Why are North Korean hackers so skilled at stealing cryptocurrency?

Bybit Hack: How North Korean Hackers Pulled Off the Biggest Crypto Heist in History

Source: The Economist

Translated by: AIMan @ Jinse Finance

Ben Zhou, the CEO of Dubai-based cryptocurrency exchange Bybit, recalled that February 21 was supposed to be an ordinary day. Before going to bed, he approved a fund transfer between company accounts—a "routine operation" necessary to serve more than 60 million users worldwide. Half an hour later, he received a phone call.

"Ben, we have a problem," his CFO said, his voice trembling. "We may have been hacked… All the Ethereum is gone."

Independent investigators and the FBI quickly pointed to a familiar culprit: North Korea. Hackers from this reclusive nation have become one of the biggest threats to the crypto industry and a vital revenue source for the North Korean regime, helping it evade international sanctions, control its elite, and fund its missile and nuclear weapons programs.

According to cryptocurrency research firm Chainalysis, North Korean hackers stole $661 million in 2023. In 2024, their total haul doubled to $1.34 billion across 47 heists—accounting for more than 60% of all crypto thefts worldwide.

The Bybit hack demonstrated that these hackers are becoming more sophisticated and ambitious. In this single attack, North Korea managed to steal approximately $1.5 billion, making it the largest crypto heist in history.

The Origins of North Korea’s Cyber Forces

North Korea's cyberattacks are the result of decades of effort. The country's first computer science school dates back to the 1980s. The Gulf War helped the regime recognize the strategic importance of cyber technology in modern warfare. Thae Yong-ho, a former high-ranking North Korean diplomat who defected in 2016, revealed that gifted math students are sent to specialized schools and exempted from mandatory rural labor.

Initially, North Korea’s cyber forces were designed for espionage and sabotage, but by the mid-2010s, they had shifted their focus to cybercrime. It is said that Kim Jong-un refers to cyber warfare as the "all-powerful sword."

Crypto Heists and Money Laundering

Stealing cryptocurrencies involves two major steps. The first step is infiltrating the target system—akin to digging an underground tunnel into a bank vault. This can be done through phishing emails that insert malicious code or by posing as recruiters to trick software developers into opening infected files during fake job interviews. Another method involves using fake identities to secure remote IT jobs in foreign companies, which can provide access to critical accounts.

Andrew Fierman from Chainalysis noted, "They are very skilled at exploiting weaknesses through social engineering." In the Bybit case, hackers breached the computer of a developer working for a digital wallet software provider.

Once stolen, the cryptocurrency needs to be laundered. Dirty money is spread across multiple digital wallets, mixed with clean funds, and converted into different cryptocurrencies. This process, known as "mixing" and "chain-hopping" in the crypto industry, makes tracking funds more difficult.

"They are the most sophisticated crypto launderers we’ve ever encountered," said Tom Robinson of blockchain analysis firm Elliptic.

The final step is cashing out. Many underground services—often linked to organized crime—facilitate this process. Law enforcement efforts have created some obstacles, but Nick Carlsen, a former FBI analyst now working at blockchain intelligence firm TRM Labs, estimates that North Korea successfully retains "80% to 90%" of its stolen funds.

Why Is North Korea So Good at Crypto Theft?

North Korea enjoys several advantages. One is talent. This might seem counterintuitive given the country's extreme poverty, where most citizens lack access to the internet or even computers. However, Kim Seung-joo from Korea University in Seoul explained, "North Korea can handpick the best talent and tell them exactly what to do. They don’t have to worry about losing them to Samsung."

At the 2019 International Collegiate Programming Contest, a North Korean university team placed eighth, outperforming teams from Cambridge, Harvard, Oxford, and Stanford.

North Korean hackers also work relentlessly, attacking with remarkable audacity. Jenny Jun of Georgia Tech noted that most state-sponsored cybercriminals try to avoid diplomatic backlash, operating like characters in Ocean’s Eleven: wearing white gloves, sneaking in silently, stealing the crown jewels, and vanishing without a trace.

"North Korea doesn’t care about secrecy—they are not afraid to be loud and bold," Jun explained.

Where Does the Stolen Crypto Go?

For the North Korean regime, stolen cryptocurrency has become a lifeline, especially as international sanctions and the COVID-19 pandemic have further crippled its already limited trade. Compared to traditional hard currency sources, such as overseas laborers or illegal drug sales, crypto theft is a far more efficient way to earn foreign currency.

A 2023 report by the UN Panel of Experts (UNPE) estimated that cyber thefts account for half of North Korea's foreign currency revenue. Last year, North Korea's digital thefts were worth more than three times its total exports to China.

"Everything that takes millions of workers to achieve can be done by just a few dozen people," Carlsen remarked.

The stolen funds help sustain the North Korean regime. Hard currency is used to purchase luxury goods to maintain elite loyalty. More importantly, much of the stolen crypto is believed to fund North Korea’s missile and nuclear weapons programs.

Will There Be More North Korean Crypto Heists?

Cryptocurrency investigators are becoming more adept at tracking stolen funds on the blockchain. Major crypto exchanges and stablecoin issuers frequently collaborate with law enforcement to freeze stolen assets. In 2023, the US, Japan, and South Korea launched a joint initiative to combat North Korean cybercrime. The US has also imposed sanctions on several crypto mixing services used by North Korea.

However, authorities remain one step behind. After the US sanctioned North Korea’s preferred mixers, hackers simply switched to alternative services. Solving this problem requires a multilateral effort between governments and the private sector, but such cooperation is often fragile. Last year, Russia used its veto power at the UN to dismantle the UN’s cybersecurity capacity-building committee. Former US President Donald Trump’s cuts to foreign aid also weakened programs aimed at strengthening cybersecurity in vulnerable nations.

Meanwhile, North Korea is investing more resources into cybercrime. South Korean intelligence estimates that the number of North Korean cybercriminals has grown from 6,800 in 2022 to 8,400 last year.

With the crypto industry expanding into less-regulated markets, North Korea has an increasingly "rich target environment," said Abhishek Sharma of the Observer Research Foundation, an Indian think tank. He noted that last year, North Korea targeted exchanges in India and Indonesia.

North Korea has already begun using AI in its operations. AI tools can make phishing emails more convincing, enable mass production of fraudulent communications in multiple languages, and help remote IT workers infiltrate companies more effectively.

For industry executives like Bybit’s Ben Zhou, bad days like February 21 might become increasingly common.


This article is sourced from Foresight News:

https://foresightnews.pro/article/detail/80720

Respectfully submitted by the AIC Team

March 24, 2025