North Korea is the most isolated country on the planet, but it still finds ways to steal billions of dollars
The Department of Justice said last month that North Korea has used cyberattacks to steal over $1 billion since 2015 to fund its nuclear weapons program.
Heavy sanctions, imposed by both the US and the UN, prevent North Korea from participating in the formal global economy. The regime often circumvents these sanctions, mostly through secretive ship-to-ship transfers of luxury goods, chemicals, and coal, which is North Korea’s primary export.
North Korea’s nuclear program is essential to the Kim regime, and it devotes all the resources it can to increasing and improving its arsenal. The rise of digital currencies has created new opportunities to acquire funds for that effort.
To understand how the regime perpetrates financial crimes online and the threat it poses, Insider spoke with Jason Bartlett of the Center for a New American Security.
Insider: Let’s start with an overview of how North Korea avoids sanctions. In my mind, there are three main ways: through traditional overland means, hacking, and cryptocurrency.
Jason Bartlett: Over the years we’ve seen a heavier focus on cyber-enabled financial crime that benefits North Korea’s nuclear weapons.
That includes hacking of cryptocurrencies like Bitcoin and more distribution of malware. There was the WannaCry cyber attack, there was the online bank heist in 2016 of a Bangladesh bank. South Korea experiences numerous cyber attacks against its ATMs and other financial institutions.
What we’ve seen in recent years is that North Korea has been upping the ante of its targets. The leaked FinCEN files from 2020 indicated that North Korea was able to launder money through the US financial system.
We’re also seeing reports coming out that North Korea may have been able to hack cryptocurrency through DeFi, decentralized finance platforms, which is a new field for them.
Insider: Has the proportion of sanctions evasions through online means, compared to overland and ship-to-ship transfers, increased recently, especially after coronavirus?
Bartlett: Time will tell. One of the issues with cybercrime is it is very high gains with low risk, because it is hard to be detected, as we see with some of the most high-profile attacks. The SolarWinds attack, allegedly by Russia, we found out about that very late, so there might be other hacks that North Korea has already been doing that we’re unaware of.
I would not be surprised if we see that there has been an increase in North Korean state-sponsored cybercrime during coronavirus. One, because of the original track that North Korea was making already with increased online activity, increased cyber-enabled financial crime. Just because of the nature of the world today there are more financial transactions, more people are shifting to conducting their business online, and more financial institutions and services are adopting Bitcoin and other cryptocurrencies.
But I’m sure that this shift has also been heavily contributed [to] by coronavirus in terms of people relying more on virtual transactions and digital currencies.
Insider: How does North Korea target crypto exchanges?
Bartlett: As far as we know, North Korea has several different cyber-crime forces within its intelligence bureaus. There’s the Lazarus group, and there’s sub-units within that. Some are just cyber, and some within the cyber field focus more on things like espionage, compared to petty financial crime. We don’t know exactly which groups are primarily responsible for which ones — we have ideas.
When it comes to smaller transactions, there are so many loopholes in the cryptocurrency exchanges, and in DeFi because it is not regulated. These transactions never go through human hands or human scrutiny. Everything is automated. If you’re able to break into that system, and you’re able to manipulate the currency price, which is what North Korea allegedly did recently, then you’re able to hack as many of these transactions as you like, and you can raise and lower the price of the cryptocurrency that you’re using to get as much money as possible.
The thing with smaller transactions is that it typically can be easier to steal, because there might not be as many eyes on it, as opposed to some large exchange in New York, or in Bangladesh, or South Korea … if you’re targeting hundreds and hundreds or even thousands of smaller transactions that are all happening at the same time, and then you’re able to just shift the currency as you’re hacking it for money laundering, it’s a very successful way to hack a lot of money at the same time while keeping it below a notification threshold, which is what North Korea tends to be doing.
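The “below a notification threshold” pattern Bartlett describes is what AML teams call structuring, and it is detectable from the ledger side. This added example (not code from the original article or from anyone quoted in it) aggregates sub-threshold transfers per source account over a sliding window and flags clusters whose sum reaches the threshold; the threshold, window, cluster size and the ledger lines are all constructed, hypothetical values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical values: a per-transfer reporting threshold, the window over
# which sub-threshold transfers are aggregated, and the minimum cluster size.
REPORT_THRESHOLD = 10_000.0
WINDOW = timedelta(hours=24)
MIN_COUNT = 5

# Constructed sample ledger (not real data): timestamp,source_account,amount_usd
SAMPLE_LEDGER = """\
2021-03-01T09:00:00,acct-A,2400.00
2021-03-01T09:35:00,acct-A,2400.00
2021-03-01T10:10:00,acct-A,2400.00
2021-03-01T12:45:00,acct-A,2400.00
2021-03-01T15:20:00,acct-A,2400.00
2021-03-01T09:10:00,acct-B,2400.00
2021-03-01T11:00:00,acct-B,2400.00
2021-03-01T14:00:00,acct-C,12000.00
"""

def parse_ledger(text):
    """Parse CSV ledger lines into (timestamp, source, amount) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, amt = line.split(",")
        records.append((datetime.fromisoformat(ts), src, float(amt)))
    return records

def find_structuring(records, threshold=REPORT_THRESHOLD, window=WINDOW, min_count=MIN_COUNT):
    """Return {source: largest aggregated amount} for sources whose sub-threshold
    transfers, summed over any sliding window, reach the reporting threshold."""
    by_source = defaultdict(list)
    for ts, src, amt in records:
        if amt < threshold:  # above-threshold transfers are reported on their own
            by_source[src].append((ts, amt))
    alerts = {}
    for src, txs in by_source.items():
        txs.sort()
        start = 0
        for end in range(len(txs)):
            while txs[end][0] - txs[start][0] > window:
                start += 1  # slide the window forward past stale transfers
            cluster = txs[start:end + 1]
            total = sum(a for _, a in cluster)
            if len(cluster) >= min_count and total >= threshold:
                alerts[src] = max(alerts.get(src, 0.0), total)
    return alerts
```

acct-A is flagged (five transfers, 12,000 in total, all inside one day); acct-B has too few transfers and acct-C’s single transfer is above the threshold, so neither is a structuring alert.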
Insider: How successful is North Korea with this?
Bartlett: They’re successful usually in the hack itself. With North Korea what tends to be more impressive is its money-laundering ability. Just because they hack a certain amount of money doesn’t necessarily mean they will have access to all of that. Sometimes we’re able to freeze the assets, [and] we’re able to get the exchange back.
So if North Korea were to steal $3 million in cryptocurrency, it doesn’t necessarily mean that they’ll then be able to turn that into $3 million of cash that they can use for weapons. It needs to go through money laundering, and that’s when the signals can be more detectable. North Korea has gotten significantly better. It’s also received help from abroad. We have the case of the two Chinese nationals that were offering professional money laundering services on behalf of North Korea.
North Korea has incredibly sophisticated hacking techniques, but as a country in itself, economically and technologically, it is not advanced, yet it’s able to perform all these tasks. It’s very impressive, especially when it’s targeting more technologically advanced nations such as the US, the UK, and South Korea.
Insider: In what ways do other countries support these North Korean efforts?
Bartlett: This is also a developing field, but China has had a history of hosting North Korean hackers and hacking groups. There were several hotels in China allegedly hosting North Korean hackers until recently. They were apparently closed down and the hackers were repatriated. But that’s very difficult to check. China doesn’t necessarily abide by all the UN and US resolutions, especially the ones regarding North Korean sanctions.
Russia and China also have a history of evading sanctions targeting North Korean workers abroad. North Koreans have been able to circumvent sanctions, specifically a US resolution that took effect in December 2019 that required UN member states to repatriate all North Korean workers back to their country due to findings that their earnings were going to the nuclear development program.
But recent UN panels, expert reports have shown that these IT workers are still very active in China and Russia. And in the case of the WannaCry attack, there was a North Korean hacker, Park Jin Hyok, who worked in an IT company in China while he was also conducting these cyberattacks against the UK, the US, and various other nations on behalf of North Korea.
There’s also talk of technology exchange. Prior to Covid, there was a lot of student exchange between China and Russia, which obviously doesn’t necessarily mean that there will be information-sharing, but we see [it] at very high-level science and technology universities. China and Russia have a history of providing North Korea with technological infrastructure, internet connection, so there’s both direct and indirect facilitation.
Insider: How do we go from cryptocurrency to, for example, mid-range nuclear missiles?
Bartlett: Just because they hack a very substantial amount of cryptocurrency doesn’t mean they get all the cash. Typically, they’ll turn it into Bitcoin or very commonly used, commonly transacted cryptocurrency. Then they’re able to transfer that into funds, and then they take those funds out and it’s cash.
And from that money, after they go through different money-laundering services — which is basically a way of changing the currency and changing the tracking so that it’s harder to tell where the money’s coming from, where it’s going to, what currency is being used — they’re able to go through exchanges and withdraw that money in cash. Then they’re able to purchase nuclear weapons, pay off other countries or companies that are either helping ship their coal, helping ship some technology to them, or helping ship different parts or chemicals, and pay for overseas exchange.
There are also luxury goods, we see that a lot with Kim Jong Un having these, I think they’re some form of a white stallion, Mercedes-Benz, and things like that. It’s not just unique to North Korea. There are also countries in Latin America and across the world that hide funds from money laundering in luxury goods that they’re able to keep and then sell.
I believe sometime last year, the Treasury issued one of its first statements about a North Korean art exhibit, and how some of this money that they were receiving for this art exhibit was then being used for its nuclear weapons, or they were hiding money in very expensive art. So it’s a way of holding onto a reserve, and you can just sell this when you need more funds.
Insider: How are nations like the US, the UK, and the Five Eyes tracking these projects and these crimes?
Bartlett: The Treasury Department — so FinCEN — as well as the Department of Justice, have been working very hard to track the efforts and, for example, to issue charges against North Korean or other nationals that are supporting North Korea’s cyber-enabled financial crime. It’s very difficult, because cyber crime is directly connected to North Korea’s intelligence bureau and its nuclear development program, to know just how sophisticated and just how successful it is.
It’s unique in that it’s one of the only cyber programs in the world whose main goal is not necessarily espionage — that’s only one of them. It’s more about funds for its nuclear program, because nuclear development is a key aspect of North Korea’s political identity.
I think there is starting to be more conversation regarding cyber within the counterproliferation field in the United States. It’s a little overdue, but it’s definitely a step in the right direction. I think, before then, it was separated, or maybe North Korea wasn’t taken as seriously because there are cyber giants, like China and Russia, that have done successful election intervention and espionage attacks. But stealing money to build up nuclear weapons is a grave national-security concern … I think now [the] US government is beginning to get more research to focus on that field.
The private sector has continued to be very vigilant of North Korean cyber crime. They tend to also be a large target of it. Hopefully now, with this new presidency and a seemingly strong focus on cyber following the SolarWinds hack, following even the GameStop scandal, I think that’s something that the US government is going to be incredibly aware of and how important but how fragile and easy to manipulate virtual currencies can be if they don’t have the proper regulations and if there’s not proper consensus on how these transactions should be conducted.
Insider: How do we keep crypto out of the hands of malicious actors?
Bartlett: I think there needs to be a greater consensus of not just the threat but what resources we already have available to us. I’m not exactly sure how informed cryptocurrency exchanges and companies are of what resources they have available to them … The government and private sector need to come up with a stronger framework to train each other.
Training that financial institutions and banks that work with fiat currency have for anti-money laundering and hacking — I’m not exactly sure if cryptocurrency companies receive that same level of training, in terms of red-flag indicators of financial crime or suspicious activity, how to report, how to freeze, how to track. That would be the first thing, more of an assessment of what do you know, what can you do?
One of the bigger issues is compliance, having not just US companies but also foreign companies being compliant. If US companies are compliant with law, then North Korean actors and other illicit actors will just go to countries and regions that aren’t or don’t have the legal framework.
Once we establish our own protocols and our own way of doing things, and strengthen our own collaboration with the private sector, then we can export that knowledge, not just to our common actors in the Five Eyes but also to countries predominantly in Southeast Asia where there are a lot of North Korean hackers. I think it’ll be very difficult to persuade China and Russia to abide by UN and US sanctions, especially cyber, because you have plausible deniability.
Insider: Is there anything we’re doing in terms of retaliation?
Bartlett: A cyberattack against Russia’s online infrastructure in retaliation to SolarWinds, or in retaliation against China — and I’m not condoning this — I’m just saying that attacks like that would typically be a little bit more plausible because the countries are connected to the internet.
That’s not the case for North Korea. North Korea has an intranet; only select individuals, typically in Pyongyang, have access to this intranet and cell phones.
So, a direct attack on North Korea’s internet infrastructure won’t really have the same effect that it would on us. That’s not to say it wouldn’t have any effect, but it wouldn’t be as strong as it could against other countries. I think the majority of our retaliation efforts tend to be more of freezing funds and freezing assets, which then ultimately affect the economy, making it harder for North Korea to divest more resources into expanding its cyber crime.
Insider: It seems like North Korea is always working to stay a little bit ahead of sanctions, so assuming that regulations come in under this administration and security is much tighter, how are they going to get around that?
Bartlett: For the past couple years, the US has been playing catch-up with cyber crime, as opposed to “build up against,” so I’m very realistically optimistic in that now, because we have seen, over the years, that the various targets — so, not just North Korean, but Russian and Chinese actors — have on our cyberspace. It ranges from our financial institutions to the security of our citizens and our government, and this is a major threat.
And I think that COVID, because of the shift to more online transactions, more virtual interactions, more widespread adoption of virtual currencies as legitimate forms of payment, there will continue to be a large increase in North Korean cyber crime.
I’m not exactly sure how it will be possible for us to be more ahead of them, because this is a national initiative of North Korea … nuclear weapons, sanctions evasion, and cyber, because it’s high gains with very, very low risk, easy plausible deniability, and you can receive an enormous amount of funds very, very quickly, relatively easily. So I think the next step for us is to really re-evaluate our cyber strategy in general, and our cybersecurity — what does cybersecurity really mean for the US …
On the DeFi platform, that is most likely going to be a new field that will have a high level of risk, because there is no human interaction, there’s no regulation, and it’s not surprising that North Korea has already started to exploit that, but it is shocking that they’re able to do so.
And it shows that North Korea’s also thinking ahead, so I wouldn’t be surprised if, in the coming months, there is at least talk of ways to introduce legislation or ways to regulate the DeFi platform, or try to have more coordination with the private sector and with the cryptocurrency companies. In terms of DeFi, in terms of SolarWinds, and as well as GameStop, I’m sure that now the US government is realizing that this is a major threat that we have to address now, because these illicit actors have already begun to exploit this.
This interview was edited and condensed for clarity.
Article credit: https://www.businessinsider.com/how-north-korea-uses-hacking-and-cryptocurrency-to-avoid-sanctions-2021-3?r=US&IR=T