Report: North Korea Seeks Bitcoins to Bypass Sanctions

JP Morgan Chief Slams Bitcoin as Fit Only for Drug Dealers, Murderers, Regimes
Report: North Korea Seeks Bitcoins to Bypass Sanctions
North Korean leader Kim Jong-un, pictured earlier this month. (Photo: KCNA)

The government of North Korea has been turning to bitcoin exchange heists and cryptocurrency mining to evade sanctions and fund the regime, security experts say.

See Also: Addressing the Identity Risk Factor in the Age of 'Need It Now'

Observers have reported that recent cryptocurrency heists appear to tie to the Pyongyang-based government of North Korea, officially known as the Democratic People's Republic of Korea, which is led by Kim Jong-un.

"Since May 2017, we have observed North Korean actors target at least three South Korean cryptocurrency exchanges with the suspected intent of stealing funds," Luke McNamara, a threat researcher at cybersecurity firm FireEye, says in a blog post.

"The spear-phishing we have observed in these cases often targets personal email accounts of employees at digital currency exchanges, frequently using tax-themed lures and deploying malware - Peachpit and similar variants - linked to North Korean actors suspected to be responsible for intrusions into global banks in 2016," he adds.

Peachpit is a backdoor used to give attackers persistent access to a system. FireEye has previously reported that Peachpit has appeared in a limited number of attacks, which suggests that rather than being sold on underground sites, whichever attack group that developed the tool uses it exclusively. And the malware has been previously seen in attacks tied to North Korea.

The cryptocurrency-targeting attack assessment by FireEye's McNamara mirrors a report, released in August, that said at least one or two South Korean digital currency exchanges had been targeted by North Korea. Simon Choi, an official at South Korea's Cyber Warfare Intelligence Center, told Radio Free Asia - a non-profit Eastern Asian news agency - that the attacks used phishing emails to fool victims into executing a type of malware that had been seen in previous attacks tied to North Korea.

It was "not only one or two exchanges where attack attempts have been made," Choi told RFA. "Startups that use blockchain, financial technology sector companies as well as others may have [also] been the target."

North Korean Heists

If Pyongyang is attempting to steal bitcoins, it wouldn't be the first time the regime has tried to bolster its coffers via illegal means. Indeed, DPRK watchers say the country continues to seek new ways to bolster its GDP and fund the regime, following years of sanctions by numerous countries as well as the EU and United Nations.

Current UN sanctions, for example, prohibit member states from selling coal, minerals, aviation fuel, jet fuel or rocket fuel to the DPRK. In addition, the sanctions require many DPRK individuals' and organizations' offshore holdings to be frozen and prohibit UN members from doing any banking business or maintaining any banking subsidiaries in the country. And this month, the UN Security Council agreed on new sanctions following DPRK's Sept. 3 nuclear test, including banning textile exports - worth on average $760 million per year over the past three years - as well as capping the amount of crude oil the country is allowed to import.

North Korea has already been tied to attacks against banks and attempts to subvert the SWIFT interbank messaging system, including the attempted theft of $1 billion in February 2016 from the central bank of Bangladesh (see Report: DOJ Sees Bangladesh Heist Tie to North Korea).

Following increased sanctions on the nation, furthermore, threat intelligence firm Cybereason has warned that the regime will likely authorize a greater number of online heist attempts and potentially also wreak a bit of havoc.

"Banking, financial institutions and currency exchanges are likely to see a steady increase in malicious and sophisticated intrusion attempts," Cybereason said in a recent report. "They will likely be focused on institutions in South Korea, the United States and Japan (to add a little political flavor to the currency generation). However, we could see the uptick also happen in countries where network security is largely weak - parts of South and Southeast Asia, the Baltics and potentially even parts of Africa."

Bitcoin 'Is a Fraud'

North Korea isn't the only government that has been paying more attention to cryptocurrencies as a potential source of revenue, especially as the value of a bitcoin earlier this month hit an all-time high of $5,000.

"As bitcoin and other cryptocurrencies have increased in value in the last year, nation-states are beginning to take notice," FireEye's McNamara says. "Recently, an adviser to President Putin in Russia announced plans to raise funds to increase Russia's share of bitcoin mining, and senators in Australia's parliament have proposed developing their own national cryptocurrency."

Bitcoin (USD) Price

A bitcoin's dollar value, shown from Sept. 14, 2016, to Sept. 14, 2017. (Source: Coindesk)

But not everyone is bullish on bitcoin.

Speaking this week at a banking conference in New York, Jamie Dimon, chairman, CEO and president of financial services giant JP Morgan Chase, said that while he sees potential for blockchains, bitcoin "is a fraud."

