Just days after North Korea launched three ballistic missiles into the sea in January, a group of South Korean spies and American private investigators met in secret at the South Korean intelligence service.
They had been tracking $100 million stolen from Harmony, a cryptocurrency company in California, for months, hoping that North Korean hackers would transfer the stolen cryptocurrency into accounts where it could be later exchanged for dollars or Chinese yuan, hard currencies that could be used to finance the country’s nefarious missile program.
The spies and sleuths, operating out of a government office in Pangyo, South Korea’s Silicon Valley, would only have a short window of time to assist in the seizure of the funds before they could be laundered to safety through a network of accounts and made unreachable.
Finally, in late January, the hackers temporarily gave up control of their windfall by moving a portion of it to a cryptocurrency account tied to the dollar. The spies and detectives pounced, alerting US law enforcement personnel waiting to freeze the funds about the transaction.
That day, the team in Pangyo contributed to the seizure of just over $1 million. It was the kind of seizure that the US and its allies will need to prevent significant payouts for Pyongyang, even though the majority of the $100 million that was stolen is still out of reach in cryptocurrency and other assets that North Korea controls.
The sting operation offers a rare window into the shadowy world of cryptocurrency espionage — and the growing effort to shut down what has developed into a multibillion-dollar industry for North Korea’s authoritarian regime.
According to estimates from the United Nations and private companies, North Korean hackers have stolen billions of dollars from banks and cryptocurrency companies over the past few years. According to US authorities and private analysts, the North Korean dictatorship has been seeking more complex methods to convert the stolen digital money into actual currency.
For the US and South Korea, cutting off North Korea’s crypto pipeline has swiftly become a matter of vital national security. According to a senior US official, the capacity of the regime to exploit the stolen digital currency—or remittances from North Korean IT employees abroad—to fund its weapons programs is a regular set of intelligence products delivered to senior US officials, sometimes including President Joe Biden.
The newest weaponry of the dictatorship were on show at a military parade where Kim Jong Un and his daughter were present to commemorate the founding anniversary of the North Korean army. Roger Sinmun
The insider told that the North Koreans need money, so they’re going to keep being creative. Because of the totalitarian government and the severe restrictions imposed on it, he doesn’t think [they] will ever stop looking for illicit ways to extract funds.
At a meeting on April 7 in Seoul, US, Japanese, and South Korean diplomats expressed concern about North Korea’s cryptocurrency hacking and expressed dismay that Kim Jong Un’s government continues to pour its limited resources into its WMD [weapons of mass destruction] and ballistic missile programs.
The trilateral statement used the abbreviation for the North Korean government to say, They are also deeply concerned about how the DPRK supports these programs by stealing and laundering funds as well as as well as gathering information through malicious cyber activities.
Similar accusations have already been refuted by North Korea.
North Korea Inc. now operates online
Beginning in the late 2000s, US officials and its partners searched international waterways for evidence that North Korea was continuing to violate sanctions by smuggling in weapons, coal, or other valuable cargo. A very contemporary version of that competition is currently taking place between hackers and money-launderers in Pyongyang and intelligence services and law enforcement authorities from Washington to Seoul.
In the US, that work has been led by the FBI and Secret Service. The $100 million that was taken from Harmony was announced in janaury by the FBI to have been frozen.
Experts assert that the successive generations of Kim family members who have dominated North Korea for the past 70 years have all exploited state-owned corporations to enrich the family and maintain the regime’s rule.
Scholar John Park refers to it as “North Korea Incorporated,” and it is a family enterprise.
Stealing cryptocurrency is significantly less labor- and capital-intensive than the coal trade that North Korea has traditionally relied on for income, according to Park. And the earnings are enormous.
According to Chainalysis, a record $3.8 billion worth of cryptocurrencies were stolen globally last year. According to the company, hackers with ties to North Korea were responsible for over half of it, or $1.7 billion.
The joint analytical area of the National Intelligence Service of South Korea’s National Cyber Security Cooperation Center. – From the National Intelligence Service of South Korea
Unknown amounts of North Korea’s billions in stolen cryptocurrencies have apparently been converted into actual currency. A US Treasury representative with expertise on North Korea declined to provide an estimate in an interview. According to the Treasury official, the public record of blockchain transactions aids US agents in following the movements of cryptocurrencies by alleged North Korean operatives.
