Separating fact from fiction – Cointelegraph Magazine



The Democratic People’s Republic of Korea is widely considered to be a state sponsor of cryptocurrency hacking and theft. While multiple United States presidents have attempted to stifle the growth of North Korean nuclear energy development through a series of economic sanctions, cyber warfare is a new phenomenon that can’t be dealt with in a traditional way. 

Unfortunately for the crypto industry, the DPRK has taken a liking to digital currencies and seems to be successfully escalating its operations around stealing and laundering cryptocurrencies to bypass the crippling economic sanctions that have led to extreme poverty in the pariah state.

Some evidence suggests that Pyongyang has racked up well over two billion U.S. dollars from ransomware attacks, hacks, and even stealing crypto directly from the public through a spectrum of highly sophisticated phishing tricks. Sources explain that the regime employs various tactics to convert the stolen funds into crypto, anonymize it and then cash out through overseas operatives. All this activity has been given a name by the United States authorities — “hidden cobra.”

To achieve all this, not only does the operation need to be backed by the state, but many highly trained and skilled people have to be involved in the process to pull off the heists. So, does the DPRK indeed have the means and capability to engage in cyber warfare on a global scale, even as the country’s leadership openly admits that the country is in a state of economic disrepair?

How much exactly have the hackers stolen?

2020 continues the pattern of multiple updates on how much money the DPRK-backed hackers have allegedly stolen. A United Nations report from 2019 stated that North Korea has snatched around $2 billion from crypto exchanges and banks. 

The most recent estimates seem to indicate that the figure is around the $1.5 to $2.5 billion mark. These figures suggest that, although exact data is hard to come by, the hacking efforts are on the rise and are bringing in more funds each year. Furthermore, multiple reports of new ransomware, elaborate hacks and novel methods only support this data.

Madeleine Kennedy, senior director of communications at crypto forensics firm Chainalysis, told Cointelegraph that the lower estimate is likely understated:

We are confident they have stolen upwards of $1.5B in cryptocurrency. It seems likely that DPRK invests in this activity because these have been highly successful campaigns.

However, Rosa Smothers, senior vice president at cybersecurity firm KnowBe4 and a former CIA technical intelligence officer, told Cointelegraph that despite the recent accusations from the United States Department of Justice that North Korean hackers stole nearly $250 million from two crypto exchanges, the total figure may not be as high, adding: “Given Kim Jong Un’s recent public admission of the country’s dismal economic situation, $1.5B strikes me as an overestimate.”

How do the hacking groups operate?

It’s not very clear how exactly those North Korean hacking groups are organized or where they are based, as none of the reports paint a definitive picture. Most recently, the U.S. Department of Homeland Security stated that a new DPRK-sponsored hacking group, BeagleBoyz, is now active on the international scene. The agency suspects the gang to be a separate but affiliated entity of the infamous Lazarus group, which is rumored to be behind several high-profile cyber attacks. DHS believes that BeagleBoyz has attempted to steal almost $2 billion since 2015, mostly targeting banking infrastructure such as ATMs and the SWIFT system.

According to Ed Parsons, UK managing director of F-Secure, “The ‘BeagleBoyz’ appears to be the U.S. government name for a recent cluster of activity targeting financials in 2019/2020,” adding that it’s unknown if the unit is new or “a new name attached to an initially unattributed campaign that was then later linked to DPRK activity.” He further told Cointelegraph that the malware samples were associated with those under the “hidden cobra” codename, which is a term used by the U.S. government to identify DPRK online activity.

According to the U.S. Cybersecurity & Infrastructure Security Agency, hidden cobra-related activity was first flagged in 2009 and initially aimed to exfiltrate information or disrupt processes. The main attack vectors are “DDoS botnets, keyloggers, remote access tools (RATs), and wiper malware,” targeting older versions of Microsoft’s Windows and Adobe software. Most notably, the hidden cobra actors make use of a DDoS botnet infrastructure known as DeltaCharlie, which is associated with over 600 IP addresses.

John Jefferies, chief financial analyst at CipherTrace, a blockchain forensics company, told Cointelegraph that there are several prominent hacking groups and it’s extremely difficult to differentiate between them. Anastasiya Tikhonova, head of APT Research at Group-IB, a cybersecurity company, echoed the sentiment, saying that regardless of the group name attached, the attack vectors are very similar:

“Initial access to targeted financial organizations is gained using spear phishing — either via emails with a malicious document masquerading as a job offer or via personal message on social media from a person pretending to be a recruiter. Once activated the malicious file downloads the NetLoader.”

Additionally, several experts have outlined JS-sniffers as the latest threat to emerge, most commonly linked to the Lazarus group. JS-sniffers are malicious code designed to steal payment data from small online stores, an attack in which all the parties who engaged in the transaction would have their personal information exposed.

Overall, the hacking groups seem to be perfecting the use of a very specific set of malicious tools that center around phishing, whereby unwitting company employees install the infected software, which then spreads across the enterprise system targeting its core functions. The most notable examples of suspected activity are the 2014 hack of Sony Pictures and the spread of the WannaCry malware in 2017.

According to various sources, most attacks are executed to a high standard, with evidence of lengthy preparations. The latest examples from 2020 include a fake trading bot website built to lure in DragonEX crypto exchange employees, which raked in $7 million in crypto.

In late June, a report warned that the Lazarus Group will seek to launch a COVID-19 specific attack in which the hackers would impersonate government offices in countries that are issuing pandemic-related financial relief to direct unwary email recipients to a malicious website that would siphon financial data and ask for crypto payments. Additionally, crypto industry job seekers also appear to be under threat as according to a recent report, the hackers are using LinkedIn-like emails to send fake job offers containing a malicious MS Word file.

Most notable are the attacks on the crypto exchanges. Although the exact amount stolen from trading platforms is unknown, several reports by cybersecurity firms and various government agencies put the estimated amount at well over a billion dollars. However, the DPRK is only suspected of being behind some of those hacks, with only a handful of cases having been traced back to the regime. The best-known example is the hack of the Japan-based Coincheck exchange, during which $534 million in NEM tokens was stolen.

In late August 2020 a statement from the U.S. Department of Justice outlined the details of an operation to launder stolen funds through crypto, which was traced back to 2019. It is believed that the North Korean-backed hackers initiated the heist with the support of a Chinese money laundering ring. The two Chinese nationals in question used the “peel chain” method to launder $250 million through 280 different digital wallets, in an attempt to cover the origin of the funds.

According to Kennedy, DPRK-linked hacking groups are indeed becoming more sophisticated at hacking and laundering: “Specifically, these cases highlighted their use of ‘chain hopping,’ or trading them into other cryptocurrencies such as stablecoins. They then convert the laundered funds into Bitcoin.” Chain hopping refers to a method where traceable cryptocurrencies are converted into privacy coins such as Monero or Zcash.

Addressing the apparent success of the hackers, Parsons believes that:

The small IP space/access to the internet in the DPRK, as well as its less connected nature to global/online systems, arguably offers it an asymmetric advantage in relation to cyber operations.

Speaking to Cointelegraph, Alejandro Cao de Benos, a special delegate of the Committee for Cultural Relations with Foreign Countries of the DPRK, rejected claims that the country is behind the crypto cyber attacks, stating that it’s a “big propaganda campaign” against the government:

“Usually the DPRK is always portrayed in the media as a backward country without internet access or even electricity. But at the same time they always accuse it of having higher capacity, faster connectivity, better computers and experts than even the best banks or US government agencies. It does not make sense just from a basic logical and technological point of view.”

What’s the size of the alleged cyber force and where are they based?

Another number that various reports and studies fail to agree upon is the size of the cyber force that the North Korean government allegedly backs. Most recently, the U.S. Army report “North Korean Tactics” stated that the figure stands at 6,000 operatives, mainly spread across Belarus, China, India, Malaysia, Russia and several other countries, all united under the leadership of a cyber warfare unit called “Bureau 121.”

Parsons believes that the number was most likely derived from previous estimates obtained from a defector who fled DPRK in 2004, although conceding that: “The figure may also have been generated from internal U.S. intelligence that is not publicly attributable.” Tikhonova agreed that it’s hard to assess the size of the force: “Different reports can give a clue to the regime’s ‘hiring’ strategy,” she said, continuing that: 

“The North Koreans have been allegedly attracting students from universities. In addition, some of the North Korean hackers were recruited while working for IT companies in other countries. For example, Park Jin Hyok, an alleged member of the Lazarus APT wanted by the FBI, worked for the Chosun Expo IT company based in Dalian, China.”

Smothers was more skeptical of the report’s conclusion, however, stating that: “This is consistent with reporting from South Korea’s Defense Ministry who had, just a few years ago, estimated their number at 3,000,” adding that if anyone has such information, it would be South Korea. Addressing the question of how the cyber force is organized and where it’s based, she also agreed that most hackers would be stationed around the world “given the limited bandwidth in North Korea.”

Jefferies also believes that “North Korean hackers are based all around the world — a privilege afforded to very few in the country,” adding that in most cases, hacks attributed to North Korea are not conducted by hackers-for-hire. Tikhonova provided a possible reason behind both assertions, saying:

It is unlikely that they would give someone access to their list of potential targets or their data given the sensitivity of the operations, so those are carried out by North Koreans themselves.

What can be done to stop the hackers?

It seems that, so far, identifying the movement of money and uncovering some of the third parties is the only thing that has been done successfully — at least in public. One report by BAE Systems and SWIFT has even outlined how the funds stolen by the Lazarus Group are processed through East Asian facilitators, eluding the anti-money laundering procedures of some crypto exchanges.

Jefferies believes that more needs to be done in that regard: “Authorities need to enact and enforce crypto anti-money laundering laws and Travel Rule regulation to ensure that suspicious transactions are reported.” He also stressed the importance of authorities ensuring that virtual asset service providers deploy adequate Know Your Customer measures:

“One known tactic used by North Korean-backed professional money launderers was the use of fake IDs to create accounts at multiple exchanges. The exchanges with stronger KYC controls were better able to detect these fraudulent accounts and prevent the abuse of their payment networks.”

According to the information revealed by the U.S. DOJ, those laundering the money target exchanges with weaker KYC requirements. Although no platforms have been named, these are likely smaller exchanges operating solely in the Asian market. There’s also the issue of some authorities being unable to take action when it comes to companies that are not under their jurisdiction, as Smothers points out:

“The global nature of these exchanges, as well as the Chinese OTC (over-the-counter cryptocurrency trading) actors, limits our Justice Department’s ability to take swift action. For instance, the DOJ filed a civil action in March, but the Chinese OTCers pulled all funds out of the target accounts within hours of the DOJ’s filing.”

But what complicates things even further is that, according to a Chainalysis report from 2019, those laundering the funds may take months — if not years — to complete the process. The report’s authors supported the notion that the attacks were for financial benefit, as the stolen crypto could sit idle in wallets for up to 18 months prior to being moved, due to fear of detection.

However, researchers believe that since 2019, the tactics employed by the criminals have changed to accommodate faster withdrawals through the extensive use of cryptocurrency mixers to obscure the source of the funds. Kennedy explained further:

“We can’t speak to the reasons behind their techniques, but we have noticed that these actors often move money around from one hack, then stop to concentrate on moving money around from another hack, and so on. […] Cryptocurrency exchanges were critical in the investigations, and the public and private sectors are working together to address the threats posed by these hackers.”

How serious is the issue?

When discussing DPRK, it’s hard to avoid the topics of human rights violations and the nuclear program that the country reportedly continues to run, despite tightening economic sanctions. 

In that sense, the dynastic government guided by supreme leader Kim Jong Un is seen as a considerable threat to the world, but now it’s not just because of the regime’s nuclear aspirations. Even though cyber attacks in most cases are not directly harmful to human life, these efforts provide a steady stream of income for the state to continue pursuing its ideals and goals.

Perhaps more worrying is that, according to several commentators cited in this article, the hacking groups that seem to be backed by the North Korean regime continue to expand and branch out their operations, since their methods are proving to be exceedingly successful. Jefferies for one believes that: “It’s not a surprise that they would continue to build upon and invest in their cyber capabilities.”



Privacy coins ‘pose less risk of money laundering than other coins’



Privacy coins including Monero, Dash, Grin, and Zcash pose less of a risk of money laundering than other cryptocurrencies, according to a report by a global law firm.

According to a new white paper released by U.S. international law firm Perkins Coie, anti-money laundering (AML) measures taken by regulatory bodies worldwide have been sufficient to address any issues caused by privacy coins, and additional oversight may not be necessary.

The paper cited the coins as fitting within the current financial regulatory structure used by the U.S. Financial Crimes Enforcement Network (FinCEN), the New York Department of Financial Services (NYDFS), Japan’s Financial Services Agency (FSA), the U.K.’s Financial Conduct Authority (FCA), and the Financial Action Task Force (FATF).

“Privacy coins pose lower inherent AML risk than other cryptocurrencies when considering evidence of illicit use in practice,” the white paper stated.

“Not only do privacy coins provide public benefits that substantially outweigh their risks, existing AML regulations properly and sufficiently cover those risks, providing a proven framework for combating money laundering and related crime.”

The report stated that while most transactions made with cryptocurrencies are legitimate, privacy coins can provide benefits that “substantially outweigh” the risks of using them. More than 90% of addresses used on darknet markets were for Bitcoin (BTC), compared to just 0.3% for Dash (DASH), Monero (XMR), and Zcash (ZEC) combined.

“The critical takeaway here is that privacy coins do not pose an inherent AML risk that is uniquely or unmanageably high.”

One of the ways privacy coins stand out from pre-crypto money laundering methods — i.e. cash, card, paper payments — is that they still provide some form of transfer record. More than 90% of money laundering still goes undetected, because non-crypto forms of payment can cross borders without the benefit of a blockchain transaction record.

“Ultimately, absent evidence that existing AML regulations cannot adequately address the risks posed by privacy coins, there is no reason to impose new and overbroad AML requirements that specifically target privacy coins,” the white paper concluded. “Allowing VASPs to support privacy tokens under current, tested AML regulations strikes the appropriate policy balance between preventing money laundering and allowing beneficial, privacy-preserving technology to develop.”



New US Treasury sanctions on Russian hackers aim for Monero



Per its Wednesday additions to its list of sanctioned individuals, the United States Treasury Department is targeting Monero (XMR) addresses.

Russian nationals Dmitriy Karasavidi and Danil Potekhin have become the newest names on the specially designated nationals list. According to the Treasury’s announcement on the subject, the two engineered an elaborate phishing campaign targeting U.S. citizens in 2017 and 2018.

Both parties had a number of cryptocurrency addresses including Bitcoin (BTC) and Ether (ETH), as well as Zcash (ZEC) and Litecoin (LTC). Surprisingly, Karasavidi’s information includes a Monero address: 5be5543ff73456ab9f2d207887e2af87322c651ea1a873c5b25b7ffae456c320.

Given Monero’s famous built-in privacy features, this is a huge step for sanctions. Unfortunately for the Treasury, that XMR “address” is not an address at all, but rather a payment ID. 

Unlike Bitcoin, which allows anyone to view the contents of a wallet and trace any transactions to or from it indefinitely along the blockchain, Monero’s payment IDs hide wallet address data. Below, you can see the historical transactions associated with that payment ID.

[Image: historical transactions associated with that payment ID. Source: Monero Blocks]

Monero has in fact been moving away from payment IDs in favor of the more private subaddresses. At this point, it’s easy not to use payment IDs, even if you happened to be the owner of the wallet behind the above transaction.
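The distinction the article draws between a payment ID and an address can be checked mechanically. The following is an added example, not Cointelegraph's or the Monero project's code: it decodes Monero's block-based base58 and uses the mainnet prefix byte (18 for a standard address, 42 for a subaddress, 19 for an integrated address) to classify an identifier string; the trailing 4-byte Keccak checksum is not verified (assumption: format triage only, no cryptographic validation), and the sample address in the demo is constructed from dummy key bytes.

```python
"""Classify a Monero identifier string by its format (added example)."""
import re

# Monero uses the Bitcoin base58 alphabet but encodes fixed 8-byte blocks.
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
FULL_BLOCK_BYTES = 8
FULL_BLOCK_CHARS = 11
# Encoded length (chars) of a trailing block of n bytes, n = 0..8.
ENCODED_BLOCK_SIZES = [0, 2, 3, 5, 6, 7, 9, 10, 11]

# Mainnet network-prefix bytes (the first decoded byte of an address).
PREFIX_STANDARD = 18
PREFIX_INTEGRATED = 19
PREFIX_SUBADDRESS = 42


def _encode_block(block: bytes, out_len: int) -> str:
    num = int.from_bytes(block, "big")
    digits = []
    while num > 0:
        num, rem = divmod(num, 58)
        digits.append(ALPHABET[rem])
    # Blocks are left-padded with '1' (digit zero) to their fixed width.
    return "".join(reversed(digits)).rjust(out_len, ALPHABET[0])


def _decode_block(chars: str, out_len: int) -> bytes:
    num = 0
    for c in chars:
        num = num * 58 + ALPHABET.index(c)  # ValueError on a bad character
    return num.to_bytes(out_len, "big")     # OverflowError if block too large


def monero_b58_encode(data: bytes) -> str:
    out = []
    for i in range(0, len(data), FULL_BLOCK_BYTES):
        block = data[i:i + FULL_BLOCK_BYTES]
        out.append(_encode_block(block, ENCODED_BLOCK_SIZES[len(block)]))
    return "".join(out)


def monero_b58_decode(text: str) -> bytes:
    out = bytearray()
    for i in range(0, len(text), FULL_BLOCK_CHARS):
        chunk = text[i:i + FULL_BLOCK_CHARS]
        if len(chunk) == FULL_BLOCK_CHARS:
            out += _decode_block(chunk, FULL_BLOCK_BYTES)
        else:
            # A partial trailing block must have one of the known lengths.
            out += _decode_block(chunk, ENCODED_BLOCK_SIZES.index(len(chunk)))
    return bytes(out)


def classify(ident: str) -> str:
    """Return a label for the identifier; checksum is NOT verified here."""
    if re.fullmatch(r"[0-9a-fA-F]{64}", ident):
        return "long payment ID (not an address)"
    if re.fullmatch(r"[0-9a-fA-F]{16}", ident):
        return "short payment ID (not an address)"
    try:
        raw = monero_b58_decode(ident)
    except (ValueError, OverflowError):
        return "unknown"
    # Address = prefix(1) + spend key(32) + view key(32) + checksum(4) = 69 bytes;
    # an integrated address adds an 8-byte payment ID before the checksum.
    if len(raw) == 69 and raw[0] == PREFIX_STANDARD:
        return "standard address"
    if len(raw) == 69 and raw[0] == PREFIX_SUBADDRESS:
        return "subaddress"
    if len(raw) == 77 and raw[0] == PREFIX_INTEGRATED:
        return "integrated address (embeds 8-byte payment ID)"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample: dummy keys and a zero checksum, mainnet prefix 18.
    sample = bytes([PREFIX_STANDARD]) + bytes(range(64)) + b"\x00" * 4
    addr = monero_b58_encode(sample)
    print(addr, "->", classify(addr))  # 95 chars, starts with '4'
```

Run over a sanctions-list entry, the function flags a 64-hex-character value as a payment ID rather than an address, which is exactly the mismatch the article describes.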

Though the Treasury has been updating its crypto capabilities, including last week targeting the crypto wallets of several Russian nationals allegedly involved in election interference and government-sponsored misinformation campaigns, this is the first time sanctions have attempted to single out an XMR address. For the time being, it doesn’t look like they know what they are doing. 

The investigation is the result of a now-familiar collaboration between the Treasury, the Department of Homeland Security and the Department of Justice. A criminal complaint has been opened charging the alleged hackers. Regarding the announcement, Treasury Secretary Steven Mnuchin said:

“The Treasury Department will continue to use our authorities to target cybercriminals and remains committed to the safe and secure use of emerging technologies in the financial sector.”

Crypto analytics firms that contract with the U.S. government, such as CipherTrace, have been busy developing Monero-tracing tools. The Internal Revenue Service announced a bounty for anyone who can “crack” the infamously untraceable token.

How exactly did the Treasury isolate this payment ID? It is likely that they got that information from an exchange. But the question remains: How much further will they get with Monero?

Update Sept. 17: This article has been updated to reflect the fact that the XMR “address” in the Treasury’s announcement is actually a payment ID.



XMR workgroup says IRS should study Monero — not try to break it



The United States Internal Revenue Service has better ways to spend taxpayer dollars than offering bounties to break Monero’s (XMR) privacy, a Monero working group says.

After the IRS announced it is offering up to $625,000 to anyone who can break Monero, a major Monero-focused workgroup expressed its take on the matter.

A spokesperson for Monero Outreach — an independent workgroup focused on XMR awareness and education — told Cointelegraph that the IRS should learn how Monero actually works instead.

Monero Outreach’s representative emphasized that the crypto’s features in fact provide users with a certain level of transparency, stating:

“$625,000 would be better spent by the IRS to hire a few consultants to teach their staff how Monero works and how its features allow users to opt-in to transparency.”

The spokesperson said that Monero is “designed to function just like cash,” highlighting that the U.S. dollar also has a certain amount of privacy:

“The U.S. dollar is used for a majority of the world’s nefarious activities and yet, it is what denominates the IRS’ balance sheet. […] The IRS doesn’t know how much cash you earned unless you report it, but you don’t see them trying to break the U.S. dollar.”

The IRS announced its bounty program to trace transactions on Monero and Bitcoin’s (BTC) Lightning Network in early September 2020. The authority stressed that the program is driven by a lack of investigative resources for tracing transactions involving privacy coins used by illicit actors.

The IRS is not the only institution that wants to break Monero’s privacy. In August, a major cryptocurrency intelligence firm, CipherTrace, reportedly claimed that their crypto tracking tool is capable of tracing Monero transactions. Previously, Russia’s Federal Financial Monitoring Service announced that its new crypto tracking tool will “partially reduce anonymity” of Monero transactions.

While authorities and companies worldwide are apparently racing to crack Monero’s privacy, the coin’s protocol has some built-in transparency features.

According to a Sept. 15 report by American law firm Perkins Coie, Monero enables users and virtual asset service providers, or VASPs, to disclose certain transaction details associated with a given account to a third party. According to the firm, these features are part of the key functionality built into the Monero protocol:

“This enables users and VASPs to disclose certain transaction details associated with a given account to a third party without publicly disclosing that user’s transactional information. In addition, VASPs can require up-front disclosures as part of their registration process and on an ongoing basis to meet their obligations.”

Designed to provide a private and untraceable cryptocurrency, Monero is the top privacy-focused coin by market capitalization at publishing time. According to Monero Outreach, the coin also has the third-highest number of code contributors of all cryptocurrencies, behind only Bitcoin and Ether (ETH). Monero is currently trading at $91.41 with a market cap of $1.6 billion.
