The Korea Herald


Game of mouse and cat: why war on NK hacking is still losing battle

Combating NK hackers on decentralized, deregulated cyber space is mission impossible, but a few things can be done as deterrence, experts say

By Ji Da-gyum

Published : Dec. 19, 2022 - 15:12

    • Link copied

This is the final installment of a three-part series shedding light on North Korea’s cryptocurrency thefts and their links to the hermit regime’s nuclear ambitions. -- Ed.

The financially-isolated North Korean regime is behind one of the biggest cryptocurrency heists of all time. The North Korean state-run Lazarus Group, for instance, stealthily raked in hundreds of millions of dollars with only one cryptocurrency theft this year which appears to be directly linked to their astronomical spending on nuclear missile development.

But are there ways to stop North Korean hackers? Experts remain gloomy.

“Stopping cyberattacks is impossible. Every cyber threat actor is strongly motivated. They fully understand what kind of benefits they can acquire through cyberattacks,” Park Seong-su, lead security researcher of Kaspersky’s Global Research and Analysis Team, told The Korea Herald. “Although we can’t stop cyberattacks, we should do our best to slow down and minimize the cyber threat.”

North Korean hackers will be persistent because they have a strong, shared goal.

“North Korea has a clear goal: to generate funds and foreign currencies for the regime and missile and nuclear programs. North Korea leaves no stone unturned to that end,” said Moon Jong-hyun, director at South Korean cybersecurity firm EST Security. “As long as Kim Jong-un is alive and North Korea needs funds for the regime’s ruling, the country will continue to hack and steal cryptocurrencies routinely.”

There are countries that conduct state-sponsored, systemic cyberattacks such as China and Russia. North Korea is known to be the only country in the world that supports cyber hacking against financial institutions to earn foreign currencies, Moon explained.

“As long as cryptocurrency remains opaque and the survival of the regime rests on asymmetric capabilities, North Korea is likely to continue exploiting the murky regulatory landscape to make gains,” said Millie Kim, a researcher with the North Korea Cyber Working Group, an initiative of the Korea Project at Harvard University’s Belfer Center for Science and International Affairs.

“North Korea has little to lose and much to gain from a loosely regulated market, especially as cryptocurrency can purchase increasingly more goods and services.”

But Moon said that it would be almost impossible to “thoroughly block North Korea from earning foreign currency” through cryptocurrency theft in light of the decentralized nature of blockchain which enables the existence of cryptocurrency.

“Blockchain is not supposed to be under control. Putting blockchain in control is such an oxymoron,” Moon said. “If we understand the system and structure of blockchain infrastructure, we can easily come to realize why North Korea has conducted cyber-enabled crimes, especially on blockchain platforms.”

In a nutshell, North Korean hackers have exploited the decentralized structure of blockchain that ensures that cryptocurrency exists outside of the control of central governments and financial authorities and no single individual or entity has control of cryptocurrency.

“Right now what we’re seeing is a cat-and-mouse game between US investigators and the North Korean hackers,” said Jean Lee, a fellow at the Wilson Center in Washington and a co-host of the “Lazarus Heist” podcast from the BBC World Service.

“US Treasury sanctions are designed to stop and disrupt the North Koreans from stealing cryptocurrency and converting it into hard currency but authorities have acknowledged that the Lazarus Group of North Korean hackers has already made off with hundreds of millions of US dollars in cryptocurrency this year alone,” Lee added.

Preemptive deterrance
To deter hacking attacks, experts underscored that cryptocurrency markets should improve cybersecurity maturity and cyber defenses.

Erin Plante, vice president of investigations at New York-headquartered Chainalysis, said that “hackers are always looking for the newest and most vulnerable services to attack,” citing increasing attacks on DeFi protocols including cross-chain bridges as an example.

“Cryptocurrency services – including but not limited to bridges – should invest in security measures and training,” Plante said. “For example, with North Korean-linked hackers in particular, sophisticated social engineering tactics that take advantage of the trusting and carelessness of human nature to gain access to corporate networks has long been a favored attack vector. Teams should be trained on these risks and warning signs.”

Echoing this view, Nick Carlsen, a blockchain analyst at TRM Labs and a former FBI analyst, underlined the importance of preemptively deterring North Korea’s cryptocurrency theft rather than responding to it.

Carlsen assessed that the US Treasury Department’s sanctioning of two cryptocurrency mixers was a “preemptive step.” A cryptocurrency mixer is a software tool that pools and scrambles cryptocurrencies from thousands of addresses to obfuscate and conceal the flow of transactions.

The US Treasury Department sanctioned two decentralized, non-custodial cryptocurrency mixers, and Tornado Cash, for providing mixer services to the North Korean state-sponsored Lazarus Group respectively in May and August. The Lazarus Group was notably accused of using Tornado Cash and to respectively process over $455 million and $20.5 million illicit proceeds from the Ronin Bridge heist netting $625 million in March.

