In the cryptocurrency ecosystem, every coin has a history, tracked in the immutable blockchains that underpin its economy. The only exception, in some sense, is cryptocurrency freshly generated by its owner's computational power. Unsurprisingly, Kim Jong-Un’s North Korean hackers have begun adopting a new trick to launder the coins they steal from victims worldwide: they spend their dirty, stolen coins on services that let them mine innocent new ones.
Recently, cybersecurity investigators published a report on a prolific North Korean state-sponsored hacking group that they now call APT43, often known by the names Kimsuky and Thallium. The group, whose activities suggest its members work in the service of North Korea's Reconnaissance General Bureau spy agency, has been primarily focused on espionage, hacking think tanks, academics, and private industry from the US to Europe, South Korea, and Japan since at least 2018, mostly with phishing campaigns designed to harvest credentials from victims and plant malware on their machines.
See: https://redskyalliance.org/xindustry/stealing-millions-yet-a-twist-of-fate
Like many North Korean hacking groups, APT43 also maintains a sideline in profit-focused cybercrime, according to researchers, stealing any cryptocurrency that can enrich the North Korean regime or fund the hackers' own operations. Regulators worldwide have investigated the exchanges and laundering services that thieves and hackers use to cash out their criminally tainted coins. APT43 appears to be trying out a new method of cashing out the funds it steals while keeping them from being seized or frozen: it pays the stolen cryptocurrency into “hashing services” that allow anyone to rent time on computers used to mine cryptocurrency, and harvests newly mined coins that have no apparent ties to criminal activity.
That mining trick lets APT43 take advantage of the fact that cryptocurrency is relatively easy to steal while sidestepping the forensic trail it leaves on blockchains, which otherwise makes it difficult for thieves to cash out. “It breaks the chain,” says threat intelligence analyst Joe Dobson. “This is like a bank robber stealing silver from a bank vault and then going to a gold miner and paying the miner in stolen silver. Everyone's looking for the silver while the bank robber's walking around with fresh, newly mined gold.”
Investigators noted that they first began seeing signs of APT43's mining-based laundering technique in August 2022. Since then they have seen tens of thousands of dollars' worth of cryptocurrency flow from what they believe are APT43 wallets into hashing services such as NiceHash and Hashing24, which allow anyone to buy and sell the computing power used to calculate the hashes necessary to mine most cryptocurrencies. Researchers who follow this activity have also seen similar amounts flow to APT43 wallets from mining “pools,” services that let miners contribute their hashing resources to a group that pays out a share of whatever cryptocurrency they collectively mine.
In theory, the payouts from those pools should be clean, with no ties to APT43's hackers; that, after all, seems to be the point of the group's laundering technique. But in some cases of operational sloppiness, the funds were found commingled with crypto in wallets that had previously been identified from earlier APT43 hacking campaigns.
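The two tracing situations described above, the broken chain and the commingling slip, can be shown on a toy transaction graph. The following is an added example written for this page, not code from the researchers or from any tracing vendor; the ledger, the wallet names and the known-bad set are all constructed for the illustration. It walks fund flow forward from attributed wallets (so the hashing-service deposit is flagged), shows that a mining-pool payout has no upstream link to those wallets, and then shows how a payout that is later mixed into an attributed wallet gets re-associated:

```python
from collections import defaultdict

# Constructed sample ledger, NOT real on-chain data: (sender, receiver, amount).
# Wallet names are hypothetical labels chosen for the illustration.
TRANSFERS = [
    ("victim_A", "apt_wallet_1", 5.0),                 # theft from a phished victim
    ("apt_wallet_1", "hashing_service_deposit", 4.5),  # stolen coins pay for rented hash power
    ("mining_pool", "fresh_wallet_1", 0.9),            # pool pays out newly mined coins
    ("mining_pool", "fresh_wallet_2", 0.8),
    ("fresh_wallet_1", "apt_wallet_2", 0.9),           # sloppiness: fresh coins land in a known wallet
    ("victim_B", "apt_wallet_2", 2.0),
]

# Wallets already attributed to the group from earlier campaigns (hypothetical).
KNOWN_BAD = {"apt_wallet_1", "apt_wallet_2"}


def outgoing(transfers):
    """Map each wallet to the set of wallets it sent funds to."""
    out = defaultdict(set)
    for sender, receiver, _ in transfers:
        out[sender].add(receiver)
    return out


def incoming(transfers):
    """Map each wallet to the set of wallets it received funds from."""
    inc = defaultdict(set)
    for sender, receiver, _ in transfers:
        inc[receiver].add(sender)
    return inc


def forward_taint(transfers, seeds):
    """Every wallet that funds flow into from a seed wallet ("poison" heuristic:
    any downstream recipient counts as tainted, regardless of the amount)."""
    out = outgoing(transfers)
    tainted = set(seeds)
    stack = list(seeds)
    while stack:
        wallet = stack.pop()
        for receiver in out[wallet]:
            if receiver not in tainted:
                tainted.add(receiver)
                stack.append(receiver)
    return tainted


def upstream_sources(transfers, wallet):
    """Every wallet whose funds flow into `wallet` (backward walk)."""
    inc = incoming(transfers)
    sources = set()
    stack = [wallet]
    while stack:
        current = stack.pop()
        for sender in inc[current]:
            if sender not in sources:
                sources.add(sender)
                stack.append(sender)
    return sources


def linked_by_commingling(transfers, wallet, known_bad):
    """Wallets that `wallet` sent funds to and that are themselves known-bad or
    also receive funds from a known-bad wallet. This is the commingling case:
    the coins carry no upstream taint, but they are later mixed into the same
    wallet as attributed funds, which re-links them to the group."""
    out = outgoing(transfers)
    inc = incoming(transfers)
    return {r for r in out[wallet] if r in known_bad or inc[r] & known_bad}


def assess_wallets(transfers, known_bad):
    """Label each wallet: 'tainted' if funds flow to it from a known-bad wallet,
    'linked' if it has no upstream taint but its funds were commingled with
    known-bad funds, otherwise 'clean'. Victims that paid a known-bad wallet
    directly also show up as 'linked', which is what a triage list should show."""
    tainted = forward_taint(transfers, known_bad)
    wallets = {w for s, r, _ in transfers for w in (s, r)}
    labels = {}
    for w in sorted(wallets):
        if w in tainted:
            labels[w] = "tainted"
        elif linked_by_commingling(transfers, w, known_bad):
            labels[w] = "linked"
        else:
            labels[w] = "clean"
    return labels


if __name__ == "__main__":
    print("forward taint:", sorted(forward_taint(TRANSFERS, KNOWN_BAD)))
    print("fresh_wallet_1 upstream:", upstream_sources(TRANSFERS, "fresh_wallet_1"))
    print("fresh_wallet_1 commingled with:",
          linked_by_commingling(TRANSFERS, "fresh_wallet_1", KNOWN_BAD))
    for wallet, label in assess_wallets(TRANSFERS, KNOWN_BAD).items():
        print(f"{wallet:26s} {label}")
```

Forward propagation reaches the hashing-service deposit but never the pool payouts, which is the "broken chain" the analyst describes; only the later commingling transfer lets `fresh_wallet_1` be tied back to an attributed wallet. Real tracing tools use proportional or FIFO taint rules and address clustering rather than this all-or-nothing walk, but the structural point is the same.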
Analysts concede that the five-figure sums that were laundered through this mining process are nowhere near the size of the massive crypto heists North Korean hackers have pulled off in recent years, stealing hundreds of millions of dollars in cases like the breaches of the Harmony Bridge or Ronin Bridge services. That may be because only a small fraction of North Korea's mining-based laundering has been detected. But it may also be because APT43 is not primarily tasked with stealing cryptocurrency. Instead, the group appears to have been ordered to generate enough profits through cybercrime to fund its espionage work. As a result, it has sought to steal smaller sums of crypto from many victims to subsist independently.
Cryptocurrency tracing firms, including Chainalysis and Elliptic, have seen criminal actors seek freshly mined cryptocurrency to fund their activities or to dilute and hide their profits. Elliptic notes that it has tracked a group affiliated with the militant organization Hamas mining cryptocurrency for terrorist financing. Researchers point out that mining pools are not as regulated or scrutinized as other parts of the crypto economy that are sometimes used for money laundering, such as cryptocurrency exchanges, “mixing” services designed to hide the trail of users' coins, and NFT marketplaces. It is concerning that many mining pools do not screen who participates in them, so illicit actors could contribute computing power to a pool, and the pool would have no tools to identify them.
Government authorities seeking money launderers and criminal financiers may therefore have to shift some of their focus away from the intermediaries of the crypto economy toward the miners who form part of the problem, since all of that fresh digital cash is not as clean as it is represented to be.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@wapacklabs.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5504229295967742989