U.S. Treasury Sanctions North Korean Cyber Intrusion Group Kimsuky

On November 30, 2023, the U.S. Treasury's Office of Foreign Assets Control (OFAC), in conjunction with counterparts in Australia, Japan, and the Republic of Korea, announced sanctions on eight foreign-based agents of North Korea (DPRK) and the cyber espionage group Kimsuky. The sanctions were in response to the DPRK-claimed military reconnaissance satellite launch on November 1, 2023. Kimsuky was designated by South Korea’s Ministry of Foreign Affairs (MoFA) in June 2023 and was included in a joint cybersecurity advisory between the U.S. Department of State, the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) with partners from South Korea’s Ministry of Foreign Affairs, National Police Agency, and National Intelligence Service.

‍What is Kimsuky?

The designations specifically target North Korea's cyber capabilities. Kimsuky, a cyber espionage group that has been active since at least 2012, has focused its intelligence collection efforts on foreign policy and national security issues related to the Korean peninsula, nuclear policy, and sanctions. Kimusky, which, according to the designation, is subordinate to the UN and US designated Reconnaissance General Bureau (RGB), is the DPRK’s primary foreign intelligence service. Kimsuky’s cyber espionage campaigns, according to Treasury, directly support the DPRK’s strategic and nuclear ambitions. 

Kimsuky primarily uses spear-phishing to target individuals employed by government, research centers, think tanks, academic institutions, and news media organizations, including entities in Europe, Japan, Russia, South Korea, and the United States and has been associated with a number of cyber campaigns. 

‍Kimsuky's Use of cryptocurrencies

North Korea was an early adopter of the use of cryptocurrencies for money laundering and, over the last five years, has been attacking the cryptocurrency ecosystem at alarming speed and scale. Therefore much of the recent discussion has been about DPRK crypto theft. For example, TRM has reported that over the past five years, North Korean hackers have stolen over USD 2 billion in cryptocurrencies in over 30 attacks.

Given the size and scale of North Korea’s hacking activity, at times it is easy to forget that a state as unusual as the DPRK also uses more traditional cyber-enabled espionage techniques. The small amounts of crypto known to be linked to Kimsuky are tied to more operational uses than the hundreds of millions worth of crypto that North Korea’s cybercriminal Lazarus Group moves on-chain. In the graph below, the funds flowing from Kimsuky to the payment processor were most likely used to support their online espionage campaigns. That might include the purchase of VPN services or domain registrations. 

While Kimsuky’s use of cryptocurrency is relatively small and used primarily to fund its cyber and espionage operations, it is all part of the larger North Korea cyber and illicit finance strategy that has involved malware attacks, hacks of central bank infrastructure, and the theft of billions from the crypto ecosystem. The actions by OFAC and Korea’s MoFA are another step toward mitigating the risk from North Korea’s cybercriminal groups.