(123rf) (123rf)
Claw back
After two designations, the US also seized over $30 million worth of cryptocurrency stolen by the Lazarus Group from the Ronin Bridge, Chainalysis said in September, adding it marks the first such case.

Carlsen underscored that the US and international regulators should focus on clawing back stolen cryptocurrency.

“The big technique is to limit the ability to launder and cash out stolen funds. Cryptocurrency thefts are inevitable due to their nature, but if North Korea can’t extract (the money), it doesn’t do them any good,” said Dr. Nicholas Weaver, a senior researcher at the nonprofit International Computer Science Institute in Berkeley, California.

“That is why the OFAC sanctions on Tornado Cash and other such systems are important, they don’t stop the theft but if you stop the ability to profit then North Korea won’t bother with the thieving anymore,” he added, referring to the Office of Foreign Assets Control of the US Treasury Department, which administers and enforces US economic and trade sanctions.

Moon from EST Security pointed out that regulators and blockchain companies should take it a step further from blockchain and cryptocurrency forensics in tracking down cryptocurrency transactions and cryptocurrency criminals.

Moon suggested the idea of the public and private sectors working together to track down North Korean agents and their fake identities used for cryptocurrency heists and build databases. The repository of personal information will enable investigators to unearth and track cryptocurrency wallets which North Korean hackers possessed with fake identities.

Punitive steps
Bruce Klingner, a senior research fellow at the Heritage Foundation, pointed out that “there have been very few United Nations or US sanctions imposed or legal actions taken against North Korean cyber groups.”

“The US should fully enforce existing laws and assess whether additional legislative and executive actions are needed, including enhanced regulations of cryptocurrency exchanges,” Klingner said. “Washington should determine a range of punitive steps, both cyber and kinetic, for responding to attacks deemed detrimental to national security.”

Eric Penton-Voak, a coordinator at the UN Security Council’s Panel of Experts which monitors the enforcement of sanctions on North Korea, also elucidated in April that UNSC sanctions resolutions have not established any provisions that forbid cryptocurrency theft.

Annie Fixler, deputy director of the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies, underscored that “preventing North Korea’s malicious cyber activity also requires escalating economic penalties against the financial and digital networks that help North Korean hackers launder stolen cryptocurrencies and other funds.”

“To prevent, mitigate, and thwart North Korean crypto heists requires a combination of better cyber defense from companies themselves as well as better collaboration between the cryptocurrency ecosystem and law enforcement and financial regulators. These two steps will help strengthen security and block that ability of hackers to launch these attacks,” Fixler said.

International collaboration
Intergovernmental and cross-sector coordination is essential to map out strategies for stopping North Korea’s cryptocurrency robberies, according to experts. Coordination is also needed to outstrip hackers who seek to develop their techniques and tactics to outpace regulations and security in cryptocurrency markets.

Joe Dobson, senior principal analyst at Mandiant based in Virginia, underscored that “tackling North Korea’s cyber crime activities will require a multi-pronged effort.”

“Communication and collaboration between governments, cyber threat intelligence teams, and cryptocurrency communities/companies will go a long way at the strategic level.”

For instance, South Korea and the US have stepped up efforts to deter and stop North Korea from exploiting cryptocurrency.

“It may be a long time before we see international regulation of cryptocurrency, but in the meantime, governments such as South Korea and the United States need to work together by sharing information and pursuing a joint strategy on how to disrupt, slow and stop the Lazarus Group,” Lee from the Wilson Center said.

South Korea and the US had the first and second working group meetings on North Korean cyber threats in August and November. The two countries discussed policy coordination and strategies to address North Korea’s malicious cyber activities, including cryptocurrency heists and laundering. They also held a joint symposium on countering North Korean threats to cryptocurrency exchanges in Seoul in November, where government officials from 16 countries and around 200 personnel from cryptocurrency exchanges, blockchain companies and think tanks.

“Hackers will always be one step ahead when it comes to exploiting emerging blockchain technology,” Allison Owen, a research analyst at the London-based Royal United Services Institute, said. “To slow this process, it is up to public and private sectors to work together to identify gaps and adapt risk mitigation strategies.”

Experts underscored that governments and cybersecurity and cryptocurrency-related companies should carry out long-term, multi-pronged strategies to address hidden and systemic risks inherent in cryptocurrency markets and blockchain platforms.

“In the long run, North Korea may seek to leverage emerging technologies such as artificial intelligence to augment cyber operations targeting cryptocurrency exchanges. While distant and uncertain, this would further complicate the detection and mitigation of state-sponsored crypto heists,” Kim from Harvard University’s Belfer Center said.

“It is critical for key actors in both the public and private sectors, including banks, crypto exchanges and intergovernmental organizations, to discuss and develop a security framework for crypto that can parallel the rigor and posture taken by traditional financial institutions.”