How North Korea became a mastermind of crypto cyber crime


Created by a Vietnamese gaming studio, Axie Infinity offers players the chance to breed, trade and fight Pokémon-like cartoon monsters to earn cryptocurrencies including the game’s own “Smooth Love Potion” digital token. At one stage, it had more than a million active players.

But earlier this year, the network of blockchains that underpin the game’s virtual world was raided by a North Korean hacking syndicate, which made off with roughly $620mn in the ether cryptocurrency.

The crypto heist, one of the largest of its kind in history, was confirmed by the FBI, which vowed to “continue to expose and combat [North Korea’s] use of illicit activities — including cyber crime and cryptocurrency theft — to generate revenue for the regime”.

The successful crypto heists illustrate North Korea’s growing sophistication as a malign cyber actor. Western security agencies and cyber security companies treat it as one of the world’s four principal nation state-based cyber threats, alongside China, Russia and Iran.

According to a UN panel of experts monitoring the implementation of international sanctions, money raised by North Korea’s criminal cyber operations is helping to fund the country’s illicit ballistic missile and nuclear programmes. Anne Neuberger, US deputy national security adviser for cyber security, said in July that North Korea “uses cyber to gain, we estimate, up to a third of their funds for their missile programme”.

Crypto analysis firm Chainalysis estimates that North Korea stole approximately $1bn in the first nine months of 2022 from decentralised crypto exchanges alone.

Anne Neuberger, the US deputy national security adviser for cyber security, said this year that a significant portion of North Korea’s funding for its missile programme came from cyber attacks © Drew Angerer/Getty Images

The rapid collapse last week of FTX, one of the biggest exchanges, has highlighted the opacity, erratic regulation and speculative frenzies that have been the central features of the market for digital assets. North Korea’s growing use of crypto heists has also served to demonstrate the absence of meaningful international regulation of the same markets.

Analysts say the scale and sophistication of the Axie Infinity hack exposed just how powerless the US and allied countries appear to be to prevent large-scale North Korean crypto theft.

Only about $30mn of the crypto loot has since been recovered. That was after an alliance of law enforcement agencies and crypto analysis companies traced some of the stolen funds through a series of decentralised exchanges and so-called “crypto mixers”, software tools that can shuffle the crypto holdings of different users so as to obfuscate their origins.

In one of the few law enforcement actions since the theft, in August the US sanctioned the Tornado Cash mixer, which the US Treasury said had been used by the hackers to launder more than $450mn of their Ethereum haul.

The US has since designated the crypto mixer, alleging the tool was used to support North Korean hackers who were in turn supporting the country’s weapons of mass destruction programme.

The episode also highlights the opportunities afforded by the unregulated world of crypto to many other rogue regimes and criminal actors around the world, with experts warning that the problem is likely only to get worse over the decade as crypto exchanges are increasingly decentralised and more goods and services — legal and illicit — are made available for purchase with cryptocurrency.

“We are not anywhere near where we need to be when it comes to regulating the cryptocurrency industry,” says Allison Owen, a research analyst at RUSI’s Centre for Financial Crime and Security Studies. “Countries are taking steps in the right direction, but North Korea will continue finding creative ways to evade sanctions.”

Office 39

Like some of the communist regimes upon which it once depended but which it has long since outlived, North Korea’s hereditary regime has a colourful history of engaging in criminal activity as a means to accumulate foreign currency.

In the 1970s North Korea’s then ruler Kim Il Sung, the grandfather of present ruler Kim Jong Un, tasked his son and successor Kim Jong Il with establishing a cell within the ruling Workers’ Party of Korea to raise money for the dictatorship’s founding family.

Called Office 39, it was one of several entities created by the regime to bring in billions of dollars a year from schemes ranging from producing and distributing counterfeit cigarettes and US dollar bills to selling illegal drugs, minerals, arms and even rare animal species.

North Korean officials, diplomats, spies and assorted operatives were all mobilised in support of this illicit shadow economy, which continues to operate through a complex network of shell companies, financial institutions, foreign brokers and organised crime groups that facilitate the country’s proliferation and sanctions evasion efforts.

Pyongyang has also spent recent decades building up its formidable cyber capabilities, a project that dates back to the late 1980s and early 1990s when the Kim regime sought to develop what was then a nascent nuclear weapons programme.

Regime defectors have described how Kim Jong Il saw the value of networked computers as an efficient means to direct regime officials while remaining in seclusion. He also saw them as a platform to underpin the country’s nuclear and conventional weapons development.

Under Kim Jong Un, who came to power after his father’s death in 2011, North Korea’s cyber capabilities and the threats they posed started to garner international attention © KCNA VIA KNS/AFP/Getty Images

Kim Jong Il is quoted in a book published by the North Korean army as having said that “if the internet is like a gun, cyber attacks are like atomic bombs.” But it was only under his son Kim Jong Un, who assumed power in 2011, that the country’s cyber capabilities started to garner international attention.

While less than 1 per cent of the North Korean population is estimated to have restricted and closely monitored access to the internet, potential members of the country’s army of approximately 7,000 hackers are identified while still at school. They are then trained and groomed at elite government institutions, with some also receiving training and additional experience in China and other foreign countries.

“They train people who show early indications of being strong in cyber and they send them to other places around the world and embed them into organisations, embed them into the society and culture,” says Erin Plante, vice-president of investigations at Chainalysis. “You have these hacking cells based all around the Asia-Pacific region merging in with the rest of the tech community.” 

In 2014, North Korean hackers launched an attack on Sony Pictures ahead of its release of The Interview, a Hollywood comedy about a fictional assassination attempt on Kim Jong Un. The hack shut down the production studio’s computer network before threatening executives with the release of sensitive and embarrassing internal documents.

That was followed in 2016 by a raid on Bangladesh’s central bank. Members of the Lazarus Group, the same syndicate that was behind the Axie Infinity hack, broke into the bank’s computer network and lurked inside it for a year before issuing instructions to the Federal Reserve Bank in New York to drain $951mn of Bangladeshi reserves.

The money was transferred to a bank in the Philippines and was only identified because one of the orders happened to contain a word that was also the name of a sanctioned Iranian ship, alerting US authorities. The hackers ended up getting away with less than 10 per cent of their haul.

The Interview, a 2014 Hollywood comedy about a fictional assassination attempt on Kim Jong Un, prompted a cyber attack from North Korea on Sony Pictures © Damian Dovarganes/AP

North Korean hackers have also demonstrated their offensive capabilities, causing widespread chaos through ransomware attacks. In 2017, the Lazarus Group unleashed the devastating WannaCry virus, which infected at least 200,000 computers at hospitals, oil companies, banks and other organisations around the world.

The transactions on the Axie Infinity game were supported by Ronin Network, a so-called “cross-chain bridge” that links different blockchains and is supposed to have a high level of security. Withdrawals from the bridge had to be approved by a majority of nine validator keys. The hackers gained access to five of those nine private keys, enough to approve withdrawals in their favour.
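The five-of-nine arrangement described above is a threshold (k-of-n) approval scheme, and its whole strength rests on the k keys being independently held. The following toy model is an added illustration, not the Ronin bridge’s code or any claim about how it was implemented: HMAC tags stand in for real signatures, the validator secrets and withdrawal message are constructed, and the custody-group check in the second approval function is an assumed hardening measure, not something the article describes. It shows that a bare threshold rule accepts any five valid signatures, including five from keys held by a single operator, while a rule that also requires signers from several independent custody groups would reject that case.

```python
import hashlib
import hmac

# Toy model of a k-of-n validator set guarding bridge withdrawals. Added
# illustration only: HMAC tags stand in for signatures, the keys and message
# are constructed, and the custody-group check is an assumed mitigation.
THRESHOLD = 5      # approvals needed to release funds (5-of-9, as in the text)
VALIDATORS = 9


def make_validator_keys(n=VALIDATORS):
    """Constructed per-validator secrets (real bridges use asymmetric keys)."""
    return {i: hashlib.sha256(f"validator-{i}-secret".encode()).digest() for i in range(n)}


def sign(key, message):
    """Stand-in for a validator's signature over a withdrawal message."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def valid_signers(keys, message, signatures):
    """Return the set of distinct validator ids whose tag over `message` verifies.

    `signatures` is a list of (validator_id, tag) pairs; repeats from the same
    validator count once, so replaying one honest approval cannot inflate the tally.
    """
    signers = set()
    for vid, tag in signatures:
        if vid in keys and hmac.compare_digest(sign(keys[vid], message), tag):
            signers.add(vid)
    return signers


def approve_withdrawal(keys, message, signatures, threshold=THRESHOLD):
    """Bare threshold rule: release funds iff >= threshold distinct validators approve."""
    return len(valid_signers(keys, message, signatures)) >= threshold


def approve_with_custody_check(keys, custody, message, signatures,
                               threshold=THRESHOLD, min_groups=3):
    """Assumed hardening: also require signers from >= min_groups independent
    custody groups, so a compromise confined to one operator's keys cannot
    reach quorum on its own."""
    signers = valid_signers(keys, message, signatures)
    groups = {custody[v] for v in signers}
    return len(signers) >= threshold and len(groups) >= min_groups


def demo():
    """Run the scenarios and return approve/reject results keyed by scenario name."""
    keys = make_validator_keys()
    msg = b"withdraw 1000 ETH to 0xCONSTRUCTED-ADDRESS"
    # Constructed custody map: validators 0-4 run by one operator, the rest spread out.
    custody = {0: "opA", 1: "opA", 2: "opA", 3: "opA", 4: "opA",
               5: "opB", 6: "opC", 7: "opD", 8: "opE"}
    four = [(v, sign(keys[v], msg)) for v in range(4)]          # short of quorum
    replayed = four + [four[0]]                                 # same 4 signers, one replayed
    five_one_op = [(v, sign(keys[v], msg)) for v in range(5)]   # quorum from one operator
    five_spread = [(v, sign(keys[v], msg)) for v in (0, 5, 6, 7, 8)]  # quorum across operators
    return {
        "four": approve_withdrawal(keys, msg, four),
        "replayed": approve_withdrawal(keys, msg, replayed),
        "five_one_op_threshold": approve_withdrawal(keys, msg, five_one_op),
        "five_one_op_custody": approve_with_custody_check(keys, custody, msg, five_one_op),
        "five_spread_custody": approve_with_custody_check(keys, custody, msg, five_spread),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'APPROVED' if ok else 'rejected'}")
```

The point for a defender is in the third and fourth scenarios: the same five approvals pass the bare threshold check and fail the custody-diversity check, so the threshold number alone says nothing about how many independent compromises an attacker needs. Monitoring for quorums drawn from a single operator, and distributing key custody so no one party holds a threshold’s worth of keys, are the corresponding mitigations.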

According to Nils Weisensee, a cyber security expert with Seoul-based information service NK Pro, the Axie Infinity hack demonstrates how North Korean hackers can now “exploit new vulnerabilities in the latest blockchain technologies almost as quickly as they arise”.

“Just a few years ago, North Korean hackers were specialising in distributed denial-of-service attacks, which is a relatively crude method of flooding your victims’ servers with internet traffic,” says Weisensee. “But if a DDoS attack is the cyber equivalent of beating someone with a baseball bat, then the successful raids on cross-chain bridges like Ronin and Horizon are the equivalent of stealing someone’s wallet through a hole in their pocket they didn’t even know existed.”

Analysts cite the Bangladesh Bank heist as an example of just how much more labour intensive and time consuming it is to target traditional financial institutions.

Axie Infinity, a cartoon game in which players earn cryptocurrency, was meant to be secure but exposed how powerless many countries appear to be to prevent North Korean crypto theft

The North Korean hackers who infiltrated the bank’s computer network had lurked in the system for a year before executing the theft. The proceeds were transferred through several banks to casinos in Manila, where…


2022-11-14 05:06:32