North Korean cybercriminals launched at least seven attacks against cryptocurrency platforms last year. These attacks, per blockchain analytics firm Chainalysis, netted almost $400 million worth of digital assets.

“Once North Korea gained custody of the funds, they began a careful laundering process to cover up and cash out,” the Chainalysis team said in a blog post. 

In 2020, there were only four North Korea-affiliated hacks—as opposed to 2021’s seven. The value of these hacks, per Chainlaysis, also grew by 40% between 2020 and 2021. It’s worth noting, however, that the price of Bitcoin from 2020 to 2021 itself grew by 303%, and the price of Ethereum—the second largest crypto asset by market cap—grew by 472%.

North Korea’s lucrative 2021

Per Chainalysis data, Bitcoin now accounts for less than one quarter of North Korean stolen cryptocurrency—in fact, only 20% of these stolen funds now comprise of Bitcoin when measured in dollar value.

In contrast, Ethereum makes up the vast majority of stolen funds for the Hermit Kingdom. In total, 58% of North Korea’s stolen crypto funds are now Ethereum. 

This, in turn, shines a light on exactly what North Korea does in order to launder stolen crypto funds. 

Per Chainalysis, the procedure starts by swapping Ethereum-based ERC-20 tokens and other cryptocurrencies for Ethereum (ETH) via a decentralized exchange. The Ethereum is then put through a so-called mixer, which Chainalysis described as “software tools that pool and scramble cryptocurrencies from thousands of addresses.” Those funds are then swapped for Bitcoin, mixed a second time, and consolidated into a new wallet. 

That mixed Bitcoin is then sent to deposit addresses at exchanges where crypto can be converted into a fiat currency, typically at exchanges across the Asian continent. 

This strategy is so central to North Korea’s illicit crypto empire that over 65% of the regime’s stolen funds were laundered through mixers in 2021. In 2020 and 2019, that number was only 42% and 21% respectively. 

One 2021 highlight was the August 19 hack of Liquid.com, a crypto exchange that saw 67 different ERC-20 tokens—as well as some Bitcoin and Ethereum—moved to addresses controlled by North Korean-affiliated actors. 

Lazarus Group

Lazarus Group, led by North Korea’s chief intelligence agency the Reconnaissance General Bureau, is the marquee state-backed group of cybercriminals at North Korea’s disposal. 

Knowledge of Lazarus Group hit the mainstream following North Korea’s WannaCry and Sony Pictures cyber attacks.

“From 2018 on, the group has stolen and laundered massive sums of virtual currencies every year, typically in excess of $200 million,” Chainalysis said.

Lazarus Group has also targeted KuCoin, a popular cryptocurrency exchange, making way with approximately $250 million in crypto for their efforts. 

Unlaundered funds

Chainalysis’ research has also found that $170 million worth of North Korea’s stolen cryptocurrency came from 49 separate hacks spanning 2017 to 2021. 

These funds are yet to be laundered. In fact, North Korea currently holds more than $55 million that came from attacks as far back as 2016. 

“It’s unclear why the hackers would still be sitting on these funds, but it could be that they are hoping law enforcement interest in the cases will die down, so they can cash out without being watched,” Chainlaysis said, adding that the length of time North Korea holds onto these funds “suggests a careful plan, not a desperate and hasty one.”

What next?

The vast amount of laundered and unlaundered funds in North Korea’s grasp has prompted Chainlaysis to describe North Korea as a “nation that supports cryptocurrency-enabled crime on a massive scale."

What’s more, Chainalysis has gone as far as to say North Korea’s government—through Lazarus Group or others—”has cemented itself as an advanced persistent threat to the cryptocurrency industry in 2021.” 

Despite this, the crypto analytics platform suggests the “inherent transparency of many cryptocurrencies” could provide a solution. 

“With blockchain analysis tools, compliance teams, criminal investigators, and hack victims can follow the movement of stolen funds, jump on opportunities to freeze or seize assets, and hold bad actors accountable for their crimes.”

Daily Debrief Newsletter

Start every day with the top news stories right now, plus original features, a podcast, videos and more.