The Democratic People’s Republic of North Korea (DPRK) remains the most isolated country globally. The DPRK poses a significant threat to the U.S. and its allies because of its authoritarian leadership under Supreme Leader Kim Jong Un and its unchecked nuclear weapons and ballistic missile program. Additionally, the DPRK uses stolen cryptocurrency to fund its weapons programs.
On May 16, 2022, the State Department, U.S. Treasury Department, and Federal Bureau of Investigation warned about hiring North Korean IT workers, who often ask for payment in cryptocurrency.
In a press release from May 6, 2022, the U.S. Treasury Department said that Lazarus Group, a state-sponsored cyber threat group, had conducted the most significant cryptocurrency theft, worth about 620 million dollars. Lazarus hacked Axie Infinity, the biggest play-to-earn cryptocurrency game. The DPRK used Blender.io to process 20 million of the stolen funds, which resulted in the U.S. Treasury placing sanctions on the virtual currency mixer.
In April 2022, U.S. citizen and Ethereum developer Virgil Griffith received a 63-month prison sentence for helping North Korea evade sanctions by providing technical advice on cryptocurrency and blockchain technology at an April 2019 conference in North Korea’s capital, Pyongyang.
For this brief, we analyzed how North Korea targets cryptocurrency exchanges and researched Virgil Griffith’s digital footprint using open-source intelligence (OSINT). We identified a pattern of North Korea’s interest in cryptocurrency since 2017 and some concerning social media activity from Mr. Griffith.
North Korea and Cryptocurrency
- In September 2017, cybersecurity company FireEye, which has since merged with McAfee to form Trellix, reported that state-sponsored DPRK actors targeted South Korean cryptocurrency exchanges from April 2017 to July 2017.
- In November 2017, Vice News published a report about Pyongyang University of Science and Technology, the only foreign-funded university in North Korea, teaching a class on cryptocurrency. Federico Tenga, an Italian national and the co-founder of Chainside, a cryptocurrency company, taught the class.
- In December 2017, the National Intelligence Service, South Korea’s equivalent of the CIA, reported that North Korean hackers stole 7 million dollars in cryptocurrency from the exchange Bithumb.
- In January 2018, North Korea developed malware to mine Monero, the hardest cryptocurrency to trace. As of the writing of this Overwatch brief, one Monero is currently worth $176.63, and there are 18.1 million Monero coins on the cryptocurrency market.
- In April 2018, a tourism company, Koryo Tours, announced that North Korea’s cryptocurrency, Koryo, would be available for tourism use.
- In October 2018, cybercrime research company Group-IB said that North Korean hacking groups were responsible for 65% of cryptocurrency hacks.
- In March 2019, the UN Security Council published information that North Korea had amassed 670 million dollars of Bitcoin. The UN also said that the DPRK’s cyber-attacks, which include targeting crypto exchanges, resulted in 2 billion dollars for its WMD and ballistic missiles program.
- In April 2019, U.S. citizen Virgil Griffith, a developer for Ethereum (the second most popular cryptocurrency globally), spoke at the Pyongyang Blockchain and Cryptocurrency Conference.
- In March 2020, the U.S. Department of Justice charged two Chinese nationals with laundering 100 million dollars in cryptocurrency for North Korea.
- In February 2021, North Korean military hackers tried to create a fraudulent blockchain and steal 1.3 billion dollars of money and cryptocurrency.
- According to Chainalysis, North Korean hackers stole 400 million dollars in cryptocurrency, primarily Ethereum, in 2021.
Our continued research identified a LinkedIn business page titled Pyongyang Startup Incubator. The incubator describes itself as follows: “Built in the glorious Ryugyong Hotel, the Pyongyang startup incubator is the best incubator in the world for startups of all kinds from AR to VR, crypto mining, hardware devices, etc. Please enquire for more information about our specialties and services or to submit an application to be featured.”
Overwatch analysts note that the page is of interest because the North Korean internet is isolated from the rest of the world. However, it was not confirmed that the page belongs to North Korea.
Further, when we visited the website for the incubator, there was no information about the project, only the Ryugyong Hotel.
In January 2019, Mr. Griffith posted to his Facebook page, “I just put down my deposit for going to North Korea on April 18-25. Anyone want to come with? Total cost is 3300 EUR. American citizens allowed. Japan, South Korea, and Israel citizens not allowed.”
Analysts note that Mr. Griffith asked his Facebook followers/friends to come to North Korea during the country’s Blockchain and Cryptocurrency Conference.
Also, in January 2019, Mr. Griffith tweeted from his now-deleted Twitter account, “Getting people to come with me to North Korea for [The Blockchain and Crypto Conference] has been much harder than I thought.”
Four days following the crypto conference in North Korea, Mr. Griffith wrote on Facebook, “If any of my academic/science/tech friends would like to give some lectures on science/technology at the Pyongyang Sci-Tech Complex (North Korea), do let me know. They have reached out to me for recommendations of new people to invite to their country. The time commitment from you would be between 1-3 weeks.”
When a Facebook friend told Mr. Griffith that North Korea is using Bitcoin for illicit purposes, he replied, “Based on what I saw there, I would roll to disbelieve there is significant Bitcoin activity in DPRK. More likely the Russians compromised the machines and hack from there.”
An American with a Ph.D., who will remain anonymous, responded to Mr. Griffith’s post. The American said, “Sh*t, I’d talk about (topological) quantum computers in NK. That would be amazing. I’d be available in August after I finish my PhD.”
Mr. Griffith posted multiple other times about North Korea on Facebook, once suggesting that the DPRK’s social support systems are “probably more complete than Scandinavia.”
Mr. Griffith also had an active YouTube channel, where he posted multiple videos of Nation and Destiny in June 2019. Nation and Destiny is a lengthy series of North Korean propaganda films produced during the reign of Kim Jong Un’s father, Kim Jong Il.
The DPRK will continue to target cryptocurrency exchanges to circumvent sanctions and fund its weapons of mass destruction (WMD) and ballistic missile program. North Korea’s recent 620-million-dollar cryptocurrency theft shows a significant escalation since its cryptocurrency activity in 2017. The escalation indicates that the state-sponsored Lazarus Group could target an exchange for more than 620 million dollars, directly funding the North Korean state’s illicit activities. We also assess that as North Korea continues to successfully steal cryptocurrency in massive quantities, other rogue states could follow the same illegal business model and use the funding to support their operations.
Mr. Griffith, who pled guilty to helping North Korea evade sanctions, has social media activity indicating that he had no issue teaching North Korea about blockchain technology. Further, his post asking if anyone wants to come to North Korea and offer their expertise suggests that he supports the DPRK at some level, despite its rogue state status and hostile relationship with the United States.
North Korea will continue to identify crypto experts in the West and weaponize that data for further cyber-attacks.