North Korean computer hackers continue to threaten the wider cryptocurrency ecosystem, having stolen an estimated $2 billion worth of cryptocurrency in the last five years, as detailed in a report published by TRM Labs. The report explains the methods the hackers use and the targets they go after.
Blockchain intelligence firm TRM Labs published a report warning readers about the dark world of cryptocurrency hacking, focusing on the attacks carried out by North Korean cybercriminals. According to TRM Labs’ data, North Korean hackers stole approximately $200 million worth of cryptocurrency in 2023, accounting for 20% of all stolen crypto assets that year.
North Korean cyber attacks are estimated to be ten times larger than those carried out by other malicious actors. Hackers in the country have also targeted decentralized finance (DeFi) ecosystems, aiming at high-value cryptocurrency transfers and cross-chain bridges.
Cross-chain bridge attacks, such as the Axie Infinity Ronin Bridge attack, resulted in the theft of $650 million worth of cryptocurrency, and North Korean hackers collectively stole approximately $800 million in three separate attacks in 2022.
The methods used to carry out these cyber attacks vary, including phishing attacks and supply chain attacks that lead to compromised private keys and seed phrases. TRM Labs states that North Korean hackers have become more sophisticated in their on-chain laundering methods. Previously, stolen cryptocurrency was simply converted into cash, but this has evolved into highly complex “multi-stage money laundering processes.”
In response to aggressive sanctions imposed by the Office of Foreign Assets Control, law enforcement operations, and advanced blockchain monitoring tools, hackers have developed new methods. TRM Labs cited the 2023 Atomic Wallet attack by North Korea as an example of the concealment methods used by state-sponsored hackers.
The incident occurred in June 2023, when hackers targeted the non-custodial wallet provider Atomic Wallet and stole $100 million worth of cryptocurrency from 4,100 addresses. TRM Labs believes that this exploit was made possible by a phishing or supply chain attack.
Hackers emptied user wallets on the Ethereum, Tron, Bitcoin, XRP, Dogecoin, Stellar, and Litecoin blockchains, transferring the stolen funds to new wallets. ERC-20 and TRC-20 tokens were swapped for ETH and TRX, the native assets of Ethereum and Tron, and decentralized exchanges were used in combination with automated programs, mixers, and cross-chain swaps to launder the funds.