How the North Korea Hacker Group ‘APT43’ Uses Crypto Services to Fund Espionage Operations
North Korea-based hackers are increasingly utilizing cryptocurrencies to facilitate illicit activities. Per the latest study, the hacker group is using it to mine more crypto via cloud services.
Cryptocurrency and the underlying blockchain technology have showcased various applications over the years. One of the unfortunate routes that emerged was a new way to fund espionage operations. Espionage is the act of spying on others for political, military, or economic gain.
Cryptocurrencies offer a level of anonymity and decentralization that traditional forms of funding cannot match. These features make it difficult for governments to track down the source of funds used to finance espionage activities.
How Does Cryptocurrency Play a Role Here?
Unfortunately, hackers have used various crypto services to launder stolen currency. Hackers use crypto services such as exchanges, wallets, and mixing services to obscure the origin of their stolen funds.
Anonymity: Cryptocurrencies like Bitcoin and Ethereum are decentralized. They do not rely on a central authority to verify transactions. This anonymity makes it difficult for governments to track the flow of funds, which is why they have become an attractive option for funding espionage activities. Also, using pseudonyms and encrypted messaging makes it difficult to trace the source of the transactions.
Decentralization: Traditional forms of funding require a bank or other financial institution to process transactions. On the other hand, cryptocurrencies are decentralized. Two parties can directly send and receive funds without a third party verifying the transaction. Decentralization makes it difficult for governments to freeze or seize funds for espionage activities.
Lack of Regulations: Many countries have no clear regulations around cryptocurrencies. This makes it easier for spies to use them to fund their operations. Consequentially, there are no restrictions on how much money is transferred, where the funds are sent, or who uses them.
Other Features to Consider
Difficulty in Tracking: A public ledger called a blockchain records cryptocurrency transactions. The identities of the parties involved are unknown. This makes it difficult for law enforcement agencies to track the source of funds used to finance espionage activities.
Cryptocurrency Mixers: Cryptocurrency mixers are services that allow users to mix their coins with other users’ coins to make it difficult to trace the source of the funds. These services are popular among criminals and spies because they provide an additional layer of anonymity.
Lack of Paper Trail: Cryptocurrency transactions do not leave a paper trail, which makes it difficult for law enforcement agencies to trace the funds back to the source. Traditional forms of funding like wire transfers or checks leave a paper trail that can be followed. Cryptocurrency transactions are more difficult to trace.
Speed and Efficiency: Cryptocurrency transactions are fast and efficient and are completed in minutes. This speed and efficiency make it easier for spies to transfer funds quickly and efficiently without attracting too much attention.
Most Notorious Hackers come from North Korea
North Korean hackers have operated in the crypto sphere for several years now. North Korea is arguably one of the most active state actors in cybercrime. Its hackers have carried out high-profile attacks on cryptocurrency exchanges, wallets, and protocols. One such collective is the infamous Lazarus Group.
The latest report from Google-owned cybersecurity firm Mandiant focused on a North Korean threat group called APT43. This group primarily targets the technology, healthcare, and aerospace industries, financed by cryptocurrencies.
Countries targeted by APT43 Source: Mandiant
Although its main activity is spying on South Korea, Mandiant found that APT43 likely raised funds for the North Korean regime and funded itself through its illicit operations. The group has been successful in those pursuits:
“APT43 steals and launders enough cryptocurrency to buy operational infrastructure in a manner aligned with North Korea’s juche state ideology of self-reliance, therefore reducing fiscal strain on the central government.”
In addition, APT43—known as Kimuski—likely uses hash rental and cloud mining services to wash the stolen cryptocurrency “clean.” To support the infrastructure financially, PayPal, American Express cards, and “Bitcoin likely derived from previous operations”- the payment methods the group used.
Laundering of cryptocurrency via hash rental services as used by APT43 Source: Mandiant
Understanding the Process
Hash rental and cloud mining are legitimate services many people use for cryptocurrency mining. However, hackers can also use these services to launder stolen cryptocurrency.
In this scenario, the hacker first steals a large amount of cryptocurrency from a victim. They then use the stolen cryptocurrency to purchase hashing power from a hash rental or cloud mining service. With the additional hashing power, hackers can mine more cryptocurrency than they could.
Once the mining is complete, the hacker can sell the newly mined cryptocurrency in exchange for clean cryptocurrency not associated with the original theft. By using hash rental and cloud mining services in this way, the hacker can make it difficult for law enforcement to trace the stolen funds.
It is important to note that while hash rental and cloud mining services can be used for illicit activities, they are not illegal. However, individuals and businesses need to secure their cryptocurrency wallets and ensure they are not vulnerable to hacking attempts. Additionally, exchanges and other cryptocurrency businesses should have measures to detect and prevent money laundering activities.
Overall, governments worldwide have become more aware of the potential for illegal activities funded with cryptocurrency. Regulators are taking steps to regulate the industry. As a result, it is becoming increasingly difficult for spies to use cryptocurrency to finance their operations without detection.