Cybersecurity News that Matters

North Korea hacked $13.4B in cryptocurrency over seven years, a think tank reveals

Illustration by Sangseon Kim, The Readable

by Minkyung Shin

Sep. 03, 2024
8:07 PM GMT+9

North Korea has stolen $13.4 billion in cryptocurrencies over the past seven years, according to South Korea’s Institute for National Security Strategy (INSS). This amount accounts for 20 percent of North Korea’s total illicit foreign currency earnings.

On August 27, the Institute for National Security Strategy (INSS), a research institute focused on South Korea’s security strategy, released its second strategic report on North Korea’s foreign currency earnings. The report states that since 2017, the United Nations Security Council has imposed sanctions on North Korea’s foreign currency earnings to curb its missile development. Despite these sanctions, North Korea managed to earn $6.29 billion through illicit means between 2017 and 2023. Of this total, approximately $1.35 billion was obtained through hacking, with the majority coming from cryptocurrency theft.

The report revealed that North Korea has hacked cryptocurrencies valued at approximately $13.4 billion over the past seven years. In addition, around $6.1 million was stolen in various currencies through the hacking of banks or financial systems. However, most of the attempts to steal traditional currencies were either recouped or resulted in failed hacks.

The report also highlighted that North Korea has established and operates information technology companies in China, Russia, and Southeast Asia. These companies generate income by developing and supplying software programs. In particular, North Korean workers in China earned an average of $3,500 per month. The report estimated that North Korea has earned a total of $397.8 million through these IT companies.

North Korea faced an $8.25 billion deficit in legitimate foreign currency earnings, but the country managed to reduce this deficit through illicit activities such as hacking, drug trafficking, counterfeit money trading, and coal smuggling. Cryptocurrency hacking played a significant role in narrowing the deficit.

The report is a follow-up to the 2022 publication that estimated North Korea’s illicit foreign currency earnings. According to the report, North Korea generates revenue through hacking and operating gambling sites. Hacking is a particularly lucrative method, often involving attacks on financial payment systems to extort money. However, direct attacks on financial services are often unsuccessful. As a result, North Korea frequently targets cryptocurrency wallets belonging to investment firms or trading companies, stealing cryptocurrency and laundering the proceeds.

Lim Soo-ho, a senior research fellow at INSS and the author of the report, said in his analytic statements, “The international community should work together to strengthen the monitoring and sanction of cryptocurrency hacking, as it pertains to North Korea’s illicit financing through hacking.” He added, “We should also raise awareness to expose North Korea’s hacking targets.”


Related article: North Korean hackers target Google browser to steal cryptocurrency, Microsoft says

Illustration by Areum Hwang, The Readable

A North Korean government-backed hacking group exploited a vulnerability in Google’s open-source browser to steal cryptocurrency, according to Microsoft.

In a blog post, Microsoft Threat Intelligence and the Microsoft Security Response Center revealed that on August 19, they identified a North Korean hacking group exploiting a vulnerability in Google Chromium, an open-source browser. Microsoft stated that this exploit involves a zero-day vulnerability, meaning the hackers targeted the system before a security patch was available.

Microsoft has identified the threat actor as ‘Citrine Sleet,’ a group linked to Bureau 121 of North Korea’s Reconnaissance General Bureau, a cyberwarfare agency. This actor exploited a vulnerability in Chromium, known as ‘CVE-2024-7971,’ to distribute malware.

The threat actor compromised the system using sophisticated malware known as the “FudModule rootkit.” This malware allowed them to access the system while evading detection by users.

Google released a security patch for Chromium on August 21, two days after Microsoft’s blog announcement. However, the number of victims affected by the attack remains uncertain.

In response, the United States Cybersecurity and Infrastructure Security Agency (CISA) updated its catalog of exploited vulnerabilities to include the Google Chromium vulnerability CVE-2024-7971. CISA has set a deadline for federal agencies to apply the security patch by September 16.
