It was a remarkable interview for hiring manager Elliott Garlock. In February, when interviewing prospective developers for a crypto company, Garlock came across one candidate who aroused practically every possible red signal.
The interviewee entered the Zoom session without turning on his camera, and it took some convincing to get him to do so. He felt as though he was crammed into a small, packed room due to the frequent background noise. When asked, he claimed to be from San Francisco but couldn’t give a more specific place than “Bay Area.”
It was an odd and fruitless interview. The worst part was that it was just the start. The founder of Stella Talent Partners, Garlock, quickly came across a second, practically similar prospect. then another, then yet another, etc.
Garlock remarked, he grew upset after a while since it was a complete waste of time. The victim added, At first, he thought the scam was that they were offshore and were trying to use remote employment to just get paid for not working.
A fresh theory has emerged: the job applicants were North Koreans seeking to smuggle cash into the isolated country. That’s in line with cautions issued by the FBI and the Treasury Department over the growing risk North Korea poses to the cryptocurrency sector.
The threat is real, as demonstrated by a disastrous hack in March. The Lazarus Group, a hacker group linked to the government of North Korea, was successful in stealing over $600 million in cryptocurrency from a blockchain that the NFT game Axie Infinity employed. According to some sources, North Korean hackers stole $840 million in the first five months of 2022, more than $200 million more than they had stolen in total in 2020 and 2021.
That has huge ramifications. According to Anne Neuberger, a deputy national security adviser in the Biden administration, almost a third of the cryptocurrency North Korea steals is used to fund its arsenal, which includes nuclear weapons. Additionally, it goes toward the nation’s espionage activities. It was discovered that two South Koreans had been paid in bitcoin when they were found to have stolen military data for a North Korean spy earlier this year.
According to Nick Carlsen, a former FBI North Korea specialist who currently works for the crypto security company TRM Labs, “Crypto is undoubtedly now crucial to North Korea.” They are a crypto superpower by any measure.
A nuclear-armed crypto superpower, that is. North Korea analysts claim that a nation with strong cryptocurrency capabilities is directly supporting the development of those nuclear weapons, and the likelihood of a second nuclear weapons test is rising. In the last 10 days, the rogue country has increased the number of ballistic missile tests: After North Korea fired a missile over the island of Hokkaido on Wednesday, authorities in Japan advised nearly 5 million people to take immediate cover. It’s very likely that this was also financed, at least in part, by cryptocurrency that was stolen.
Since the pandemic started, the Democratic People’s Republic of Korea, as North Korea is officially known, has been more dependent on cryptocurrency. In the past, it relied on illicit trade, selling coal, meth, cigarettes, and labour to China, Russia, and Southeast Asia. However, Kim Jong Un’s zero COVID approach has resulted in border closures, which have reduced the nation’s already meagre earnings. China is by far North Korea’s largest trading partner, but trade with China dropped by 80% in 2020, and there are numerous reports of food shortages. At the same time, the value of cryptocurrencies has rocketed.
Despite the current cryptocurrency crash, the price of bitcoin is 250% greater than it was prior to the outbreak. The second-largest cryptocurrency, ether, has increased by approximately 700%.
One bad click
Between February and April, according to Garlock’s estimation, he came across twelve potential candidates who he now views as North Korean agents. Fortunately, none of them were recommended to one of his customer companies. North Korean hackers have demonstrated that if they can trick just one person, they can do a great deal of damage.
A single corrupted file has the potential to be disastrous. A contaminated PDF served as the basis for the Axie Infinity breach, which earned North Korea almost $600 million in cryptocurrency.
The Axie creatures you battle in Axie Infinity are owned as NFTs and may be exchanged for cryptocurrency, unlike Pokemon. Developer Sky Mavis built its own blockchain called Ronin just to execute Axie Infinity transactions in order to enable this digital economy. In August 2021, when it peaked, the game was bringing in more over $15 million every day. According to a story by The Block, North Korean agents contacted a senior engineer who worked on Ronin earlier this year via LinkedIn. The engineer received a formal job offer through PDF after going through many rounds of interviews.
