The Hidden Truth About North Korea's Crypto Exploits

By  Pratik May 7, 2024

Image for The Hidden Truth About North Korea's Crypto Exploits


In today's day and age, the global financial systems are on high alert due to North Korea's foray into cryptocurrency, as its primary objectives appear to be circumventing sanctions and amassing wealth. The country's engagement, notably through the Lazarus Group, has become a major concern due to its suspected involvement in numerous ransomware attacks, heists, and the theft of cryptocurrency assets.

This pursuit has not only impacted the broader crypto market but has also raised significant cybersecurity concerns worldwide, prompting a call for strengthened measures against such activities. Let's take a closer look into the depths of North Korea's crypto exploits and how they have managed to continue their operations for such a long time.

The Lazarus Group and Their Exploits

The Lazarus Group, a North Korean state-sponsored entity, has garnered infamy due to its extensive involvement in global cybercrimes, particularly targeting cryptocurrency assets. This group has been active for over a decade and is intricately linked to North Korea's government, suggesting a deep, state-supported engagement in cyber espionage and financial theft

Some of their most infamous heists include:

  1. Historical Cyberattacks : The group's activities date back to around 2009, with significant attacks including the disruption of Sony Pictures in 2014 and the widespread WannaCry ransomware attack in 2017.
  2. Cryptocurrency Heists : Lazarus is responsible for several high-profile cryptocurrency thefts, including a massive $600 million heist from the Ronin Network in 2022 and a $100 million theft from Harmony's Horizon bridge.
  3. Targeting Blockchains : On June 23, a staggering amount of up to $100 million was looted from the Harmony blockchain. The heist targeted Horizon's native crypto bridge, a service under the blockchain's purview that allows for the seamless transfer of assets to other blockchains.

Methodologies and Impact

Lazarus has evolved into a sophisticated hacking group that employs a variety of methods to breach security systems, often leading to significant financial losses worldwide. Hackers are systematically recruited and trained by the North Korean government, with some identified and groomed from as young as 11 years old. These individuals often receive substantial state benefits, including exemptions from military service.

Few of the key methodologies employed in their heists include:

  1. Phishing and Supply Chain Attacks : North Korea's operatives frequently use sophisticated phishing strategies and supply chain attacks to access secure crypto environments.
  2. Exploiting Software Vulnerabilities : They also utilize software supply-chain attacks and deploy mining malware to breach security systems.
  3. Private Key Compromises : A common tactic includes compromising private keys or seed phrases, crucial for securing digital wallets.

Now, it's a different ball game when it comes to laundering the stolen money across country borders.The group uses sophisticated laundering techniques to obfuscate the origins of illicitly obtained cryptocurrencies. One common method involves the use of "mixers" which blend potentially identifiable or "tainted" cryptocurrency funds with others, making it difficult to trace back to the original source.

Additionally, the regime engages brokers in China and leverages non-fungible tokens (NFTs) to further launder these funds. Let us delve into the intricacies of various techniques employed in the laundering process:

Utilization of Over-the-Counter Brokers

Over-the-counter (OTC) brokers play a crucial role in North Korea's laundering operations. These brokers facilitate the exchange of stolen cryptocurrencies into fiat currencies, which are then possibly funneled into state-run programs, including those related to nuclear and ballistic missile development. The use of OTC brokers helps North Korea evade traditional banking channels that are subject to international scrutiny and sanctions.

Advanced Techniques and Digital Anonymity

The laundering process is supported by the use of virtual private networks (VPNs) and darknet platforms, which provide additional layers of anonymity. These technologies obscure the digital footprints left by the cyber operatives, complicating efforts by international law enforcement to trace the illicit activities.

Global Scope of Laundering Operations

The laundering operations are not confined to a single jurisdiction but involve a complex network spanning multiple countries. This international dimension of their operations makes it challenging for authorities to track and dismantle these networks.

Innovative Laundering through Hashing Services

APT43, another North Korean state-sponsored hacking group, has been reported to use hashing services as a novel method to launder stolen funds. These services, which convert data into a fixed-size string of characters, are being used to obscure the origins of cryptocurrency transactions linked to illicit activities. Evidence suggests that tens of thousands of dollars worth of crypto have been processed through these services from wallets believed to be controlled by Lazarus.

Global Response and Preventative Measures

The CISA and NSA have emphasized the importance of developing secure smart contracts to safeguard against vulnerabilities in DeFi protocols . Proposals have been made for mandatory periodic audits in the cryptocurrency sector, overseen by agencies like NIST, CISA, and the Department of the Treasury to ensure compliance and security

The cross-border nature of cyber threats necessitates an international collaboration framework involving cybersecurity agencies, law enforcement, and governments. Countries like the U.S., South Korea, and Japan have established a high-level body to address cyber threats, which includes strategic planning and shared intelligence.

Here are some notable steps taken by various countries in combating cyber attacks:

  1. Imposing Sanctions : The U.S. and EU have imposed sanctions including travel bans and asset freezes on entities linked to North Korean cyber activities.
  2. South Korea's Cybersecurity Strategy : South Korea has unveiled a strategy that includes strengthening preemptive and offensive cyber capabilities to counter North Korean threats.
  3. Innovative Cyber Defense Initiatives : Supporting innovation in cybersecurity companies and establishing rapid response systems are part of South Korea's comprehensive strategy.
  4. Comprehensive Advisory by U.S. Departments : A joint advisory by the U.S. Departments of State, Treasury, Homeland Security, and the FBI aims to raise public and network defenders' awareness about North Korean cyber threats.


The involvement of North Korea in these activities not only underscores the advanced capacities of state-sponsored cyber operations but also the pressing need for robust international cybersecurity measures and cohesive actions to mitigate such threats. The detailed examination of the Lazarus Group's methodologies, the financial implications of their heists, and North Korea's sophisticated laundering techniques reinforces the urgency of addressing these security challenges.

As the global community continues to grapple with the ramifications of North Korea's cyber activities, the need of the hour remains hinged on enhanced collaboration, both at the policy and technological levels, to foster a more secure digital environment. The significance of international cooperation, improved legal frameworks, and innovative cybersecurity strategies cannot be overstated in the quest to counteract the persistent and evolving threats posed by these illicit operations.