How they break into ‘unhacked’ crypto platforms and cash out


This is the second installment of a three-part series shedding light on North Korea’s cryptocurrency thefts and their connection to the hermit regime’s nuclear ambitions. — Ed.

Earlier this year, a senior engineer at Axie Infinity, a Vietnamese company that runs a popular blockchain-based play-to-earn game, was prompted to apply for a lucrative job through LinkedIn.

But after the engineer opened the job offer letter document, the network of Ronin Bridge, a platform created by Axie Infinity to transfer cryptocurrencies, was suddenly compromised. Spyware embedded in the file allowed hackers to infiltrate the Ronin network and steal $625 million worth of cryptocurrency in March.

Although it may sound like fiction, this is exactly how the Lazarus Group penetrated the IT infrastructure of the Ronin Bridge and hacked the validator’s private keys to steal cryptocurrencies. The US Federal Bureau of Investigation confirmed in April that the Lazarus Group was responsible for one of the biggest cryptocurrency heists of all time.

The Lazarus Group is an army of state-sponsored North Korean hackers trained for life to seize illegal assets to finance the nuclear ambitions of the heavily sanctioned regime that keeps leader Kim Jong-un in power. The $625 million the hackers stole from the Ronin Bridge was equivalent to what it cost Pyongyang to launch 31 ballistic missiles in the first half of this year, according to Seoul.

The Axie Infinity case is just the tip of the iceberg in North Korea’s decades-long history of financial crime. They no longer steal from banks, but now break into cyberspace manipulating people and stealing money from online financial systems with sophisticated technological know-how.

Millie Kim, researcher at the North Korea Cybernetics Working Group, an initiative of the Korea Project at Harvard University’s Belfer Center for Science and International Affairs, said: “North Korea’s state-sponsored hackers are adept at monitoring developments in the crypto space, particularly when it comes to identifying vulnerabilities in the latest blockchain technologies.”

“Part of it has to do with open access to information on the Internet, and another part is the strategic deployment of overseas workers in IT and cryptocurrency companies to impart specialized knowledge to hackers,” Kim said.

“Cultivating talent and training cyber agents in government institutions and other foreign countries provides another key means through which North Korea can experience and gain information about rapidly developing blockchain technology.”

North Korean state-sponsored cryptocurrency theft is generally categorized into three stages: illegally accessing the network or obtaining prohibited information, laundering the illicitly acquired cryptocurrency, and monetizing the illicitly acquired cryptocurrency.  (The Korea Herald)

For example, the hacking group BlueNoroff — a subgroup of the Lazarus group — “has sophisticated methodologies to infiltrate a victim’s machine and steal cryptocurrency,” said Park Seong-su, lead security researcher in Kaspersky’s global research and analysis team, adding that “their tactics are constantly evolving.”

Park said the “BlueNoroff group contacted the victim through social media to gain trust” and then “delivered sophisticated malware with multi-step infection stages.” Next, the North Korean hackers “collect the victim’s general information and monitor the victim’s handling of the cryptocurrency for a sufficient period of time.”

In general, North Korean cybercriminals “gather organizational information, identify vulnerable individuals and infrastructure weaknesses, and analyze the behavior of their targets” before deploying advanced social engineering tactics, according to a Chainalysis report cited in the Panel of Experts’ midterm report in September.

In addition, cyber threat actors associated with the Lazarus Group have mastered and perfected the techniques of creating false personas, establishing shell companies and carefully guarding digital identities to “communicate and gain the trust of their targets.”

North Korean threat actors created “fake accounts that look legitimate” on social media platforms such as LinkedIn and Twitter, regularly uploading content and engaging in personal, curated conversations with their targets. Next, North Korean hackers launch a spear-phishing attack through various channels, including sending emails with malware attachments or malicious links, inviting collaboration through SharePoint, and sharing Google Docs links.

North Korean impersonator Kim Hyon-woo was used to attack Sony Pictures Entertainment, carry out cyber robberies against financial institutions including Bangladesh Bank and target US defense contractors, according to a US criminal complaint released in 2018.

Chart 1 contains links between (1) the Chosun Expo account used by PARK, (2) the account used by the pseudonym “Kim Hyon Woo”, and (3) some accounts that were used as part of the subjects’ attack infrastructure. Not all attack infrastructure accounts discovered during the investigation are included, but only those with specific links to Chosun Expo accounts linked to PARK. (US Department of Justice)

But how do they work?
North Korean state-sponsored hackers have mainly used two off-chain tactics: social engineering and malware. Hacking groups have generally used traditional espionage tactics such as advanced social engineering attacks to break into cryptocurrency systems by tricking and luring victims into inadvertently allowing access to their network and confidential information or downloading malware files.

Social engineering is a technique of psychological manipulation that exploits human nature to induce people to divulge confidential information and bypass security procedures.

One example might be a spear-phishing campaign that deceives a specific person or group by sharing information known to be of interest to the target through email or electronic communications that appear legitimate.

In addition, North Korean cyber actors have targeted individuals and organizations, including cryptocurrency exchanges and financial services, to steal cryptocurrency by spreading malware-laden cryptocurrency trading applications, according to a US Joint Cybersecurity Advisory issued in 2021.

North Korean cybercriminals are “using identity theft, social networking and social engineering techniques to lure users into downloading malware” that the US government has dubbed “AppleJeus”.

Generally, legitimate-looking companies advertise and distribute a modified, trojanized version of a cryptocurrency trading application on their websites.

In 2020, North Korean cyber actors targeted energy, financial, government, industrial, technology, and telecommunications institutions to steal cryptocurrencies with the AppleJeus malware in more than 30 countries.

“The move to cryptocurrency plays to the strengths of North Korean cyber operators, as it leverages skills from ‘traditional’ intrusion pools as well as those individuals doing IT/freelance work online,” said Joe Dobson, senior principal analyst at Virginia-based Mandiant.

Countries targeted with AppleJeus by North Korean state-sponsored advanced persistent threat (APT) actors as of 2020 (US Cybersecurity and Infrastructure Security Agency)

Money laundering
But getting away with cryptocurrency is just the beginning. North Korea has engaged in multi-stage and sophisticated laundering processes to cash in illegally acquired cryptocurrencies.

“The Kim regime has become adept at commingling and laundering funds to try to conceal the origin of its stolen funds,” said Annie Fixler, deputy director of the Center for Cyber ​​and Technology Innovation at the Foundation for Defense of Democracies in Washington.

North Korean state-sponsored cyber threat actors have used a variety of tactics to conceal or obscure the source of ill-gotten cryptocurrencies and illicit transactions without providing identification or “Know Your Customer” data.

“To launder funds, they use obfuscation techniques such as commingling, using services like Tornado Cash to create a disconnect between the cryptocurrency they deposit and withdraw, and chain hopping, which is the process of switching between several different types of cryptocurrency in one transaction,” said Erin Plante, vice president of investigations at New York-based Chainalysis.

In general, North Korea launders stolen cryptocurrencies mainly through chain hopping, mixers and peel chains.

Chain hopping is a tactic of moving between different types of cryptocurrencies often in quick succession. Peel chain is a technique of laundering a large amount of cryptocurrency through a long series of small transactions.
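The peel-chain pattern described above is something blockchain analysts look for when tracing stolen funds. The following is an added illustration, not code from the article or from any of the firms it quotes: a small heuristic tracer that follows a constructed, in-memory set of transactions and flags a chain in which each hop forwards nearly the whole balance to a fresh address while "peeling" off a small amount. The transaction records, address names, the 10% peel threshold and the minimum hop count are all assumptions chosen for the example.

```python
"""Peel-chain heuristic over a constructed, in-memory transaction set (added example)."""
from dataclasses import dataclass


@dataclass
class Tx:
    txid: str
    inputs: list     # addresses the transaction spends from
    outputs: list    # (address, amount) pairs


# Constructed sample data (not real chain data): 100 coins move A1 -> A5, peeling a
# small amount to P1..P4 at each hop; the final tx is an even split that does not fit.
SAMPLE_TXS = [
    Tx("t1", ["A1"], [("P1", 2.0), ("A2", 98.0)]),
    Tx("t2", ["A2"], [("P2", 1.5), ("A3", 96.5)]),
    Tx("t3", ["A3"], [("A4", 95.0), ("P3", 1.5)]),
    Tx("t4", ["A4"], [("P4", 2.0), ("A5", 93.0)]),
    Tx("t5", ["A5"], [("M1", 50.0), ("M2", 43.0)]),  # ~even split: not a peel step
]


def spends_from(txs, addr):
    """All transactions that spend from the given address."""
    return [t for t in txs if addr in t.inputs]


def is_peel_step(tx, max_peel_ratio=0.10):
    """A peel step is a two-output tx whose smaller output is at most
    max_peel_ratio of the total. Returns (peel_output, change_output) or None."""
    if len(tx.outputs) != 2:
        return None
    total = sum(amount for _, amount in tx.outputs)
    if total <= 0:
        return None
    small, large = sorted(tx.outputs, key=lambda o: o[1])
    if small[1] / total <= max_peel_ratio:
        return small, large
    return None


def trace_peel_chain(txs, start_addr, max_peel_ratio=0.10, max_hops=1000):
    """Follow the change output from start_addr for as long as every hop is a
    peel step. Returns hop count, peeled outputs, tx ids and the final address."""
    chain = {"hops": 0, "peeled": [], "txids": [], "end_addr": start_addr}
    addr, seen = start_addr, set()
    for _ in range(max_hops):
        if addr in seen:          # guard against cycles in the constructed graph
            break
        seen.add(addr)
        step = None
        for t in spends_from(txs, addr):
            result = is_peel_step(t, max_peel_ratio)
            if result:
                step = (t, result)
                break
        if step is None:
            break
        t, (peel, change) = step
        chain["hops"] += 1
        chain["txids"].append(t.txid)
        chain["peeled"].append(peel)
        chain["end_addr"] = change[0]
        addr = change[0]
    return chain


def flag_peel_chains(txs, min_hops=3, max_peel_ratio=0.10):
    """Start a trace from every address that funds a peel step but is not itself
    the change output of one, and report chains of at least min_hops hops."""
    peel_txs = [t for t in txs if is_peel_step(t, max_peel_ratio)]
    change_addrs = {is_peel_step(t, max_peel_ratio)[1][0] for t in peel_txs}
    starts = sorted({a for t in peel_txs for a in t.inputs} - change_addrs)
    chains = [trace_peel_chain(txs, s, max_peel_ratio) for s in starts]
    return [c for c in chains if c["hops"] >= min_hops]


if __name__ == "__main__":
    for c in flag_peel_chains(SAMPLE_TXS):
        peeled = sum(a for _, a in c["peeled"])
        print(f"peel chain of {c['hops']} hops via {c['txids']}, "
              f"peeled {peeled} to {[a for a, _ in c['peeled']]}, ends at {c['end_addr']}")
```

The threshold and hop count are tunable: a tighter ratio trims false positives from ordinary change outputs, while a higher minimum hop count reduces noise at the cost of missing short chains. On real data the same heuristic would be run over parsed blocks rather than a hand-built list.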

A cryptocurrency mixer is a software tool that pools and mixes cryptocurrency from thousands of addresses to obfuscate and hide the flow of transactions.

“North Korea tends to rely on mixers and chain hopping. However, they will always take the path of least resistance,” said Allison Owen, a research analyst at London’s Royal United Services Institute. “The key is to keep looking to the horizon to limit any new areas that can be exploited.”

Two Chinese nationals have been charged with laundering more than $100 million in cryptocurrency — stolen from cryptocurrency exchanges by the Lazarus Group — between 2017 and 2019. (US Treasury Department)

Foreign collaborators
Cybersecurity experts and blockchain analysts also stressed that more attention should be paid to North Korea’s cooperation with foreign countries and nationals at every stage of the cryptocurrency heist.

North Korea also has a history of conspiring with foreign nationals, including Canadian-American and Nigerian partners to launder funds from cyber heists perpetrated by North Korea.

Nick Carlsen, a blockchain analyst at TRM Labs and a former FBI analyst, said such cooperation with foreign nationals is more important in the stages of laundering and cashing stolen funds.

For example, over-the-counter brokers “play a major role at every stage” of laundering stolen funds through layered schemes to move and transfer ill-gotten cryptocurrency into different wallets and currencies, according to a report released in May by the Belfer Center for Science and International Affairs.

The OTC system enables parties to buy and sell securities outside official exchanges and through decentralized networks of dealers.

Two Chinese nationals have been charged with laundering more than $100 million in cryptocurrency — stolen by the Lazarus Group from cryptocurrency exchanges — between 2017 and 2019, the US Treasury and Justice Department said in 2020. One Chinese national transferred more than $34 million in ill-gotten cryptocurrency through a Chinese bank account and transferred about $1.4 million in bitcoins to Apple iTunes gift cards.

Robert Potter, co-founder and co-CEO of Australian-American cyber security firm Internet 2.0, also noted that “Russia and China were content to turn a blind eye” to North Korea’s cryptocurrency theft.

“Hackers linked to North Korea have used services located in countries around the world, including China and Russia, to try to cash in on their ill-gotten gains,” Chainalysis’ Plante said.

By Ji Da-gyum ([email protected])
