Chainalysis: What Did North Korean Hackers Do With the Money Stolen From Cryptocurrency Platforms?

Original Title: $2.2 Billion Stolen from Crypto Platforms in 2024, but Hacked Volumes Stagnate Toward Year-End as DPRK Slows Activity Post-July

Original Source: Chainalysis

Original Translation: Tao Zhu, Golden Finance

Cryptocurrency hacks remain a persistent threat, with over $1 billion worth of cryptocurrency stolen in four of the past ten years (2018, 2021, 2022, and 2023). 2024 marks the fifth year to reach this unsettling milestone, highlighting that as cryptocurrency adoption and prices rise, the amount that can be stolen also increases.

In 2024, stolen funds grew by approximately 21.07% year-on-year, reaching $2.2 billion, with the number of individual hacker incidents increasing from 282 in 2023 to 303 in 2024.

Interesting to note is the evolution in the intensity of cryptocurrency hacks around the first half of this year. In our mid-year crime update, we observed that the cumulative value stolen between January 2024 and July 2024 had already reached $15.8 billion, around 84.4% higher than the stolen value in the same period of 2023. As seen in the chart below, by the end of July, the ecosystem was poised to easily surpass 30 billion, akin to 2021 and 2022. However, the upward trend in cryptocurrency theft in 2024 significantly slowed post-July and remained relatively stable thereafter. Later, we will explore the potential geopolitical reasons for this shift.

Regarding the stolen amounts categorized by victim platform type, 2024 also revealed an interesting pattern. In most quarters from 2021 to 2023, decentralized finance (DeFi) platforms were the primary target of cryptocurrency hackers. DeFi platforms may be more vulnerable to attacks as their developers tend to prioritize rapid growth and product launches over implementing security measures, making them a prime target for hackers.

While DeFi still accounted for the largest share of stolen assets in the first quarter of 2024, centralized services were more targeted in the second and third quarters. Some of the most notable centralized service hacks include DMM Bitcoin (May 2024; $305 million) and WazirX (July 2024; $234.9 million).

This shift in focus from DeFi to centralized services highlights the increasing importance of security mechanisms commonly used by hackers, such as private keys. In 2024, private key leaks accounted for the largest proportion of stolen cryptocurrency, reaching 43.8%. For centralized services, ensuring the security of private keys is crucial as they control access to user assets. Given that centralized exchanges manage a large amount of user funds, the impact of private key leaks could be devastating; we only need to look at the $305 million DMM Bitcoin hack, which is one of the largest cryptocurrency vulnerabilities to date, possibly due to poor private key management or lack of sufficient security.

After leaking private keys, malicious actors often launder stolen funds through decentralized exchanges (DEXes), mining services, or mixing services to obfuscate transaction trails and complicate tracking. By 2024, we can see that the money laundering activities of private key hackers are significantly different from hackers exploiting other attack vectors. For example, after stealing private keys, these hackers often turn to bridging and mixing services. For other attack vectors, decentralized exchanges are more commonly used for money laundering activities.

In 2024, North Korean hackers will steal more from cryptocurrency platforms than ever before

North Korean-affiliated hackers are infamous for their sophisticated and ruthless tactics, often using advanced malware, social engineering, and cryptocurrency theft to fund state-sponsored actions and evade international sanctions. U.S. and international officials assess that Pyongyang leverages stolen cryptocurrency to fund its large-scale weapons of mass destruction and ballistic missile programs, posing a threat to international security. By 2023, North Korean-affiliated hackers will have stolen approximately $660.5 million through 20 incidents; by 2024, this figure increases to $1.34 billion across 47 incidents, a 102.88% increase in stolen value. These figures account for 61% of the total amount stolen that year and 20% of the total number of incidents.

Please note that in last year's report, we released information that North Korea stole $1 billion through 20 hacking incidents. After further investigation, we determined that some of the larger hacking incidents previously attributed to North Korea may no longer be relevant, hence reducing the amount to $660.5 million. However, the number of incidents remains the same as we identified additional smaller hacking incidents attributed to North Korea. As we obtain new on-chain and off-chain evidence, our goal is to continuously reassess our evaluation of North Korean-affiliated hacking incidents.

Unfortunately, cryptocurrency attacks from North Korea seem to be becoming more frequent. In the figure below, we examined the average time between DPRK attack successes based on the exploit scale and found that attacks of various scales have all decreased year over year. It is worth noting that in 2024, the frequency of attacks valued between 50 to 100 million USD and over 100 million USD is much higher than in 2023, indicating that North Korea is becoming more proficient and faster in conducting large-scale attacks. This is a sharp contrast to the previous two years, during which its profits per attack often fell below 50 million USD.

When comparing North Korea's activities to all other hacker activities we monitor, it is clear that North Korea has been consistently responsible for the majority of large-scale attacks over the past three years. Interestingly, North Korean hacker attacks have lower amounts, and the density of hacker attacks, especially around the 10,000 USD mark, has been steadily increasing.

Some of these events seem to be linked to North Korean IT professionals who are increasingly penetrating cryptocurrency and Web3 companies, compromising their networks, operations, and integrity. These employees often employ complex Tactics, Techniques, and Procedures (TTP), such as false identities, utilizing third-party recruitment intermediaries, and manipulating remote work opportunities to gain access. In a recent case, the US Department of Justice (DOJ) on Wednesday indicted 14 North Korean nationals acting as remote IT professionals in the US. The group earned over 88 million USD by stealing proprietary information and extorting their employers.

