North Korea is raising money for its missile and nuclear programs by conducting cybercrime and syphoning the wages of North Korean computer engineers doing legitimate work overseas, according to a new report by the United Nations Panel of Experts on the DPRK.
Details of the report, which was published on Thursday, were leaked in advance and led North Korea to deny the allegations before they were published.
In the report, the UN Panel of Experts says “DPRK cyber actors, many operating under the direction of the Reconnaissance General Bureau, raise money for the country’s weapons of mass destruction programs, with total proceeds to date estimated at up to $2 billion.”
On Sunday, the North’s “National Coordination Committee of the DPRK for Anti-Money Laundering and Countering the Financing of Terrorism” called that “a sheer lie.”
The report details attacks on the SWIFT inter-bank transfer system and crypto currency exchanges that have been attributed to North Korean hackers, including the attempted theft of $951 million from the account of Bangladesh’s central bank account at the U.S. Federal Reserve. Some of that money was recovered but hundreds of millions of dollars was not.
According to the report, North Korean hackers stationed overseas are launching attacks aimed at netting tens or hundreds of millions of dollars from banks, usually by tricking them into transferring money to accounts under control of the hackers.
Here’s one example from an attack in February this year: “Attempted theft of 14.5M USD from the Bank of Valletta (BOV) on 13 February. Before being reversed, transfers were made to banks located in the U.K., the U.S., Czech Republic, and Hong Kong, China. “phishing” activity using the same digital fingerprint had been detected since October 2018.”
It also listed attacks on crypto currency exchanges, the largest of which was against NiceHash in Slovenia that resulted in over $60 million in crypto currency being stolen.
Crypto currency is proving to be a highly efficient way for the North Korean government to gain and launder money. The report noted on instance in which crypto funds were sent through thousands of accounts in multiple countries to disguise its source before being turned into cash.
In order to obfuscate their activities, attackers use a digital version of layering in which they create thousands of transactions in real time through one-time use cryptocurrency wallets. According to that Member State, stolen funds following one attack in 2018 were transferred through at least 5,000 separate transactions and further routed to multiple countries before eventual conversion to fiat currency, making it highly difficult to track the funds.
And it’s not just hackers sitting at keyboards that are part of the greater money-making scheme, the report said. It relies on a number of people on the ground in different countries around the world.
In one notable example, DPRK cyber actors gained access to the infrastructure managing entire automatic teller machine networks of a Member State for the purposes of installing malware modifying transaction processing in order to force 10,000 cash distributions to individuals working for or on behalf of the DPRK across more than 20 countries in five hours. That operation required large numbers of people on the ground, which suggests extensive coordination with DPRK nationals working abroad and possible cooperation with organized crime.
Some of the money raised is from the same programmers and engineers doing legitimate work through freelancing websites. The report detailed the wage siphoning arrangement that is likely earning the government hundreds of thousands of dollars per month.
“A Member State informed the Panel that the DPRK Munitions Industry Department, an entity designated for its supervisory role in the development of the country’s nuclear and ballistic missile programs, is using its subordinate trading corporations to station abroad information technology workers such as software programmers and developers in order to earn foreign currency.”
The report went on to state that “hundreds” of IT workers in Europe, Asia, Africa and the Middle East are paying a “significant portion” of their monthly $3,000 to $5,000 earnings to the Munitions Industry Department. The government agency in turn uses the money to fund its weapons programs.
“To obscure their nationality and identity, they employ an operational model whereby a local citizen serves as a nominal head of a company that, in fact, is run by Democratic People’s Republic of Korea developers who, in turn, pay the company for their cover. These workers also use foreign websites to obtain freelance work while disguising their identity. Alongside non-malicious information technology work, the DPRK information technology workers conduct illicit work involving the theft of assets such as cryptocurrency in support of Democratic People ’s Republic of Korea cyber actors in the evasion of financial sanctions.”
Government syphoning of foreign wages is not unusual and a 2012 report by the International Network for the Human Rights of North Korean Overseas Labor said the state can grab as much as 90 percent of money earned overseas. If we assume just 300 overseas workers earning $3,000 per month and a 50 percent cut, that’s already $450,000 per month for the state. In reality the government is probably taking a much larger slice and the number of workers is probably higher.
The known trading companies controlled by the Munitions Industry Department and listed in the UN report are:
- Kuryonggang Trading Corporation (???????)
- Ryungseng Trading Corporation (??????)
- Tangun Trading Corporation (??????)
- Hangryon Trading Corporation (??????)
- Ryonbong General Corporation (?????)
- 5 Trading Corporation (5 ????)
- Pugang Trading Corporation (??????)
- Mirae Trading Corporation (??????)
- Ryonhap Trading Corporation (??????)
- Advanced Technology Trading Corporation (????????)
- Jinhung Joint Production Corporation (??????)
- Sobaeksu United Corporation (???????)
- Pihosan Trading Corporation (???????)
- Sinhung IT Trading Corporation (??????????)
- Chonryong Trading General Corporation (???????)
- Taesong Trading Corporation (????????)
- Peace Motors Corporation (???????)
- Taeryonggang Trading Corporation (???????)
The report concludes by making several recommendations including that U.N. member states ensure crypto currency exchanges and businesses are covered by the same obligations that traditional financial companies have to operate under. These include improving online security, sharing information about attempted attacks and monitoring of suspicious transactions and blocking accounts and transactions believed to be associated with sanctioned organizations.