Crypto crash threatens North Korea’s stolen funds as it ramps up weapons testing

SEOUL, June 29 (Reuters) – The nosedive in cryptocurrency markets has wiped out millions of dollars in funds stolen by North Korean hackers, four digital investigators say, threatening a key source of funding for the sanctions-hit country and its weapons programs.

North Korea has poured resources into cryptocurrency theft in recent years, making it a strong hacking threat and leading to one of the largest cryptocurrency heists of all time in March, stealing nearly $615 million, according to the US Treasury Department. Continue reading

The sudden plunge in crypto values, which began in May amid a broader economic slowdown, is hampering Pyongyang’s ability to profit from this and other heists and could impact plans to fund its weapons programs, two South Korean government sources said. Sources declined to be named due to the sensitivity of the matter.

Sign up now for FREE unlimited access to

It comes as North Korea is testing a record number of missiles – which the Korea Institute for Defense Analyzes has estimated in Seoul have cost up to $620 million so far this year – and prepares to resume nuclear testing amid an economic crisis.

Legacy, unwashed North Korean crypto holdings monitored by New York-based blockchain analysis firm Chainalysis, including funds stolen in 49 hacks from 2017 to 2021, have fallen from $170 million to $65 million year-to-date, it said the company told Reuters.

One of North Korea’s cryptocurrency caches from a 2021 heist, worth tens of millions of dollars, has lost 80% to 85% of its value in recent weeks and is now worth less than $10 million, said Nick Carlsen, an analyst at TRM Labs, another US-based blockchain analytics company.

A person who answered the phone at the North Korean embassy in London said he could not comment on the crash as allegations of cryptocurrency hacking were “completely fake news”.

“We didn’t do anything,” said the person, who only wanted to pose as an embassy diplomat. The North Korean Foreign Ministry has described such allegations as US propaganda.

March’s $615 million attack on the Ronin blockchain project, which powers the popular online game Axie Infinity, was the work of a North Korean hacking operation called the Lazarus Group, US authorities say.

Carlsen told Reuters that the interconnected price movements of various assets involved in the hack made it difficult to gauge how much North Korea was able to keep out of this raid.

If the same attack happened today, the stolen ether currency would be worth just over $230 million, but North Korea traded almost everything for bitcoin, which had separate price movements, he said.

“Needless to say, the North Koreans have lost a lot of value on paper,” Carlsen said. “But even at low prices, that’s still a huge haul.”

The United States says Lazarus is controlled by the Reconnaissance General Bureau, North Korea’s main intelligence bureau. He is accused of involvement in the WannaCry ransomware attacks, hacking of international banks and customer accounts, and cyber attacks on Sony Pictures Entertainment in 2014. Continue reading

Analysts are reluctant to provide details about what types of cryptocurrencies North Korea owns, which could reveal investigative methods. Chainalysis said that ether, a popular cryptocurrency linked to the open-source blockchain platform Ethereum, accounted for 58%, or about $230 million, of the $400 million stolen in 2021.

Chainalysis and TRM Labs use publicly available blockchain data to track transactions and identify potential crime. Such work has been cited by sanctions monitors, and according to public procurement documents, both firms work with US government agencies including the IRS, FBI and DEA.

North Korea is under widespread international sanctions over its nuclear program, giving it limited access to global trade or other revenue streams and making crypto heists attractive, investigators say.


Though cryptocurrencies are estimated to make up only a small portion of North Korea’s finances, Eric Penton-Voak, a coordinator for the United Nations panel of experts overseeing sanctions, said at an April event in Washington, DC that cyberattacks were “absolutely fundamental” to Pyongyang’s capability to circumvent sanctions and raise money for its nuclear and missile programs.

In 2019, sanctions monitors reported that North Korea had generated an estimated $2 billion for its weapons of mass destruction programs with cyberattacks.

An estimate by the Geneva-based International Campaign to Abolish Nuclear Weapons says North Korea spends about $640 million annually on its nuclear arsenal. The country’s gross domestic product was estimated at around US$27.4 billion in 2020, according to the South Korean central bank.

Pyongyang’s official revenue streams are more limited than ever amid self-imposed border lockdowns to combat COVID-19. China — its largest trading partner — said in 2021 it imported just over $58 million worth of goods from North Korea, amid one of the lowest levels of official bilateral trade in decades. Smuggling is not included in the official figures.

North Korea already gets a fraction of what it steals because it has to use brokers willing to exchange or buy cryptocurrencies no questions asked, said Aaron Arnold of the RUSI think tank in London. A February report by the Center for a New American Security (CNAS) estimates that North Korea receives only a third of the value of the stolen currency in some transactions.

After North Korea obtains cryptocurrency in a raid, it sometimes converts it to bitcoin and then finds brokers who buy it at a discount for cash, often held outside the country.

“Similar to selling a stolen Van Gogh, you’re not going to get fair market value,” Arnold said.


The CNAS report found that North Korean hackers show only “moderate” concerns about obfuscation of their role compared to many other attackers. This allows investigators to sometimes follow digital leads and attribute attacks to North Korea, though rarely in time to recover the stolen funds.

According to Chainalysis, North Korea has turned to sophisticated methods of laundering stolen cryptocurrency and has proliferated its use of software tools that aggregate and encrypt cryptocurrencies from thousands of electronic addresses — a term for a digital repository.

The contents of a given address are often publicly viewable, allowing companies like Chainalysis or TRM to oversee any investigations related to North Korea.

Attackers have tricked people into allowing access or bypassing security to siphon digital funds from internet-connected wallets to North Korean-controlled addresses, Chainalysis said in a report earlier this year.

The sheer magnitude of the recent hacks has strained North Korea’s ability to convert cryptocurrencies into cash as quickly as it has historically, Carlsen said. That means some funds have stalled even though their value has fallen.

Bitcoin has lost about 54% of its value this year, and smaller coins have also been hit hard, reflecting a fall in share prices linked to investor concerns about rising interest rates and the growing likelihood of a global recession.

“Cash conversion remains an important requirement for North Korea if they want to use the stolen funds,” said Carlsen, an analyst with the FBI investigating North Korea. “Most goods or products that North Koreans want to buy are only traded in USD or other fiat currencies, not cryptocurrencies.”

Pyongyang has other, larger sources of funding it can rely on, Arnold said. UN sanctions monitors said as recently as December 2021 that North Korea continues to smuggle coal — usually to China — and other key exports banned under Security Council resolutions.


North Korean hackers sometimes seem to wait for rapid falls in value or exchange rates before converting into cash, said Jason Bartlett, the author of the CNAS report.

“This sometimes backfires as there is little certainty to predict when a coin’s value will rapidly increase, and there have been multiple instances of heavily debased cryptocurrencies just sitting in North Korea-linked wallets,” he said.

Sectrio, the cybersecurity arm of Indian software company Subex, said there were signs North Korea had started ramping up attacks again on conventional banks rather than cryptocurrencies in recent months.

The banking sector-focused “honeypots” — decoy computer systems designed to attract cyberattacks — have seen an increase in “anomalous activity” since the crypto crash, as well as a surge in “phishing” emails attempting to lure recipients into giving to mislead security information away, Sectrio said in a report last week.

But Chainalysis said it has yet to see any significant change in North Korea’s crypto behavior, and few analysts expect North Korea to give up digital currency heists.

“Pyongyang has included cryptocurrency in its calculus of sanctions evasion and money laundering, and this will likely remain a permanent target,” Bartlett said.

Sign up now for FREE unlimited access to

Reporting by Josh Smith. Editing by Gerry Doyle

Our standards: The Thomson Reuters Trust Principles.