Since 2017, threat actors from the Democratic People’s Republic of Korea (DPRK) have been targeting the cryptocurrency sector as a major revenue generator in order to bypass international sanctions. According to cybersecurity firm Recorded Future, these actors have “privileged access to resources, technologies, information, and sometimes even international travel”.
This is evident from the US Treasury Department’s recent sanction of a virtual currency mixer used by the North Korea-linked Lazarus Group to launder funds. The same group is estimated to have stolen $3 billion worth of crypto assets over the past six years, with $1.7 billion taken in 2022. Most of these funds are used to finance the country’s weapons of mass destruction and ballistic missile programs.
Chainalysis revealed that $1.1 billion of the total was stolen from DeFi protocols, making North Korea a major factor in the DeFi hacking trend that has been on the rise since 2022. The US Department of Homeland Security also highlighted the Lazarus Group’s exploitation of DeFi protocols in its Analytic Exchange Program report.
DeFi exchange platforms allow users to swap between cryptocurrencies without the platform ever taking custody of the customer’s funds, which makes stolen cryptocurrency harder to attribute and trace. North Korean cyber threat actors are known to use social engineering against employees of online cryptocurrency exchanges, luring them with the promise of lucrative jobs in order to deliver malware.
The group has also been found to run airdrop scams and rug pulls, and to use mixing services to conceal the financial trail. As long as cryptocurrency firms lack stronger regulations, cybersecurity requirements, and investment in cybersecurity, Recorded Future believes North Korea will continue to target the cryptocurrency industry.