North Korea reportedly stole $2B in wave of cyber attacks

Draft report from the United Nations, which was seen by several news outlets, revealed North Korea chalked up US$2 billion from launching cyber attacks against banks and cryptocurrency exchanges as part of efforts to fund a weapons buying programme.
Written by Eileen Yu, Senior Contributing Editor

North Korea has reportedly chalked up an estimated US$2 billion from launching cyber attacks against banks and cryptocurrency exchanges, in a bid to fund its purchase of military weapons. The attacks were widespread and "increasingly sophisticated", according to a leaked draft report from the United Nations. 

Pyongyang tapped the cyberspace to steal funds from financial institutions and cryptocurrency exchanges as well as to launder the stolen money, found the report, which was submitted to the Security Council committee last week and seen by news agencies such as Reuters, The Associated Press, and Nikkei Asian Review. The report was submitted by a panel that monitored UN sanctions. 

It noted in the report: "Democratic People's Republic of Korea (DPRK) cyber actors, many operating under the direction of the Reconnaissance General Bureau, raise money for its WMD (weapons of mass destruction) programmes, with total proceeds to date estimated at up to US$2 billion." The General Bureau is North Korea's military intelligence agency.

The UN report pointed to at least 35 reported instances of DPRK actors targeting financial institutions, cryptocurrency exchanges, and mining activities designed to earn foreign currencies in 17 countries. 

It noted that the attacks against cryptocurrency exchanges enabled North Korea to generate income in ways that were "harder to trace and subject to less government oversight and regulation", compared to the traditional banking sector. In one incident of cryptocurrency mining, DPRK hackers reportedly mined an estimated US$25,000 by infecting an organisation's computer using cryptojacking malware

The report added that DPRK continued to have access to the global financial system "through bank representatives and networks operating worldwide" and attributed this to "deficiencies" by UN member states in implementing financial sanctions as well as deceptive practices on the part of North Korea. 

It noted that Pyongyang had sent out hundreds of IT workers including software developers to various regions including Asia and Europe, where they ran cryptocurrency theft operations in companies that were headed, on paper, by locals.

A previous March report by the UN panel of experts determined that North Korean hackers stole around US$571 million from at least five cryptocurrency exchanges in Asia between January 2017 and September 2018. It added that the hackers generated almost US$670 million in foreign and virtual currencies through cybertheft.

Cybersecurity vendor Kaspersky in March said it detected ongoing attacks targeting cryptocurrency businesses with malicious documents that later would be downloaded and installed either as Windows or Mac malware. It pointed to attacks by the Lazarus Group, which was a codename given to a division of North Korea's state hackers, that targeted Asia-based cryptocurrency exchanges.


North Korean hackers continue attacks on cryptocurrency businesses

Lazarus Group hackers seamlessly integrate Mac malware into their normal attack routine.

North Korean cyberspies deploy new malware that harvests Bluetooth data

ScarCruft hackers deploy Bluetooth-harvesting malware in recent campaign.

North Korea is the most destructive cyber threat right now: FireEye

DPRK hackers are cybering every way they can, and according to FireEye their destructiveness and unpredictability makes them dangerous.

Revamped cryptominer strikes Asia through EternalBlue exploit

A new version of the NRSMiner cryptominer is making the rounds by exploiting PCs which are still not patched against the Windows vulnerability.

How US authorities tracked down the North Korean hacker behind WannaCry

US authorities put together four years worth of malware samples, domain names, email and social media accounts to track down one of the Lazarus Group hackers.

Editorial standards