North Korea regime using and exploiting cryptocurrencies

News by Rene Millman

Malware and crypto mining are being used to prop up the North Korean regime through revenue generation and fraud, according to a report.

The North Korean government has been using malware and cryptocurrency mining software as a means of generating money for the country, according to a new report.

The report, compiled by security researchers at Recorded Future, found that the Kim regime has developed a wholly unique model for using and exploiting the internet, and that its leadership is quick to embrace new services or technologies when useful and to cast them aside when not.

In particular, the Kim regime has cultivated the internet as a potent tool for revenue generation and sanctions circumvention by using (and exploiting) cryptocurrencies, various interbank transfer systems, the "gig economy", online gaming and more.

The report found that North Korean senior leaders exhibit significantly greater operational security today than in early 2017.

"This awareness combined with the increasing global use of large domain hosting and internet infrastructure providers has over time negatively impacted our visibility into the daily internet activities of North Korea’s ruling elite," said the report’s authors.

Researchers discovered an asset-backed cryptocurrency scam called Marine Chain operated by a network of North Korea enablers in Singapore, and at least one other scam coin, called Interstellar, Stellar, HOLD, or HUZU, also possibly tied to North Korea.

The research found that, while prior research had shown North Korean leaders mining both Bitcoin and Monero, albeit at a limited or relatively small scale, between March and August this year the exploitation of cryptocurrencies, asset-backed "altcoins" and the cryptocurrency ecosystem by North Korea has "changed dramatically".

"In June 2018, we began to notice a number of connections and a large amount of data transfer with several nodes that were associated with the altcoin called Interstellar, Stellar, or HOLD coin. HOLD coin is known as an ‘altcoin’, which refers to any cryptocurrency other than Bitcoin including some of the more established and widely utilized coins like Monero, Ethereum, and Litecoin. There are over 1,000 altcoins, and most are variations on the Bitcoin framework," researchers said.

Also discovered was a blockchain scam called Marine Chain Platform. Marine Chain was supposedly an asset-backed cryptocurrency that enabled the tokenisation of maritime vessels for multiple users and owners. Users on other forums pointed out that www[.]marine-chain[.]io was a near mirror image of another site, www[.]shipowner[.]io, according to researchers.

Researchers said that investments made on the platform by victims ended in losses. Marine Chain was hosted on four different IP addresses, which also hosted several other cryptocurrency rackets in 2017 and 2018. One of these IP addresses hosted the fraudulent trading website Binary Tilt.

Two Marine Chain executives were linked to companies in Singapore helping North Korea get around sanctions.

"Broadly, these types of cryptocurrency scams fit the template of low-level financial crime described by defectors that has plagued South Korea for years, and that the international community is just beginning to track," said the report.

"It is a natural step for both a group of actors that has been so embedded in the cryptocurrency world for years and for a network that is being forced to innovate new funding streams to counter the effects of international sanctions."

Ross Rustici, senior director, intelligence services, Cybereason, told SC Media that understanding the full potential of the DPRK in the information age is extraordinarily difficult.

"There is so little that is actually known and the community of 'so-called' experts gets into circular reporting loops that make it seem like there is more information than there actually is confirming tantalizing tidbits of information. Additionally, because the cyber security community in general got the threat from North Korea so wrong for so long, there is currently a lack of healthy scepticism when it comes to attribution of activity," he said.
