UN investigates 58 alleged cryptocurrency heists by North Korea worth $3 billion


A United Nations panel said it was investigating 58 cyberattacks allegedly carried out by North Korean hackers that resulted in the attackers reaping about $3 billion over a six-year period.

In a report released March 7, UN experts said they tracked the activity of “cyber threat actors subordinate to the Reconnaissance General Bureau (RGB), including Kimsuky, the Lazarus Group, Andariel and BlueNoroff,” between 2017 and 2023. Kimsuky and Lazarus are particularly well known to cybersecurity researchers.

“The main tasks of these cyber threat actors are to obtain valuable information for the Democratic People’s Republic of Korea and illegally generate revenue for the country,” the experts said, echoing accusations from the U.S. government and other international authorities.

Stolen intellectual property helps the regime achieve technological advancements and can also be sold, the report said.

“The country’s attack methods continue to include spearphishing, vulnerability exploitation, social engineering, and watering holes,” the experts said.

The panel is currently investigating 17 cryptocurrency hacks dating back to 2023 alone, with the value of stolen funds equivalent to approximately $750 million.

Some of these attacks include:

  • Terraport Finance, April 10, 2023, $4 million
  • Merlin DEX, April 26, 2023, $1.8 million
  • Atomic Wallet, June 2, 2023, $120 million
  • Alphapo, July 22, 2023, $110 million
  • CoinsPaid, July 22, 2023, $44 million
  • Steadefi, August 7, 2023, $1.16 million
  • Stake.com, September 4, 2023, $41.3 million
  • CoinEx, September 12, 2023, $70 million
  • Fantom Foundation, October 17, 2023, $7.5 million
  • Poloniex, November 10, 2023, $114 million
  • HTX, November 22, 2023, $30 million
  • HECO Chain (HTX Eco Chain bridge), November 22, $86 million
  • Orbit Chain, December 31, 2023, $81 million

The groups also continue to target defense companies and software supply chains and, increasingly, share infrastructure and tools, experts said.

The panel cited hundreds of reports from dozens of research firms and cybersecurity firms that tracked attacks by various North Korean government and military groups.

The groups targeted nuclear engineers and companies building radar systems, unmanned aerial vehicles, military vehicles, ships and weapons, as well as maritime companies – some of which were operating in Spain, the Netherlands, Poland and even Russia.

Russia either denied or refused to comment when the panel asked about several different incidents allegedly instigated by North Korean groups. The panel noted that Chinese institutions have also faced a tidal wave of attacks from North Korean groups.

Social engineering and supply chain attacks

The report describes dozens of different social engineering tactics used by hacking groups, from presenting fake recruiters on LinkedIn to manipulating job seekers on Telegram and WhatsApp.

The attackers also made a point of repeatedly targeting South Korean companies and government organizations, stealing reams of defense data from the country’s navy, IT companies, universities and more.

Supply chain attacks involving software companies like JumpCloud, JetBrains and CyberLink were also highlighted in the report, with investigators finding that the JumpCloud attacks allowed North Korean hackers to launch two cryptocurrency heists that netted them approximately $147.5 million.

The report also looks at the sometimes confusing web of groups that cybersecurity companies and governments have identified and linked to North Korea. The panel found that there is “increasing overlap” between the groups involved in the attacks.

The groups cited – such as Andariel, Kimsuky, BlueNoroff, ScarCruft and Lazarus – are housed within different agencies in North Korea, but generally conduct joint operations and share infrastructure.

The panel notes that one of its members was targeted in 2023.

“Democratic People’s Republic of Korea cyber actors, likely Kimsuky, were likely responsible for targeting a Group member’s private email address through persistent spearphishing attacks,” the experts said.

“The Group reiterates its view that such attacks against the Group and the Committee constitute sanctions evasion.”

North Korean groups have also been seen dabbling in ransomware, with hackers linked to Andariel stealing $360,000 worth of bitcoin (BTC) via ransomware attacks against three companies.

“Lazarus Group actors collaborated with a Republic of Korea company to distribute ransomware and collected approximately $2.6 million in recovery fees from more than 700 victims,” the panel added. “Some profits were allegedly transferred to a cryptocurrency wallet owned by the Lazarus Group.”

The report includes a series of recommendations for UN members, including increased cyber protection for financial institutions and more sanctions against specific hacking groups.

States must also find ways to limit the methods North Korean actors use to launder stolen funds, the panel said.

Blockchain security company Elliptic is closely monitoring North Korean activity and recently updated a report about Lazarus’ efforts to launder money through Tornado Cash – a popular mixing service from which the group had temporarily distanced itself because of American sanctions. Hackers have returned and are laundering large sums of money, Tom Robinson, one of Elliptic’s co-founders, told Recorded Future News this week.

“The amount laundered through Tornado Cash following this hack attributed to Lazarus has now reached $100 million,” Robinson said.
