North Korea flag on screen with code showing North Korean hackers and Russian crypto exchanges

Chainalysis: North Korean Hackers Forming Stronger Ties With Russian Crypto Exchanges

A new report from blockchain security firm Chainalysis finds that state-backed North Korean hackers are more reliant than ever on illicit crypto exchanges in Russia to move money. While this does not create a direct link between the two governments, these exchanges largely exist due to the Russian government’s longstanding tacit approval of domestic cyber crime groups that stick to targeting foreign rivals.

North Korean hackers are thought to have stolen $3.54 billion in cryptocurrency over the last seven and a half years, and much of this winds up sent to dodgy Russia-based crypto exchanges with reputations for accepting the spoils of cyber attacks.

North Korean hackers rely on Russian criminals to cash out stolen funds

North Korean hackers are believed to be extremely active in targeting crypto exchanges as a means of funding the country’s nuclear weapons program, something that it otherwise has very few avenues of income for. Chainalysis believes that illicit Russian crypto exchanges have been the favored means of laundering stolen money since at least 2021.

The report cites the movement of $21.9 million stolen in the Harmony Protocol breach of 2022, something that was eventually attributed to North Korean hackers (specifically Lazarus and APT38) by the FBI in early 2023. Though not the only piece of evidence, the Harmony money movement provides a clear example of how these threat actors make use of multiple addresses at illicit Russian crypto exchanges.

Prior to 2021, the North Korean hackers actually used more mainstream and legitimate crypto exchanges that would respond to law enforcement requests to investigate or freeze suspicious transfers. These exchanges have faced more pressure from law enforcement since then due to increasing boldness by petty criminal groups in targeting critical infrastructure and government agencies, which very likely factored into North Korea’s new banking arrangements.

The North Korean hackers have also done quite a lot to paint a target on themselves, however, going on a spree of thefts from DeFi platforms over roughly the past year. Their primary modus operandi is to attempt to swipe the reserve funds that these platforms use for liquidity, often getting in the door with very advanced social engineering approaches and draining most or all of what is available once they gain access.

The North Korean hackers had their best year in 2022, stealing about $1.65 billion in total. They are at $340 million for 2023 thus far, a more modest total but one that is roughly in line with what they stole each year from 2018 to 2021.

Russian government turns blind eye to illicit crypto exchanges

Having a reliable means of “cashing out” crypto thefts is an invaluable resource for North Korean hackers. The nation’s state-backed threat groups tend to make up a disproportionate amount of all cyber theft across the globe every year; in 2019 and 2020 they were responsible for about half, and about a third in both 2018 and 2022 (the latter of which was a banner year for funds being stolen from crypto exchanges). They are on pace to potentially account for about a third again in 2023.

The issue is tied to the long-running problem of the Russian government not pursuing criminal hacking groups in its territory so long as they do not attack domestic targets or allies. There are occasional flashes of cooperation when one of these groups gets too big for its britches and begins to cause problems for the government, such as the raids on and arrests of members of the REvil group in early 2022 at the request of the US government. But in terms of illicit crypto exchanges, Chainalysis CEO Michael Gronager observes that Russia is already sanctioned about as much as it can be in this area and thus there is no impetus to dismantle them.

North Korean hackers are not only a major driver of theft, but are a special case in that the theft is being used to fuel a rogue nuclear weapons program. This has drawn the attention of the United Nations, which said in an August report that the country’s crypto thefts were a form of sanctions evasion. This is an area in which the Russian government can be seen as taking a more direct role in promoting the situation, as it and China are essentially the lone members of the UN that push for North Korean sanctions to be eased.

Another unique wrinkle of the situation is that North Korea also focuses heavily on the DeFi space, which stands apart from government regulation (and protection) by design. This has left tech mavens in the space scrambling to improve security and find better built-in defense mechanisms for crypto exchanges that cannot count on consistent law enforcement assistance.

The situation is very unlikely to change anytime soon, with no real way for the international community to shut North Korea’s APT groups down so long as they are state-sanctioned and protected. Most nation-state advanced threat groups do not engage in theft as it is seen as too provocative (and usually unnecessary for developed economies), but the world already has North Korea pinned into a corner. The country’s hacking teams have had two high-profile thefts in September alone, hitting Stake for $40 million and CoinEx for $70 million.