‘World’s most prolific cyber thief’: North Korea stealing cryptocurrency to fund nuclear weapons, UN report says

March 25, 2024

North Korea is reportedly stealing cryptocurrency to help fund its nuclear weapons program, a UN report has found, with investigations underway into cyberattacks valued at $US3 billion ($4.6 billion) linked to the country.

In its annual report, the UN Panel of Experts on the Democratic People’s Republic of Korea (DPRK) said it was investigating 58 cyberattacks allegedly carried out by the country between 2017 and 2023.

The report noted that probes were underway into 17 cryptocurrency heists in 2023 alone, valued at more than $US750 million.

The figures in the report were derived from information from other UN member states, media reports and private companies.

“According to one member state, the malicious cyberactivities of the DPRK generate approximately 50 per cent of its foreign currency income and are used to fund its weapons programs,” the report found.

“[The] DPRK’s cyberthreat actors continued targeting the virtual asset industry to evade United Nations sanctions and generate revenue.

“One cyber company branded the Democratic People’s Republic of Korea the ‘world’s most prolific cyber-thief’.”

North Korea has previously released statements denying allegations of hacking.

While the last known nuclear test in North Korea took place in 2017, the report said the country’s nuclear facilities still appeared operational and a number of other weapons tests had taken place.

Between July 2023 and January 2024, the report noted at least seven ballistic missiles were launched in North Korea, as well as a military observation satellite using ballistic missile technology.

In January, North Korean state media reported leader Kim Jong Un oversaw testing of new missiles and reiterated his interest in building a nuclear-armed navy.

The report also accused North Korea of deliberately targeting defence companies to steal information that would help it further advance its weapons programs.

North Korean leader Kim Jong Un is regularly featured in state media attending weapons testing. (Reuters: KCNA)

It was also noted that investigations were underway into other alleged breaches of UN sanctions including the sale of conventional weapons, the importation of restricted petroleum products and efforts to earn money through overseas-based workers.

What tactics are being used?

The report found that various tactics are being used by North Korean state actors to access digital currency and sensitive information.

In one instance, the Lazarus Group — an actor linked to North Korea’s primary intelligence network, the Reconnaissance General Bureau — manipulated job seekers online “into opening malicious apps for fake job interviews” that then gave the group backdoor access to company systems.

The report noted that aerospace companies in Spain, the Netherlands and Poland had been attacked using similar methods.

Citing a Microsoft report, the panel said North Korea had targeted defence companies across the globe, including in Russia, the US, Germany and France.

North Korean leader Kim Jong Un watches what government media said was a test of a solid-fuel engine for its new-type intermediate-range hypersonic missile this week. (Korean Central News Agency/Korea News Service via AP)

Cryptoactors were found to have used phishing and social engineering techniques in deliberate campaigns targeting cryptocurrency industry employees.

Groups also breached weak security and attacked third-party supply chains to steal cryptocurrency.

The panel found North Korea was becoming increasingly reliant on services in neighbouring countries like China and Russia to launder its stolen cryptocurrency while, at the same time, attacking government agencies, companies and individuals in those same countries at a high rate.

The report concluded that five cyberactors linked to North Korea’s Reconnaissance General Bureau — the Lazarus Group, Andariel, BlueNoroff, ScarCruft and Kimsuky — should be sanctioned.

It recommended individuals and cryptocurrency exchanges take extra steps to ensure security and boost monitoring to identify possible DPRK transactions.

It also found that one of the cyberactors — most likely Kimsuky — was probably responsible for targeting the private email address of a member of the panel with a persistent spear-phishing campaign.

The panel found this amounted to “sanctions evasion”.