“North Korea utilizes virtual asset hacking as a means of funding military programs, including ballistic missile development. There is no country free from virtual asset hacking. South Korea must recognize this and prepare accordingly.”
Andrew Fierman, head of national security intelligence at the blockchain data analysis firm Chainalysis, said this in a written interview with ChosunBiz on the 21st, discussing North Korea’s hacking group Lazarus, which has been identified as the culprit behind the largest virtual asset theft in history, which occurred in February. He said, “South Korea is not a safe zone either.” Lazarus attacked the Dubai-based virtual asset exchange Bybit, stealing approximately $1.46 billion (about 2.7 trillion won) worth of Ethereum.
In 2024, the total amount of hacking damage in the virtual asset industry is expected to reach about $2.2 billion (about 3.134 trillion won). Of this, approximately 61%, or about $1.4 billion (about 1.9944 trillion won), was stolen by Lazarus. Since Chainalysis began tracking in 2016, North Korean operatives have targeted global virtual asset wallets using increasingly diverse and sophisticated methods.
However, the notion that virtual assets and blockchain technology are vulnerable to hacking or primarily used for illegal activities is a misunderstanding. Whenever a new technology gains attention, there have always been forces looking to exploit it. Because of blockchain’s high liquidity and fast transactions, virtual assets have become targets for criminals, but at the same time, the transparency of blockchain makes it possible to identify hacks and trace stolen funds, Fierman explained.
Chainalysis was founded in 2014 and collaborates with regulatory agencies such as the U.S. Department of Justice and the U.S. Commodity Futures Trading Commission (CFTC). The following is a question-and-answer session with Fierman.
─Trends in virtual asset hacking are changing, aren’t they?
“Recently, hackers are changing their primary targets in virtual asset hacking. From 2021 to 2023, decentralized finance platforms were the main attack targets in most quarters. However, there is a trend showing that starting in the second and third quarters of 2024, the primary attack targets are shifting from decentralized finance to centralized exchanges. Notable cases include the DMM Bitcoin hacking incident, which resulted in the theft of $305 million (about 500 billion won), and the WazirX hacking incident, which saw the theft of $234.9 million (about 340 billion won).”
─What kind of virtual assets are hackers targeting?
“Hackers do not target specific virtual assets exclusively. The presence of vulnerabilities to exploit determines the virtual assets they target. Additionally, hackers typically launder funds before cashing them out, so they are not limited to specific virtual assets. They convert unlawfully obtained funds into other virtual assets and launder their funds through mixers and bridges.”
─Numerous hacks have been led by North Korea’s Lazarus, haven’t they?
“North Korea is regarded as the most sophisticated and persistent threat in the current virtual asset ecosystem. During the early rise of virtual assets, it gained notoriety with the Sony Pictures and WannaCry cyberattack incidents and later focused on virtual asset crimes with high revenue potential. Since 2018, North Korea and Lazarus have stolen and laundered more than $200 million (about 290 billion won) in virtual assets annually. In the most significant incident prior to Bybit, they stole $615 million (about 900 billion won) in the Ronin Bridge hacking incident.”
─How are the virtual assets stolen by Lazarus used?
“According to the United Nations, North Korea utilizes virtual asset hacking as a primary means of funding military programs, such as the development of weapons of mass destruction (WMD) and ballistic missiles, to evade international sanctions. Unlike ordinary cybercriminals who operate for personal gain, North Korea's hacking activities are operations supported at the state level, with North Korean cyber units utilizing government resources and strategic objectives to carry out sophisticated large-scale hacking attacks.
The Lazarus group and other North Korean-linked hacking organizations have repeatedly targeted centralized exchanges, decentralized finance protocols, and personal wallets to execute the largest virtual asset thefts in history. The origins of the stolen funds are concealed through a complex money laundering process involving intermediate wallets, decentralized exchanges, mixing services, and cross-chain bridges, making recovery efforts more challenging.”
─How do North Korea-related hackers carry out their attacks?
“North Korea-related hackers are highly skilled and sophisticated in all areas of hacking technology and laundering stolen funds. They infiltrate target organizations using phishing bait, code exploits, malware, and advanced ‘social engineering techniques’ to leak funds to addresses they control.
The social engineering techniques used in hacking operations refer to manipulating or deceiving individuals within the victim organizations to gain unauthorized access to systems. This method is employed repeatedly to gather information, identify system vulnerabilities, and attack protocol flaws. The Bybit hacking incident is a representative example of an attack utilizing such social engineering techniques.”
─How is the stolen virtual asset laundered, and is it traceable?
“After stealing virtual assets, hackers use complex money laundering techniques to conceal their origins. They typically move funds to a number of intermediate wallets, dispersing them into thousands of small transactions for camouflage. They also exchange assets on decentralized exchanges to increase tracing difficulty and use immediate exchange services without customer verification procedures (KYC) to exchange assets, obscuring their sources and destinations in various ways.
However, even after multiple rounds of money laundering, transactions occurring on the blockchain can still be traced. This means that while tracing difficulty may increase, most transactions remain traceable. As of March, Chainalysis is tracking over 90% of the stolen funds. The majority of the stolen funds have been converted to Bitcoin and sent to thousands of addresses.”
─Is it possible to recover stolen virtual assets?
“Recovering and freezing stolen assets is indeed possible. Chainalysis has numerous asset recovery cases in collaboration with several international organizations. In 2022, it successfully seized $30 million (about 4.34 billion won) worth of virtual assets stolen by North Korea-linked hackers in the Axie Infinity hacking case, in cooperation with law enforcement agencies and key stakeholders in the virtual asset industry. More recently, South Korean authorities succeeded in tracking and recovering $1 million (about 1.45 billion won) in stolen funds related to the Harmony Bridge hacking incident.
However, issues such as delays in cross-border law enforcement and the lack of cooperation between the industry and government still remain. Therefore, establishing a real-time data sharing system among virtual asset exchanges, regulatory bodies, and cybersecurity corporations is essential, as well as securing consistency in global regulations.”
─Are there ways for investors and financial authorities to prepare for virtual asset hacking?
“To quickly adapt to changing hacking techniques, cooperation between the public and institutional sectors is essential. In particular, key stakeholders should support the rapid identification and neutralization of malicious activities through data sharing initiatives, real-time security solutions, advanced tracking tools, and customized security training.
Furthermore, best security practices across the industry must evolve rapidly, and both prevention of security incidents and accountability must be taken into consideration simultaneously. Ultimately, it is crucial to strengthen cooperation with law enforcement agencies in each country and provide security teams with the resources and expertise needed for quick responses.”