A nation must think before it acts.
On September 13, 2019, the United States Department of the Treasury announced a new round of sanctions on the Democratic People’s Republic of Korea, this time specifically targeting three state-sponsored hacking organizations: Bluenoroff, Andariel, and, most infamously, Lazarus Group. Five days later, Vice reported from a blockchain conference held in North Korea that Pyongyang was starting to develop its own cryptocurrency, according to a Spanish national serving as a special delegate for North Korea.
Whatever North Korea’s true capacity and intention to design its own cryptocurrency, the estimate the U.S. Treasury cites assesses that between January 2017 and September 2018, Lazarus Group hacked and stole over half a billion dollars in cryptocurrencies, primarily from Japanese and South Korean exchanges. According to the Associated Press, an unpublished United Nations report estimated that North Korea’s broader hacking program has garnered the cash-strapped regime up to $2 billion to date.
Per the U.S. Treasury’s allegations, the organizations responsible operate like modern-day privateers on the digital seas, attacking both obvious rivals and targets that stand out only by virtue of their vulnerability, like Bangladesh’s central bank. Unlike, say, the Russian Federation, whose cyber antagonism has so bedeviled the United States in recent years, North Korea appears to rely on its stable of hackers as a revenue stream rather than strictly as a means of asymmetric attack on enemies.
North Korea has long been a pariah in the global economic community, with its international trade overwhelmingly dependent on the neighboring People’s Republic of China, according to the Observatory of Economic Complexity (OEC). Given that the North Korean government is an unreliable reporter and that figures are based largely on open-source research, the data is inevitably flawed. Regardless, the OEC estimates that in 2017, $1.58 billion of exports, over 90% of the national total, went to China, the largest categories being coal, coats, and mollusks. This is a ledger that flounders when the regime demands that it finance Kim Jong-un’s nuclear ambitions, even as nearly a quarter of GDP goes to the military.
As a source of income, cryptocurrency exchanges are particularly attractive because, while the blockchains on which most major cryptocurrencies run are exceptionally resistant to tampering and hacking, many commercial exchanges are custodial: they hold customers’ funds in pooled wallets and centralize customer records in a way that looks to certain hard-line crypto fanatics like bulging piñatas of data and cash. Exchanges smooth out many of the user-unfriendly edges of dealing with the blockchain and crypto wallets directly, reducing the logging-on experience to something like email (a username, a password, perhaps a one-time code), a set of credentials that is far easier to phish, reset, or brute-force than the private key of the original bare-bones vision, which never leaves its owner’s hands. Conveniently enough for hackers working for North Korea, the three largest national markets for cryptocurrencies remain the U.S., Japan, and South Korea.
By the same token, crypto is a convenient zone of operation for North Korean hackers, because many exchanges historically lacked any mechanism for tying transactions to identifiable actors, and because the same resistance to tampering that protects a blockchain also rules out reversing a transaction, even one that pays into a wallet operated by Lazarus Group; there is no chargeback. Once tokens have changed hands, passing from one wallet to another, that is usually the end of the matter, especially since North Korea offers no comparable array of internal targets to strike back against. This is the downside of the immutability that blockchains are so effective at enforcing.
Aside from the vulnerability of exchanges, crypto sidesteps traditional international trade barriers, including the inconvertibility of the North Korean won. This gives the regime a means of buying equipment that its feeble reserves cannot otherwise afford. Hacking, too, is a simple means of obtaining foreign currency, certainly easier than selling citizen labor to Russia for a relatively meager $120 million per year.
As much as they provide some legal framework for repercussions, the U.S. Treasury’s sanctions are almost certainly a poor tool for handling groups like Lazarus Group. It is difficult to picture someone approaching a bank teller to deposit a check signed “Lazarus Group.” It is, more broadly, hard to believe that parties currently doing business with North Korea have much interest in abiding by U.S. sanctions. Think China and Russia, the latter of which may have been behind the malware that Lazarus Group used in its hack of Coincheck, which remains the largest exchange hack in the history of crypto. Not only are these parties disincentivized from cooperating with the demands of the U.S. Treasury, but these hacker teams are precisely the organizations best equipped to operate beyond the reach of U.S. compliance.
Times, however, are changing in the world of cryptocurrencies, both in legal standing and in the technology that enables enforcement. In June 2019, the Financial Action Task Force issued new guidance on regulating “virtual asset service providers,” which has shaped the regulation of cryptocurrency exchanges worldwide. The recommendations include requiring exchanges to be licensed or registered in specific jurisdictions, to which they are then legally accountable, and in turn requiring them to keep more detailed information on all of their customers, tying pseudonymous wallet addresses more clearly to specific owners.
Partly due to the historic vulnerability of local exchanges, South Korean regulators have been particularly quick to meet the demands of the FATF as well as the Fair Trade Commission. Many of the most prominent exchanges in the country have taken steps such as delisting privacy coins like Monero and Dash, the tokens into which suspected North Korean hackers would often convert their commandeered coins. Such coins obscure payment details and wallet balances, making them antithetical to current know-your-customer and anti-money-laundering standards, which require exchanges to maintain records tying transactions to identified clients.
Restrictions on exchanges operating within South Korea may make those exchanges less vulnerable, but they don’t by themselves help U.S. allies identify crypto spent by agents of the North Korean government. However, the technology for tracking crypto transactions of all stripes and identifying bad actors has advanced dramatically in recent years. Crypto compliance firms like Chainalysis, CipherTrace, and Elliptic have seen a dramatic rise in funding, yielding more advanced capabilities to follow flows of ill-gotten crypto through chains of transactions. Laundering tricks such as crypto tumblers, which combine tainted and clean coins from many users in a single transaction and pay them back out to fresh addresses, so that the coins appear to have changed hands even though each participant keeps control of its own share, are designed to defeat exactly that tracing. The U.S. Treasury is not necessarily adept at following Bitcoin through such devious measures, but the technology to do just that exists.
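To make the tracing described above concrete, here is an added illustration of one common chain-analysis convention, "haircut" taint propagation, in which every output of a transaction inherits the tainted fraction of the transaction's combined inputs. This is example code written for this page, not software from FPRI, Chainalysis, CipherTrace, or Elliptic, whose heuristics are proprietary. The ledger, the address labels, and the transaction ids are constructed for the example and are not real chain data; fees are ignored. The sample deliberately includes the two cases the paragraph mentions: a self-transfer between an attacker's own addresses, which preserves taint entirely, and a tumbler-style pooling transaction with a clean user, which dilutes it.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample ledger (not real chain data). Amounts are whole coins;
# each transaction spends from input addresses and pays to output addresses.
# Address names and transaction ids are hypothetical labels for readability.
SAMPLE_LEDGER = [
    # Stolen hot-wallet funds land on an attacker-controlled address.
    {"id": "tx1", "inputs": [("exchange_hot", 100.0)],
     "outputs": [("attacker_A", 100.0)]},
    # Self-transfer: the same owner moves coins between its own addresses.
    {"id": "tx2", "inputs": [("attacker_A", 100.0)],
     "outputs": [("attacker_B", 60.0), ("attacker_C", 40.0)]},
    # Tumbler-style pooling: tainted coins are combined with an unrelated
    # user's clean coins and paid out in equal-sized chunks to fresh addresses.
    {"id": "tx3", "inputs": [("attacker_B", 60.0), ("clean_user", 140.0)],
     "outputs": [("mixer_out_1", 100.0), ("mixer_out_2", 100.0)]},
    # One mixer output is cashed out at an exchange that keeps KYC records.
    {"id": "tx4", "inputs": [("mixer_out_1", 100.0)],
     "outputs": [("cashout_exchange", 100.0)]},
]


@dataclass
class TaintReport:
    held: dict = field(default_factory=lambda: defaultdict(float))     # coins on each address
    tainted: dict = field(default_factory=lambda: defaultdict(float))  # seed-derived portion
    trail: list = field(default_factory=list)                          # (tx id, address, tainted coins)

    def fraction(self, addr):
        """Share of an address's current balance that traces back to the seed."""
        return self.tainted[addr] / self.held[addr] if self.held[addr] > 0 else 0.0


def propagate_taint(ledger, seed_addresses, min_coins=1e-9):
    """Haircut taint propagation over a chronologically ordered ledger.

    Addresses in seed_addresses (e.g. the victim's hot wallet) are fully
    tainted; an address that spends coins it was never seen receiving is
    treated as clean external money. Every output of a transaction inherits
    the tainted fraction of that transaction's combined inputs."""
    report = TaintReport()
    for tx in ledger:
        total_in = sum(amt for _, amt in tx["inputs"])
        tainted_in = 0.0
        for addr, amt in tx["inputs"]:
            frac = 1.0 if addr in seed_addresses else report.fraction(addr)
            tainted_in += amt * frac
            # Spending removes the coins and their tainted share from the address.
            report.held[addr] = max(0.0, report.held[addr] - amt)
            report.tainted[addr] = max(0.0, report.tainted[addr] - amt * frac)
        tainted_frac = tainted_in / total_in if total_in > 0 else 0.0
        for addr, amt in tx["outputs"]:
            share = amt * tainted_frac
            report.held[addr] += amt
            report.tainted[addr] += share
            if share > min_coins:
                report.trail.append((tx["id"], addr, share))
    return report


def tainted_destinations(ledger, seed_addresses, min_fraction=0.0):
    """Addresses still holding seed-derived coins, mapped to their tainted
    fraction, filtered by a threshold below which an analyst stops chasing."""
    report = propagate_taint(ledger, seed_addresses)
    return {addr: round(report.fraction(addr), 4)
            for addr in report.held
            if report.held[addr] > 0 and report.fraction(addr) > min_fraction}


if __name__ == "__main__":
    result = propagate_taint(SAMPLE_LEDGER, {"exchange_hot"})
    for tx_id, addr, coins in result.trail:
        print(f"{tx_id}: {coins:6.2f} tainted coins -> {addr}")
    print(tainted_destinations(SAMPLE_LEDGER, {"exchange_hot"}, min_fraction=0.1))
```

Running it shows the two behaviours side by side: the self-transfer in tx2 leaves attacker_C 100% tainted, while the pooling in tx3 marks both mixer outputs, and therefore the exchange cash-out, as only 30% tainted. That 30% figure is the honest limit of this convention: the haircut rule cannot say which of the two equal-sized outputs the attacker actually controls, which is precisely why tumblers work, and why compliance firms layer address clustering and exchange KYC data on top of flow analysis like this rather than relying on it alone.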
While it should be a concern, North Korea’s desire to launch its own cryptocurrency is hardly unique. Central bank digital currencies have become a fashionable topic in government brainstorming. The European Union and Russia are currently exploring such currencies. According to some observers, China is particularly close to actually launching one.
North Korea’s ability to design its as-yet hypothetical cryptocurrency so that it holds any appeal for international exchange seems doubtful. Venezuela, with its Petro token, provides a good case study. El Petro, despite extravagant promotion by the Maduro regime, has failed to act as any real counterweight to either runaway inflation or oppressive sanctions. Nobody trades in it, so it has no value, no matter how firmly the regime tries to peg it to the price of a barrel of oil. An executive order from President Donald Trump in March 2018, barring U.S. persons from dealing in it, proved a crippling blow to the nascent token.
North Korea’s economic weakness may be a strength, at least as long as any Pyongyang coin remains hypothetical. While the North Korean regime is clearly capable of sustaining a powerful offensive force in the cyber world, defense is a different game entirely. Locks are harder to build than to pick. Modern cybersecurity is predicated on the assumption that a breach will eventually happen; it is about limiting the damage in advance, something North Korea has had limited experience with. Part of the challenge of North Korea as an adversary is that its regressive economic layout leaves little to target, a major reason why it is hard to imagine U.S. Treasury sanctions really threatening the lifeblood of Lazarus Group. The regime’s primary fuel is its citizens’ capacity to endure suffering. Establishing a functional, internationally traded cryptocurrency would give North Korea something to lose in the face of much better-funded cyber teams like those in the U.S. government.
That is not to say that U.S. cyber defenses are all they should be. In a darkly comic example, the National Security Agency (NSA) developed EternalBlue, an exploit for a flaw in Windows’ SMB file-sharing service, only to have it leaked to the public by the Shadow Brokers in April 2017 and, a month later, repurposed as the spreading mechanism of the devastating WannaCry ransomware, which the U.S. government attributed to North Korea. But it is neither technical prowess nor funding alone that stands in the way of American cyber supremacy.
On the international stage, U.S. cyber capabilities struggle to keep up because the major players not subject to the U.S. Treasury’s dictates form a massive market that is not only opposed to the U.S. and its sanctions but also adept at dodging them. Russian programmers, for example, have created and disseminated a whole host of exploits, malware, and hacking techniques that, despite the U.S.’s dominance in military firepower, have proven to be a vast game of whack-a-mole for the world’s policeman to contend with. A largely unplugged nation, North Korea sends its hackers to China to learn the trade.
U.S. retaliation relies on old measures: sanctions on traditional economic activity and the often-implausible threat of military force. These levers just don’t work in the cyber realm; instead, they encourage adversaries to collaborate with one another and to create new forms of trade and intrusion.
Without a doubt, the U.S. needs to invest more heavily in cybersecurity and research and must upgrade the systems that store critical information. More controversial is the proposition that the U.S. either needs to start offering more carrots to rival governments for cooperation with the global economic system it spent the last century building, or needs to get comfortable wielding sticks in cyberspace. The NSA cannot keep stockpiling expensive cyberweapons like EternalBlue only for rival hackers to steal them on the cheap and use them to extort businesses out of Bitcoin. These weapons are valuable but largely single-use items: once disclosed, a security patch renders them obsolete, with the caveat that a patch only retires an exploit on the hosts that actually install it, and WannaCry tore through machines two months after Microsoft had already fixed the flaw. In treating cyberweapons like nuclear arsenals, American agencies miss the point that their impacts are economic and that, consequently, sovereign governments are remarkably hesitant to go to war over cyber attacks. The diplomatic consequences are negative, but so are those of sanctions. Given the direction in which rival nations are developing, and given how much harder it is to protect a network over the long term than to breach it, the U.S. needs to start playing offense in the cyber world.