
North Korean hackers continue to threaten the broader cryptocurrency ecosystem, having stolen an estimated $2 billion of crypto over the past five years.

Blockchain intelligence firm TRM Labs released its latest deep dive into the murky world of cryptocurrency-related hacking, focusing on the exploits of North Korean cybercriminals. According to TRM Labs’ data, North Korea has stolen around $200 million of crypto in 2023, accounting for 20% of all stolen funds this year.

North Korean cyberattacks are estimated to be 10 times larger than attacks by other malicious actors. Hackers from the country have also homed in on the decentralized finance (DeFi) ecosystem, preying on cross-chain bridges that continue to handle a significant volume of cryptocurrency transfers.


Cross-chain hacks, such as the Axie Infinity Ronin Bridge hack, resulted in $650 million of crypto stolen, with North Korean hackers collectively stealing around $800 million in three separate attacks in 2022 alone.

The methods used to carry out these cyberattacks vary and include phishing and supply chain attacks involving compromised private keys and seed phrases.

TRM Labs notes that North Korean hackers have become more industrious with on-chain laundering methods. In the past, cryptocurrency exchanges had been used to cash out stolen cryptocurrency, but this has evolved into highly complex “multi-stage money laundering processes.”

Hackers have evolved their methods in response to aggressive sanctions by the Office of Foreign Assets Control, law enforcement operations and improved blockchain tracing tools. TRM Labs unpacked North Korea’s 2023 Atomic Wallet hack as an example of the obfuscation methods now being used by hackers from the sanctioned state.

Data visualization of the Atomic Wallet hack carried out by North Korean hackers in June 2023. Source: TRM Labs

The incident occurred in June 2023, when hackers targeted noncustodial wallet provider Atomic Wallet and made off with $100 million of cryptocurrency from 4,100 addresses. TRM Labs speculates that a phishing or supply chain attack likely made the exploit possible.

Hackers drained user wallets across the Ethereum, Tron, Bitcoin, XRP, Dogecoin, Stellar and Litecoin blockchains, sending the stolen funds to new wallets.

ERC-20 and TRC-20 tokens were swapped to Ether (ETH) and Tron (TRX) using decentralized exchanges before being laundered with a mix of automated programs, mixers and cross-chain swaps.
