Cryptocurrency investments continue to rise, and the wallets that hold these coins have become major targets for threat actors.
Analysis Summary
# Threat Actor: North Korean State-Sponsored Threat Actors
## Attribution & Identity
Attributed to state-sponsored threat actors originating from North Korea; the article notes that these actors are allegedly acting on behalf of the North Korean government.
## Activity Summary
These actors are heavily focused on stealing cryptocurrency, particularly Bitcoin, to bolster North Korea's struggling economy. In the current year, North Korean state-sponsored threat actors stole an estimated $1.34 billion in cryptocurrency, accounting for more than half of all crypto stolen during that period. Their targeting shifted over the year: historically focusing on Decentralized Finance (DeFi) platforms, they began increasingly targeting centralized cryptocurrency services in the second and third quarters.
## Tactics, Techniques & Procedures
- Compromises leading to the theft of private keys, which accounted for 43.8% of the stolen cryptocurrency.
- Targeting both DeFi platforms and centralized cryptocurrency services.
- **Note:** Specific technical TTPs (such as initial access vectors or particular malware) were not detailed; the observed activity centers on illicit financial gain through digital asset theft.
## Targeting
- Sectors: Financial services, specifically targeting cryptocurrency holders, DeFi platforms, and centralized cryptocurrency service providers.
- Geography: Global, targeting cryptocurrency holders worldwide.
- Victims: Centralized cryptocurrency services, largely unspecified (DMM Bitcoin is cited as an example of a targeted entity), and individual and organizational cryptocurrency wallet holders.
## Tools & Infrastructure
- Specific malware/tools were not enumerated.
- No specific infrastructure was described; the operations revolve around exploiting weaknesses in platforms that hold cryptocurrency keys or directly compromising private keys.
## Implications
The high volume of successful cryptocurrency theft ($1.34 billion stolen this year) directly funds the North Korean regime, circumventing global sanctions. The increasing value of Bitcoin is predicted to increase the volume of these attacks. Furthermore, the presence of fraudulent crypto recovery services (as indicated by FBI seizures) poses a secondary risk to already victimized organizations and individuals.
## Mitigations
- Enhance security around cryptocurrency wallets, especially private keys, since private key compromise is a significant attack vector (43.8% of the stolen cryptocurrency).
- Organizations should be vigilant regarding shifting attack focus from DeFi to centralized services.
- Law enforcement agencies are improving their cryptocurrency tracking capabilities; recovery after an incident nonetheless relies on expert legal and forensic services, which organizations should be prepared to engage.
- Exercise caution when dealing with organizations claiming to specialize in stolen Bitcoin recovery, as fraudulent actors exist (the FBI seized several fraudulent recovery services).