North Korean Hackers Stole $1.34 Billion in Crypto in 2024
North Korean state-sponsored threat actors stole $1.34 billion in cryptocurrency this year, more than half of all the crypto stolen in hacks, according to blockchain analysis firm Chainalysis.
In addition, the frequency and speed of the attacks are accelerating and the hackers are expanding the range of organizations they’re targeting, pulling in as little as $10,000 in some attacks.
“When examining the DPRK’s [Democratic People’s Republic of Korea’s] activity in comparison to all other hacks we measured, it is clear that the DPRK has been consistently responsible over the last three years for most large-size exploits,” Chainalysis researchers wrote in a report this week.
North Korea has long used cyberattacks – including ransomware – espionage, and scams to bypass international sanctions and fund its nuclear weapons and other military programs. U.S. security agencies, including the FBI and National Security Agency (NSA), in July issued a warning about the rogue country’s activities.
Chainalysis last year initially reported that North Korean-supported actors stole $1 billion through 20 hacks, but later revised that down to $660.5 million, noting that some of the larger hacks attributed to them likely had been conducted by other hackers. That said, the number of attacks remained the same after the researchers identified smaller incidents run by the DPRK groups.
Hackers in general stole more than $1 billion worth of crypto in four previous years – 2018 and 2021 to 2023. This year, the total jumped to $2.2 billion, a 21.07% year-over-year increase, with the number of incidents rising from 282 in 2023 to 303 this year.
Centralized Services Become Targets
The researchers wrote that this year, they saw a shift in the types of victims targeted. Decentralized finance (DeFi) platforms in previous years were the primary targets of crypto hacks, likely because they were more vulnerable due to the tendency of developers to prioritize rapid growth of the platforms and bringing their products to market more quickly rather than implementing security measures. This made them targets for hackers.
“Although DeFi still accounted for the largest share of stolen assets in the first quarter of 2024, centralized services were the most targeted in Q2 and Q3,” they wrote. “Some of the most notable centralized service hacks include DMM Bitcoin (May 2024; $305 million) and WazirX (July 2024; $234.9 million). This shift in focus from DeFi to centralized services highlights the increasing importance of securing mechanisms commonly exploited in hacks, such as private keys.”
Compromises of private keys accounted for 43.8% of stolen crypto, the largest share. This highlights the need to secure private keys because they control access to targets’ digital assets, they wrote, adding that “given that centralized exchanges manage substantial amounts of user funds, the impact of a private key compromise can be devastating.”
The researchers pointed to the $305 million DMM Bitcoin hack – one of the largest crypto exploits – which may be attributable to mismanagement of private keys or inadequate security.
The North Korean Angle
A thread running through the crypto hacks seen was the North Korean actors, who ramped up their attacks.
“Unfortunately, it appears that the DPRK’s crypto attacks are becoming more frequent,” Chainalysis researchers wrote. “We examined the average time between successful DPRK attacks depending on the size of the exploit and found that there was a decline [year-to-year] in attacks of all sizes.”
Attacks that brought in between $50 million and $100 million and those of more than $100 million were much more frequent in 2024 than in years past, which they wrote indicates that North Korea “is getting better and faster at massive exploits. This is in stark contrast to the previous two years, during which its exploits more often each yielded profits below $50 million.”
In addition, North Korean hackers over the past three years typically have been responsible for most of the largest exploits, a trend that continued in 2024. However, there also were more attacks tied to the country at lower amounts, including at $10,000 in value.
IT Worker Scams in the Mix
Some of those seem to be related to the growing North Korean IT worker scams, in which state-sponsored hackers posing as legitimate IT workers apply to – and at times are hired by – companies, including those in the Web3 and crypto domains. After they are brought into the companies, they look to steal data or place malware into the IT environments.
In a case last month, U.S. law enforcement agencies seized four websites used by North Korean operatives posing as legitimate U.S.-based technology and software consultancy firms offering contractors and other IT workers to companies.
Most of the North Korean crypto hacks occurred during the first half of the year. Between January and July, they stole $1.58 billion. However, after July 1, the amount of crypto stolen dropped by almost 58%. The drop in activity coincided with a mutual defense pact that North Korean leaders signed with Russia, which included Russia releasing millions of dollars in North Korean assets that had been frozen and North Korea supplying troops and weapons for Russia’s war with Ukraine, though the researchers said they couldn’t make a direct connection.