Russian and North Korean Cyberattack Infrastructure Converge: New Hacking Data Raises National Security Concerns

In the wake of a historic arms meeting between Kim Jong-un and Vladimir Putin, on-chain data reveals disturbing information: Democratic People’s Republic of Korea (DPRK)-linked hacking groups are increasing their use of Russia-based exchanges known to launder illicit crypto assets.

This development comes as independent sanctions monitors are raising alarms about North Korea’s evolving tactics in cyber warfare. A forthcoming United Nations report warns that DPRK is using increasingly sophisticated cyberattacks to fund its nuclear missile programs, with “state-sponsored” hacking groups targeting cryptocurrency and financial exchanges worldwide.

Chainalysis data shows that $21.9 million in cryptocurrency stolen from Harmony Protocol was recently transferred to a Russia-based exchange known for processing illicit transactions. Chainalysis also has evidence that DPRK entities have been using Russian services, including this exchange, for money laundering since 2021. This latest action marks a significant escalation in the partnership between the cyber underworlds of these two nations.

The Chainalysis Reactor graph below shows some of the movement of stolen Harmony funds to the Russian exchange.

Not only does this revelation signify a potent alliance between North Korean and Russian cybercriminal actors, but it also presents challenges for global authorities. Russia’s notoriously uncooperative stance toward international law enforcement efforts makes the prospect of recovering stolen funds sent to Russian exchanges particularly grim. While the mainstream centralized exchanges North Korean hackers have previously relied upon typically cooperate with law enforcement, Russia’s exchanges and law enforcement agencies have a track record of non-compliance, significantly reducing the chance of asset recovery.

What North Korean crypto hacking totals reveal for 2023

While the shift in laundering strategy illuminates new complexities, hacking activities associated with DPRK in general show a paradoxical trend as we approach the end of the third quarter. According to Chainalysis data, the value of stolen cryptocurrency associated with DPRK groups currently exceeds $340.4 million this year, compared to over $1.65 billion in stolen funds reported in 2022.

While North Korea-linked hackers are on pace to steal much less cryptocurrency than they did last year, it’s important to acknowledge that the catastrophically high figures from 2022 created an unusually high bar to surpass.

Activities associated with North Korea-based groups, 2016-present

With the total amount of cryptocurrency stolen estimated at $3.54 billion, DPRK continues to be an incubator for hacking activities and remains one of the largest active threats in the cybercrime landscape. 

Total value of DPRK-linked hacks vs. others, 2016-2023

North Korea-linked groups still account for 29.7% of cryptocurrency stolen via hacks this year, though that is not as high a share as in 2022.

Lessons from 2022: North Korean cyberthreats still loom

Although it may be tempting to view the reduction in the total value of hacked funds as a marker of progress, we must remember that 2022 set a dismally high benchmark. Last year was characterized by a number of high profile hacks, several of which involved the notorious hacker collective Lazarus Group. The most noteworthy of those attacks targeted the Ronin Network, a sidechain created for the popular play-to-earn game Axie Infinity. The impact of the breach was significant, accounting for $600 million of the total funds stolen. The fact that this year’s numbers are down is not necessarily an indicator of improved security or reduced criminal activity – although we do hope that increased code audits are helping.

In reality, we are only one large hack away from crossing the billion-dollar threshold of stolen funds for 2023. Things move quickly online — a major attack could materialize overnight. Both government bodies and organizations must remain vigilant to defend against the rising complexities and stakes of crypto crime.

Combatting blockchain-based crime 

While the cross-border nature of cryptocurrencies can make it easier for actors within rogue nations to collaborate, the blockchain itself offers significant investigative advantages for law enforcement agencies.

Unlike conventional financial systems, which can hide illicit activity behind intricate layers of shell companies and uncooperative banking jurisdictions, blockchain technology is transparent by design. Chainalysis equips authorities with powerful tools to interpret transaction data. This allows them to trace the flow of funds to target and dismantle cybercrime operations from their core.

International efforts are intensifying to shore up cybersecurity and enhance cooperation among nations in countering crypto-related hacks and broader cybercrime. Far from being a black hole of criminality, blockchain can serve as a valuable ally in maintaining the security and integrity of global financial systems.