The proof-of-authority approach used by the Ronin blockchain gives control over validation to nine carefully chosen accounts. Five of these nine validator accounts needed to be under the hands of bad actors in order to take over the blockchain. The senior programmer unknowingly provided North Korean hackers access to four of those validators when he opened the malicious link. Hackers were able to obtain the keys for a fifth once they were inside Axie Infinity’s computer system. The $600 million was quickly gone.
A comment from Sky Mavis was not forthcoming. However, the company reported in a post-mortem that was released in April: “One employee of Sky Mavis was penetrated by ongoing sophisticated spear-phishing assaults on multiple social media channels. The hacker was able to use that access to breach the security of Sky Mavis’ IT system and obtain entry to the validator nodes.”
It’s probable that the North Korean agents used a middleman business to plan the phishing scam using a fake employer. They did it in 2019 by hiring a performer to pose as an executive in phoney job interviews with the aim of hacking Chile’s Redbanc’s computer systems. (North Korea was prevented from robbing the bank, thanks to an alert IT professional who noticed suspicious behavior on the network.)
It’s tempting to dismiss the Ronin attack as the result of someone exploiting an unorganised crypto firm. However, the same strategies have been successful against well-known targets. Similar tactics were used in the notorious Sony hack of 2014, which was a reaction to the studio’s release of Seth Rogan’s comedy The Interview, which is about an assassination attempt on Kim. In order to enter Sony’s computer network, hackers had to pose as a businessman, according to former US assistant attorney Tony Lewis.
The businessman sent emails purporting to be about his desire to engage with Sony but actually included a malicious link that at least one employee clicked. Two months later, the Lazarus Group—North Korea’s most infamous hacking group—made its presence known when the computers at Sony’s corporate headquarters went dark. (The perpetrators at the time referred to themselves as the Guardians of Peace.)
It was an expertly planned heist. Hackers spent a year studying the bank’s IT infrastructure before planning the robbery for a Thursday that fell on a Friday-Saturday weekend in Bangladesh and a Monday public holiday in the Philippines, delaying alarms on both ends. However, it was hindered by a misfortune. Following a number of successful transactions, the Federal Reserve barred the following $851 million. The assailants paid money to a Jupiter Street-based Philippine bank. By pure coincidence, an unrelated Greek company called Jupiter Seaways Shipping was already on the Fed’s sanctions watch list for assisting Iran in dodging oil restrictions, which set off an alarm.
They’re effectively bringing all of the knowledge they’ve gained to crypto, according to Soo Kim, a former CIA analyst who is currently employed by the think tank Rand Corporation.
The substantial cyber capabilities of North Korea are paradoxical. In a rare UN survey conducted in 2017, it was discovered that only 1% of North Korean households have internet connectivity. In spite of this, the DPRK has amassed a powerful army of hackers.
When children from wealthy families are assigned to elementary schools, they essentially conduct a talent search, according to Rand’s Kim. “They send these children to Russia so they may learn [hacking] skills; this is how they patriotically serve the nation.” They manage to snoop around networks.
Approximately 7,000 North Koreans are thought to be employed by the country’s cyber programme. In the past, Kim Jong Un has referred to his highly skilled cyberattackers as “warriors” who are capable of “penetrating any sanctions for the creation of a powerful and affluent nation.”
These cyber armies’ clear goal is cryptocurrency. Decentralization is the whole premise of cryptocurrencies, therefore there is no Federal Reserve to block $851 million. For North Korea, the Ronin hack proved advantageous. Of course, it didn’t end there.
A technology called Harmony Bridge enables traders to transfer cryptocurrency between blockchains. In June, it was taken advantage of, and $100 million was lost. According to the FBI, North Korea is to blame. Like all other hacks, this one began with a single person making a sincere error.
Jack Chan, a member of the Harmony core team, said in August, “We suspect the hackers… utilised phishing tactics to deceive at least one software engineer into installing dangerous malware on their laptop.”
Over 10 times as much cryptocurrency was taken by North Korea in just two operations as it was from Bangladesh Bank. Additionally, it exceeds the $650 million that North Korea is thought to have spent on missile testing between January and June, according to the Korea Institute for Defense Analyses.
