As the digital currency bitcoin traced one of its meteoric ascents, a plum job posting began circulating online: chief financial officer for a rapidly expanding bitcoin financial-services company based in London. Although the company was real, the job had been dreamed up by North Korean hackers, according to Secureworks Inc., a cybersecurity company that discovered a document with the fake job description in November. It was meant to circulate by email among people in the bitcoin world. If someone clicked on it, a prompt would explain that it was created by a later version of Microsoft Word and that the user needed to “enable editing” and “enable content.” Doing so would install a piece of malicious code. While many digitally savvy people would presumably know better, such attacks can pay off if they hit just a few distracted recipients.
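The lure described above works only once the recipient enables content, i.e. lets an embedded VBA macro run. A mail gateway or triage script can flag such attachments before anyone is asked that question. The following Python script is an added illustration, not code from the article or from Secureworks: it inspects an Office Open XML container (the zip structure used by .docx/.docm/.xlsm files) for a `vbaProject.bin` part and for the `application/vnd.ms-office.vbaProject` content type, and builds two constructed sample files (one with a macro part, one without) so it runs offline. The sample documents are stubs that carry only the parts needed for the check; they are not real Word files.

```python
import io
import zipfile

# Content type Office assigns to the binary VBA project part inside an OOXML package.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def find_macro_indicators(doc_bytes: bytes) -> dict:
    """Look inside an OOXML container for evidence of an embedded VBA project.

    Returns a dict with the evidence found. Non-zip input (e.g. a legacy .doc
    OLE file or a plain text file) yields is_ooxml=False and no indicators; a
    separate OLE parser would be needed for the legacy format.
    """
    indicators = {"is_ooxml": False, "vba_parts": [], "content_type_declared": False}
    try:
        with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
            names = zf.namelist()
            indicators["is_ooxml"] = "[Content_Types].xml" in names
            # The macro code itself lives in a part named vbaProject.bin.
            indicators["vba_parts"] = [n for n in names if n.lower().endswith("vbaproject.bin")]
            # Office also declares the part's content type in the package manifest.
            if indicators["is_ooxml"]:
                manifest = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                indicators["content_type_declared"] = VBA_CONTENT_TYPE in manifest
    except zipfile.BadZipFile:
        pass
    return indicators


def has_macros(doc_bytes: bytes) -> bool:
    """True if either indicator is present; either alone is enough to flag a file."""
    ind = find_macro_indicators(doc_bytes)
    return bool(ind["vba_parts"] or ind["content_type_declared"])


def triage_attachments(attachments: list) -> list:
    """Given (filename, bytes) pairs, return the filenames that carry VBA macros."""
    return [name for name, data in attachments if has_macros(data)]


def build_sample(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-like zip for testing (not a genuine Word document)."""
    main_type = (
        "application/vnd.openxmlformats-officedocument.wordprocessingml.document."
        + ("macroEnabled.main+xml" if with_macro else "main+xml")
    )
    overrides = f'<Override PartName="/word/document.xml" ContentType="{main_type}"/>'
    if with_macro:
        overrides += f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
    manifest = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/>'
        f"{overrides}</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", manifest)
        zf.writestr("word/document.xml", "<w:document/>")  # placeholder body
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder VBA project")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed inbox sample: one macro-bearing "job description", one clean file.
    inbox = [
        ("CFO_Job_Description.docm", build_sample(with_macro=True)),
        ("quarterly_notes.docx", build_sample(with_macro=False)),
        ("readme.txt", b"not an office document"),
    ]
    for name in triage_attachments(inbox):
        print(f"FLAG: {name} contains a VBA project; hold for review")
```

The check is deliberately independent of the file extension: a macro part inside an attachment is what matters, regardless of what the name suggests. In a gateway, a flagged file would be quarantined or have its macro part stripped rather than delivered with an "enable content" prompt intact.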
The hackers could have been after any number of things, but they were most likely trying to break into personal or corporate stashes of bitcoin and other so-called cryptocurrencies. For North Korea’s rogue regime, the emergence of bitcoin provides new revenue possibilities to get around increasingly stringent sanctions. Its price has soared from under $1,000 at the end of 2016 to more than $16,000, and it can move quickly and largely anonymously across borders. “It’s a perfect mechanism for North Korean money,” says Joshua Chung, a senior security researcher in Secureworks’ counterthreat unit, which tracks new computer attacks and vulnerabilities.
Secureworks has tracked the document ploy back to the middle of 2016, when researchers began seeing it used to target the energy industry. Pieces of the code used in the bitcoin-job document link it to Lazarus Group, the North Korean team that hacked Sony Pictures Entertainment Inc.’s computer systems in late 2014, stole $81 million from Bangladesh’s central bank in 2016, and set the WannaCry ransomware worm loose on the world in May, according to the researchers. WannaCry locked up users’ computers and demanded payment in bitcoin to free their systems.
North Korean interest in bitcoin goes back to at least 2013, when Secureworks noticed activity from the nation’s extremely limited range of internet addresses conducting research on bitcoin in underground online forums. Chung’s guess is the North Koreans were trying to figure out how bitcoin worked and how to convert cryptocurrency into hard currency. Although the DPRK’s hackers normally cover their tracks by using proxy servers—intermediate hops online that hide where internet traffic originates—the proxies had failed, revealing an address used in previous cyber operations.
The Bangladesh central bank theft shows that North Korea’s hackers could probably steal bitcoin if they got inside a company’s systems, says Rafe Pilling, a senior security researcher at Secureworks based in Edinburgh. “They’ve demonstrated repeatedly that they’re quite effective at turning that initial access into a good understanding of the internal network and figuring out any business process they need to use or abuse to achieve their aim,” he says.
It’s impossible to say how much bitcoin North Korea actually has. It’s also unclear whether the North Koreans have gotten into Western bitcoin companies yet. But someone has: In early December, NiceHash, a marketplace for cloud-based mining of cryptocurrencies based in Slovenia, said hackers breached its systems and emptied its bitcoin wallet of an unspecified amount. The rewards of theft are increasing along with bitcoin’s price. In theory, stolen bitcoin should be traceable, but there are plenty of ways to launder it, including quickly converting it into other cryptocurrencies such as monero (the fate of the WannaCry earnings) or using bitcoin “tumblers,” which perform millions of transactions of random sizes to obscure where each bitcoin started and where it ended up.
South Korea, which tends to be the North’s testing ground for hacking, also has one of the world’s most vibrant cryptocurrency markets. The North’s hackers have already compromised several bitcoin exchanges there and, in at least one case, successfully nabbed funds, says Luke McNamara of FireEye Inc. McNamara calls the North Koreans “among the more entrepreneurial” hackers he tracks, and they’re not limiting themselves to trying to steal bitcoin. They may also be mining it—that is, doing the computational work that verifies transactions, which the system rewards with new bitcoins.
Earlier this year, the cybersecurity company Recorded Future Inc. got a cache of data from internet usage in North Korea for the first half of the year. The data showed no bitcoin-related activity until May 17, when it exploded in what Priscilla Moriuchi, the company’s director of strategic threat development and previously a cyberthreat manager at the U.S. National Security Agency, realized was mining. The data also showed the trails of users—presumably some of the few members of Pyongyang’s political and military elite with permission to access the internet—making purchases using bitcoin.
The start date of the mining is particularly interesting because it overlaps with the WannaCry infections—the bulk of which happened from May 12 to May 17. By the end of the day on May 17, the three WannaCry bitcoin wallets had received 277 payments totaling slightly more than 45 bitcoins, at the time approximately equivalent to $82,000.
“They may have realized by the 17th that they weren’t going to get a quick return on the WannaCry attacks,” Moriuchi says. “What’s interesting to me is the breadth to which North Korea has embraced cryptocurrency. It appears that the Kim regime is focused on many different methods for exploiting or obtaining cryptocurrency, including mining, outright theft, possible speculation, and ransom payments.” Mining bitcoin takes electricity. So it plays to one of North Korea’s few economic strengths, which is its energy resources, according to Dave Venable, vice president for cybersecurity at managed security provider Masergy. “This is a very easy way for them to effectively export energy, in a way that is probably a lot more profitable and doesn’t involve shipping coal,” he says.
Much of this is theory, built on tiny clues—that’s the way cyberthreat research works. One of the few outsiders with some direct information on bitcoin in North Korea is Federico Tenga, co-founder of a company that focuses on bitcoin management systems for businesses. He spent a week in November in Pyongyang, lecturing on bitcoin technology to university students, who were particularly impressed by photos he showed them of bitcoin mining operations. As for the regime getting around sanctions or anyone in North Korea putting bitcoin technology to practical use, Tenga seems skeptical. “I went there to teach the basics on how the technology works, if they want to put that in practice they still have a very long way to go,” he wrote in an email.