Be Careful What You Download: How to Avoid a North Korea Cyber Attack

Three Crypto Takeaways from the DOJ Cyber Indictment

Yesterday, the Department of Justice unsealed a 29-page federal indictment and dropped a dramatic press release naming and shaming three North Korean computer programmers who, according to the indictment, participated in a wide-ranging global criminal conspiracy to conduct a series of malicious cyberattacks resulting in the theft of an unprecedented $1.3 billion in crypto and fiat currency from financial institutions and other companies worldwide.

This indictment stretches across industries, geography, culture, politics and even the arts. But one thing jumps out at us that we have really always known: the great promise of cryptocurrency introduces new global risks. In the same way that the Internet led to new global risks, from echo chambers to data breaches, crypto introduces new systemic risks, from hacks to ransomware to programmatic money laundering. The same properties that make crypto a force for good — permissionless, programmable, and instantaneous value transfer — will be hijacked by bad actors to harm our financial system at unprecedented speed and scale. This indictment could be exhibit A for this dangerous new world order.

The indictment, filed in United States District Court in Los Angeles, alleges that Jon Chang Hyok (전창혁), 31; Kim Il (김일), 27; and Park Jin Hyok (박진혁), 36, were members of the Reconnaissance General Bureau (RGB), a military intelligence agency of the Democratic People’s Republic of Korea (DPRK), also known as Lazarus Group, which engages in criminal cyberattacks. These attacks were orchestrated for the purpose of feeding DPRK coffers and propping up the Kim Jong Un regime as it seeks nuclear weapons and fends off U.S. sanctions. To put this in perspective, according to Nicholas Eberstadt, an economist at the American Enterprise Institute, the $1.3 billion targeted represents almost half of the total amount of North Korea’s civilian merchandise imports. Eberstadt explained to the Washington Post, "These indictments indicate the scale of the fraud Pyongyang engages in to support its other activities, including nuclear weapons and ballistic missile development."

Assistant Attorney General John Demers nailed it when he said, “As laid out in today’s indictment, North Korea’s operatives, using keyboards rather than guns, stealing digital wallets of cryptocurrency instead of sacks of cash, are the world’s leading bank robbers." And Demers is right. The burgeoning crypto economy has opened the door for nation-state actors and cybercriminals to take to the digital battlefield with a new cache of dangerous weapons. This indictment is filled with must-see TV for the cryptoverse, well beyond the massive stolen funds. TRM Insights walks through the indictment for three key takeaways for crypto:

Rogue Nation States Will Increasingly Use Crypto Hacks to Fund Operations

For years North Korea, denied access to fiat currency, has looked to alternative means of laundering money and evading aggressive U.S. and international sanctions. The indictment, in painstaking detail, paints a picture of a sophisticated, disciplined approach to the cyberattacks:

The computer intrusions often started with fraudulent, spear-phishing messages -- emails and other electronic communications designed to make intended victims download and execute malicious software (“malware”) developed by the hackers. At other times, the spear-phishing messages would encourage intended victims to download or invest in a cryptocurrency-related software program created by the hackers, which covertly contained malicious code and/or would subsequently be updated with malicious code after the program was downloaded (a “malicious cryptocurrency application”). To hone the spear-phishing messages, the hackers would conduct internet research regarding their intended victims and would send “test” spear-phishing messages to each other or themselves. The hackers employed false and fraudulent personas when they sent spear-phishing messages to victims.

Perhaps more concerning than the conduct itself is the professionalism and military precision at work. The indictment, through a detailed series of overt acts, spells out how the defendants, over a two-year period, developed multiple malicious cryptocurrency applications – including Celas Trade Pro, WorldBit-Bot, iCryptoFx, Union Crypto Trader, Kupay Wallet, CoinGo Trade, Dorusio, CryptoNeuro Trader, and Ants2Whale (together known as "AppleJeus"). The cybercriminals then sent communications advertising and encouraging the download of the malware in order to gain backdoor access to their victims’ computer systems.
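The indictment's description of trojanized trading applications illustrates the one control an end user or desktop team actually has at download time: checking the file received against a digest published by the vendor through a separate channel. The following Python example is added here to show that check; it is not code from TRM Labs or from the indictment, and the installer bytes, the file name "TradePro-Setup.exe" and the "published" digest are all constructed for the demonstration.

```python
import hashlib
import hmac
import os
import tempfile

CHUNK_SIZE = 64 * 1024


def sha256_of_file(path):
    """Stream a file through SHA-256 so large installers need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_download(path, published_sha256):
    """Compare a downloaded file against a digest obtained out of band.

    The published digest must come from a channel the sender of the download
    link does not control (for example the vendor's signed release page), never
    from the same e-mail or chat message that delivered the link. A verdict
    dict is returned instead of printed so callers can log it or block on it.
    """
    actual = sha256_of_file(path)
    # Constant-time comparison; avoids leaking how many leading digits matched.
    matches = hmac.compare_digest(actual, published_sha256.lower())
    return {
        "path": path,
        "published": published_sha256.lower(),
        "actual": actual,
        "ok": matches,
        "verdict": "OK" if matches else "MISMATCH: do not run this file",
    }


def run_demo():
    """Constructed sample: a 'genuine' installer and a trojanized copy of it.

    Both byte strings are fabricated here for illustration. The trojanized copy
    keeps the same file name and the same leading bytes and only appends extra
    content, which is still enough to change the digest.
    """
    genuine_installer = b"MZ" + b"\x00" * 512 + b"trade-pro-installer-v1"
    trojanized_installer = genuine_installer + b"\x90" * 16 + b"appended-stub"

    # In real use this value is copied from the vendor's out-of-band publication;
    # here it is derived from the constructed 'genuine' bytes.
    published = hashlib.sha256(genuine_installer).hexdigest()

    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for label, content in (("genuine", genuine_installer),
                               ("trojanized", trojanized_installer)):
            path = os.path.join(tmp, "TradePro-Setup.exe")  # same name on purpose
            with open(path, "wb") as handle:
                handle.write(content)
            results[label] = verify_download(path, published)
    return results


if __name__ == "__main__":
    for label, result in run_demo().items():
        print(f"{label:11s} {result['verdict']}")
```

Two caveats follow directly from the indictment's own description. First, a digest that arrives in the same spear-phishing message as the download link proves nothing, because the sender controls both; the comparison value has to come from somewhere the sender cannot edit. Second, the indictment notes that some applications were clean when downloaded and only later "updated with malicious code", so the same verification (or a check of the vendor's code-signing signature) has to be applied to every update package, not just the initial installer.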

Digital "Bank Robbery" is the New Data Breach for the Crypto Age

The internet was all about the speedy transfer of information. Hacks and cyberattacks meant stolen personal and proprietary information. But with crypto and the ability of the internet to natively store and transfer money, cyberattacks will have even greater direct financial consequences. In the DPRK case those consequences are to the tune of hundreds of millions of dollars.

This hacking team targeted hundreds of cryptocurrency companies and stole millions of dollars in cryptocurrency, including $75 million from a Slovenian cryptocurrency company in December 2017; $24.9 million from an Indonesian cryptocurrency company in September 2018; and $11.8 million from a financial services company in New York in August 2020. The defendants sent spear-phishing communications to employees of the various cryptocurrency companies, including a hyperlink that redirected the employees to download a file containing the malicious application CryptoNeuro Trader. And again, the level of sophistication is evident in the indictment:

At times, the hackers would conceal the malware within seemingly legitimate word processing documents or software applications, including programs related to cryptocurrency trading (i.e., malicious cryptocurrency applications), which the hackers would falsely and fraudulently, and through the omission of material facts, market as being legitimate software applications.

In the world of data breaches, victims are mostly large businesses and governments, the holders of large amounts of PII. However, with crypto and the democratization of finance, anyone with digital assets is going to be targeted by cybercriminals who will continue to use spear phishing and malware to strike victims of all types.

The Fight Is Now on the Digital Battleground

Historically, the plan has been to isolate and neutralize rogue nation states like North Korea. Economic sanctions and solid missile defense have been the go-to policies. But, as Kim Jong Un knows, crypto puts everyone on a digital battlefield where attacks are carried out not with missiles or aircraft carriers but with targeted and highly planned cyber intrusions at the speed of the internet.

The indictment spells out the type of modern financial fraud that could be a calling card for rogue state actors. The hackers maliciously developed and marketed the Marine Chain Token and launched an Initial Coin Offering (ICO) to enable investors to purchase fractional ownership interests in marine shipping vessels, supported by a blockchain, which would allow the DPRK to secretly obtain funds from investors, control interests in marine shipping vessels, and evade U.S. sanctions.

There's A Lot More:

And there is a ton more in this indictment. In fact, it reads like a globe-trotting espionage novel starring a highly trained, wholly unleashed cyber hacking unit. The indictment also charges conduct related to the famous 2014 cyberattack on Sony Pictures in retaliation for “The Interview,” a movie that depicted a fictional assassination of the DPRK’s leader; cyber-enabled heists of $1.2 billion from banks around the world; thefts through ATM cash-out schemes; and aggressive spear-phishing campaigns that targeted employees of United States cleared defense contractors, energy companies, aerospace companies, technology companies, the U.S. Department of State, and the U.S. Department of Defense. The indictment also charges the creation and deployment of the devastating WannaCry 2.0 ransomware.

With great power comes great responsibility. This indictment demonstrates that the same powers that make crypto a force for good in every corner of the world also make it a weapon for modern-day bank robbers, hackers, rogue nation states and the cybercriminals they support. But upon reading this indictment it appears that vigilance and some great police work are a pretty good shield. Also, be careful what you download.

How Can TRM Labs Help?

Cryptocurrency businesses are constantly adjusting to the threats posed by cybercriminals like Lazarus Group and other illicit actors in the emerging crypto economy. TRM Labs (TRM) provides the next generation blockchain analytics software for cryptocurrency transactions to help your business stay safe from malicious actors and meet regulatory obligations. Our mission is to prevent cryptocurrency fraud and build a safer financial system for billions of people.

We help government agencies, cryptocurrency businesses, and financial institutions trace the source and destination of funds in any digital asset, monitor transactions, and create cross-chain profiles for crypto-related entities like exchanges. Our team of world-class data scientists, investigators and anti-money-laundering experts has created the next-generation tool for monitoring the blockchain to prevent malicious activity and keep the cryptocurrency ecosystem safe.
