North Korean hackers stole $400M in 2021, mostly ETH: Chainalysis


North Korean hackers hijacked nearly $400 million worth of crypto through cyberattacks in 2021 according to new data from Chainalysis.

The type of stolen crypto has also seen a drastic change according to the January 13 report from the blockchain analytics firm. In 2017, BTC accounted for almost all of the crypto stolen by the DPRK, but it now only accounts for a fifth:

“In 2021, only 20% of stolen funds were Bitcoins, while 22% were either ERC-20 tokens or altcoins. And for the first time ever, Ether accounted for the majority of stolen funds at 58%.”

The report states that attacks in 2021 from North Korea (DPRK) primarily targeted “investment firms and centralized exchanges, and used phishing lures, code exploits, malware, and social engineering. Advanced” to acquire the funds in a malicious way.

The stolen cryptocurrency is believed to be used by the DPRK to evade economic sanctions and to help fund nuclear weapons and ballistic missile programs, according to a UN Security Council report.

The threat the DPRK poses to global crypto platforms has become ubiquitous. Chainalysis now refers to Hermit Kingdom hackers, such as the Lazarus Group, as Advanced Persistent Threats (APTs). These threats have increased over the past three years, following the all-time high of over $500 million worth of stolen crypto in 2018.

Chainalysis reported that the funds were meticulously laundered. The methods range from chain hopping to the “Peel Chain” method and more recently hackers have used a complicated system of swapping and mixing coins.

Related: LCX loses $6.8 million in hot wallet compromise on Ethereum blockchain

Mixers were used on over 65% of stolen funds in 2021, a threefold increase since 2019. A mixer is a software-based privacy system that allows users to hide the source and destination of coins that they send. Decentralized exchanges (DEX) are increasingly preferred by hackers as they are permissionless and have sufficient liquidity for coins to be exchanged at the user’s will.

Chainalysis used the August 19, 2021 hack of in which $91 million in crypto was stolen as an example of how typical DPRK hackers launder funds. They first exchanged ERC-20 coins for Ether (ETH) on decentralized exchanges. Then ETH was sent to a mixer and exchanged for Bitcoin (BTC), which was also mixed. Finally, BTC was sent from the mixer to centralized Asian exchanges as a likely fiat exit ramp.