How Hackers Stole Billions in Crypto to Keep North Korea's Regime Afloat -- WSJ
By Patricia Kowsmann in Singapore and Timothy W. Martin in Seoul
At 11:49 a.m. on July 18, North Korean hackers pounced on a major cryptocurrency exchange handling hundreds of millions of dollars.
The hackers slipped into the exchange's virtual vault, took control and then started pilfering cryptocurrency tokens. Within a little more than an hour, the hackers had disappeared -- and with them, more than $200 million for the Kim Jong Un regime.
The shocking theft at WazirX, India's largest cryptocurrency exchange, along with several other major recent heists, has made it clear: North Korea is now the world's most dangerous crypto thief.
It has swiped more than $6 billion in cryptocurrency over the past decade -- a sum so large that no one else compares.
The country's hackers are both patient and brazen, according to investigators. To get into companies' computers, they comb through employees' Facebook and Instagram pages and invent tailor-made stories to trick them into clicking on links with viruses. Some North Korean hackers have even become employees themselves, fooling U.S. companies into hiring them as remote IT workers and gaining access to their networks.
After grabbing their bounty, North Korean hackers are masters at escaping. At WazirX, investigators believe they used algorithms to spread funds through global crypto networks faster than any human could, making it almost impossible for authorities to catch up. Once the crypto is dispersed, North Koreans often lie low until investigators lose interest and move on, waiting months or years to convert their haul into traditional money that can be spent.
"North Korean hackers are playing a different game than anyone else," said Nick Carlsen, a former Federal Bureau of Investigation analyst who is now an investigator at TRM Labs, a blockchain-analytics firm.
Pyongyang's crowning achievement came in February with a $1.5 billion raid of Bybit, one of the world's biggest cryptocurrency exchanges, in the largest-ever such heist. That followed several hackings in 2024, when North Korea stole more than $6 out of every $10 lost by the cryptocurrency industry, according to Chainalysis, which tracks crypto theft.
The illicit money helps fund the Kim regime's nuclear program and prop up the country's sanctions-strapped economy.
North Korea's success reflects the major resources dedicated to the task. The regime commands more than 8,000 hackers as though they were in a military unit, with the country's brightest minds. State support means its hackers can wait months or years to exploit a single slip in a company's digital security. Pyongyang's desperation for cash, and its lack of concern for diplomatic blowback, have fueled its drive to be better than anyone else.
"The North Koreans are very pragmatic and just want to get things done -- that's what makes them special," said Joon Kim, owner of Seoul-based Naru Security, which works with South Korea's intelligence agency and national police on cyber issues.
Pyongyang hasn't commented publicly about the latest crypto hackings. It has denied involvement in other cyber offensives in the past, which U.S. authorities said included the 2014 email hack of Sony Pictures Entertainment, 2016's theft of $81 million from Bangladesh's central bank and the WannaCry ransomware attack in 2017.
U.S. officials and private investigators said North Koreans leave behind digital crumbs making it clear they are the culprits, including familiar malware code and crypto wallets that were reused from prior heists attributed to Pyongyang.
Anatomy of a theft
The theft from WazirX, the Indian crypto exchange, showcased many of North Korea's go-to moves.
At the time, company officers were conducting a routine operation: moving $625,000 in crypto from a WazirX "cold wallet," a digital vault where exchanges keep their reserves, to a so-called "hot wallet," used to fulfill client transactions and withdrawals.
The transfer required three WazirX officials and an external service provider to sign off. Once those approvals were done, North Koreans somehow took control of the cold wallet and drained all the money in it -- more than $200 million -- and dispersed it without being caught.
It worked like this:
With almost half of its assets gone, WazirX had to shut down its exchange. Only around $3 million of the stolen crypto has been frozen, in this case by Tether, the company that issues a cryptocurrency bearing its own name. A representative for WazirX said it is trying to maximize recovery for users and reactivate its platform as quickly as possible.
The Wall Street Journal wasn't able to determine how the North Koreans got access to WazirX's cold wallet or modified the necessary approvals to take control.
But it was clear they were highly skilled. The North Koreans used more than 400 transactions -- all in a little over an hour -- to move WazirX crypto tokens to a wallet they controlled, suggesting the use of automation, according to Benedict Hamilton, a managing director at Kroll, the firm WazirX hired to help trace the funds and restructure its debt.
Most of the funds have likely already been converted to cash, Hamilton said.
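As an added example, not code from the article, WazirX or Kroll, the following Python flags the two signals the investigators describe on a constructed transfer log: a burst of outbound transfers from a reserve ("cold") wallet far faster than a human approval flow produces, and a destination that appears on a list of wallets attributed to earlier incidents. The addresses, timestamps, amounts, alert thresholds and the log format are all assumptions made for the example.

```python
"""Two cheap monitoring signals for an exchange's reserve wallet, run over a
constructed transfer log: an outbound-velocity check and a match against a
hypothetical list of previously attributed wallets. Nothing here is real data."""
from collections import deque
from datetime import datetime, timedelta

# Hypothetical wallet addresses (placeholders, not real on-chain addresses).
COLD = "0xC0LD000000000000000000000000000000000001"      # reserve wallet
HOT = "0xH0T0000000000000000000000000000000000002"       # hot wallet for withdrawals
ATTACKER = "0xBAD0000000000000000000000000000000000003"  # consolidation wallet

# Hypothetical addresses attributed to earlier incidents. In practice this list
# would come from an analytics vendor or published indicators, not be hard-coded.
KNOWN_ATTRIBUTED = {ATTACKER.lower()}


def make_sample_log():
    """Constructed log lines in an assumed CSV shape: iso-timestamp,from,to,asset,amount.
    One routine top-up of the hot wallet, then 400 automated drain transfers
    spaced ten seconds apart (about 67 minutes in total)."""
    start = datetime(2024, 7, 18, 11, 49)
    lines = [f"{(start - timedelta(hours=3)).isoformat()},{COLD},{HOT},USDT,625000"]
    for i in range(400):
        ts = start + timedelta(seconds=i * 10)
        lines.append(f"{ts.isoformat()},{COLD},{ATTACKER},SHIB,{1000 + i}")
    return lines


def parse_log(lines):
    """Parse log lines into (timestamp, from, to, asset, amount), sorted by time.
    Addresses are lower-cased so mixed-case copies of one address compare equal."""
    out = []
    for line in lines:
        ts, src, dst, asset, amount = line.split(",")
        out.append((datetime.fromisoformat(ts), src.lower(), dst.lower(), asset, float(amount)))
    return sorted(out)


def burst_alerts(transfers, wallet, window=timedelta(minutes=10), threshold=20):
    """Return the timestamp at which `wallet` first exceeds `threshold` outbound
    transfers inside a sliding `window`, or None. A reserve wallet is expected to
    move rarely, so a sliding-window count is a simple first signal; thresholds
    here are assumptions and would be tuned to the exchange's normal traffic."""
    recent = deque()
    for ts, src, _dst, _asset, _amount in transfers:
        if src != wallet.lower():
            continue
        recent.append(ts)
        while recent and ts - recent[0] > window:
            recent.popleft()
        if len(recent) > threshold:
            return ts
    return None


def attributed_destinations(transfers, known):
    """Destinations in the log that match the attributed-wallet list."""
    return sorted({dst for _, _, dst, _, _ in transfers if dst in known})


if __name__ == "__main__":
    txs = parse_log(make_sample_log())
    print("burst starts at:", burst_alerts(txs, COLD))
    print("destinations matching prior attribution:",
          attributed_destinations(txs, KNOWN_ATTRIBUTED))
```

On the constructed log the velocity check fires at the 21st transfer, a few minutes into the drain, long before the 400th; the attribution match is independent of timing and would still flag a slow drain to a known wallet.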
'Computer wars'
North Korea spent decades cultivating its elite hacking capabilities, with the current dictator's late father, Kim Jong Il, once professing, "All wars in future years will be computer wars."
The country's cyber-attacking operation, according to South Korean officials, comprises six groups and roughly a dozen supporting organizations.
Youths who show aptitude for math and science are quickly enlisted for training. Cyber operatives do little other than work on improving their skills, and are subject to physical punishment, said Elma Duval, a co-author of a report by PScore, a Seoul-based advocacy group that interviewed former North Korean IT workers. Still, they live more comfortably than most North Koreans.
The reason for North Korea's focus is obvious: It needs roughly $6 billion a year to fund its various government activities, South Korea's spy agency has said, including hundreds of millions of dollars estimated to be earmarked for its nuclear program.
International sanctions have limited North Korea's take from its traditional cash cows, including arms sales, coal smuggling and overseas labor. Crypto theft offers a low-risk way for Pyongyang to fill its coffers, said Eric Penton-Voak, who served as coordinator of the U.N. panel overseeing sanctions enforcement of North Korea from 2021 to 2023.
"North Korea has to pay more for everything, so they have to steal more than anyone else," he said. "It's very expensive to be a sanctioned country."
IT warriors
The country's expanding cyber-theft capabilities are especially worrisome to global regulators because they coincide with an explosion of consumer interest in crypto.
In September, the FBI issued a warning that North Korean hackers were conducting research on companies associated with exchange-traded funds that hold crypto instead of stocks. This corner of the financial market attracted around $37 billion in net inflows last year, from everyday U.S. investors to such giants as BlackRock and Fidelity Investments.
The FBI added that North Korea is using difficult-to-detect phishing campaigns featuring advanced malware. The hackers often target people working in the crypto industry and look for details about them on social media and websites. They then customize fictional scenarios that appeal to their victims, such as job offers or investment opportunities, the agency said.
Once the victims click on shared links for virtual calls or job applications, the hackers gain access to systems, potentially enabling them to tap users' crypto.
In December, a U.S. court indicted 14 North Korean nationals for allegedly using false, stolen or borrowed identities of U.S. citizens to get remote jobs at U.S. companies and nonprofit organizations. North Koreans involved in the campaign, who referred to themselves as "IT warriors," allegedly pocketed at least $88 million in salaries for the Kim regime, and got access to the companies' computer networks. Several crypto firms have fallen prey to North Koreans who pose as job candidates, according to industry insiders.
"The sense we get is that North Korean hackers are increasingly around us," said Ben Turner, head of engineering at Cloudburst Technologies, a crypto intelligence data firm.