Difficult interviews
Speaking with a purported North Korean agent was “one of the most embarrassing things he have ever done, according to William Burleson. Burleson, who is responsible for Up Top Search’s growth, was creating the company’s Discord channel in order to do recruitment on the well-liked chat service.
Burleson found three suspect candidates during his first week of work, which led him to later conclude that they were North Korean operatives.
The applicants were wary about activating their cameras, just like in Garlock’s cases. Burleson occasionally heard whispering, as if the candidate were being instructed to respond to Burleson’s questions in real time by someone off-screen.
Burleson described the interviews as “just really odd, delayed reactions, hearing the same words or phrases consistently.” “Because of the time zone difference, he was aware that they weren’t based in the United States as they said. On Discord, he only noticed them active throughout the Eastern Asia time zone.”
Although the English proficiency of these applicants is often subpar, this is not the main cause of the stilted nature of these interviews. Engineers and developers who speak English as a second language are common in the crypto industry, but there was something peculiar about these specific prospects.
This group of people “had these incredibly flat affects, according to Garlock. They don’t show signs of happiness or sadness on their faces. Talking to them, according to Burleson, was disturbing. From a human perspective, it is clear that something is off.
He observed that numerous dubious applicants would post links to purportedly worked-on protocols on Discord in place of a résumé. These linkages consistently failed the safety assessment when Burleson put them through the wringer.
Although it’s not always so clear, infected URLs are a dead giveaway of suspicious activity. The owner of Up Top Search, Dan Eskow, believes he can identify these North Korean operators.
“You start off by asking him, “How’s the weather in Kansas?” rather than delivering your pitch. How are things going today?” Eskow clarified. “They blow up. They become anxious because their teacher or whoever is directing them hasn’t given them any practise responding to inquiries like “How’s the weather?””
Burleson claimed that once a candidate hung up after being asked an off-topic question. Frequently, tangential inquiries are just met with an uneasy blank stare.
Operations that are attributed to North Korea range in complexity. According to Mandiant, a cybersecurity company, there are probably many groups operating within North Korea to extract money from crypto to the regime. Mandiant previously issued a warning about rising North Korean activity in cryptocurrency in July. Although The Lazarus Group is the most well-known hacker group, there are many others.
Different teams have different levels of expertise. Mandiant finds a lot of careless work. Bad actors have displayed screenshots of allegedly developed code, only for these images to be revealed as having been taken from freelance job forums. These agents frequently steal resumes without even bothering to change the names and references.
According to Joe Dobson, senior principal analyst at Mandiant, there are probably thousands of these operators trying to get hired all over the world, and each guy can run numerous profiles at the same time.
Crypto companies are particularly susceptible to infiltration by North Korea for a number of reasons. Bad actors operating out of China or North Korea can seem to be from the US or Canada because of the normalisation of remote work. Also valued in the cryptoculture is anonymity. Personal information is frequently disregarded philosophically as irrelevant — Satoshi Nakamoto, the person who invented bitcoin, is still using a pseudonym. According to Garlock, although tech companies frequently hire people to build their businesses around, cryptocurrency companies take a more experimental approach to hiring: hire widely, keep people if they’re good, fire them if they’re not.
Young, inexperienced CEO entrepreneurs manage a large number of cryptocurrency businesses, according to Garlock. People with little to no experience running a business but who frequently know a lot about cryptocurrencies. They are also very financed, he continued. You have, say, a 25-year-old CEO of a cryptocurrency with capital made up of cash and crypto assets ranging from $25 million to $500 million.
It is clear why North Korea targets the cryptocurrency sector. But what happens after the money is taken is less clear.
Following the theft
Authorities and experts are carefully piecing the specifics of North Korea’s crypto-related operations together, but certain essential elements are still lacking. We are aware that North Korea doesn’t sell all of the stolen cryptocurrency at once. Instead, over the course of months or years, it sells batches of bitcoin and ether, trickling millions of cash to the government at a time. For instance, cryptocurrency that was taken from the Ronin blockchain in March is still being offloaded.
Nick Carlsen, a former FBI researcher who is currently with TRM Labs and monitors North Korea’s blockchain activity, says this. It would be much simpler to trace if all of the cryptocurrency was sold at once or at more frequent periods.
