
How the North Korean hackers behind WannaCry got away with a stunning crypto-heist

The so-called Lazarus group has used elaborate phishing schemes and cutting-edge money-laundering tools to steal money for Kim Jong-un’s regime.
January 24, 2020
North Korean leader Kim Jong Un inspects fighter combat readiness of Unit 1017 of the Air and Anti-aircraft Force of the Korean People's Army, in an unknown location in North Korea. (Associated Press)

Cyberattacks waged against cryptocurrency exchanges are now common, but the theft of just over $7 million from the Singapore-based exchange DragonEx last March stands out for at least three reasons. 

First, there is the extremely elaborate phishing scheme the attackers used to get in, which involved not only fake websites but also fake crypto-trading bots. Then there’s the slick way they laundered the crypto-cash they stole. Last but not least: they appear to have been working for Kim Jong-un.

The heist, new details of which were recently published by blockchain analytics firm Chainalysis, shows how good today’s digital bank robbers have become. And if this and other reports are correct in fingering North Korean hackers as the perpetrators, it looks to be part of a larger survival strategy by Kim’s regime, which has been cut off from the global financial system by international economic sanctions meant to curtail its nuclear weapons program.

DragonEx was not the first crypto exchange to be victimized by this particular hacker band, which some security analysts call the Lazarus Group. The group has been targeting the industry since at least 2017, as part of a broader campaign focused on financial institutions. In August, a group of independent experts reported to the United Nations that North Korea has generated an estimated $2 billion for its missile program by using “widespread and increasingly sophisticated” cyberattacks to steal from banks and cryptocurrency exchanges. The regime’s use of cryptocurrency to evade sanctions is behind a recent warning from the same group of UN experts not to attend an upcoming blockchain conference in Pyongyang.

The Lazarus Group is widely believed to have been behind several headline-grabbing hacks, including the breach of Sony Pictures in 2014 and the WannaCry ransomware hack in 2017, which affected hundreds of thousands of computers in 150 countries. But it was its theft of $81 million from the central bank of Bangladesh in 2016 that foreshadowed its eventual targeting of crypto exchanges. According to the FBI, the attackers spent more than a year doing reconnaissance before gaining access to the bank’s computer system via an elaborate phishing campaign.

Plagued by lax security, the cryptocurrency ecosystem was “an easy target” for North Korean hackers, who already had experience going after financial institutions, says Priscilla Moriuchi, head of nation-state research at Recorded Future, a cybersecurity company. “They are far more capable than they get credit for, especially on the financial crime side,” Moriuchi says.

To compromise DragonEx, Lazarus created a fake company that advertised an automated cryptocurrency trading bot called Worldbit-bot, says Chainalysis. The invented company had a website, and its made-up employees even had social-media presences. When they pitched a free trial of the trading software to DragonEx employees, someone bit, downloading malware to a computer that held the private keys for the exchange’s wallets.

In research published earlier this month, Kaspersky describes another of the Lazarus Group’s recent schemes, which also apparently targeted cryptocurrency businesses. In this case, the attackers created fake companies and then enticed targets to download malware using the popular messaging app Telegram. 

Breaking in and stealing money isn’t enough, though. They have to cash out. In the past year, the Lazarus Group has completely revamped the way it does this, according to Chainalysis. Last year, it appeared fairly unsophisticated in its money-laundering techniques, typically letting the stolen funds sit for 12 to 18 months before cashing out using an exchange that doesn’t keep track of who its customers are. (Cryptocurrency exchanges in most jurisdictions are required to keep track of their customers’ identities, for exactly this reason.) 

The way the group moved its money after the DragonEx hack last March was apparently much more sophisticated. They used many more intermediary steps, including exchanges and a variety of digital wallets. The coins ended up in a special kind of wallet that uses a Bitcoin-compatible privacy technology called CoinJoin, which combines transactions from multiple users in a way that makes it difficult to tell who sent which payment to which recipient. And the hackers cashed out more quickly: nearly all the funds were moved to “liquidation services” within 60 days, according to Chainalysis.
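To show from the analyst's side why CoinJoin frustrates fund tracing, here is an added example (not Chainalysis's method or code) that applies a common heuristic to simplified transactions: an ordinary payment has one obvious sender, while a CoinJoin shows several inputs feeding a block of identical outputs. All transaction values are constructed, and `Tx`, `is_likely_coinjoin` and `anonymity_set` are hypothetical names.

```python
"""Heuristic CoinJoin detection over simplified transactions.

Added illustration only: the heuristic is a textbook one, not the
approach any particular analytics firm uses. Amounts are in satoshis
and the sample transactions below are constructed, not real."""
from collections import Counter
from dataclasses import dataclass


@dataclass
class Tx:
    inputs: list   # amounts spent, one per input coin
    outputs: list  # amounts created, one per output


def equal_output_groups(tx: Tx) -> Counter:
    """Count how many outputs share each exact value."""
    return Counter(tx.outputs)


def is_likely_coinjoin(tx: Tx, min_participants: int = 3) -> bool:
    """Flag a transaction as a probable CoinJoin.

    Pattern: at least min_participants inputs, and a group of identical
    outputs (the mixed denomination) that is at least that large but no
    larger than the number of inputs (one mixed output per participant).
    """
    if len(tx.inputs) < min_participants:
        return False
    largest = max(equal_output_groups(tx).values(), default=0)
    return min_participants <= largest <= len(tx.inputs)


def anonymity_set(tx: Tx) -> int:
    """How many outputs a mixed output is indistinguishable from by value.

    1 means every output is uniquely identifiable by amount. Caveat for
    analysts: change outputs are NOT covered by this set and can still be
    linked to an input by arithmetic (input minus denomination minus fee).
    """
    return max(equal_output_groups(tx).values(), default=0)


# Constructed samples: a plain payment with change, and a four-party
# CoinJoin paying out 100_000 sat each plus per-participant change.
ORDINARY_TX = Tx(inputs=[150_000], outputs=[100_000, 49_000])
COINJOIN_TX = Tx(inputs=[120_000, 105_000, 130_000, 200_000],
                 outputs=[100_000] * 4 + [19_000, 4_000, 29_000, 99_000])

if __name__ == "__main__":
    for name, tx in (("ordinary", ORDINARY_TX), ("coinjoin", COINJOIN_TX)):
        print(name, is_likely_coinjoin(tx), anonymity_set(tx))
```

Running the block prints `ordinary False 1` and `coinjoin True 4`: the tracing problem is not that the coins vanish, but that four equal outputs are consistent with any sender-to-recipient assignment.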

The North Korean hackers' new and improved methods may say less about their own capabilities than about the money-laundering tools now available in the crypto world. Chainalysis’s head of research, Kim Grauer, says that in 2019 her team noticed a big uptick in “advanced laundering infrastructure that various criminal organizations can kind of just plug into.” In other words, even criminals who aren’t savvy about blockchains may have ready access to sophisticated methods of covering their tracks after they steal your crypto. Either way, as long as exchanges have security holes, groups like Lazarus are going to keep robbing them.
