Since 2017, North Korea has greatly expanded its targeting of the cryptocurrency industry, stealing more than an estimated $3 billion worth of cryptocurrency. Prior to this, the regime had success stealing from financial institutions by hijacking the Society for Worldwide Interbank Financial Telecommunication (SWIFT) network. However, this activity drew heavy attention from international authorities, and financial institutions responded by investing in their cyber defenses. During the cryptocurrency bubble of 2017, when the technology reached the mainstream, North Korean cyber operators shifted their targeting from traditional finance to this new digital financial technology, first targeting the South Korean cryptocurrency market and then significantly expanding their reach globally. North Korean threat actors were accused of stealing an estimated $1.7 billion worth of cryptocurrency in 2022 alone, a sum equivalent to approximately 5% of North Korea’s economy or 45% of its military budget. This amount is also almost 10 times more than the value of North Korea’s exports in 2021, which sat at $182 million, according to the Observatory of Economic Complexity (OEC).
North Korean threat actors’ operations targeting the cryptocurrency industry, and the ways they launder the stolen cryptocurrency, often mirror those of traditional cybercriminal groups that use cryptocurrency mixers, cross-chain swaps, and fiat conversions. However, state support allows North Korean threat actors to expand the scale and scope of their operations to a level not possible for traditional cybercriminal groups, with approximately 44% of stolen cryptocurrency in 2022 traced to North Korean threat actors. Targeting is not limited to cryptocurrency exchanges: individual users, venture capital firms, and alternative technologies and protocols have all been targeted by North Korean threat actors. All of this activity puts anyone operating in the industry at risk of becoming a target of North Korean threat actors and allows the regime to continue operating and funding itself while under international sanctions.