North Korea’s Cybercrime Empire: Billions In Stolen Crypto, Bunny Meat For The Masses

How does a country become a hacking superpower when it’s barely connected to the internet? It’s easy when you’re North Korea.

The average North Korean can’t access the internet; most online activity is conducted via the repressive regime’s nationwide intranet, termed Kwangmyong, which is monitored by the secret police. The relatively few North Koreans who are permitted access to the open internet, which requires special authorization, are even more tightly watched by the regime. Such restrictions haven’t stopped Pyongyang from becoming a full-fledged cybercriminal regime. All over the world, adept North Korean hackers are leading efforts to crack into sensitive IT systems, ranging from banks to governments to businesses of every kind.

This comes as no surprise, since North Korea has financed itself with the proceeds of international crime for decades. Lacking much of a legitimate economy beyond arms sales (which have lately become important to Russia’s war against Ukraine), the Democratic People’s Republic of Korea has long opted to steal, and to manufacture and sell illegal goods, around the world.

For decades, North Korean representatives have been engaged in a wide array of lucrative criminal activity abroad. Drug-dealing is a longtime cash cow for Pyongyang, with sales of illegal narcotics, especially ecstasy and methamphetamine, on an industrial scale. Counterfeiting is another avenue for North Korean state-sanctioned crime all over the world; the DPRK’s outsized embassy in Vienna has long served as a front for counterfeiting and other financial crimes across Europe. Hacking, however, has outpaced all the regime’s other criminal campaigns in both ease and profitability. North Korea’s acumen in cyber-theft stunned the world two months ago when Pyongyang’s hackers pillaged Bybit, a Dubai-based firm claiming to be the world’s second-largest cryptocurrency exchange, with 40 million users. DPRK hackers made off with roughly $1.5 billion in crypto, the biggest online heist in history.

This sophisticated hack did not break Bybit’s multi-signature wallet scheme itself. Instead, the attackers compromised infrastructure at Safe{Wallet}, the third-party provider of the wallet interface Bybit used, and tampered with that interface so that Bybit’s signers approved what looked like a routine transfer but in fact handed the attackers control of the cold wallet. These North Korean hackers are known as the Lazarus Group (the financially motivated activity overlaps with what Mandiant tracks as APT38), and they’re savvy criminals whose online thefts since at least 2020 have targeted cryptocurrency firms using a series of malicious applications and intrusion tradecraft the Federal Bureau of Investigation calls “TraderTraitor.” The FBI, backed by U.S. cyber intelligence, has established that the Lazarus Group is, in fact, an arm of North Korea’s intelligence services, specifically the Reconnaissance General Bureau, the regime’s foreign spy agency.

Pyongyang wasted no time cashing in on its record-breaking haul, laundering some $300 million of the stolen crypto through myriad fronts in just two weeks. North Korea’s online criminals are just as adept at laundering the proceeds of cybercrime as they are at stealing them in the first place. It’s unlikely that most of the stolen crypto will ever be recovered, despite persistent international efforts to do so.

The Bybit hack was a wake-up call to the online business world. Pyongyang isn’t slowing down its cyber theft operations, which provide badly needed cash for the regime, including to finance its nuclear weapons program. This week brings news that the Lazarus Group—the RGB—has been busy in the United States, laying the groundwork for more cryptocurrency theft. In an audacious move, the group created two businesses in this country as fronts to infect developers working in the cryptocurrency industry with malicious software, luring them with fake job offers. These firms, Blocknovas LLC and Softglide LLC, were registered in New Mexico and New York, respectively, using fake personas and addresses. A third business, Angeloper Agency, is linked to the campaign but does not appear to be registered in the U.S. This was a crime from the start, since it violates U.S. Treasury sanctions on the North Korean regime’s international financial operations.

This latest RGB gambit employs online spy tradecraft that Pyongyang is using widely. These days, DPRK cyber operatives, including the Lazarus Group, routinely use aliases and fake profiles on LinkedIn, hoping to get hired by American and other Western firms in order to steal from them. Firms in numerous countries, especially the United States and Great Britain, including dozens of Fortune 100 companies, have mistakenly hired North Korean IT workers, in actuality cyber spies, who posed under fake names and resumes. Although the FBI and the Justice Department are cracking down aggressively on the “laptop farms” that enable this scheme, in which U.S.-based accomplices host company-issued laptops so that workers operating from abroad appear to be in the country, such mitigation efforts are barely scratching the surface of North Korea’s cyber threat to the world.

There’s no chance that Pyongyang will pull back from its online pillaging of other countries, especially the United States. The gains are enormous, while the risk of serious punishment is modest. What can Washington, DC, realistically do to punish a country that barely operates in the legitimate global economy? It’s therefore imperative for American firms to keep vigilant watch over whom they’re interacting with online. That African IT specialist you just hired at a bargain rate to remotely assist with your latest software upgrade may really be a North Korean spy preparing to rob your business blind.

There’s palpable irony here. As North Korea steals billions of dollars online, all over the world, the proceeds of its vast cybercrime spree are directed to the regime and its leaders. In the meantime, Pyongyang has ordered schools nationwide to establish rabbit pens to help raise cheap protein for the military, which is short of food. Officials whose schools don’t meet at least the thousand-rabbit quota face regime punishment—stolen crypto cash for some, bunny sandwiches for others, depending on your connections to party bigwigs.

John R. Schindler served with the National Security Agency as a senior intelligence analyst and counterintelligence officer.