In his 2018 New Year’s address, North Korean leader Kim Jong Un admitted that international sanctions had been negatively impacting his country. He called the sanctions “vicious” and “life-threatening” and vowed that the country would fight back by increasing its efforts toward economic self-sufficiency and independence.
As this pressure from broadening international sanctions and economic isolation mounts, North Korean leaders appear to be looking toward a new tool to increase independence and ease some of the economic burden — cryptocurrency.
Cryptocurrency is a form of digital currency that utilizes cryptography to generate units and verify transactions of funds. The first cryptocurrency, bitcoin, was created in 2009 and pioneered the widespread use of a technology called “blockchain.”
Blockchain is essentially a distributed digital ledger, which provides a secure method for making and recording transactions. This ledger is distributed across and verified by thousands of users. As a technology, blockchain is touted by supporters for its transparency and decentralized control.
Today, there are upwards of a thousand different cryptocurrencies, which can be stored, traded or exchanged for hard currency (U.S. dollars, euro, Japanese yen, etc.) on both physical and virtual exchanges.
Most people store their cryptocurrencies in digital wallets administered by companies or individuals with few-to-no security or privacy requirements — a result of the light regulatory environment in most countries.
While blockchain technology is inherently secure, this ecosystem of wallet providers, exchanges and escrow services that has sprung up around it is what truly exposes users to theft and fraud.
It is this insecure ecosystem, decentralized control and anonymity that likely attracted North Korea to cryptocurrency. North Korean hackers appear to view cryptocurrency both as a challenge, in devising the most effective ways to legally and illegally obtain cryptocurrencies, and as a solution, to mitigate the negative impacts of international sanctions.
Since early 2017, researchers have tracked a series of thefts, phishing campaigns and mining operations that demonstrate the extent to which North Korea has embraced cryptocurrencies. A series of thefts from South Korean exchanges dating as far back as February has been attributed to North Korea, including:
- the theft of $7 million in cryptocurrency from Bithumb,
- the theft of 4,000 bitcoin from Youbit,
- a second theft from the same exchange in December,
- attempted thefts from some South Korean cryptocurrency exchanges in late summer,
- thefts of an undisclosed amount from Coinis in September,
- attempted thefts from another 10 exchanges in October, and
- an additional spear phishing campaign in November.
North Korea has pursued other avenues for obtaining cryptocurrencies as well, including mining of both bitcoin and Monero, ransom paid in bitcoin from the global WannaCry attack in May and even commissioning a cryptocurrency class for North Korean students in November.
In all of these cases, researchers cannot confirm if or when North Korea exchanged these cryptocurrencies for cash, goods or services, meaning that North Korea could also be engaging in global cryptocurrency speculation.
The value of the few confirmed successful thefts alone could be more than $120 million (as of Friday) if North Korea held onto the stolen assets. If they were cashed out at bitcoin’s peak in mid-December, those known coins could have been worth around $210 million. Conversely, if they were exchanged for U.S. dollars at the time of theft, they would have been worth as little as $15 million.
These numbers do not take into account the thefts from exchanges where the amount of stolen assets was not publicly disclosed nor the value of legitimately mined bitcoin or Monero. Additionally, it is difficult to assess the value North Korea places on cryptocurrencies, because we cannot determine what portion of state revenue these operations represent.
For example, experts estimate that North Korea brings in anywhere from $500 million to $1 billion per year from its broad range of criminal activities, which include counterfeiting U.S. dollars, cigarette counterfeiting, drug trafficking and more.
If North Korea has engaged in successful speculation and exchanged its cryptocurrency at peak value, then these operations would represent a significant revenue generator for the regime. This would mean that North Korea derives significant value from these operations and is likely to aggressively expand the scope and scale of the full range of cryptocurrency operations, including theft and mining, in 2018.
However, if the value of cryptocurrency operations is on the lower end of the spectrum, $15-20 million, then they will likely continue, but only to a point where the benefits outweigh the costs of the operations (such as network reconnaissance, malware development, time spent by hackers, etc.).
This would significantly curb the forecast for the threat from North Korean cryptocurrency operations in 2018, because the return on the investment would be lower.
The most likely scenario is somewhere in between. As South Korea responds to these thefts by increasing its exchanges’ security, and likely government regulation, its exchanges will become harder targets, forcing North Korean actors to look to exchanges and users in other countries as well.
Over the course of 2018, we can expect these operations to expand globally, likely targeting users and exchanges, possibly in Southeast Asia or Eastern Europe, as well.
Priscilla Moriuchi is the director of strategic threat development at Recorded Future, an internet technology company specializing in real-time threat intelligence.