Date: 2022-06-29
SEOUL, June 29 (Reuters) - The nosedive in cryptocurrency
markets has wiped out millions of dollars in funds stolen by
North Korean hackers, four digital investigators say,
threatening a key source of funding for the sanctions-stricken
country and its weapons programmes.
North Korea has poured resources into stealing
cryptocurrencies in recent years, making it a potent hacking
threat and leading to one of the largest cryptocurrency heists
on record in March, in which almost $615 million was stolen,
according to the U.S. Treasury.
The sudden plunge in crypto values, which started in May
amid a broader economic slowdown, complicates Pyongyang's
ability to cash in on that and other heists, and may affect how
it plans to fund its weapons programmes, two South Korean
government sources said. The sources declined to be named
because of the sensitivity of the matter.
It comes as North Korea tests a record number of missiles -
which the Korea Institute for Defense Analyses in Seoul
estimates have cost as much as $620 million so far this year -
and prepares to resume nuclear testing amid an economic crisis.
Old, unlaundered North Korean crypto holdings monitored by
the New York-based blockchain analytics firm Chainalysis, which
include funds stolen in 49 hacks from 2017 to 2021, have
decreased in value from $170 million to $65 million since the
beginning of the year, the company told Reuters.
One of North Korea’s cryptocurrency caches from a 2021
heist, which had been worth tens of millions of dollars, has
lost 80% to 85% of its value in the last few weeks and is now
worth less than $10 million, said Nick Carlsen, an analyst with
TRM Labs, another U.S.-based blockchain analysis firm.
A person who answered the phone at the North Korean embassy
in London said he could not comment on the crash because
allegations of cryptocurrency hacking are "totally fake news."
"We didn't do anything," said the person, who would only
identify himself as an embassy diplomat. North Korea's foreign
ministry has called such allegations U.S. propaganda.
The $615 million March attack on blockchain project Ronin,
which powers the popular online game Axie Infinity, was the work
of a North Korean hacking operation dubbed the Lazarus Group,
U.S. authorities say.
Carlsen told Reuters that the interconnected price movements
of different assets involved in the hack made it difficult to
estimate how much North Korea managed to keep from that heist.
If the same attack happened today, the Ether currency stolen
would be worth a bit more than $230 million, but North Korea
swapped nearly all of that for Bitcoin, which has had separate
price movements, he said.
"Needless to say, the North Koreans have lost a lot of
value, on paper," Carlsen said. "But even at depressed prices,
this is still a huge haul."
The United States says Lazarus is controlled by the
Reconnaissance General Bureau, North Korea's primary
intelligence bureau. It has been accused of involvement in the
"WannaCry" ransomware attacks, hacking of international banks
and customer accounts, and the 2014 cyber-attacks on Sony
Pictures Entertainment.
Analysts are reluctant to provide details about what types
of cryptocurrency North Korea holds, which might give away
investigation methods. Chainalysis said that Ether, a common
cryptocurrency linked to the open-source blockchain platform
Ethereum, was 58%, or about $230 million, of the $400 million
stolen in 2021.
Chainalysis and TRM Labs use publicly available blockchain
data to trace transactions and identify potential crimes. Such
work has been cited by sanctions monitors, and according to
public contracting records, both firms work with U.S. government
agencies, including the IRS, FBI and DEA.
North Korea is under widespread international sanctions over
its nuclear programme, giving it limited access to global trade
or other sources of income and making crypto heists attractive,
the investigators say.
'FUNDAMENTAL' TO NUCLEAR PROGRAMME
Although cryptocurrencies are estimated to be only a small
portion of North Korea's finances, Eric Penton-Voak, a
coordinator of the United Nations panel of experts that monitors
sanctions, said at an event in April in Washington, D.C., that
cyberattacks have become "absolutely fundamental" to Pyongyang's
ability to evade sanctions and raise money for its nuclear and
missile programmes.
In 2019, sanctions monitors reported that North Korea had
generated an estimated $2 billion for its weapons of mass
destruction programmes using cyberattacks.
