Cyberthefts Help North Korea Offset Revenue Lost to Sanctions

By Christy Lee February 21, 2020

North Korea made up nearly $2 billion of revenue it lost from sanctions by conducting cyberthefts from financial institutions and cryptocurrency exchanges, an expert said.

The government's engagement in illicit cyberoperations such as thefts has been "undercutting the effectiveness of sanctions," said Troy Stangarone, senior director of the Korea Economic Institute.

North Korea lost approximately $1.5 billion to $2 billion annually from 2018 to 2019 because of sanctions, said Stangarone, who estimated the figures by comparing export revenues, mostly from China, before and after major export sanctions were imposed on North Korea in 2016.

Beginning that year, the U.N. Security Council passed several resolutions banning North Korea from exporting commodities, such as coal, textiles and seafood, that became key sources of income supporting its nuclear weapons program.

According to a report released by the U.N. Panel of Experts in August 2019, North Korea generated as much as $2 billion by conducting cyberattacks on banks and cryptocurrency exchanges, offsetting the amount the regime lost from sanctions.

North Korea's state-sponsored hackers conducted online bank and cryptocurrency heists in 17 countries, including Bangladesh, Chile, India, Poland, South Korea and South Africa, according to the U.N. report.

Communications system exploited

The hackers stole money from banks by gaining access to the Society for Worldwide Interbank Financial Telecommunication (SWIFT) system. They exploited the system to execute fraudulent transactions by transferring funds to dummy accounts set up under their control, the U.N. report said.

The report indicated that North Korea also has increasingly turned toward stealing from cryptocurrency exchanges that have less oversight and fewer regulations than the traditional banking sector. Cryptocurrency is a form of money that exists only in digital form and serves as a medium of exchange for financial transactions.

"If sanctions are going to have the type of effects that we hope, there's going to need to be effort made to try and cut off these illicit avenues," Stangarone said.

He said the international community has yet to put in place "firm measures" that would limit North Korea's "ability to exploit things like cryptocurrency."

Stangarone said that although banks have "more robust systems in place to prevent theft, it doesn't mean that they are invulnerable."

On Wednesday, a State Department spokesperson told VOA's Korean service that it is "deeply concerned about the DPRK's malicious cyber activities, which pose a significant threat to the United States and the broader international community."

DPRK stands for North Korea's official name, the Democratic People's Republic of Korea.

Quoting from the 2019 World Threat Assessment published by the Office of the Director of National Intelligence, the spokesperson said, "North Korea continues to use cyber capabilities to steal from financial institutions to generate revenue."

According to a report issued by the Massachusetts-based cybersecurity firm Recorded Future's Insikt Group last week, internet use by North Korean senior leadership to conduct cyberattacks has soared 300% since 2017.

The report, How North Korea Revolutionized the Internet as a Tool for Rogue Regimes, said the regime has grown sophisticated in masking its illicit virtual activities.

"North Korea has developed an internet-based model for circumventing international financial controls and sanctions regimes imposed on it by multinational organizations and the West," the report said.

Insikt Group said North Korea's large-scale cryptocurrency theft took place on South Korean cryptocurrency exchanges.

Inside target network

To conduct online banking theft, the report said, "Attackers likely spent anywhere from nine to 18 months inside a target network conducting further reconnaissance, moving laterally, escalating privileges, studying each organization's specific SWIFT instances and disabling security procedures."

Although North Korea has turned increasingly to cryptocurrency theft because of its less regulated system, Stangarone said, "because the value of cryptocurrency is highly volatile, it is less useful for Pyongyang than its cyberattacks on banks."

In 2016, North Korea made off with $81 million from Bangladesh's central bank by exploiting the bank's SWIFT interbanking system, according to cybersecurity firm Kaspersky Lab, as reported by Reuters.

Baik Sung-won contributed to this report, which originated in VOA's Korean service.
