Since at least 2017, threat actors from the Democratic People’s Republic of Korea (DPRK) have targeted the cryptocurrency sector as a way to generate revenue and circumvent sanctions.

In a report shared with The Hacker News, cybersecurity firm Recorded Future stated that “the regime’s ruling elite and its highly trained cadre of computer science professionals have privileged access to new technologies and information, despite movement restrictions, isolation of the general population, and other restrictions on movement within and outside the country.”

“The privileged access to resources, technologies, information, and sometimes international travel for a small set of selected individuals with promise in mathematics and computer science equips them with the necessary skills for conducting cyber attacks against the cryptocurrency industry.”

The disclosure coincides with the U.S. Treasury Department imposing sanctions on Sinbad, a virtual currency mixer that the North Korea-linked Lazarus Group has used to launder illicit funds.

Estimates put the value of crypto assets stolen by the country’s threat actors at $3 billion over the past six years, with more than $1.7 billion stolen in 2022 alone. Most of the looted funds are assessed to be channeled into the hermit kingdom’s ballistic missile and weapons of mass destruction (WMD) programs.

“$1.1 billion of that total was stolen in hacks of DeFi protocols, making North Korea one of the driving forces behind the DeFi hacking trend that intensified in 2022,” Chainalysis noted in February.

In September, a report from the U.S. Department of Homeland Security’s (DHS) Analytic Exchange Program (AEP) highlighted the Lazarus Group’s use of DeFi protocols.


“DeFi exchange platforms allow users to transition between cryptocurrencies without the platform ever taking custody of the customer’s funds in order to facilitate the transition,” the report said. “This allows DPRK cyber actors to determine exactly when to transition stolen cryptocurrency from one type of cryptocurrency to another, enabling attribution to be more difficult to determine or even trace.”

The cryptocurrency sector is one of the primary targets of North Korean state-sponsored threat actors, as evidenced by the numerous campaigns launched in the past few months.

North Korean hackers are known for their mastery of social engineering, which they use to target employees of cryptocurrency exchanges. They lure victims with the promise of lucrative jobs and deliver malware that gives them remote access to the exchange’s network, which they then use to drain the exchange’s assets into wallets controlled by the North Korean government.

Other campaigns have used watering hole attacks, also known as strategic web compromises, to lure users into downloading trojanized cryptocurrency apps and steal their assets. These campaigns have also relied on airdrop scams and rug pulls.

Another notable tactic is the group’s use of mixing services to obscure the money trail and frustrate attribution efforts. These services are typically offered through cryptocurrency exchanges that do not comply with anti-money laundering (AML) rules or lack know-your-customer (KYC) requirements.

“Absent stronger regulations, cybersecurity requirements, and investments in cybersecurity for cryptocurrency firms, we assess that in the near term, North Korea will almost certainly continue to target the cryptocurrency industry due to its past success in mining it as a source of additional revenue to support the regime,” said Recorded Future.


Rhyno delivers a range of activities that combine to fully protect your infrastructure and data from cybercriminals, anywhere and everywhere, 24/7/365.


About Rhyno Cybersecurity Services

Rhyno Cybersecurity is a Canadian-based company focusing on 24/7 Managed Detection and Response, Penetration Testing, Enterprise Cloud, and Cybersecurity Solutions for small and midsize businesses.