With this Ronin hack, the amount of money that can be laundered within the cryptocurrency ecosystem is being pushed to its limit, according to Carlsen.
Cryptocurrency laundering is simpler than laundering US dollars, but it still involves effort. The bad guys employ a variety of tools. The first are bridges that let merchants transmit cryptocurrency between several blockchains, such as the Harmony Bridge that North Korea breached. Then there are mixers, which conceal the source of crypto. For example, you may send 5 bitcoin from wallet A to a mixer, where it would be mixed with other people’s cryptocurrency. Then, five bitcoin are picked from that pool and delivered to Wallet B, making it more difficult to determine exactly where they came from.
Similar to how money launderers move funds between banks and institutions, cryptocurrency launderers move funds through mixers and bridges to conceal corrupted tokens within bags of clean ones. According to Chainalysis, tokens have been transferred between 12,000 different crypto addresses in order to conceal the funds taken from Ronin.
The US is attempting to make this procedure more difficult for North Korea in particular and crypto-launderers in general. The US Treasury banned the Tornado Cash and Blender bitcoin mixers in August and May, respectively, citing threats from the Kim government.
In May, Brian Nelson, the US Treasury’s undersecretary for terrorism and financial intelligence, said, “We are taking action against illicit financial behaviour by the DPRK and will not permit state-sponsored theft and its money-laundering facilitators to go unpunished.
The largest barrier may be the cryptocurrency exchanges you or your friends utilise. For blockchain tracers, exchanges like Binance and Coinbase are dead ends. The chief of research at Convex Labs, Nick Bax, stated that while it is simple to observe that money is transmitted to an exchange like Binance, it is impossible to trace those tokens within the exchange – between different user accounts, for example — without the ability to issue orders.
To refer to exchanges like Binance as safe havens would be an overstatement. They have anti-money laundering procedures in place, some of which are effective: Binance, for instance, recovered $5.8 million in cryptocurrency that Ronin had stolen in April. However, compared to mixers like Tornado Cash, exchanges’ constraints are much more difficult for researchers like Bax to overcome.
According to Bax, “about 25% of the money placed in Tornado over a specific period of time came through the Ronin hack. It simply isn’t possible to conceal that much money in such a large anonymity pool.
The centralised exchanges, such as Coinbase, Binance, and Houbi, are a mixer unless you have subpoena authority, he continued, “but we can trace the funds in and out of Tornado.”
Bax is aware of both perspectives. He notes that the same block preventing his investigations has also prevented Russian President Vladimir Putin’s administration from tracking money delivered to Alexei Navalny, a political opponent who is currently in prison.
The drawback of North Korea’s strategy is that it demands patience and time, both of which have been expensive. For instance, the $600 million loot from the Ronin robbery has decreased in value to about $250 million over the months. However, the dictatorship has the advantage of being able to hide some of its movements. While the FBI and crypto experts can frequently state with certainty that North Korea was responsible for a specific breach, it’s less obvious who is purchasing North Korea’s cryptocurrency and for how much.
Although few details are known, it is believed that a large portion of the stolen cryptocurrency from North Korea is sold to Chinese customers. Two Chinese people were found guilty of laundering some of the $100 million North Korea took from a Hong Kong-based exchange in 2020 by the Department of Justice, but that allegation was exceptional. The aftermath of dirty crypto laundering is mainly unknown.
According to Carlsen, North Korea is not going to earn 99 cents on the dollar for their crypto. He don’t think anyone has a really firm opinion on what the actual rate is. However, the type of person who would purchase stolen bitcoin for $20 million would not do it at that price.”
Mass destruction
There is little dispute about where the proceeds from North Korea’s stolen cryptocurrency are going, despite the lack of exact information about customers. Soo Kim from Rand said, It’s going to illegal weapons programmes. It will support Kim’s opulent way of living. The Treasury has also warned that illicit cryptocurrency gains are supporting North Korea’s nuclear programme.
The political spectacle of Donald Trump’s administration served to both spotlight and cast a shade over the dangers posed by Kim’s weapons programme. But on Wednesday, a ballistic missile fired by North Korea over the island of Hokkaido served as a reminder of those dangers to more than 5 million Japanese citizens. The launch sent off Hokkaido’s air-raid warnings, and everybody watching TV was advised to seek shelter right away.
