North Korea News Podcast by NK News - Alec Zubrick: What 2025 taught us about North Korea’s crypto strategy

Episode Date: February 12, 2026

Alec Zubrick of blockchain analytics company Chainalysis joins this week’s episode to break down how North Korea-linked actors are upgrading their tactics to steal cryptocurrency, why 2025 was a record year for large-scale hacks and what can be done to reduce risk. The expert explores the shift in North Korean operations toward fewer but much […]

Transcript
Starting point is 00:00:08 Bestsellers unveiled at NK News Shop. Step out in style with our top-selling apparel from the NK News Shop. Fly high with the Air Koryo T-shirt, celebrating DPRK's golden era of aviation in vintage airline chic. Explore the stars with our NADA, inspired by North Korea's answer to NASA, or toast to tradition with our Taedonggang beer t-shirt, capturing the essence of North Korea's renowned brew.
Starting point is 00:00:38 Each design is a conversation starter. Find yours at shop.nknews.org. Again, that's shop.nknews.org. Hello listeners and welcome to the NK News podcast. I'm your host, Jacco Zwetsloot. And today it is Tuesday, the 3rd of February, '26. And I'm sitting here in the NK News studio with Alec Zubrick, who is the senior manager, Global Services APAC, at Chainalysis.
Starting point is 00:01:33 He's based in South Korea, where he leads cryptocurrency investigations for public and private clients. He's a former U.S. detective and Secret Service task force officer, and he's a subject matter expert in North Korea's crypto operations, has investigated major North Korea-linked hacks, and has briefed the UN Security Council, the Arria-formula briefings. Welcome on the show today, Alec. Hello, yeah.
Starting point is 00:01:56 My name's Alec, as you said. I'm very, very happy to be here and excited to get into it. Thanks for your time. Well, now, for someone who knows nothing about crypto, basically me, what are the basic rules to avoid getting ripped off by North Koreans or anyone else? Which apps or websites or habits should people avoid? Yeah, no, that's an excellent question. I think, you know, before we talk about what to avoid, probably first, you know, touch on the scale of it.
Starting point is 00:02:21 Right? So if we look at last year's data, which Chainalysis estimates around 158,000 personal wallet compromise incidents, affecting at least 80,000 unique victims, but with smaller average amounts per victim. So what that means is attackers are spreading the net wide and relying on people to click the wrong link or potentially sign the wrong transaction. Okay.
Starting point is 00:02:47 Now, when we look at personal wallet compromises, that actually accounts for roughly 20% of all value stolen last year. Even as the total value stolen from individuals fell from about $1.5 billion in the previous year, 2024, to $713 million in 2025. So what that translates to is the volume of victims is high, even if the average loss per person is lower.
Starting point is 00:03:12 Now, if we circle back to your question, how do you avoid becoming part of that statistic? Well, anything that asks you to connect to a wallet if you're going onto a website or navigating an app, sign a transaction, verify funds after you click on a social media link or direct messages, emails, you should basically assume that they're malicious until proven otherwise.
Starting point is 00:03:36 Another, you know... How do you prove otherwise? So that's a great question. So basically you just treat it with caution. Okay, yeah. Yeah, that makes sense. Now, I did say that I know nothing about crypto, but one thing I do know is that there are two kinds of wallets.
Starting point is 00:03:54 There's the hot wallets which are connected to the net at all times. And there's the cold wallet, which is... you know, stored separately from a computer, and so therefore it's, you know, you have to plug it in to use that money. It seems to me that cold wallets are the safer way to go because, you know, the time that you spend connected to the rest of the world so that you're a potential victim is less. Is it as simple as that? It's close, yeah.
Starting point is 00:04:22 You know, that's what we refer to as hardware wallets, and that's what I would recommend everyone do to protect themselves, right? So use hardware wallets or, you know, a reputable mobile wallet app with strong device security, especially for long-term holdings, right? If you're using something like a browser plug-in or experimental apps for your cryptocurrency, you should treat those similarly to how you would a high-risk trading account. Okay. All right. Now, let's get into the snapshot of 2025. Can you give us that number again for how much crypto we think North Korean groups stole last year in aggregate terms?
Starting point is 00:05:01 Yeah, so when we look at, you know, hacks and stolen funds in total for last year and when we try to isolate, you know, what of that can be attributed to North Korea or suspected to have been North Korea, well, the total figures for last year from January through at least early December of last year was more than $3.4 billion in crypto was stolen. That's a lot. Yeah, it's a huge amount. Is that up or down from the year before? I actually don't have the answer to that. But I can tell you that of that figure, North Korean hackers are suspected to have stolen at least $2.02 billion in 2025. $2.02 billion out of... And what was that total again? 3.4.
