North Korea hackers stole $659 million in cryptocurrency

US and South Korea joint statement outlines ‘significant threat’ to global blockchain companies


North Korean state-backed hackers stole millions in crypto assets in multiple heists. These heists were part of a wider program of malign activity financing the North Korean regime.

The US and South Korean governments have issued a joint statement accusing North Korean state-backed hacking groups of stealing over $659 million in cryptocurrency across multiple heists. The statement also cautions that these groups, affiliated with the Democratic People’s Republic of Korea (DPRK), remain a significant threat to blockchain companies worldwide.

The joint statement said: "As recently as September 2024, the United States government observed aggressive targeting of the cryptocurrency industry by the DPRK with well-disguised social engineering attacks that ultimately deploy malware, such as TraderTraitor, AppleJeus and others. The Republic of Korea and Japan have observed similar trends and tactics used by the DPRK."

The statement also highlighted the broader implications of these cyberattacks. "The DPRK's cyber programme threatens our three countries and the broader international community and, in particular, poses a significant threat to the integrity and stability of the international financial system," it said.

North Korea’s involvement in the July 2024 attack on India’s largest Bitcoin exchange, WazirX, which led to losses of $235 million, was also confirmed in the statement. Other major breaches attributed to DPRK-linked hackers include last year’s attacks on DMM Bitcoin ($308 million), Upbit ($50 million), Rain Management ($16.13 million), and Radiant Capital ($50 million).

Exploiting remote IT work

Beyond cryptocurrency heists, DPRK’s tactics include infiltrating private companies under the guise of remote IT workers. United States, South Korean, and Japanese agencies have repeatedly warned about North Koreans posing as US-based IT professionals by leveraging laptop farms in the United States to access corporate networks.

North Korean IT operatives, who label themselves ‘IT warriors’, have been trained to conceal their true identities to secure employment in companies globally. Some, like the individual recently employed by cybersecurity firm KnowBe4 as a Principal Software Engineer, managed to pass extensive hiring processes, including background checks, reference verifications, and video interviews. Using stolen identities and AI tools, this individual attempted to install malware on company devices shortly after being hired.

In some cases, these operatives have exploited insider access to extort former employers, threatening to release sensitive information unless demands are met.

The US State Department has responded by offering up to $5 million for tips that could disrupt the activities of North Korean front companies, including Yanbian Silverstar and Volasys Silverstar. Over the past six years, these entities have reportedly generated over $88 million through fraudulent remote IT work schemes.

“The United States, Japan and the Republic of Korea advise private sector entities, particularly in blockchain and freelance work industries, to thoroughly review these advisories and announcements to better inform cyber threat mitigation measures and mitigate the risk of inadvertently hiring DPRK IT workers,” the joint statement concluded.