It was North Korea’s seventh launch in a week; earlier missiles had made landfall in the seas off the coasts of Japan and Korea. The Kim dictatorship has resumed a strong stance against the US and South Korea, its longtime foe, after remaining relatively quiet during the outbreak. A new rule indicating nuclear missiles would be deployed if South Korea or the US attempted to murder Kim was approved by the North Korean parliament in September.
The DPRK dictatorship refused Yoon Suk-offer yeol’s of financial incentives for Kim to denuclearize South Korea. Yo Jong, Kim’s sister, stated that Yoon “should stop his mouth” and was “still childish.”
She said, “No one trades their fate for corn cake.
The Bulletin of Atomic Scientists names North Korea as one of the probable hot spots for nuclear conflict. The Bulletin, which Albert Einstein founded after atomic bombs destroyed Hiroshima and Nagasaki, keeps track of the Doomsday Clock. Your 6 a.m. alarm is annoying, but this one is even worse: The closer to midnight the Doomsday Clock is set, the closer Bulletin experts believe we are to extinction.
It makes sense that recent nuclear war concerns have been focused on Ukraine. Putin has made more direct nuclear threats as a result of the war’s embarrassing battlefield setbacks. Iran, which is progressively increasing its nuclear capability, is another problematic nation. Iran has been subject to the same economic restrictions as North Korea. But flowing oil reserves support the Khamenei government. The way North Korea uses cryptocurrencies to get around the sanctions related to its nuclear programme is unusual.
It is believed that North Korea’s recent missile tests are in part a reaction to US Vice President Kamala Harris’ September visit to South Korea. They could be the first nuclear weapons test since September 2017, according to experts like Rand’s Soo Kim.
Some people believe it to be bluffing, and to some extent, there will be some of that, Kim added. However, if Kim [Jong Un] were not serious about utilising the weapons, he would not be parading them or flaunting them in such a public manner.
According to Kim, nuclear weapons serve as a lucrative deck of cards for North Korea. The regime has the ability to use that hand when necessary, even if it has no intention of giving up its weapons programme. Officials in Washington and Seoul are compelled to pay notice because the stakes are so high. In the meanwhile, working with China, North Korea’s largest unofficial trading partner, would be the most efficient approach to fight it. The issue, according to Soo Kim, is that China uses North Korea as a negotiating chip. It might be able to control its rowdy neighbour, but what is Washington prepared to give back?
The Doomsday Clock continues to run while this game is being played.
Educate a man in poverty
The US government’s options for stopping North Korea’s crypto heists are limited. By outlawing Tornado Cash and Blender, the Treasury Department is actively attempting to dull the laundering tools utilised by the government. More significantly, the FBI has been attempting to retrieve money that has been stolen. The FBI froze $30 million in cryptocurrency taken from Ronin in September in collaboration with blockchain analytics company Chainalysis.
In a catch-up game, Soo Kim remarked, you’re never quick enough to actually meet North Korea at the destination; instead, you’re just trailing them.
Bax from Convex Labs believes that preventing hacks from occurring in the first place is a more efficient approach. He claimed, “We always pursue the money after it has been stolen, taking a reactive manner. Criminal enterprises are reinvesting that money. Before anything happens, we must stop it. The only option is that.
Helping individuals recognise phishing assaults should be a top concern, according to Bax, who notes that North Korea specialises in phishing scams. He estimates that almost half of all crypto phishing schemes originate from North Korea. He also supports security audits that are funded by the government. Ronin’s money may have been emptied with just one engineer falling victim to phishing, but attackers only need two signatures to take $100 million from Harmony Bridge.
Significant hacks related to North Korea have decreased recently. There has been a hiring freeze as a result of the crypto winter, when the value of bitcoin and ether fell amid recession fears. Additionally, the dictatorship is still working hard to launder the money it took in the first part of the year. But the business has proven to be too profitable for North Korea to shut down.
It will take a catastrophic incident that shocks everyone for things to go very bad, and then there will be a lot of pressure to act, Carlsen added. It is a never-ending waiting game.
There will be one more on the way.