However, it is “incredibly concerning” when North Korea receives assistance from other nations in the money-laundering process, the official added. They choose not to specify which nation, but the US charged two Chinese individuals in 2020 for allegedly laundering more than $100 million for North Korea.
According to a February confidential United Nations assessment, Pyongyang’s hackers have also searched the networks of numerous international governments and corporations for crucial technical data that would be beneficial for its nuclear program.
The crackdown
According to a spokesperson for South Korea’s National Intelligence Service, the agency is searching for innovative ways to prevent stolen the digital currency from being transported into North Korea and has devised a “rapid intelligence sharing” plan with allies and private businesses to address the danger.
Recent efforts have concentrated on North Korea’s use of mixing services, which are readily accessible instruments used to conceal the origins of crypto.
On March 15, the Justice Department and European law enforcement organizations announced the closure of a mixing service called ChipMixer, which the North Koreans are alleged to have used to conceal a sum of money from the approximately $700 million in cryptocurrency that hackers have stolen in three separate hacks, including the $100 million theft from the California cryptocurrency company Harmony.
To determine when stolen money leaves North Korean hands and may be recovered, private detectives employ blockchain tracking software and, when the program notifies them, their own eyes. However, in order to act quickly enough to seize the assets, those investigators need to have solid ties with law enforcement and cryptocurrency companies.
In August, the Treasury Department sanctioned Tornado Cash, a cryptocurrency “mixing” business that was reportedly used to launder $455 million for North Korean hackers. This was one of the greatest US countermoves to yet.
Because Tornado Cash had more liquidity than other services, North Korean money could be hidden among other sources of funding more easily, making it particularly desirable. As a result of the Treasury sanctions forcing the North Koreans to seek out alternative mixing providers, Tornado Cash is currently completing fewer transactions.
According to report, suspected North Korean agents sent $24 million in December and January using the new mixing service Sinbad, although there are currently no indications that Sinbad will be as successful at moving money as Tornado Cash.
Roman Semenov, the creator of Tornado Cash, and other mixing service creators frequently identify as privacy advocates and maintain that the tools they create for cryptocurrencies can be used for good or bad just like any other technology. However, that hasn’t stopped law enforcement organizations from taking harsh action. The unnamed Tornado Cash creator was detained by Dutch authorities in August on allegations of money laundering.
In order to follow Pyongyang’s money laundering, private crypto-tracking companies like Chainalysis are increasingly hiring former US and European law enforcement officers. These individuals are using the skills they developed in the classified realm.
The Harmony attack resulted in the theft of $1.4 million from North Korea, according to Elliptic, a London-based company with former law enforcement officers on board. The experts were able to track the money in real-time in February as it briefly migrated to two well-known cryptocurrency exchanges, Huobi and Binance. The experts claim they immediately contacted the exchanges, who immediately froze the funds.
Elliptic co-founder Tom Robinson compared it to extensive drug importations. The North Koreans are ready to lose some of it, but the majority probably passes anyhow due to the sheer volume, speed, and sophistication of what they accomplish.
The North Koreans are attempting to steal directly from other crypto thieves as well as cryptocurrency companies.
Elliptic reports that after an unidentified hacker stole $200 million from the British company Euler Finance in March, suspected North Korean agents attempted to set a trap by sending the hacker a message on the blockchain that was laced with a vulnerability and may have been an attempt to access the money. (The ruse was unsuccessful.)
According to Nick Carlsen, a former FBI intelligence specialist who worked exclusively on North Korea until 2021, the number of North Koreans dedicated to using cryptocurrencies to avoid sanctions may only number a few hundred.
Carlsen is concerned that North Korea may use less obvious fraud methods in response to a worldwide campaign to sanction rogue cryptocurrency exchanges and retrieve stolen money. He argued that Pyongyang’s agents could build up a Ponzi scheme that gets significantly less attention rather than stealing half a billion dollars from a crypto exchange.
However, despite lower profit margins, Carlsen, who currently works for fraud-investigating company TRM Labs, claimed that cryptocurrency theft is still wildly profitable. They are therefore in no position to halt.