Crypto klepto North Korea stole $659M over just 5 heists last year

US, Japan, South Korea vow to intensify counter efforts

North Korean blockchain bandits stole more than half a billion dollars in cryptocurrency in 2024 alone, the US, Japan, and South Korea say.

The stolen assets totaled a little more than $659 million across five major incidents, although two of them account for most of that sum.

The DMM Bitcoin crypto exchange was raided for $308 million in May 2024, the biggest haul of the five heists, by a group tracked by law enforcement agencies as TraderTraitor.

To pull it off, the North Korean attackers inverted their usual playbook of seeking employment at Western organizations and instead posed as a recruiter.

In March they approached a staffer at Japanese enterprise crypto wallet company Ginco with a pre-employment test, which turned out to be a malicious Python script. The employee copied it to their personal GitHub page and was subsequently compromised.

In May, TraderTraitor used stolen session cookies to impersonate the Ginco employee and gain access to the company's unencrypted communications system. From there, the group manipulated a legitimate transaction request made by a DMM Bitcoin worker so that the funds were forwarded to North Korean-controlled wallets.

The attack on Indian crypto exchange WazirX also raked in a pretty penny for Kim's crew: $235 million, to be precise.

WazirX was hit in July, just two months after the DMM Bitcoin attack, and according to Arkham data, by September North Korea had laundered most of the stolen assets through the Tornado Cash mixer.

Cyvers Alerts first detected the compromise of the exchange's multi-signature wallet on July 18, estimating that the stolen assets amounted to around 45 percent of the exchange's total reserves. WazirX halted operations the following day and brought in every outside investigator it could.

The exchange's postmortem report found that the attackers had compromised the transaction authorization process at both WazirX and Liminal, the two organizations whose signers approve transactions on the affected wallet.

Four of the wallet's six signatures are required to authorize a transaction: three from WazirX and one from Liminal. The North Korean attackers obtained all four, yet the exchange found no evidence of compromise on its signers' machines.

WazirX said one of two scenarios must be true, and that Liminal's infrastructure was likely breached in either case:

  1. WazirX considers this the more likely explanation: a compromised Liminal sent malicious transactions to the exchange's signers. Its reasoning is that no new connection requests were made to the hardware wallets, that the request came from an address whitelisted by Liminal, and that the expected token names and destination address were shown on the Liminal interface and in email notifications.

  2. All three exchange signers were compromised by malware by unknown means, despite no malware being found. WazirX emphasized that this would still require a breach at Liminal to obtain the fourth signature.
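To make the authorization model in the postmortem concrete, here is an added Python sketch written for this page; it is not WazirX's or Liminal's code. It assumes six signers (five on the WazirX side, one on the Liminal side, since the report describes four required signatures of which three are WazirX's and one is Liminal's), and uses placeholder signer labels, addresses and a JSON-plus-SHA-256 digest in place of any real wallet's transaction hashing. The second check, recomputing the digest from the fields a signer actually reviewed before letting a device sign, is the mitigation scenario 1 points at (the interface showed the expected token and destination, yet something else was approved); the report does not say such a check existed.

```python
import hashlib
import json
from dataclasses import dataclass, asdict

# Constructed signer sets modelling the policy in the postmortem: six
# signers in total, with a valid approval needing three WazirX-side
# signatures plus Liminal's. The signer labels are assumptions.
WAZIRX_SIGNERS = {"wx-signer-1", "wx-signer-2", "wx-signer-3",
                  "wx-signer-4", "wx-signer-5"}
LIMINAL_SIGNERS = {"liminal-signer"}


def policy_satisfied(signers: set[str]) -> bool:
    """Threshold check with an organisational quorum: at least three
    WazirX signers and at least one Liminal signer (four of six)."""
    wx = len(signers & WAZIRX_SIGNERS)
    lim = len(signers & LIMINAL_SIGNERS)
    return wx >= 3 and lim >= 1


@dataclass(frozen=True)
class Tx:
    """Fields a signer is asked to approve. `data` is the raw calldata;
    a plain token transfer leaves it empty."""
    to: str
    token: str
    amount: int
    data: str = ""


def tx_digest(tx: Tx) -> str:
    """Digest over a canonical encoding of *every* field, so a payload
    that carries extra calldata cannot share a digest with the plain
    transfer the interface summarised."""
    canonical = json.dumps(asdict(tx), sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def safe_to_sign(displayed: Tx, digest_to_sign: str) -> bool:
    """What-you-see-is-what-you-sign check: recompute the digest from the
    fields the signer reviewed on the custody interface and refuse to sign
    unless it matches the digest the signing device is about to commit to."""
    return tx_digest(displayed) == digest_to_sign


# Constructed transactions (placeholders, not real addresses): the summary
# the interface displayed, and the payload actually submitted for signing,
# which shows the same summary fields but carries different calldata.
DISPLAYED = Tx(to="0xWazirXHotWallet", token="USDT", amount=1_000_000)
SUBMITTED = Tx(to="0xWazirXHotWallet", token="USDT", amount=1_000_000,
               data="0xdeadbeef")


def demo() -> dict:
    """Run both checks over the constructed data and return the outcomes:
    the signature policy is satisfied by four valid signers, but the
    signing check rejects the payload because its digest does not match
    what the signers were shown."""
    approvals = {"wx-signer-1", "wx-signer-2", "wx-signer-3", "liminal-signer"}
    return {
        "policy_ok": policy_satisfied(approvals),
        "wysiwys_ok": safe_to_sign(DISPLAYED, tx_digest(SUBMITTED)),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the pairing is that a threshold policy only counts signatures; it says nothing about whether the signers approved the transaction they believed they were approving. Any real signing flow would compare against the wallet's own transaction hash rather than this toy digest, but the comparison has to happen on data the signer can independently verify, not on the summary rendered by the same interface that delivered the request.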

The other named incidents affected Upbit, Rain Management, and Radiant Capital.

The three countries raising awareness of North Korea's actions said the schemes being concocted to steal these huge sums are sophisticated and well disguised.

The FBI said in September, around the time it started noticing a significant uptick in North Korea's targeting of the crypto industry: "North Korean social engineering schemes are complex and elaborate, often compromising victims with sophisticated technical acumen. Given the scale and persistence of this malicious activity, even those well versed in cybersecurity practices can be vulnerable to North Korea's determination to compromise networks connected to cryptocurrency assets.

"North Korean malicious cyber actors conducted research on a variety of targets connected to cryptocurrency exchange-traded funds (ETFs) over the last several months. This research included pre-operational preparations suggesting North Korean actors may attempt malicious cyber activities against companies associated with cryptocurrency ETFs or other cryptocurrency-related financial products."

The three said this week they will continue to work together to counter North Korea's attempted attacks, and called for deeper collaboration between the public and private sectors to step up these efforts.

They also once again drew attention to North Korea's ongoing attempts to siphon funds out of enemy economies by securing employment at Western companies, typically in IT roles.

The public communications about these schemes have been coming for a few years now but intensified during 2024. The US government maintains that the money generated from this activity is used to fund North Korea's weapons programs.

High-profile incidents, such as the one involving KnowBe4 in July, alerted the industry that North Korea can even infiltrate major cybersecurity companies.

Kim's spy passed four video interviews after faking a US identity and landed a software engineering job on the vendor's AI team. He wasn't caught until he started loading malware using his company-issued Mac.

Other cases reported by incident responders demonstrated that even after being outed and ousted, North Korean workers demanded six-figure ransoms for data they stole during their undercover work.

The US Department of Justice said last month that in the past six years, these rogue employment schemes have netted North Korea $88 million. ®
