How the North Korean hackers behind WannaCry got away with a stunning crypto-heist

The so-called Lazarus group has used elaborate phishing schemes and cutting-edge money-laundering tools to steal money for Kim Jong-un’s regime.

Cyberattacks waged against cryptocurrency exchanges are now common, but the theft of just over $7 million from the Singapore-based exchange DragonEx last March stands out for at least three reasons. 

First, there is the extremely elaborate phishing scheme the attackers used to get in, which involved not only fake websites but also fake crypto-trading bots. Then there’s the slick way they laundered the crypto-cash they stole. Last but not least: they appear to have been working for Kim Jong-un.

The heist, new details of which were recently published by blockchain analytics firm Chainalysis, shows how good today’s digital bank robbers have become. And if this and other reports are correct in fingering North Korean hackers as the perpetrators, it looks to be part of a larger survival strategy by Kim’s regime, which has been cut off from the global financial system by international economic sanctions meant to curtail its nuclear weapons program.

DragonEx was not the first crypto exchange to be victimized by this particular hacker band, which some security analysts call the Lazarus Group. The group has been targeting the industry since at least 2017, as part of a broader campaign focused on financial institutions. In August, a group of independent experts reported to the United Nations that North Korea has generated an estimated $2 billion for its missile program by using “widespread and increasingly sophisticated” cyberattacks to steal from banks and cryptocurrency exchanges. The regime’s use of cryptocurrency to evade sanctions is behind a recent warning from the same group of UN experts not to attend an upcoming blockchain conference in Pyongyang.

The Lazarus Group is widely believed to have been behind several headline-grabbing hacks, including the breach of Sony Pictures in 2014 and the WannaCry ransomware hack in 2017, which affected hundreds of thousands of computers in 150 countries. But it was its theft of $81 million from the central bank of Bangladesh in 2016 that foreshadowed its eventual targeting of crypto exchanges. According to the FBI, the attackers spent more than a year doing reconnaissance before gaining access to the bank’s computer system via an elaborate phishing campaign.

Plagued by lax security, the cryptocurrency ecosystem was “an easy target” for North Korean hackers, who already had experience going after financial institutions, says Priscilla Moriuchi, head of nation-state research at Recorded Future, a cybersecurity company. “They are far more capable than they get credit for, especially on the financial crime side,” Moriuchi says.

To compromise DragonEx, Lazarus created a fake company that advertised an automated cryptocurrency trading bot called Worldbit-bot, says Chainalysis. The invented company had a website, and its made-up employees even had social-media presences. When they pitched a free trial of the trading software to DragonEx employees, someone bit, downloading malware to a computer that held the private keys for the exchange’s wallets.

In research published earlier this month, Kaspersky describes another of the Lazarus Group’s recent schemes, which also apparently targeted cryptocurrency businesses. In this case, the attackers created fake companies and then enticed targets to download malware using the popular messaging app Telegram. 

Breaking in and stealing money isn’t enough, though. They have to cash out. In the past year, the Lazarus Group has completely revamped the way it does this, according to Chainalysis. Last year, it appeared fairly unsophisticated in its money-laundering techniques, typically letting the stolen funds sit for 12 to 18 months before cashing out using an exchange that doesn’t keep track of who its customers are. (Cryptocurrency exchanges in most jurisdictions are required to keep track of their customers’ identities, for exactly this reason.) 

The way the group moved its money after the DragonEx hack last March was apparently much more sophisticated. They used many more intermediary steps, including exchanges and a variety of digital wallets. The coins ended up in a special kind of wallet that uses a Bitcoin-compatible privacy technology called CoinJoin, which combines transactions from multiple users in a way that makes it difficult to tell who sent which payment to which recipient. And the hackers cashed out more quickly: nearly all the funds were moved to “liquidation services” within 60 days, according to Chainalysis.

The North Korean hackers’ new and improved methods may say less about their own capabilities than about the money-laundering tools now available in the crypto world. Chainalysis’s head of research, Kim Grauer, says that in 2019 her team noticed a big uptick in “advanced laundering infrastructure that various criminal organizations can kind of just plug into.” In other words, even criminals who aren’t savvy about blockchains may have ready access to sophisticated methods of covering their tracks after they steal your crypto. Either way, as long as exchanges have security holes, groups like Lazarus are going to keep robbing them.