Research (Insikt)

Crypto Country: North Korea’s Targeting of Cryptocurrency

Posted: 30th November 2023
By: Insikt Group


In a new report, Recorded Future’s Insikt Group examines North Korea’s success in its cybercriminal operations targeting the cryptocurrency industry. Since 2017, North Korea has significantly increased its focus on the cryptocurrency industry, stealing an estimated $3 billion worth of cryptocurrency. Initially successful in stealing from financial institutions through the hijacking of the SWIFT network, North Korea shifted its attention to cryptocurrency during the 2017 bubble, starting with the South Korean market and later expanding globally. In 2022 alone, North Korean threat actors were accused of stealing $1.7 billion in cryptocurrency, equivalent to 5% of the country's economy or 45% of its military budget. The stolen funds, often laundered using methods similar to traditional cybercriminal groups, contribute to the regime's revenue, allowing it to operate despite international sanctions.

North Korean State-Sponsored Activity Targeting Cryptocurrency North Korean state-sponsored activity targeting the cryptocurrency industry (Source: Recorded Future Intelligence Cloud)

North Korean threat actors, supported by the state, engage in operations that mirror those of other cybercriminal groups but operate on a larger scale, with 44% of stolen cryptocurrency in 2022 attributed to them. Targets include not only cryptocurrency exchanges but also individual users, venture capital firms, and alternative technologies. Those operating in the cryptocurrency industry, as well as traditional finance entities, are advised to be vigilant. Stolen cryptocurrency is often converted into fiat currency, and North Korean threat actors use various methods, including stolen identities and altered photos, to evade anti-money laundering measures.

The regime views cryptocurrency theft as a major revenue source, particularly for funding military and weapons programs. While the exact amount used for ballistic missile launches is unclear, both the volume of stolen cryptocurrency and missile launches have risen. Without stronger regulations, cybersecurity measures, and investments in cybersecurity for cryptocurrency firms, North Korea is likely to persist in targeting the industry for additional revenue. Despite restrictions on movement and isolation of the general population, the regime's elite and highly trained computer science professionals with privileged access to technology play a crucial role in conducting cyberattacks against the cryptocurrency industry.

To read the entire analysis, click here to download the report as a PDF.