Why are North Korean hackers such good crypto-thieves?

Mint

3 days ago

FEBRUARY 21st was a typical day, recalls Ben Zhou, the boss of ByBit, a Dubai-based cryptocurrency exchange. Before going to bed, he approved a fund transfer between the firm's accounts, a 'typical manoeuvre" performed while servicing more than 60m users around the world. Half an hour later he got a phone call. 'Ben, there's an issue," his chief financial officer said, voice shaking. 'We might be hacked…all of the Ethereum is gone."
Independent investigators and America's Federal Bureau of Investigations (FBI) soon pointed the finger at a familiar culprit: North Korea. Hackers from the hermit kingdom have established themselves as one of the biggest threats to the crypto-industry—and as a crucial source of revenue for Kim Jong Un's regime, helping it to weather international sanctions, to pamper its elites and to fund its missile and nuclear-weapons programmes.
In 2023 North Korean hackers made away with a total of $661m, according to Chainalysis, a crypto-investigations firm; they doubled the sum in 2024, racking up $1.34bn across 47 separate heists, an amount equivalent to more than 60% of the global total of stolen crypto. The ByBit operation indicates a growing degree of skill and ambition: in a single hack, North Korea swiped the equivalent of $1.5bn from the exchange, the largest-ever heist in the history of cryptocurrency.
North Korea's plunder is the payoff from a decades-long effort. The country's first computer-science schools date back to at least the 1980s. The Gulf War helped the regime recognise the importance of networked technology for modern warfare. Talented maths students were put into special schools and given reprieves from mandatory annual countryside labour, says Thae Yong Ho, a senior North Korean diplomat who defected in 2016. Originally envisaged as a tool for espionage and sabotage, North Korea's cyber-forces began to focus on cybercrime in the mid-2010s. Mr Kim is said to call cyberwarfare 'an all-purpose sword".
Stealing crypto involves two main phases. The first is breaching a target's systems—the digital equivalent of finding an underground passageway to a bank's vaults. Phishing emails can insert malicious code. North Korean operatives pose as recruiters and entice software developers to open infected files during fake job interviews. Another approach involves using fake identities to get hired at remote IT jobs with foreign companies, which can be a first step to accessing accounts. 'They've become really good at finding vulnerabilities through social engineering," says Andrew Fierman of Chainalysis. In the ByBit case, hackers compromised the computer of a developer working for a provider of digital wallet software.
Once stolen, the cryptocurrency has to be laundered. Dirty money is spread across multiple digital wallets, combined with clean funds and transferred between different cryptocurrencies, processes known in the industry as 'mixing" and 'chain hopping". 'They're the most sophisticated crypto launderers we've ever come across," says Tom Robinson of Elliptic, a blockchain-analytics firm. Finally, the stolen funds need to be cashed out.
A growing array of underground services, many linked to Chinese organised crime, can help with this. Fees and interdictions by law enforcement reduce the overall take, but North Korea can expect to receive 'definitely 80%, maybe 90%" of the funds it steals, says Nick Carlsen, a former FBI analyst now with TRM Labs, a blockchain-intelligence firm.
North Korea has several strengths. One is talent. This could appear counterintuitive: the country is desperately poor and ordinary citizens have severely restricted access to the internet or even computers. But 'North Korea can take the best minds and tell them what to do," says Kim Seung-joo of the school of cybersecurity at Korea University in Seoul. 'They don't have to worry about them going to work at Samsung." At the International Collegiate Programming Contest in 2019, a team from a North Korean university came eighth, beating those from Cambridge, Harvard, Oxford and Stanford.
Those talents are also exploited. North Korean hackers work around the clock. They are unusually brazen when they strike. Most state actors seek to avoid diplomatic blowback and 'operate like they're in Ocean's 11: white gloves, get in without anyone noticing, steal the crown jewel, get out without being noticed," says Jenny Jun of the Georgia Institute of Technology. North Korea does not 'place a premium on secrecy—they're not afraid to be loud."
For the North Korean regime, stolen crypto has become a lifeline, especially as international sanctions and the covid-19 pandemic crimped their already limited trade. Crypto-thievery is a more efficient way to earn hard currency than traditional sources, such as overseas labourers or illegal drugs. The United Nations Panel of Experts (UNPE), a monitoring body, reported in 2023 that cyber-theft accounted for half of North Korea's foreign-currency revenue. North Korea's digital plunder last year was worth more than three times the value of its exports to China, its main trade partner. 'You take what took millions of labourers, and you can replicate that with the work of a few dozen people," says Mr Carlsen.
Those funds prop up the regime. Hard currency is used to purchase luxury goods to keep elites in line. It also probably funds weapons. The majority of North Korea's stolen crypto is thought to flow into its missile and nuclear-weapons programmes.
Cryptocurrency investigators are getting better at tracking stolen funds along the blockchain. Mainstream cryptocurrency exchanges and stable-coin issuers often co-operate with law enforcement to freeze stolen funds. In 2023 America, Japan and South Korea announced a joint effort aimed at countering North Korean cybercrime. America has sanctioned several 'mixing" service providers that North Korea has used.
Yet authorities remain a step behind. After America sanctioned North Korea's favoured mixers, the hackers switched to others offering similar services. Tackling the problem requires multilateral efforts across governments and the private sector, but such collaboration has been fraying. Russia used its UN veto to gut the UNPE last year. President Donald Trump's cuts to American development aid have hit programmes aimed at building cyber-security capacity in vulnerable countries.
By contrast, the North Korean regime is throwing ever more resources at cybercrime. South Korea's intelligence services reckon its cybercrime force grew from 6,800 people in 2022 to 8,400 last year. As the crypto-industry expands in countries with weaker regulatory oversight, North Korea has an increasingly 'rich target environment", says Abhishek Sharma of the Observer Research Foundation, an Indian think-tank. Last year, Mr Sharma notes, North Korea attacked exchanges based in India and Indonesia.
North Korea is already known to be making use of artificial intelligence in its operations. AI tools can help make phishing emails more convincing and easier to produce at scale across many languages. They can also make it easier to infiltrate companies as remote tech workers. Bad days like Mr Zhou's may become increasingly typical.