October 28, 2022 | CEEW Monograph

The Evolution of Kim Jong Un’s ‘All-Purpose Sword’

Introduction

For decades, the Kim regime has used weapons tests, border conflicts, and acts of terrorism to gain attention and raise tensions. The regime then demands economic and political benefits in exchange for reducing the tensions it provoked.1 Pyongyang has the potential to add cyberattacks to this repertoire. Kim Jong Un reportedly described cyber warfare in 2012 as North Korea’s “all-purpose sword,” which provides “a capability to strike relentlessly.”2 In the decade since then, Pyongyang has wielded its growing cyber capabilities to reap financial, political, and strategic benefits to prolong the Kim regime’s survival.

Over the past four years, Pyongyang’s financially motivated cybercrime has become more prolific. North Korean cyberattacks increased by 32 percent year over year in 2020, according to South Korea’s National Intelligence Service.3 The blockchain data firm Chainalysis observed a steady increase in attacks on cryptocurrency exchanges between 2019 and 2021.4 This may reflect the regime’s desperation as it faces one of the most challenging economic crises in decades. North Korea has likely stolen “hundreds of millions of dollars, probably to fund government priorities, such as its nuclear and missile programs,”5 the U.S. intelligence community concluded in April 2021. Pyongyang’s hackers steal money directly from international banks and cryptocurrency exchanges, in addition to employing ransomware and cryptocurrency mining tools to generate funds.6

Cybercrime is an integral element of the Kim regime’s hybrid warfare strategy. Accordingly, Pyongyang’s foreign intelligence agency, the Reconnaissance General Bureau, houses its cyber capabilities within Bureau 121,7 which is responsible not only for cybercrime but also for espionage, reconnaissance, and inciting “social chaos by weaponizing enemy network vulnerabilities.”8

Within the North Korean military, the General Staff Department — the armed forces’ senior leadership organ — has developed cyber capabilities to quickly incapacitate the adversary by disabling command, control, and communications systems.9 To compensate for its limited resources and conventional military capabilities, Pyongyang seeks to exploit its adversaries’ weaknesses.10 In that vein, it may launch cyberattacks against critical civilian infrastructure such as banks, public transportation, the electric grid, and telecommunications in South Korea (or the United States). Doing so could spark mass chaos, delay evacuations, and complicate Seoul’s decision making in a wartime scenario.11 Such efforts could require only rudimentary cyber capabilities, such as DDoS attacks, wipers, or ransomware.12

The Kim regime demonstrated this sort of capability in 2013, when North Korean hackers, in the operation known as Dark Seoul, used wiper malware to disable computers at three banks and three media companies in Seoul, inflicting over $800 million in total damage and sowing confusion across South Korea’s financial sector for several days.13 Fortunately, Seoul has reportedly improved its cyber defenses in recent years. The Korea Internet & Security Agency has successfully blocked numerous North Korean spear-phishing attempts.14 However, Seoul’s ability to thwart a major attack has yet to be tested.

FDD’s 2018 study of North Korea’s CEEW strategy concluded that the Kim regime has calibrated its cyber provocations to remain within the gray zone so as not to elicit a military response from South Korea and the United States, focusing instead on financially motivated cybercrime.15 This chapter examines the evolving tactics and motives of Pyongyang’s cybercrime and explores how North Korea’s financially motivated cyberattacks and theft of cryptocurrencies mitigate the effect of sanctions.

The chapter also explores how, as the North Korean economy deteriorates further, the regime may seek to divorce itself conclusively from the U.S.-led international financial order. Currently, North Korea’s illicit funds must often transit formal financial institutions or U.S.-based cryptocurrency exchanges to reach their final destination.16 A robust cryptocurrency marketplace disconnected from the U.S.-led banking system could provide Pyongyang with a long-term solution to this vulnerability.

This chapter concludes with policy recommendations designed not only to bolster the U.S. and allied governments’ cyber defense and deterrence strategies, but also to strengthen financial safeguards against the exploitation of cryptocurrencies by North Korea and other rogue states.

Tactics and Motives of North Korean Cybercrime

FDD’s 2018 study concluded that “the majority of North Korea’s current cyber activity is focused on making — or stealing — money or collecting data for the regime.”17 This holds true today. The primary mission of Pyongyang’s cyber operators is financial gain, Kim Heung-kwang, a North Korean escapee and a former computer science professor at North Korea’s Hamheung Computer Technology University, explained in 2017.18 ClearSky, a UK- and Israel-based cybersecurity company, similarly concluded that a unique characteristic of North Korean hackers is their “dual attack mission” of monetary theft and espionage. Other state-backed cyber actors tend to focus on national security priorities, not financial gain, the researchers noted.19

In addition to requiring funds for its nuclear weapons and ballistic missile programs, North Korea needs cash to offset an ongoing domestic economic crisis. In August 2020, the Kim regime made an unprecedented admission that it failed to achieve the goals of its last five-year plan. Pyongyang blamed sanctions, foreign enemies, COVID-19, natural disasters, and poor policy implementation by lower-level leaders, but the admission was a clear sign of distress.20

It is true that external factors exacerbated the regime’s economic woes. Sanctions are putting pressure on Pyongyang’s finances, and Typhoon Bavi in August 2020 hammered North Korea’s agricultural sector. It is the regime’s response to the COVID-19 pandemic, however, that has been particularly devastating.21 To prevent a viral outbreak inside North Korea, the regime closed its borders and cut itself off from foreign trade. According to the Korea Trade-Investment Promotion Agency in Seoul, North Korea’s trade volume with China dropped by 80.7 percent in 2020.22 This forced several North Korean factories to close because they rely on materials and inputs from China to keep facilities and power plants running. Alexander Matsegora, Russia’s ambassador to North Korea, said that “without imported materials, raw materials and components, many enterprises stopped, and people, accordingly, lost their jobs.”23 As North Korea’s economy continues to deteriorate, cybercrime remains a key source of revenue.

Over the last four years, Pyongyang’s hackers diversified their methods by experimenting with business email compromise (BEC) and card skimming schemes.24 In BEC schemes, hackers steal a company’s financial records and client contact information, then pose as a trusted vendor in email to collect payment for fraudulent invoices.25 In card skimming, or “Magecart,” schemes, hackers inject malicious JavaScript into retail checkout pages that copies customers’ card details as they are typed and sends them to attacker-controlled servers, after which the data is sold on the black market.26 While this tactic is not new in the cybercrime world, North Korea’s first publicly known successful card skimming operation began in May 2019.27

Still, the priority for Pyongyang’s hackers remains banks and cryptocurrency exchanges. The U.S. government reported that between 2015 and 2020, North Korea infiltrated banks and cryptocurrency exchanges in over 30 countries.28 This yielded Pyongyang over $200 million between 2017 and 2019 and an additional $300 million in 2020.29

North Korean hackers have two primary ways of stealing funds from traditional financial institutions. First, they may compromise a bank’s connection to the interbank messaging network run by the Society for Worldwide Interbank Financial Telecommunication, or SWIFT, and use the bank’s own credentials to issue fraudulent transfer orders. North Korean hackers employed this method to steal $81 million from Bangladesh Bank in February 2016.30 The second tactic involves breaching the systems that authorize ATM withdrawals. After gaining control, hackers remotely order select ATMs to dispense cash, which Pyongyang’s accomplices collect.31

To steal from cryptocurrency exchanges, North Korean hackers have launched spear-phishing campaigns against exchange employees. Exchanges are attractive targets because, as FireEye explains, once hackers breach an exchange, “they potentially can move cryptocurrencies out of online wallets, swapping them for other, more anonymous cryptocurrencies or send them directly to other wallets on different exchanges to withdraw them in fiat currencies,” such as dollars or euros.32

Three attacks on cryptocurrency exchanges in North America, Europe, and Asia between 2020 and 2021 yielded $50 million, according to the March 2022 report of the UN Panel of Experts on North Korea.33 Chainalysis, meanwhile, concluded that Pyongyang successfully stole nearly $400 million in cryptocurrency from seven intrusions in 2021.34 In April 2022, the FBI attributed a $620 million cryptocurrency hack to North Korea.35 In that operation, the hackers used stolen signing keys belonging to the bridge’s validators, rather than a flaw in its software, to authorize fraudulent withdrawals from the blockchain bridge (the tool for moving cryptocurrencies between different blockchains).36
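The point about stolen keys is easier to see in code. The block below is an added illustration written for this page, not code from any bridge involved in the incidents above: a bridge-style threshold check that releases funds once enough validators have signed a withdrawal request. The validator names, the assumed 5-of-9 threshold, the request fields and the daily cap in the hardened variant are all assumptions, and HMAC-SHA256 tags keyed with each validator’s secret stand in for the ECDSA or Ed25519 signatures a real bridge would verify. It shows why the check passes identically for a legitimate quorum and for an attacker holding a quorum’s worth of stolen keys, and why a cap that holds unusual withdrawals for review is an independent control.

```python
# Added example: a bridge-style threshold-signature withdrawal check.
# Illustrative code written for this page, not code from any real bridge.
# Validator names, the 5-of-9 threshold, request fields and the daily cap
# are assumptions; HMAC tags stand in for real ECDSA/Ed25519 signatures.
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

# Constructed validator set: name -> signing secret (assumption).
VALIDATOR_KEYS: Dict[str, bytes] = {
    f"validator-{i}": hashlib.sha256(f"demo-secret-{i}".encode()).digest()
    for i in range(9)
}
THRESHOLD = 5  # assumed: 5 of 9 validators must approve a withdrawal


def canonical(request: dict) -> bytes:
    """Deterministic byte encoding so every validator signs identical bytes."""
    return json.dumps(request, sort_keys=True, separators=(",", ":")).encode()


def sign(validator: str, request: dict) -> str:
    """What a validator (or whoever holds its key) does to approve a request."""
    return hmac.new(VALIDATOR_KEYS[validator], canonical(request), hashlib.sha256).hexdigest()


def make_signatures(request: dict, validators: List[str]) -> Dict[str, str]:
    return {v: sign(v, request) for v in validators}


def authorize_withdrawal(request: dict, signatures: Dict[str, str],
                         threshold: int = THRESHOLD) -> bool:
    """Bridge-side check: release funds when at least `threshold` distinct,
    known validators have validly signed this exact request.

    Not checked: whether the keys are held by their rightful operators, or
    whether the withdrawal itself looks unusual. A quorum of stolen keys
    therefore yields an approval indistinguishable from a legitimate one.
    """
    valid = set()
    for validator, sig in signatures.items():
        if validator not in VALIDATOR_KEYS:
            continue  # unknown signer: ignored
        if hmac.compare_digest(sign(validator, request), sig):
            valid.add(validator)
    return len(valid) >= threshold


def authorize_with_cap(request: dict, signatures: Dict[str, str],
                       withdrawn_today: float, daily_cap: float,
                       threshold: int = THRESHOLD) -> Tuple[bool, str]:
    """Hardened variant (an assumed control, not a description of any real
    bridge): a valid quorum is necessary but not sufficient; a withdrawal
    that would breach the daily cap is held for out-of-band review."""
    if not authorize_withdrawal(request, signatures, threshold):
        return False, "quorum not met"
    if withdrawn_today + request["amount"] > daily_cap:
        return False, "exceeds daily cap; hold for manual review"
    return True, "released"


if __name__ == "__main__":
    five = [f"validator-{i}" for i in range(5)]
    legit = {"amount": 1_000.0, "recipient": "wallet-A", "nonce": 1}
    print("legitimate 5-of-9:", authorize_withdrawal(legit, make_signatures(legit, five)))
    # An attacker holding five stolen keys signs a request of their own choosing.
    theft = {"amount": 500_000_000.0, "recipient": "wallet-attacker", "nonce": 2}
    print("stolen keys, same check:", authorize_withdrawal(theft, make_signatures(theft, five)))
    print("with daily cap:", authorize_with_cap(theft, make_signatures(theft, five), 0.0, 1_000_000.0))
```

The signature check itself is sound; what it cannot express is key custody. That is why controls outside the signing path (withdrawal caps, delays on large transfers, and independent operators for each key) matter as much as the threshold.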

The FBI has suggested that North Korean hackers may prefer targeting cryptocurrency exchanges because they provide “relatively fewer complications” compared to traditional banks.37 In the past, banks’ safeguards have tripped up Pyongyang’s operatives. For instance, during the Bangladesh Bank heist, the New York Federal Reserve detected suspicious activity: the address of a recipient bank branch in the Philippines contained the word “Jupiter,” a name it shared with a U.S.-sanctioned oil tanker from Iran. The Fed then flagged the hackers’ remaining payment requests for review and blocked them. Although Bangladesh Bank did lose $81 million, the Fed’s intervention prevented the hackers from executing their planned theft of nearly $1 billion.38

Another drawback of bank heists is they require a “larger network of criminals to help steal and then launder the money,” while cryptocurrency hacks “cut out nearly all the middlemen.”39 Indeed, North Korean hackers require extensive help to steal from ATMs. For example, in 2017, Japan’s National Police Agency reported that up to 260 individuals affiliated with the Japanese yakuza and other international criminal organizations helped Pyongyang’s hackers steal up to $16.6 million from 1,700 ATMs across 17 Japanese prefectures.40 In February 2021, the U.S. Justice Department revealed that North Korea collaborated with a North American criminal network to support ATM schemes targeting Pakistan’s BankIslami and an unnamed Indian bank in 2018.41

While North Korea does not need as many accomplices to move its cryptocurrency revenues, hackers must still rely on money launderers to convert virtual currency into fiat currency. For example, in March 2020, the Justice and Treasury departments respectively indicted and sanctioned two Chinese currency traders, Tian Yinyin and Li Jiadong, for helping North Korean hackers convert over $100 million in stolen cryptocurrency into fiat currency through Chinese banks via several hundred small transactions.42 To eliminate these middlemen, North Korea would likely need to rely on emerging crypto-based payment and transaction systems.
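The laundering pattern just described, a large sum broken into several hundred small conversions, is the kind of structuring a bank’s monitoring should catch. The block below is an added example written for this page, not code from any bank, regulator or the case cited: a detector that groups sub-threshold conversions per account inside a sliding window and raises an alert when both a count and a total trip-wire are met. The reporting threshold, window and trip-wire values are assumptions, and the transactions are constructed for the demo.

```python
# Added example: a structuring detector for the pattern described above
# (many sub-threshold fiat conversions that add up to a large sum).
# Written for this page; threshold, window and trip-wires are assumptions,
# and the transactions below are constructed, not real records.
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

REPORT_THRESHOLD = 10_000.0   # assumed per-transaction reporting line
WINDOW = timedelta(days=30)   # assumed look-back window
MIN_COUNT = 20                # assumed: this many sub-threshold conversions...
MIN_TOTAL = 100_000.0         # ...summing to at least this much raises an alert


def _series(account: str, n: int, amount: float, start: datetime,
            step: timedelta) -> List[dict]:
    """Constructed transactions: n conversions of `amount` spaced `step` apart."""
    return [{"account": account, "ts": start + k * step, "amount": amount}
            for k in range(n)]


START = datetime(2020, 1, 1)
SAMPLE_TRANSACTIONS: List[dict] = (
    _series("trader-A", 40, 9_500.0, START, timedelta(hours=12))   # 40 x 9.5k in ~20 days
    + _series("retail-B", 3, 2_000.0, START, timedelta(days=5))    # ordinary small activity
    + _series("corp-C", 1, 500_000.0, START, timedelta(0))          # large, but above threshold
)


def find_structuring(transactions: List[dict],
                     threshold: float = REPORT_THRESHOLD,
                     window: timedelta = WINDOW,
                     min_count: int = MIN_COUNT,
                     min_total: float = MIN_TOTAL) -> Dict[str, dict]:
    """Return {account: worst window} for accounts whose sub-threshold
    transactions inside any `window` meet both the count and total trip-wires.

    Transactions at or above the threshold are excluded: they are reported
    through the normal channel, and counting them here would dilute the pattern.
    """
    by_account: Dict[str, List[dict]] = defaultdict(list)
    for tx in transactions:
        if 0 < tx["amount"] < threshold:
            by_account[tx["account"]].append(tx)

    alerts: Dict[str, dict] = {}
    for account, txs in by_account.items():
        txs.sort(key=lambda t: t["ts"])
        best = None
        for i, first in enumerate(txs):
            count, total, last_ts = 0, 0.0, first["ts"]
            for later in txs[i:]:
                if later["ts"] - first["ts"] > window:
                    break
                count += 1
                total += later["amount"]
                last_ts = later["ts"]
            if count >= min_count and total >= min_total:
                if best is None or total > best["total"]:
                    best = {"count": count, "total": total,
                            "start": first["ts"], "end": last_ts}
        if best:
            alerts[account] = best
    return alerts


if __name__ == "__main__":
    for account, hit in find_structuring(SAMPLE_TRANSACTIONS).items():
        print(f"{account}: {hit['count']} conversions totalling {hit['total']:,.0f} "
              f"between {hit['start']:%Y-%m-%d} and {hit['end']:%Y-%m-%d}")
```

Only the account that splits a large sum into many sub-threshold pieces is flagged; a handful of small retail transactions and a single large transfer (which the normal reporting channel already covers) are not. Real deployments add counterparty and cross-account aggregation, since launderers spread activity across several accounts and institutions.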

To that end, Pyongyang invited Virgil Griffith, an American cryptocurrency software developer based in Singapore, to present at the DPRK Cryptocurrency Conference in 2019 on the topic of “potential money laundering and sanctions evasion applications of cryptocurrency and blockchain technologies.” The U.S. Justice Department later indicted Griffith for providing “highly technical information to North Korea, knowing that this information could be used to help North Korea launder money and evade sanctions.”43 Griffith pleaded guilty and was sentenced to five years in federal prison.44

Cryptocurrency as an Engine of Sanctions Resistance

The Kim regime may shift its cryptocurrency strategy from an emphasis on acquiring cash to building resistance against sanctions. Rather than converting digital currency into fiat currency, Pyongyang could build large reserves of numerous cryptocurrencies to spend in a cryptocurrency exchange independent of the U.S.-led financial system. For the moment, that goal is mostly aspirational. Yet North Korea is adept at identifying its enemies’ structural weaknesses. The lax governance and regulatory structure surrounding digital currency is ripe for exploitation. This strategy would align with the ideological tenets of juche, the regime’s doctrine of self-reliance, by providing Pyongyang with greater financial autonomy.

However, North Korea’s ability to leverage cryptocurrency for these objectives will likely be contingent upon technological advances by other rogue states with more robust economies. Alone, North Korea cannot challenge the U.S.-led financial order.

On September 6, 2018, in Los Angeles, California, First Assistant U.S. Attorney Tracy Wilkison announces charges against a North Korean national for a range of cyberattacks. (Mario Tama/Getty Images)

Fortunately for Pyongyang, Moscow and Beijing are already exploring ways to reduce their dependence on the dollar through digital currency. In March 2021, Russian Foreign Minister Sergey Lavrov recommended during a visit to China that “we [Russia and China] need to reduce sanctions risks by bolstering our technological independence by switching to payments in our national currencies and global currencies that serve as an alternative to the dollar.”45 That need has only increased since Russia’s invasion of Ukraine and the West’s imposition of sanctions. China, Russia, and even Iran have started creating their own national digital currencies and blockchain platforms. Moscow, Beijing, and others are looking for ways to operate “economies outside the U.S.-led financial system” to “reduce Washington’s ability to impose sanctions,” as FDD scholars observed in 2019.46

Separately, according to the UN Panel of Experts, North Koreans based in Hong Kong developed a blockchain-enabled digital currency in 2018 called Marine Chain Token for use in shipping-related transactions. The Panel hypothesized that the Marine Chain platform was funded by stolen cryptocurrencies, pointing to the platform’s ties to North Korean operatives “who have extorted Bitcoin from online companies.”47 In a 2021 indictment against three North Korean hackers, the Justice Department added that the Marine Chain Token enabled Pyongyang to evade sanctions and “secretly obtain funds from investors” abroad who purchased partial ownership of shipping vessels.48

However, these advances still fall far short of Beijing’s and Moscow’s achievements. China began developing its own digital currency and payment systems as early as 201449 and has made significant progress.50 China’s most recent five-year plan noted the significance of blockchain applications for supply chain management, e-governance, fintech, and other purposes. President Xi Jinping seeks “a new industrial advantage” through blockchain. As a result, Chinese companies are filing more blockchain patents than their U.S. counterparts.51 Beijing’s leadership intends to leverage this new digital currency not only to support its commercial and trade activities, but also “to displace the U.S. dollar as a global reserve currency,” FDD scholars concluded in 2019.52

If China succeeds in establishing an alternative system, North Korea will quickly try to attach itself to that system because Pyongyang conducts over 80 percent of its trade with Beijing.53 Despite significant decreases in the volume of bilateral trade — which in 2021 was down 40 percent from the previous year and 90 percent compared to pre-pandemic levels54 — China remains North Korea’s main trading partner.55

China’s cooperation with North Korea in this emerging fintech space may have its limits if Beijing concludes that a visible role for North Korea would deter other nations from participating in a Chinese-led system, for which Beijing has global ambitions. Nonetheless, China is unlikely to reject North Korea’s participation entirely, because preventing instability inside North Korea is a long-term strategic objective for Beijing.56

Recommendations

As North Korean cyber operations evolve, the U.S. government must bolster American defenses and strengthen deterrence measures. The Cybersecurity and Infrastructure Security Agency at the Department of Homeland Security has distributed numerous technical alerts on North Korean malware to help private-sector entities harden their networks. The U.S. government has also sought to impose costs on North Korea’s hackers and programmers through sanctions and criminal indictments. However, the measures have been insufficient. The United States and its allies must consider innovative ways to change the regime’s calculus. The first four recommendations below originally appeared in FDD’s 2018 report on North Korean CEEW but have been updated with current information.57 What follows are three additional recommendations for how the U.S. government should address the risks and opportunities presented by the accelerating global adoption of cryptocurrencies and blockchain technology.

1. Escalate economic measures targeting the financial networks that launder North Korean funds. Over the long term, North Korea may reduce or eliminate its need for financial middlemen to launder funds and convert digital currency into fiat currency. In the meantime, however, this is a strategic weakness. The U.S. Treasury Department should sanction the individuals, companies, and banks that facilitate financial transactions on behalf of Pyongyang’s hackers and the Kim regime in general. Washington’s earlier sanctions and indictments related to North Korean cyber operations were largely symbolic because they did not target the key nodes supporting North Korean cyber operations. To be effective, sanctions should target the foreign partners, front companies, and overseas financial institutions that work with North Korea.58 For example, the Justice Department case against Tian Yinyin and Li Jiadong revealed that nine Chinese banks helped launder North Korea’s stolen cryptocurrency. Treasury should confirm that these banks have blocked additional suspicious transactions and are no longer complicit in such activity. If Treasury finds any further issue, it should impose additional penalties, fines, and sanctions.

2. Pressure China to dismantle North Korean cyber infrastructure. Pyongyang dispatches hackers abroad — particularly, although not exclusively, to China — to access more robust internet infrastructure capable of supporting more complex operations.59 Operating abroad also increases plausible deniability for the Kim regime. By contrast, relying on personnel and computer networks based solely in North Korea would create a “significant operational weakness” and leave Pyongyang vulnerable to cyberattacks that would “limit current North Korean cyber operational freedom,” according to Recorded Future.60 Washington should therefore urge China to repatriate all North Korean hackers. If Beijing and other foreign governments fail to dismantle Pyongyang’s illicit cyber infrastructure, the White House should consider deploying the North Korean Sanctions and Policy Enhancement Act, which grants Treasury the authority to designate individuals and entities who “have knowingly engaged in, directed, or provided material support to conduct significant activities in undermining cybersecurity.”61

3. Publicize information about cryptocurrency hacks. Cryptocurrency exchanges have become regular targets of cyber criminals but often do not share the details of those hacks. Without this information, researchers, law enforcement, and government officials have limited ability to decode criminal methodologies. The United States, South Korea, and other partner countries should therefore issue breach-notification rules. They should also establish a framework for sharing information about attacks that combines regulatory and government authorities with virtual currency exchanges and providers.62

4. Conduct information operations against Pyongyang. In 2017, Cyber Command reportedly launched DDoS attacks on suspected North Korean networks to limit the regime’s cyber operations.63 While the Defense Department should continue to employ such tactics as part of its “defend forward” strategy,64 cyber measures alone will not impose sufficient costs. Washington should leverage North Korean elites’ access to the global internet to expose them to foreign media and other restricted information.65 The Kim regime fears uncensored information that could compromise its ideological grip on the North Korean populace, such as evidence of its atrocities, corruption, and economic malpractice. Over the long term, creating a rift between these elites and Kim’s inner circle could lay the groundwork for a change in leadership and, in the short term, may convince Kim to restrict North Korean cyber operations because their cost is too great.66

More broadly, the United States must develop policies to cope with the long-term risks that cryptocurrencies and blockchain technology may pose to the U.S.-led global financial system and the role of the dollar in international trade. A March 2022 executive order on digital currencies directs the Treasury Department, the Federal Reserve, the Consumer Financial Protection Bureau, and other agencies to study these issues.67 This is a critical first step toward safeguarding financial stability, innovation, and consumer protection.

5. Commission research on public blockchains. While the Chinese and Russian governments have advanced their study and early implementation of various blockchain tools to harden their network defenses, Beijing and Moscow have invested less in public blockchain systems, preferring private blockchains in which a single entity controls the chain and knows the identity of all participants.68 A public blockchain is decentralized, pseudonymous, and open to anyone who runs a node and validates the data added to the chain.69 According to the Blockchain Council, a U.S.-based group of experts, public blockchains are more secure than private networks because a single bad actor would have to control a majority of a large, widely distributed network’s validating power to corrupt the data within the blockchain.70 That transparency also cuts against criminals: every transaction is publicly visible, which is what allows analytics firms such as Chainalysis to trace stolen funds, as the figures cited above show. The United States should become a leader in public blockchain technology, which not only adheres to American liberal norms and values but also is garnering more use within the consumer marketplace.71

6. Foster more public-private cooperation and innovation in cryptocurrency, blockchain, and fintech.72 A core finding of the U.S. Cyberspace Solarium Commission is the need for greater public-private collaboration on cybersecurity.73 The U.S. government should sponsor business incubator programs that promote blockchain-based solutions for regulatory challenges related to cryptocurrencies’ impact on global finance and banking.74 Specifically, Congress should appropriate funding for the National Science Foundation to help companies working on blockchain and other distributed ledger technologies. A report from the Center for a New American Security assessed that leading the development of blockchain applications would position Washington to maintain the value of coercive economic tools, including sanctions.75

7. Conduct studies within the U.S. intelligence community and other agencies to forecast trends in the use of cryptocurrency, blockchain and fintech by U.S. adversaries. The Biden administration should task the intelligence community with studying adversarial ambitions to undermine the existing financial order using cryptocurrencies, blockchain, and other fintech. The objective should be to identify future threats along with the long-term implications of current trends. Beijing has stated that it intends to design a universal digital payment network over the next 10 years to support digital currency transfers and payments worldwide.76 Understanding threats to America’s long-term national and financial security must be a priority.

Conclusion

To counter the North Korean cyber threat, the United States and its allies must employ a tailored approach that focuses both on the immediate needs of cyber defense and deterrence and future challenges posed by illicit financial networks and their state sponsors. With proactive measures, America and its allies can ensure that cryptocurrencies and blockchain technology become assets to protect the integrity of the global financial order.
