazarus Group launder USD 20.5 million from the Sky Mavis attack. Unfortunately, imposing targeted financial sanctions has a limited impact, as malicious North Korean actors do not have their assets in the United States or an ally country, as they are virtual assets. Thus, sanctions likely have no immediate financial consequences for the specific violator or hacking groups writ large.

North Korea predominantly targets businesses in the Asia-Pacific region, where most countries have limited cybersecurity infrastructure and inadequate legislative resources to respond effectively. Efforts to counter North Korea often depend on US involvement, preventing effective regional countermeasures. Even South Korea, a technologically advanced country, has struggled to counter North Korean cyberattacks (as the United Nations Panel of Experts explained) despite introducing and passing legislation to regulate cryptocurrency exchanges. Consequently, a more agile and robust approach to deterring North Korea is imperative.

The United States should collaborate with other nations to bolster cybersecurity capabilities in countries that lack them. This would require the establishment of multilateral agreements to develop global standards to combat North Korea’s cyber threats. For example, the United States could form a joint response coalition that can promptly respond to cyber intrusions in any of the states that are members. It could also include training to ensure that standards are shared across countries.

Conclusion

The illicit acquisition of cryptocurrency allows North Korea to mitigate the adverse impacts of sanctions and bankroll its ambitions in nuclear weapons and ballistic missile weapons programs. With relatively low risks associated with targeting cryptocurrency exchanges, North Korean cyber threat actors will likely continue these activities moving forward.

Hindering North Korea’s cyber-financing endeavors requires a concerted, coordinated effort involving multiple countries. Such a collaborative response should encompass smaller Asia-Pacific states, many of which may grapple with limited infrastructure and require assistance to bolster their cybersecurity capabilities. This would be a long-term endeavor, particularly in jurisdictions where maintaining a well-equipped and well-trained cyber force demands substantial investments. Many of North Korea’s cyberattacks occur in Southeast Asia or South Asia, where cyber defenses remain relatively weak. However, multi-lateral cooperation would be a critical step toward stemming the financial gains that fuel North Korea’s strategic ambitions in the cyber realm.

…

Dylan Stent is a Ph.D. candidate at Victoria University of Wellington. His doctoral study analyses South Korea’s unification policy from the founding of the country until the end of Lee Myung-bak’s presidency in 2013, arguing that policy has shown greater coherence over time than conventional wisdom suggests. Dylan has published articles on a range of South and North Korean topics ranging from North Korean cyber threats, South Korean domestic politics, and South Korea’s unification policies. He can be reached at [email protected].

Image Credit: Wikimedia Commons