"The currency isn't going to work," Dimon said, according to news reports. "You can't have a business where people can invent a currency out of thin air and think that people who are buying it are really smart."

He suggested that the only users who might see upsides from bitcoin were the likes of drug dealers, murderers and pariah regimes. "If you were in Venezuela or Ecuador or North Korea or a bunch of parts like that, or if you were a drug dealer, a murderer, stuff like that, you are better off doing it in bitcoin than U.S. dollars," he said. "So there may be a market for that, but it'd be a limited market."

Bitcoins are not the only cryptocurrency to be embraced by potential criminal elements. Blockchain analysis firm Chainalysis, for example, estimates that criminals have amassed $225 million by stealing Ethereum cryptocurrency (see SEC Chairman Seeks More Cyber Risk Disclosure).

Pyongyang Mines for Bitcoin

DPRK does not appear to be trying to obtain bitcoins only through outright theft. In July, threat intelligence research firms Recorded Future and Team Cymru issued a report noting that they saw bitcoin mining commence for the first time on North Korean systems beginning in May.

"Before that day, there had been virtually no activity to bitcoin-related sites or nodes, or utilizing bitcoin-specific ports or protocols," according to their report. "Beginning on May 17, that activity increased exponentially, from nothing to hundreds per day."

Bitcoin mining involves solving computationally intensive mathematical tasks, which are used to build the bitcoin blockchain - a public ledger of transactions. As an incentive, anyone who provides such mining has a chance of getting bitcoins back as a reward.

The timing of North Korea's foray into bitcoin mining is notable, in that it came just days after the May 12 WannaCry outbreak.

Many security firms, and reportedly also British intelligence agency GCHQ, ascribed the WannaCry outbreak to the Lazarus group, a cyberattack team that has been tied to DPRK (see British Security Services Tie North Korea to WannaCry).

Due to apparent coding errors in the WannaCry ransomware, the malware defaulted to directing victims to pay a ransom using one of three preset bitcoin addresses. As a result, it would likely have been easy for intelligence and law enforcement agencies to track any attempts to cash out those bitcoins.

The report from Recorded Future and Team Cymru suggests that by May 17, the North Korean government would have realized that attempting to cash out bitcoins obtained via WannaCry ransom payments was too risky. "Actors within the government would have realized that moving the bitcoin from the three WannaCry ransom accounts would be easy to track and ill-advised if they wished to retain deniability for the attack," according to the report.

Any cryptocurrency mining being done in the DPRK is likely under direct government control. "It is not clear who is running the North Korean bitcoin mining operations; however, given the relatively small number of computers in North Korea coupled with the limited IP space, it is not likely this computationally intensive activity is occurring outside of state control," according to the report.

While bitcoins are anonymizing, they are not anonymous. In 2014, for example, researchers reported being able to de-anonymize bitcoin traders 11 percent to 60 percent of the time, by correlating a bitcoin user's pseudonym - which serves as a public key - with the IP address from which they trade bitcoins (see Tougher to Use Bitcoin for Crime?).

No doubt by now intelligence and law enforcement agencies are even better at correlating data and de-anonymizing cryptocurrency transactions. But just how effective they might be remains a closely guarded secret.

Surge in Bitcoin Mining

Bitcoin mining, however, allows an organization to use processing power to generate fresh cryptocurrency. And attacks aimed at giving cryptocurrency-mining criminal gangs access to victims' processing power are on the rise, according to security firm Kaspersky Lab.

"The actual process of cryptocurrency mining is perfectly legal, though there are groups of people who hoodwink unwitting users into installing mining software on their computers, or exploiting software vulnerabilities to do so," Kaspersky Lab researchers Evgeny Lopatin and Vladas Bulavas write in a recent blog post. "This results in threat actors receiving cryptocurrency, while their victims' computer systems experience a dramatic slowdown."

The researchers say that in just the past month, they've found "several large botnets designed to profit from concealed crypto mining," as well as an increase in attacks that aim to sneak mining software onto servers.

The researchers do not ascribe the botnet to any particular individual, group or nation-state.

Number of Kaspersky Lab product users who encountered malicious cryptocurrency miner attacks, from 2011 through the first half of 2017.

But Recorded Future and Team Cymru say that after North Korea began mining bitcoins, they also saw a spike in the country's research - and potential reconnaissance - against multiple "foreign laboratories and research centers," especially in India and the Philippines.

Compromising systems run by those organizations could give attackers access to massive amounts of processing power to further any cryptocurrency mining efforts.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.




Around the Network