February 16, 2022

Following the Crypto

Using Blockchain Analysis to Assess the Strengths and Vulnerabilities of North Korean Hackers

Executive Summary

Under heavy and sustained pressure from decades of economic sanctions, North Korea has rapidly expanded its illicit activity within the cyber domain. In particular, Pyongyang has demonstrated an increasing interest in using evolving financial platforms, such as cryptocurrency and blockchain technology, to compensate for the fiscal losses related to economic sanctions on more traditional forms of commercial activity. Since 2014, the Pyongyang-led cybercrime organization known as the Lazarus Group has transformed from a rogue team of hackers to a masterful army of cybercriminals and foreign affiliates, capable of compromising major national financial networks and stealing hundreds of millions of dollars’ worth of virtual assets.

The international community and national governments often incorrectly correlate North Korea’s lack of access to modern computer hardware within its borders to its ability to successfully execute software-reliant cyberattacks. While Beijing and Moscow captivate the attention of most democratic governments concerned about pending cyber intrusions, Pyongyang continues to defy miscalculated expectations by successfully employing myriad sophisticated cyberattacks that target new and developing financial technology. North Korea will likely continue to adapt its cybercrime tactics targeting cryptocurrency to circumvent obstacles presented by economic sanctions on more traditional forms of financial activity and commerce.


This report provides in-depth analysis of North Korea’s demonstrated ability to exploit financial technologies, in particular cryptocurrencies and blockchain technology, to procure funds for its illicit nuclear and ballistic weapons development programs. This research was supported through blockchain analysis conducted in partnership with TRM Labs, a leading blockchain intelligence firm that seeks to monitor, investigate, and mitigate crypto fraud and financial crime.

Through analyzing three case studies of major North Korean hacks, this report outlines key strengths and vulnerabilities in the Lazarus Group’s campaigns to infiltrate cryptocurrency exchanges and steal, launder, and liquidate funds. The report also provides a snapshot of key policy oversights within the regulatory environment in the crypto space of central stakeholders and countries, such as China, the United States, and South Korea. Lastly, this study offers a prospective look into the future of North Korea–led crypto hacks and provides a series of policy recommendations to strengthen cyber resilience against these efforts.

Summary of Recommendations

The following recommendations are proposed for U.S. domestic and foreign policymakers, as well as those in the private sector:

U.S. Domestic Policymakers

  • Financial regulators and lawmakers should work to remove any loopholes that allow decentralized finance (DeFi) platforms and other emerging financial technology to circumvent U.S. regulations on anti–money laundering (AML) and combating the financing of terrorism (CFT).
  • Congress should adopt legislation that requires all cryptocurrency exchanges to report cyber incidents to the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the FBI that could involve the financial and/or personal information of U.S. citizens and/or entities.
  • Within the new National Cryptocurrency Enforcement Team, the executive branch should designate specific research on state-sponsored cybercrime groups.

U.S. Foreign Policymakers

  • The U.S. Department of the Treasury should expand sanctions designations to any individual or entity supporting and/or facilitating North Korean cybercrime, including foreign over-the-counter (OTC) brokers and telecommunications companies that provide to North Korea technical services, know-how, and equipment that its hackers use to conduct malicious cyber operations.
  • The U.S. government should incorporate specific joint research and investigative initiatives on cryptocurrency-related illicit activity within the ongoing U.S.-ROK cyber working group established during the 2021 Biden-Moon Summit.
  • The U.S. government should enhance overall cyber-related intelligence sharing and communication channels with Southeast Asian allies and partners to foster greater understanding of cybersecurity risks.
  • The Financial Crimes Enforcement Network (FinCEN) should engage with relevant foreign legislative and enforcement bodies to require that virtual asset service providers (VASPs) operating or seeking to operate within their jurisdictions fully implement all Financial Action Task Force (FATF) guidance on virtual assets.

Private Sector Actors

  • All cryptocurrency exchanges should adopt company-wide best practices for increased cyber hygiene, such as incorporating relevant CISA guidelines on cybersecurity and executing mock email phishing campaigns for all employees.


Author

  • Jason Bartlett

    Former Research Associate, Energy, Economics, and Security Program

    Jason Bartlett is a former Research Associate for the Energy, Economics, and Security Program at CNAS. He analyzes developments and trends in sanctions policy and evasion tact...
