United Nations

UN probing 58 alleged crypto heists by North Korea worth $3 billion

A United Nations panel said it is investigating 58 cyberattacks allegedly conducted by North Korean hackers that allowed attackers to rake in about $3 billion over a six-year span.

In a report released March 7, the U.N. experts said they tracked the activity of “cyberthreat actors subordinate to the Reconnaissance General Bureau (RGB), including Kimsuky, the Lazarus Group, Andariel and BlueNoroff,” between 2017 and 2023. Kimsuky and Lazarus are particularly well-known to cybersecurity researchers.

“The key tasks of these cyberthreat actors are to obtain information of value to the Democratic People’s Republic of Korea and to illicitly generate revenue for the country,” the experts said, echoing accusations by the U.S. government and other international authorities.

Stolen intellectual property helps the regime make technological advancements and also can be sold, the report said.

“The country’s attack methodologies continue to include spearphishing, vulnerability exploits, social engineering and watering holes,” the experts said.

The panel is currently investigating 17 cryptocurrency hacks from 2023 alone, with the value of the stolen funds equivalent to about $750 million. 

Some of these attacks include: 

  • Terraport Finance, 10 April 2023, $4 million
  • Merlin DEX, 26 April 2023, $1.8 million
  • Atomic Wallet, 2 June 2023, $120 million
  • Alphapo, 22 July 2023, $110 million
  • CoinsPaid, 22 July 2023, $44 million
  • Steadefi, 7 August 2023, $1.16 million
  • Stake.com, 4 September 2023, $41.3 million
  • CoinEx, 12 September 2023, $70 million
  • Fantom Foundation, 17 October 2023, $7.5 million
  • Poloniex, 10 November 2023, $114 million
  • HTX, 22 November 2023, $30 million
  • HECO Chain (HTX Eco Chain bridge), 22 November, $86 million
  • Orbit Chain, 31 December 2023, $81 million

The groups also continue to target defense companies and software supply chains and are increasingly sharing infrastructure and tools, the experts said.

The panel cited hundreds of reports from dozens of research companies and cybersecurity firms that have been tracking attacks conducted by an array of North Korean government and military groups. 

The groups targeted nuclear engineers and companies creating radar systems, uncrewed aerial vehicles, military vehicles, ships, weaponry and maritime companies, some of which were in Spain, the Netherlands, Poland and even Russia.

Russia either denied or declined to comment when asked by the panel about several different incidents allegedly launched by North Korean groups. The panel noted that Chinese institutions also have faced a tidal wave of attacks by North Korean groups. 

Social engineering and supply chain attacks

The report outlines dozens of different social engineering tactics used by the hacking groups, from posing as fake recruiters on LinkedIn to manipulating job-seekers on Telegram and WhatsApp. 

The attackers also made a point of repeatedly targeting South Korean companies and government organizations, stealing troves of defense data from the country’s navy, IT companies, universities and more. 

Supply chain attacks involving software makers like JumpCloud, JetBrains and CyberLink were also spotlighted in the report, with the investigators finding that the JumpCloud attacks allowed North Korean hackers to launch two cryptocurrency heists that netted them about $147.5 million. 

The report also delves into the at-times-confusing web of groups that cybersecurity firms and governments have identified and tied to North Korea. The panel found that there is “increasing overlap” among the groups involved in attacks. 

Groups that have been named — such as Andariel, Kimsuky, BlueNoroff, ScarCruft and Lazarus — are housed within different agencies in North Korea but typically conduct joint operations and share infrastructure. 

The panel notes that one of its members was targeted in 2023. 

“Democratic People’s Republic of Korea cyberactors, probably Kimsuky, were likely responsible for targeting the private email address of a member of the Panel through persistent spearphishing attacks,” the experts said.

“The Panel reiterates its view that such attacks against the Panel and the Committee amount to sanctions evasion.”

North Korean groups were also seen dabbling in ransomware, with hackers connected to Andariel stealing $360,000 worth of bitcoin (BTC) through ransomware attacks on three companies. 

“Lazarus Group actors collaborated with a Republic of Korea company to distribute ransomware and collected approximately $2.6 million in recovery costs from more than 700 victims,” the panel added. “Some proceeds were reportedly transferred to a cryptocurrency wallet owned by the Lazarus Group.”

The report includes a range of recommendations for UN members, including increased cyber protections for financial institutions and more sanctions on specific hacking groups. 

States also need to find ways to limit the methods North Korean actors use to launder their stolen funds, the panel said. 

Blockchain security firm Elliptic closely watches North Korean activity and recently updated a report on efforts by Lazarus to launder money through Tornado Cash — a popular mixing service that the group temporarily had moved away from due to U.S. sanctions. The hackers have come back and are laundering large amounts, Tom Robinson, one of Elliptic’s co-founders, told Recorded Future News this week.

“The amount laundered through Tornado Cash from this Lazarus-attributed hack has now reached $100 million,” Robinson said.


Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.