Key points
- Since 2017, North Korean state-linked actors have shifted focus to cryptocurrency, stealing an estimated $3 billion total and $1.7 billion in 2022.
- Early operations included hijacking the SWIFT network before expanding to target exchanges, individual users, venture capital firms, and alternative technologies.
- Stolen cryptocurrency is frequently laundered and converted to fiat using methods such as stolen identities and altered photos to evade AML controls.
- North Korean groups conduct operations at scale and use tactics comparable to other cybercriminal groups but with greater state support and resources.
- The proceeds are a significant revenue source for the regime, contributing to military and weapons programs.
- Recorded Future recommends stronger regulations, enhanced cybersecurity measures, and investment in defenses for cryptocurrency firms to mitigate continued targeting.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Used to compromise financial messaging infrastructure (‘hijacking of the SWIFT network’).
- [T1078] Valid Accounts – Leveraged stolen or compromised credentials to access exchanges, wallets, and financial systems (‘stealing from financial institutions’ and the shift to targeting cryptocurrency exchanges and users).
- [T1036] Masquerading – Employed stolen identities and doctored photos to impersonate legitimate actors and bypass detection (‘stolen identities and altered photos, to evade anti-money laundering measures’).
- [T1589] Gather Victim Identity Information – Collected identity data to enable laundering and conversion of stolen funds into fiat (‘stolen identities and altered photos, to evade anti-money laundering measures’).
Report sources (publisher infrastructure, not indicators of compromise)
- [Domain] Report and media hosting – recordedfuture.com, go.recordedfuture.com (source report and hosted PDF).
- [File] Report PDF – cta-2023-1130.pdf (full analysis available for download from the report link).
- [Domain] Asset hosting – cms.recordedfuture.com (image and media assets referenced in the article).
Since 2017, North Korean state-backed actors have pivoted from SWIFT-focused intrusions to systematically targeting the cryptocurrency ecosystem, successfully compromising exchanges, individual wallets, and related financial services. Their operations combine exploitation of externally facing financial infrastructure with the use of valid credentials obtained through compromise, enabling unauthorized transfers of funds out of custodial platforms and direct theft from user accounts.
After theft, actors use a layered laundering chain to convert cryptocurrency into fiat: they employ stolen identities and doctored media to open accounts or pass AML checks, leverage mixing and chain-hopping services to obscure transaction provenance, and move funds through multiple platforms and jurisdictions. These techniques are designed to mimic common cybercriminal laundering methods while specifically exploiting gaps in crypto-specific compliance and monitoring.
Mitigation requires tightening security around public-facing financial applications, implementing robust credential protection and monitoring, enhancing KYC/AML processes to detect synthetic or doctored identities, and investing in threat hunting for blockchain indicators of compromise. Without stronger regulation and improved cyber defenses, state-backed groups with skilled personnel and privileged access are likely to continue exploiting the crypto sector as a revenue stream.
Read more: https://www.recordedfuture.com/crypto-country-north-koreas-targeting-cryptocurrency