North Korea Stole Over $659 Million In Crypto Last Year
Written by Karolis Liucveikis on
In a joint statement issued by the United States, Japan, and the Republic of Korea, published in English on the U.S. Department of State's website, the three countries stated,
The United States, Japan, and the Republic of Korea join together to provide a new warning to the blockchain technology industry regarding the ongoing targeting and compromise of a range of entities across the globe by Democratic People’s Republic of Korea (DPRK) cyber actors. The DPRK’s cyber program threatens our three countries and the broader international community and, in particular, poses a significant threat to the integrity and stability of the international financial system.
While it can be argued that the warning is not new, its seriousness is not up for debate. Just the amount of funds stolen in 2024 attests to the severity of the problem posed to the financial sector by North Korean state-sponsored threat actors like Lazarus.
North Korean state-backed hacking groups have stolen over 659 million USD worth of cryptocurrency in multiple crypto-heists and, unsurprisingly, continue to target companies that operate on blockchains and other cryptocurrency-adjacent services.
The statement went on to say,
As recently as September 2024, the United States government observed aggressive targeting of the cryptocurrency industry by the DPRK with well-disguised social engineering attacks that ultimately deploy malware, such as TraderTraitor, AppleJeus and others. The Republic of Korea and Japan have observed similar trends and tactics used by the DPRK.
Interestingly, the statement directly attributes the attack on an Indian crypto exchange, WazirX, to North Korean attackers. In this instance, thefts from the exchange totaled 235 million USD. Another attack that had eye-watering numbers attached to it has been attributed to North Korean threat actors. In this instance, 308 million USD was stolen from DMM Bitcoin.
The attack chain used by the threat actors in the DMM Bitcoin attack is of particular note, especially for those tasked with defending blockchain networks.
In a short announcement, the FBI stated that in late March 2024, a North Korean cyber actor masquerading as a recruiter on LinkedIn contacted an employee at Ginco, a Japan-based enterprise cryptocurrency wallet software company.
The threat actor then sent the target, who maintained access to Ginco's wallet management system, a URL linked to a malicious Python script under the guise of a pre-employment test on a GitHub page. The victim copied the Python code to their personal GitHub page, which was subsequently compromised.
From May 2024, TraderTraitor actors exploited session cookie information to impersonate the compromised employee and successfully gained access to Ginco's unencrypted communications system.
The attackers then used this access to manipulate a legitimate transaction request made by a DMM employee, resulting in the loss of 4,502.9 BTC, worth 308 million USD at the time of the attack. The stolen funds ultimately moved to TraderTraitor-controlled wallets.
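As an added illustration, not taken from the article, the FBI announcement, or any of the companies named, the following check looks for the observable that the cookie-replay step above leaves behind: one session identifier used from more than one client fingerprint. The log format, field names, and sample lines are constructed for the example.

```python
"""Flag session identifiers seen from more than one client fingerprint.

Constructed example: the log format (timestamp, sid=, ip=, ua=) is assumed,
not any real product's format. A legitimate user can also roam (VPN change,
new laptop), so a hit is a triage signal to confirm with the user, not proof
of cookie theft.
"""
import re

LINE_RE = re.compile(r'^(?P<ts>\S+) sid=(?P<sid>\S+) ip=(?P<ip>\S+) ua="(?P<ua>[^"]*)"$')

# Constructed sample lines: the third line reuses session a1f3 from a
# different source address and operating system than the first two.
SAMPLE_LOG = """\
2024-05-02T09:14:03Z sid=a1f3 ip=203.0.113.10 ua="Chrome/124 Windows"
2024-05-02T09:20:41Z sid=a1f3 ip=203.0.113.10 ua="Chrome/124 Windows"
2024-05-02T11:02:17Z sid=a1f3 ip=198.51.100.77 ua="Chrome/124 Linux"
2024-05-02T11:05:58Z sid=b7c9 ip=192.0.2.55 ua="Firefox/125 macOS"
"""


def parse_line(line):
    """Return a dict of ts/sid/ip/ua, or None if the line does not match the assumed format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def session_fingerprints(log_text):
    """Map each session id to the distinct (first_seen, ip, ua) fingerprints it was used from."""
    seen = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than failing the whole run
        fps = seen.setdefault(rec["sid"], [])
        if not any(ip == rec["ip"] and ua == rec["ua"] for _, ip, ua in fps):
            fps.append((rec["ts"], rec["ip"], rec["ua"]))
    return seen


def hijack_candidates(log_text):
    """Session ids observed from more than one client fingerprint, in order of first appearance."""
    return {sid: fps for sid, fps in session_fingerprints(log_text).items() if len(fps) > 1}


if __name__ == "__main__":
    for sid, fps in hijack_candidates(SAMPLE_LOG).items():
        print(sid, "first new fingerprint at", fps[1][0], "from", fps[1][1])
```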
Chainalysis' Even More Dire Picture
In a report published in 2024 by the crypto analysis firm Chainalysis, a far more dire picture was painted. According to the report, North Korean hackers stole 1.34 billion USD worth of cryptocurrency across 47 cyberattacks in 2024.
This amount represents 61% of the total stolen funds for the year, marking a year-over-year increase of 21%. Although the total number of incidents in 2024, including those not associated with North Korean threat actors, reached a record-breaking 303, the total losses figure isn't unprecedented, as 2022 remains the most damaging year with 3.7 billion USD.
Chainalysis said that based on their data, the DPRK's crypto attacks are becoming more frequent. This conclusion was derived from tracking the average time between successful DPRK attacks, depending on the size of the exploit.
While the time between attacks was found to have declined year-on-year across attacks of all sizes, attacks in the 50 to 100 million USD range, and those above 100 million USD, notably occurred far more frequently in 2024 than they did in 2023. This strongly suggests that the DPRK is getting better and faster at massive exploits. This starkly contrasts with the previous two years, during which its exploits more often yielded profits below 50 million USD.
Chainalysis went on to state,
Some of these events appear to be linked to North Korean IT workers, who have been increasingly infiltrating crypto and Web3 companies, and compromising their networks, operations, and integrity. These workers often use sophisticated Tactics, Techniques, and Procedures (TTPs), such as false identities, third-party hiring intermediaries, and manipulating remote work opportunities to gain access. In a recent case, the U.S. Department of Justice (DOJ) indicted 14 DPRK nationals who obtained employment as remote IT workers at U.S. companies and generated more than $88 million by stealing proprietary information and extorting their employers.
In order to help mitigate the threat posed by North Korean threat actors to those in the cryptocurrency industry, companies should prioritize thorough employment due diligence, including background checks and identity verification, while maintaining robust private key hygiene to safeguard critical assets, where possible.