To mitigate these risks, companies should prioritize thorough hiring due diligence—including background checks and identity verification—while maintaining strong private key security to protect critical assets (if applicable).

Although all these trends indicate significant North Korean activity this year, most of its attacks occurred early in the year, with overall hacker activity stalling in the third and fourth quarters, as shown in the earlier graphs.

In late June 2024, Russian President Vladimir Putin and North Korean leader Kim Jong-un will also hold a summit in Pyongyang, signing a joint defense agreement. So far this year, Russia has unfrozen millions of dollars in previously restricted North Korean assets according to UN Security Council sanctions, marking the continued development of the alliance between the two countries. Meanwhile, North Korea has deployed troops to Ukraine, provided ballistic missiles to Russia, and reportedly sought advanced space, missile, and submarine technology from Moscow.

If we compare the average daily losses of DPRK vulnerabilities before and after July 1, 2024, we can see a significant decrease in the stolen value. Specifically, as shown in the graph below, the amount stolen by North Korea decreased by around 53.73% afterward, while the amount stolen by non-North Korea actors increased by about 5%. Therefore, in addition to shifting military resources to the conflict in Ukraine, North Korea, which has significantly strengthened its cooperation with Russia in recent years, may also have altered its cybercriminal activities.

The decrease in North Korea's fund thefts after July 1, 2024, is evident and the timing is quite conspicuous, but it's worth noting that this decrease may not necessarily be related to Putin's visit to Pyongyang. Furthermore, some events occurring in December could alter this pattern by year-end, and attackers often launch attacks during the holiday season.

Case Study: North Korea's Attack on DMM Bitcoin

A prominent example of a 2024 hack related to North Korea involved the Japanese cryptocurrency exchange DMM Bitcoin, which was targeted in a hack resulting in the loss of approximately 4,502.9 bitcoins, valued at $305 million at the time. The attackers exploited vulnerabilities in the infrastructure used by DMM, leading to unauthorized withdrawals. In response, with the support of the parent company, DMM fully reimbursed customer deposits by sourcing equivalent funds.

We were able to analyze the on-chain fund flow post-initial attack. In the initial phase, we observed the attackers moving millions of dollars worth of cryptocurrency from DMM Bitcoin to several intermediary addresses, eventually reaching a Bitcoin CoinJoin mixing server.

After successfully mixing the stolen funds using a Bitcoin CoinJoin mixing service, the attackers transferred a portion of the funds to Huioneguarantee through some bridging services. Huioneguarantee is an online marketplace associated with the Cambodian conglomerate Huione Group, a significant player in the space known to facilitate cybercrime.

DMM Bitcoin has transitioned its assets and client accounts to a subsidiary of the Japanese financial group SBI Group, known as SBI VC Trade, with the transition scheduled for completion by March 2025. Fortunately, emerging tools and predictive technologies are on the rise, as we will explore in the next section, to prepare for preventing such disruptive hacker attacks.

Stopping Hacker Attacks Using Predictive Models

Advanced predictive technologies are transforming cybersecurity by proactively detecting potential risks and threats in real-time to safeguard the digital ecosystem. Let's look at the following example involving the decentralized liquidity provider UwU Lend.

On June 10, 2024, attackers exploited UwU Lend's price oracle system to secure around $20 million. The attackers executed a flash loan attack to manipulate the price of Ethena Staked USDe (sUSDe) on multiple oracles, causing misreporting of the valuation. Consequently, the attackers were able to borrow millions of dollars within seven minutes. Hexagate detected the attack contract and its similar deployments approximately two days before the exploit.

Although the attack contract was accurately real-time detected in the days leading up to the exploit, the connection to the exploited contract did not immediately surface due to its design. Leveraging tools like Hexagate's security oracle, among others, can further utilize this early detection to mitigate the threat. It is worth noting that the initial attack that resulted in an $8.2 million loss occurred just minutes before subsequent attacks, providing another critical signal.

Alerts issued prior to significant on-chain attacks like this have the potential to alter the security posture of industry participants, enabling them to proactively defend against costly hacks rather than react to them.

In the image below, we see the attacker transferring stolen funds through two intermediary addresses before reaching the OFAC-approved Ethereum smart contract mixer Tornado Cash.

However, it is important to note that merely accessing these predictive models does not guarantee preventing a hack, as protocols may not always have the appropriate tools to take action effectively.

Stronger Encryption Security Needed

The increase in cryptocurrency thefts in 2024 underscores the industry's need to address a growingly complex and evolving threat landscape. While the scale of cryptocurrency theft has not yet returned to the levels of 2021 and 2022, the aforementioned resurgence highlights the gaps in existing security measures and the importance of adapting to new exploitation methods. Effective responses to these challenges require crucial collaboration between public and private sectors. Data-sharing initiatives, real-time security solutions, advanced tracking tools, and targeted training can empower stakeholders to swiftly identify and neutralize malicious actors while establishing the resilience needed to protect crypto assets.

Furthermore, as cryptocurrency regulatory frameworks continue to evolve, scrutiny on platform security and customer asset protection may intensify. Industry best practices must keep pace with these changes to ensure prevention and accountability. By strengthening partnerships with law enforcement and providing resources and expertise for rapid response to teams, the cryptocurrency industry can bolster its anti-theft capabilities. These efforts are not only critical for safeguarding individual assets but also essential for fostering long-term trust and stability in the digital ecosystem.

Original Article Link