North Korea’s Cybercrime Empire: Billions in Stolen Crypto, Bunny Meat for the Masses
How does a country become a hacking superpower when it is barely connected to the internet? It's easy when you're North Korea. The average North Korean cannot access the internet at all; most online activity takes place on the regime's nationwide intranet, known as Kwangmyong, which is monitored by the secret police. The few who are permitted access to the open internet, which requires special authorization, are watched even more tightly.
Such restrictions haven't stopped Pyongyang from becoming a full-fledged cybercriminal regime. All over the world, adept North Korean hackers break into sensitive IT systems, from banks to governments to businesses of every kind. This comes as no surprise, since North Korea has financed itself with the proceeds of international crime for decades.
Lacking much of a legitimate economy beyond arms sales (which have lately become important to Russia's war against Ukraine), the Democratic People's Republic of Korea turned to stealing and to selling illegal products around the globe. Two decades ago, North Korean representatives abroad were already engaged in a wide array of lucrative criminal activity. Drug dealing is a longtime cash cow for Pyongyang, which has sold illegal narcotics, especially ecstasy and methamphetamine, on an industrial scale.
Counterfeiting is another avenue for North Korean state-sanctioned crime worldwide. The DPRK's outsized embassy in Vienna has long served as a front for counterfeiting and other financial crimes across Europe. Hacking, however, has outpaced all the regime's other criminal campaigns thanks to its ease and profitability.
North Korea's acumen in cyber-theft stunned the world two months ago when Pyongyang's hackers pillaged Bybit, a Dubai-based firm that claims to be the world's second-largest cryptocurrency exchange, with 40 million users. DPRK hackers made off with roughly $1.5 billion in crypto, the biggest online heist in history.
The attackers did not break Bybit's multi-signature wallet scheme itself. Instead, they compromised infrastructure at Safe{Wallet}, the third-party provider of the wallet's signing interface, so that the transaction Bybit's signers saw and approved was not the transaction they actually authorized; the multi-signature check passed because the signers signed what they were shown. These North Korean hackers are known as the Lazarus Group (also tracked under names such as APT38), and they are savvy criminals whose online thefts since 2020 have targeted cryptocurrency firms using a cunning series of malicious applications that the Federal Bureau of Investigation tracks as "TraderTraitor."
The FBI, backed by U.S. cyber intelligence, knows that the Lazarus Group is in fact an arm of North Korea's intelligence services, specifically the Reconnaissance General Bureau, the regime's foreign spy agency. Pyongyang wasted no time cashing in on its record-breaking haul, laundering some $300 million of the stolen crypto through myriad fronts in just two weeks.
North Korea's online criminals are just as adept at laundering the proceeds of cybercrime as they are at stealing them in the first place. It is unlikely that most of the stolen crypto will ever be recovered, despite persistent international efforts to do so.
The Bybit hack was a wake-up call to the online business world. Pyongyang isn't slowing down its cyber theft operations, which provide badly needed cash for the regime, including to finance its nuclear weapons program. This week brings news that the Lazarus Group—the RGB—has been busy in the United States, attempting to steal cryptocurrency.
In an audacious move, APT38 created two businesses in the United States as fronts for infecting developers in the cryptocurrency industry with malicious software. These firms, Blocknovas LLC and Softglide LLC, were set up in New Mexico and New York, respectively, using fake personas and addresses. A third business, Angeloper Agency, is linked to the campaign but does not appear to be registered in the U.S.
This was a crime from the start: registering companies under false identities in order to distribute malware is illegal under U.S. law. But Washington may struggle to punish a country that barely operates in the legitimate global economy.
It is therefore imperative for American firms to keep a vigilant watch over whom they are dealing with online. That African IT specialist you just hired at a bargain rate to assist remotely with your latest software upgrade may really be a North Korean spy preparing to rob your business blind.
Palpable Irony
As North Korea steals billions of dollars online, all over the world, the proceeds of its vast cybercrime spree are directed to the regime and its leaders. In the meantime, Pyongyang has ordered schools nationwide to establish rabbit pens to help raise cheap protein for the military, which is short of food.
Officials whose schools don’t meet at least the thousand-rabbit quota face regime punishment—stolen crypto cash for some, bunny sandwiches for others, depending on your connections to party bigwigs.
John R. Schindler served with the National Security Agency as a senior intelligence analyst and counterintelligence officer. The author of several books, including "Uncompromised: Memoir of an FBI Counterintelligence Agent", he is now a professor at the U.S. Naval Academy.