North Korea has always been a bit of an outlier among the countries that make extensive use of offensive cyber capabilities. Unlike the United States, Russia, China, Israel, or Iran, North Korea has never appeared to be particularly focused on cyber-espionage or targeted cyber-sabotage. Instead it has performed a series of financially-motivated cybercrime campaigns like the 2017 WannaCry ransomware, as well as some splashy revenge-motivated breaches, most notably the 2014 Sony Pictures compromise. These high-profile incidents have suggested for a while that North Korea has more in common with cybercriminals than other nation states. But a December indictment unsealed this week by the Department of Justice makes clear just how central financial gain is to North Korea’s cyber activities. More importantly, it sheds light on the extent to which cryptocurrency and cybercrime can allow countries to undermine existing economic sanctions.
The indictment charges three hackers who work for the North Korean Reconnaissance General Bureau with a long list of computer intrusions and cybercrimes targeting victims all over the world and totaling some $1.3 billion in attempted theft and extortion efforts. The incidents range from well-known attacks like the Sony Pictures breach and WannaCry to intrusions into and thefts from Bangladesh Bank, Banco Nacional de Comercio Exterior in Mexico (Bancomext), BankIslami Pakistan Limited, the Polish Financial Supervision Authority, and casinos and cryptocurrency companies in Central America and Asia, to name just a few. The charges include fraudulent SWIFT transfers to manipulating bank computers in order to dispense cash from ATMs, developing and distributing cryptocurrency programs that were actually malware, stealing from cryptocurrency companies across the globe, among other things. It’s the most comprehensive and extensive catalog of North Korean cybercrimes the United States has ever made public, and it includes enough details to show not just how wide-ranging North Korea’s cyber exploits have been, but also which of those activities have been most lucrative.
Despite the name “Reconnaissance General Bureau,” very little of the activity described in the indictment resembles espionage or reconnaissance. Instead, as the indictment describes, the charged individuals “sought to cause damage through computer intrusions in response to perceived reputational harm” or “to steal currency and virtual currency … or to obtain it through extortion, for the benefit of the DPRK regime—and, at times, for their own private financial gain.” Aside from a few cases like Sony Pictures in which North Korea sought to publicly shame a victim (the indictment dubs these “revenge-motivated computer attacks”), most of the indictment details financially motivated instances of cybercrime. It also reveals some failures:
Despite the $1.3 billion figure that the Department of Justice calculated in total attempted theft and extortion, North Korea only succeeds in stealing a small portion of that sum. In 2016, for example, North Korea attempted to steal $951 million via transfers from Bangladesh Bank to accounts in the Philippines and Sri Lanka, according to the indictment, but only about $101 million from those fraudulent transfers went through.
Still, $100 million is a lot of money for a single cybercrime operation—and the Bangladesh Bank incident is only one of many detailed in the indictment. Another 2016 compromise of a bank in Africa yielded $104.1 million in false and fraudulent wire transfers. A 2018 breach of Bancomext led to $110 million in profits for the North Korean hackers. These breaches of banks are some of the most lucrative efforts detailed in the indictment. By comparison, the ransomware and extortion incidents described in the indictment tend to yield much smaller sums. For instance, one ransomware incident leads to a $100,000 payment, another to a $361,500 payout from a casino in Central America, and a third to $2.3 million worth of cryptocurrency from a different Central American casino.
North Korea’s use of cryptocurrency for cybercrime was not limited to ransomware attacks, however. In fact, it appears to have been more successful at stealing money directly from cryptocurrency companies through fraudulent transfers than it was at eliciting ransoms from individual victims. By compromising companies in Slovenia and Indonesia, the individuals named in the indictment were apparently able to steal $75 million and $24.9 million worth of cryptocurrency, respectively, from the virtual currency wallets managed by those companies. They also developed and distributed malware in the guise of cryptocurrency trading programs called things like iCryptoFx (a purported “cryptocurrency algo-trading tool”), CoinGo Trade, and CryptoNeuro Trader. Even more wild, they apparently developed a plan to create their own cryptocurrency called “Marine Chain Token” which would “allow investors to purchase fractional ownership interests in marine shipping vessels, such as cargo ships, supported by a blockchain” and planned to raise money for it through a fraudulent initial coin offering.
North Korea also made use of lower-tech financial infrastructure to access non-virtual currency. In 2018, for instance, it compromised the BankIslami computer network in order to approve fraudulent ATM withdrawal requests that led to $6.1 million being dispensed from ATMs. That money was then laundered with the help of a co-conspirator identified as Canadian American Ghaleb Alaumary.
The range of activities, victims, and theft and extortion models laid out in the indictment is staggering, not because any of these models are so new or sophisticated, but because, taken together, they paint the clearest picture yet of how effectively cybercrime can be used to undermine international sanctions. It’s a stark reminder that even as more countries are beginning to use economic sanctions as a response to malicious cyber activity, that very same activity can itself be used to circumvent those sanctions. As heartening as it is that countries are bolstering their responses to cyberattacks through the use of sanctions, the latest North Korea indictment demonstrates just how worthless those efforts will be without simultaneous aggressive, coordinated, international policing of cybercrime.