Money laundering with cryptocurrency
The United States accuses North Korean hackers of stealing cryptocurrencies worth more than 600 million US dollars in connection with the online game "Axie Infinity" alone. To do so, they used a blockchain network that allows users to transfer cryptocurrency in and out of the game.
The online magazine Ars Technica explains: "Stolen funds are 'laundered' by funnelling them through a series of decentralised exchanges and so-called 'crypto-mixers'. Crypto-mixers are software tools that can mix the crypto holdings of different users and thus disguise their origin." To avoid large, bundled deposits triggering alerts at crypto exchanges, the criminals use a so-called "peel chain". Put simply, this is a long chain of addresses from which a small amount of digital currency is peeled off with each transfer, while the bulk is forwarded to the next address. According to a 2020 indictment by the US Treasury Department, two Chinese nationals acting on behalf of North Korean hackers successfully transferred $67 million worth of bitcoin using this method in 146 separate transactions. Cryptocurrencies thus also offer a new avenue for money laundering.
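To make the peel-chain pattern concrete from the defender's side, here is an added example that is not from the article or from any of the sources it cites. It traces a chain of transactions in a deliberately simplified model (each address is spent by at most one transaction, and the largest output of a transaction is taken as the continuation of the chain) and flags a chain when many consecutive hops each peel off only a small fraction of the funds. All addresses, transaction IDs, amounts and thresholds are constructed for illustration; real analytics tooling works on full UTXO graphs and uses far richer heuristics.

```python
"""Peel-chain heuristic over a constructed set of transactions.

Toy model (assumption, not a real blockchain format):
  * a transaction has one sending address and a list of (address, amount) outputs,
  * amounts are integers in the smallest unit (e.g. satoshi-style),
  * each address is spent by at most one transaction,
  * the largest output of a transaction carries the chain on ("change");
    every other output is a "peel" sent to a side address (e.g. an exchange deposit).
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Tx:
    txid: str
    sender: str
    outputs: List[Tuple[str, int]]  # (address, amount)


@dataclass
class Hop:
    txid: str
    peeled: int       # total sent to side addresses in this hop
    forwarded: int    # amount carried on to the next chain address
    next_addr: str    # the address the chain continues from


def trace_peel_chain(txs: List[Tx], start_addr: str, max_hops: int = 10_000) -> List[Hop]:
    """Follow the largest-output path from start_addr until it is no longer spent."""
    by_sender: Dict[str, Tx] = {}
    for t in txs:
        by_sender.setdefault(t.sender, t)  # toy model: one spend per address

    hops: List[Hop] = []
    seen = set()
    addr = start_addr
    while addr in by_sender and addr not in seen and len(hops) < max_hops:
        seen.add(addr)  # guard against cycles in malformed input
        tx = by_sender[addr]
        if not tx.outputs:
            break
        cont_idx = max(range(len(tx.outputs)), key=lambda i: tx.outputs[i][1])
        cont_addr, cont_amt = tx.outputs[cont_idx]
        peeled = sum(amt for i, (_, amt) in enumerate(tx.outputs) if i != cont_idx)
        hops.append(Hop(tx.txid, peeled, cont_amt, cont_addr))
        addr = cont_addr
    return hops


def is_peel_chain(hops: List[Hop], min_hops: int = 3, max_peel_ratio: float = 0.10) -> bool:
    """True when the chain is long and every hop peels off only a small share."""
    if len(hops) < min_hops:
        return False
    for h in hops:
        total = h.peeled + h.forwarded
        if total == 0 or h.peeled == 0 or h.peeled / total > max_peel_ratio:
            return False
    return True


# Constructed sample data: one peel chain starting at addrA0, one ordinary even split at addrB0.
SAMPLE_TXS = [
    Tx("tx1", "addrA0", [("depositX1", 1_000), ("addrA1", 99_000)]),
    Tx("tx2", "addrA1", [("depositX2", 1_500), ("addrA2", 97_500)]),
    Tx("tx3", "addrA2", [("depositX3", 800), ("addrA3", 96_700)]),
    Tx("tx4", "addrA3", [("depositX4", 1_200), ("addrA4", 95_500)]),
    Tx("tx5", "addrB0", [("addrC1", 50_000), ("addrC2", 50_000)]),
]


def report(txs: List[Tx], start_addr: str) -> str:
    """Human-readable summary for an analyst."""
    hops = trace_peel_chain(txs, start_addr)
    verdict = "PEEL CHAIN" if is_peel_chain(hops) else "no peel-chain pattern"
    lines = [f"{start_addr}: {len(hops)} hop(s), {sum(h.peeled for h in hops)} peeled -> {verdict}"]
    for h in hops:
        lines.append(f"  {h.txid}: peeled {h.peeled}, forwarded {h.forwarded} to {h.next_addr}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_TXS, "addrA0"))
    print(report(SAMPLE_TXS, "addrB0"))
```

The thresholds (`min_hops`, `max_peel_ratio`) are the tuning knobs: a lower ratio catches chains that peel tiny slices, a higher hop count reduces false positives from ordinary change handling. The cycle guard and the `max_hops` cap matter because the largest-output assumption can loop on adversarial or malformed data.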
According to a South Korea-based cybersecurity expert, the Axie Infinity hack shows how North Korean hackers can now "exploit new vulnerabilities in the latest blockchain technologies almost as quickly as they emerge".
Old acquaintances
Most cyberattacks are carried out by groups controlled by North Korea's main intelligence agency, the Reconnaissance General Bureau (RGB). These groups include teams such as the Lazarus Group, Kimsuky, APT38 and Andariel. The so-called Unit 180, for example, is responsible for "conducting cyber operations to steal foreign funds outside North Korea". The elite cyber unit is the grouping known as Office 121, whose members are among the highest paid in the country. The core team is said to consist of over 1800 people. Which individuals belong to which group, and how many people are involved, is kept strictly secret. According to analyses by a Harvard scientist in the US magazine The New Yorker, a significant number of the individuals operate outside North Korea, more precisely from other Asian countries. The actors generally use virtual private networks (VPNs) to access the internet from outside the country and thus disguise their location. North Korean hackers never attack facilities in China or Russia.
The UN report also highlights that the groups spread malware through various methods, including phishing. One of these campaigns targeted employees of organisations and financial institutions in various countries. "Initial contact with individuals was made via LinkedIn, and once a relationship of trust was established with the targeted individuals, malicious content was transmitted in communications that continued via WhatsApp," the UN report says, according to press reports.
The aforementioned Harvard University cybersecurity researcher believes that North Korean cybercriminals have now reached a faster operational tempo: they routinely carry out attacks on smaller financial institutions with little effort.
Author: Uwe Sievers