North Korea stole more cryptocurrency assets in 2022 than in any other year and targeted the networks of foreign aerospace and defense companies, according to a currently confidential United Nations report seen by Reuters on Monday.
“(North Korea) used increasingly sophisticated cyber techniques both to gain access to digital networks involved in cyber finance, and to steal information of potential value, including to its weapons programmes,” independent sanctions monitors reported to a U.N. Security Council committee.
The monitors have previously accused North Korea of using cyber attacks to help fund its nuclear and missile programs.
“A higher value of cryptocurrency assets was stolen by DPRK actors in 2022 than in any previous year,” the monitors wrote in their report – submitted to the 15-member council’s North Korea sanctions committee on Friday – citing information from U.N. member states and cybersecurity firms.
North Korea has previously denied allegations of hacking or other cyberattacks.
The sanctions monitors said South Korea estimated that North Korean-linked hackers stole virtual assets worth $630 million in 2022, while a cybersecurity firm assessed that North Korean cybercrime yielded cybercurrencies worth more than $1 billion.
“The variation in USD value of cryptocurrency in recent months is likely to have affected these estimates, but both show that 2022 was a record-breaking year for DPRK (North Korea) virtual asset theft,” the U.N. report said.
A U.S.-based blockchain analytics firm last week reached the same conclusion.
The U.N. report noted: “The techniques used by cyberthreat actors have become more sophisticated, thus making tracking stolen funds more difficult.”
The report is due to be released publicly later this month or early next month, diplomats said.
The monitors said most cyber attacks were carried out by groups controlled by North Korea’s primary intelligence bureau – the Reconnaissance General Bureau. It said those groups included hacking teams tracked by the cybersecurity industry under the names Kimsuky, Lazarus Group and Andariel.
“These actors continued illicitly to target victims to generate revenue and solicit information of value to the DPRK including its weapons programmes,” the U.N. report said.
The sanctions monitors said the groups deployed malware through various methods including phishing. One such campaign targeted employees in organizations across various countries.
“Initial contacts with individuals were made via LinkedIn, and once a level of trust with the targets was established, malicious payloads were delivered through continued communications over WhatsApp,” the U.N. report said.
It also said that, according to a cybersecurity firm, a North Korean-linked group known as HOlyGhOst had “extorted ransoms from small- and medium-sized companies in several countries by distributing ransomware in a widespread, financially motivated campaign.”
In 2019, the U.N. sanctions monitors reported that North Korea had generated an estimated $2 billion over several years for its weapons of mass destruction programs using widespread and increasingly sophisticated cyberattacks.
In their latest annual report, the monitors also said Pyongyang continued producing nuclear fissile materials at its facilities and launched at least 73 ballistic missiles, including eight intercontinental ballistic missiles last year.
The United States has long been warning that North Korea is ready to carry out a seventh nuclear test.
North Korea has long been banned from conducting nuclear tests and ballistic missile launches by the Security Council. Since 2006, it has been subject to U.N. sanctions, which the Security Council has strengthened over the years to target Pyongyang’s nuclear and ballistic missile programs.
But North Korea has continued illicit imports of refined petroleum and exports of coal, evading sanctions, the monitors said. They also said they have started an investigation into reports of ammunition exports by North Korea.
The United States has accused the Russian mercenary company Wagner Group of receiving arms from North Korea to help bolster Russian forces in Ukraine. North Korea has rejected the accusation as groundless and Wagner’s owner, Yevgeny Prigozhin, denied getting arms from North Korea.
Last May, China and Russia vetoed a U.S.-led push to impose more U.N. sanctions on North Korea. This included a proposed asset freeze on the Lazarus hacking group.
The Lazarus group has been accused of involvement in the “WannaCry” ransomware attacks, hacking of international banks and customer accounts, and the 2014 cyber-attacks on Sony Pictures Entertainment.
The United States linked North Korean hackers to the theft of hundreds of millions of dollars’ worth of cryptocurrency tied to the popular online game Axie Infinity, the United States said in April. Ronin, a blockchain network that lets users transfer crypto in and out of the game, said digital cash worth almost $615 million was stolen on March 2022.