One estimate from the Geneva-based International Campaign to
Abolish Nuclear Weapons says North Korea spends about $640
million per year on its nuclear arsenal. The country's gross
domestic product was estimated in 2020 to be around $27.4
billion, according to South Korea's central bank.
Official sources of revenue for Pyongyang are more limited
than ever under self-imposed border lockdowns to combat
COVID-19. China - its biggest commercial partner - said in 2021
that it had imported just over $58 million in goods from North
Korea, amid some of the lowest levels of official bilateral trade
in decades. Official numbers do not include smuggling.
North Korea already only gets a fraction of what it steals
because it must use brokers willing to convert or buy
cryptocurrencies with no questions asked, said Aaron Arnold of
the RUSI think-tank in London. A February report by the Center
for a New American Security (CNAS) estimated that in some
transactions, North Korea only gets one-third of the value of
the currency it has stolen.
After obtaining cryptocurrency in a heist, North Korea
sometimes converts it to Bitcoin, then finds brokers who will
buy it at a discount in exchange for cash, which is often held
outside the country.
"Much like selling a stolen Van Gogh, you’re not going to
get fair market value," Arnold said.
CONVERTING TO CASH
The CNAS report found that North Korean hackers exhibit only
"moderate" concern over hiding their role, compared to many
other attackers. That allows investigators to sometimes follow
digital trails and attribute attacks to North Korea, though
rarely in time to recover the stolen funds.
According to Chainalysis, North Korea has turned to
sophisticated ways of laundering stolen cryptocurrency,
increasing its use of software tools that pool and scramble
cryptocurrencies from thousands of electronic addresses - a
designator for a digital storage location.
The contents of a given address are often publicly viewable,
allowing firms such as Chainalysis or TRM to monitor any that
investigations have linked to North Korea.
Attackers have tricked people into giving access or hacked
around security to siphon digital funds out of
internet-connected wallets into North Korea-controlled
addresses, Chainalysis said in a report this year.
The sheer size of recent hacks has strained North Korea's
capacity to convert cryptocurrency to cash as quickly as in the
past, Carlsen said. That means some funds have been stuck even
as their value drops.
Bitcoin has lost about 54% of its value this year and
smaller coins have also been hit hard, mirroring a slide in
equities prices linked to investor concerns about rising
interest rates and the growing likelihood of a global recession.
"Converting to cash remains a key requirement for North
Korea if they want to use the stolen funds," said Carlsen, who
investigated North Korea as an analyst at the FBI. "Most of the
commodities or products the North Koreans want to buy are only
traded in USD or other fiat, not cryptocurrencies."
Pyongyang has other, larger sources of funding that it can
rely on, Arnold said. U.N. sanctions monitors have said as
recently as December 2021 that North Korea continues to smuggle
coal - usually to China - and other major exports banned under
Security Council resolutions.
VOLATILE CURRENCIES
North Korean hackers sometimes appear to wait out rapid dips
in the value or exchange rates before converting to cash, said
Jason Bartlett, the author of the CNAS report.
"This sometimes backfires as there is little certainty in
predicting when the value of a coin will rapidly increase and
there are several cases of highly depreciated crypto funds just
sitting in North Korea-linked wallets," he said.
Sectrio, the cybersecurity division of Indian software firm
Subex, said there are signs North Korea has begun ramping up
attacks on conventional banks again rather than cryptocurrencies
in recent months.
The firm's banking sector-focused “honeypots” – decoy
computer systems intended to attract cyberattacks – have seen an
increase in “anomalous activities” since the crypto crash, as
well as an increase in "phishing" emails, which try to fool
recipients into giving away security information, Sectrio said
in a report last week.
But Chainalysis said it had yet to see a major change in
North Korea's crypto behaviour, and few analysts expect North
Korea to give up on digital currency heists.
"Pyongyang has added cryptocurrency into its sanctions
evasion and money laundering calculus and this will likely
remain a permanent target," Bartlett said.
(Reporting by Josh Smith. Editing by Gerry Doyle)