News

Hackers working on behalf of North Korea have redoubled their efforts to siphon and launder cryptocurrency from firms in South Korea and other nations as part of a broader cybertheft operation that began by 2016, according to U.N. investigators.

In a 142-page report, the U.N. Security Council found that North Korea has devised “increasingly sophisticated” strategies for hacking into and stealing funds from banks, cryptocurrency exchanges and other financial institutions and is using a variety of methods to launder the proceeds, including dividing the spoils across thousands of payments.

The report made public Thursday notes that the country’s hacking efforts, which now primarily consist of large-scale attacks on cryptocurrency exchanges, have generated as much as $2 billion in stolen proceeds to date. A branch of the North Korean military has also sought to professionally mine, or generate, digital assets as another source of revenue, the U.N. claimed.

North Korea’s apparent cybertheft campaign spans several countries but has focused more this year has on cryptocurrency exchanges in South Korea, where hackers have targeted banks and government agencies since at least 2008.

One of those exchanges, Bithumb, has been infiltrated on at least four separate occasions since February 2017, losing an estimated $65 million in the process.

Youbit, another South Korean exchange, collapsed after losing nearly one-fifth of its assets in a similar attack in December 2017. Five other countries have also had cryptocurrency exchanges targeted by North Korea, including Bangladesh, India and Slovenia, according to the U.N.

At least 35 North Korean hacks have led to investigations, including 10 in South Korea, three in India, two in Bangladesh, two in Chile, and others in Malta, Poland, Nigeria and Vietnam, according to the U.N. The total appears to include the $81 million stolen three years ago from an account held by Bangladesh’s central bank at the Federal Reserve Bank of New York.

Between two attacks in 2017 and 2018, North Korean operatives known as the Lazarus Group tricked ATMs in more than 20 countries into dispensing vast sums of cash in just five hours, according to independent research and U.S. officials cited in the report.

“That operation required large numbers of people on the ground, which suggests extensive coordination with Democratic People’s Republic of Korea nationals working abroad and possible cooperation with organized crime,” U.N. officials concluded in the report.

After hacking into an unspecified cryptocurrency exchange last year, conspirators working on behalf of North Korea transferred funds in 5,000 separate transactions to multiple countries before converting them to conventional assets, according to the U.N., which did not disclose further details on the transactions in question.

Those transfers, which appear to be a layering technique, make it nearly impossible for a targeted cryptocurrency firm to identify the larger motive behind a portion of the transactions, a compliance officer for a cryptocurrency exchange on the West Coast told ACAMS moneylaundering.com.

There are few, if any, available typologies that are specific to North Korean efforts to launder stolen digital assets, the compliance officer said. “The scary thing about this [report] is, state actors always have greater resources and patience than your typical criminal element.”

North Korean illicit finance also intersects with more traditional financial institutions.

U.N. officials reported in March 2018 that amid a near-comprehensive ban on its access to the global banking system, North Korea has gained control of accounts in Italy, Tunisia, Austria and other countries through intermediaries who took advantage of weak compliance programs.

The impact of North Korea’s sanctions evasion was underscored again in May of this year, when U.S. prosecutors claimed in a forfeiture complaint that a bank with U.S. operations unwittingly processed at least $750,000 in maintenance costs tied to a North Korean vessel, the Wise Honest.

Contact Daniel Bethencourt at dbethencourt@acams.org