North Korea Increasingly Dependent on Cyber-Based Theft for Cash

On June 19, the Financial Times reported on signs that North Korea, due to “immense economic pressure from sanctions, increasingly depends on cash from cyber-based theft.”  According to cybersecurity experts, North Korean leader Kim Jong Un’s regime

controls an army of thousands of hackers who bring in hundreds of millions of dollars annually . . . . With North Korea cut off from most trade with the outside world, the cash generated from illicit cyber-based activities is thought to have become a core revenue stream for Pyongyang and has now probably surpassed the value of sales of weapons and military services.

The reported increase in North Korean online crime “also marks the latest example of the Kim regime’s decades-long struggle to bring in cash to the country via unorthodox and illicit means, and follows reported cases of global insurance fraud and the production of counterfeit money and drugs.”  For example, in 2018 the U.S. Department of Justice unsealed charges against “a North Korean citizen, Park Jin Hyok, a member of a conspiracy backed by the North Korean government that carried out numerous computer intrusions.  Those charges alleged that the conspiracy utilized a strain of malware, ‘Brambul,’ which was also used to propagate” the Joanap botnet (i.e., “a global network of numerous infected computers under the control of North Korean hackers that was used to facilitate other malicious cyber activities”).  Subsequently, the Department announced “an extensive effort to map and further disrupt, through victim notifications, the Joanap botnet.”

While the Financial Times cautioned that “[e]stimates vary as to exactly how much money North Korea now makes from any of its illicit activities,” the Department of Justice has alleged that Park and his coconspirators stole $81 million from Bangladesh Bank in 2016 and sought to steal at least $1 billion from financial institutions.  A former U.S. National Security Agency analyst, Priscilla Moriuchi, stated that North Korean operatives “had proved to be ‘persistent, patient and skilled’.”  “There was an impression that these [banking hacking operations] were opportunistic targets.  We can see they are decidedly not . . . .”

In addition, the Financial Times reported that “[a]nalysts stressed it was difficult to pinpoint what happens to the stolen cash, cryptocurrencies or gaming credits. But, one expert said, there were signs stolen cryptocurrencies were quickly laundered through several different exchanges, making them ‘virtually untraceable’.”

Note: The increasing sophistication and persistence of these North Korean-authorized cybertheft operations, coupled with the efforts of sanctioned North Korean banks to use companies to launder funds on behalf of those banks, represent serious compliance challenges for the financial sector.  Cybersecurity and compliance teams in financial firms should take this opportunity, if they have not done so recently, to review the capacity of their cybersecurity and AML programs to address these kinds of threats to their firms, and to seek additional funding if necessary from senior management.