Starting point is 00:05:43 Okay. So it's well more than half. Yeah. More than half. And a 51% increase year over year from their prior activity, pushing their cumulative lower bound total to roughly $6.75 billion. So the cumulative number. Right. Now, I've seen references to a few very large thefts skewing these totals. Can you sort of explain that in plain language? Yeah. So of that number, roughly 70%... DPRK attacks actually account for about 76% of all service compromises. Those big hacks definitely come from that category, the services. So despite the record totals, you know, Chainalysis assesses a dramatic reduction in their attack frequency.
Starting point is 00:06:24 However, in February of last year, the Bybit compromise happened. This is the one, the big... Right, right. So that alone accounted for around $1.5 billion in losses, and it really heavily skewed last year's total. So overall, the top DPRK-linked hacks are disproportionately larger in 2025. Yeah. In fact, last year is the first time the largest hack is over a thousand times the median incident by DPRK. And the top three hacks account for about 69% of all losses from services. Do we have an idea why there are fewer but bigger attacks? And does that say anything about where the weak spots in the industry are? Yeah, why they're bigger.
Starting point is 00:07:08 So if we look at the last couple of years, right, from 2022 to 2025, DPRK-attributed hacks sit almost entirely at the top end of the value distribution, while non-DPRK hacks are spread more evenly across small, medium, and large incidents. Now, there's evidence that DPRK explicitly optimizes for maximum impact per operation. So there's a tradeoff there, right? Attacks on large services are significantly harder. They're slower and more complex to launder.
Starting point is 00:07:39 Does that mean you also need a bigger team to do a larger attack? Potentially, potentially. However, you know, there's large payoff, right? One successful hit can create huge funds for the regime. Right. So the cost-benefit calculus looks very different to a state actor than to a typical, you know, cyber criminal crew, right? In contrast, non-state criminals have leaned into the mass personal wallet compromise.
Starting point is 00:08:06 Sort of one by one. Yeah, with, you know, like a wide net, right? With over 158,000 incidents, as I spoke earlier, 80,000 plus victims last year. Right. Typically, for smaller amounts per victim, like a retail spray-and-pray model rather than DPRK's, you know, fewer, bigger approach. Talk about the attack vectors. People often hear about the dangers of phishing, right?
Starting point is 00:08:31 Phishing with a P-H, where you get an email or, often it's an email or it could be a social media thing that pretends to be someone you know or an organization that you trust and they're asking for something and they get you in that way. And that can then include a link like you mentioned that you click on that, you know, next thing you know, your money's gone. But what are the newer tricks that North Korean teams are using now? Like breaking in through suppliers or third-party services. And how does that work in everyday terms? You're absolutely right.
Starting point is 00:08:59 We are seeing an evolution from that, I would say. So DPRK hackers, they're really only going to get and continue to be more sophisticated. And we've seen this across the previous years. They will seek vulnerabilities and aim to exploit them. In a recent MSMT report and Chainalysis's own analysis, we actually highlighted a pivot from simple inbox phishing, as you discussed, to coordinated supply chain attacks, especially against third-party asset providers and custodians of funds. Now, on centralized services, attacks now focus
Starting point is 00:09:33 on private key infrastructure and signing processes, including tricking legitimate signers via compromised third-party integration or tools rather than just guessing passwords. How does a supply chain hack work? So when you look at infrastructure of, let's say, a VASP, virtual asset service provider, there's a number of things that happen, you know, approvers, signers, signers in the process, in the link of events. It's identifying the weak link in that in the supply chain and going for that, right? You're only as strong as your collective defense. And, you know, it's a matter of identifying that weak link. So once they're in a supply chain, I mean, can you now, you know, can they then go sort of vertically up that chain until the, you know, they have access to everything? Yeah, that's certainly part of the goal, right? And they use social engineering quite a bit for that.
Starting point is 00:10:24 And social engineering, for those who may not know, this is where you basically use language to trick somebody into doing something for you, right? Exactly. And so DPRK are very well known for this. This is one of the ways they get in and one of the ways they kind of optimize and take advantage once they are in. We've seen DPRK-linked operators increasingly embed, for example, IT workers inside crypto services. This helps them gain privileged access ahead of major threats. In fact, more
Starting point is 00:10:51 recently, we see them even impersonating recruiters for well-known Web3 and AI firms running fake hiring processes that eventually end up in the technical screen. These are designed to harvest credentials, source code, VPN, SSO access to the victim's current employer. Now, even at the executive level, they mimic strategic investors or acquirers using fake due diligence conversations to probe for system architecture, details, and access pathways in a high-value infrastructure. So they're somehow able to get into what, online investor meetings? I think it's typically through emails, right, where they'll pose as, you know, somebody that's,
Starting point is 00:11:34 you know, an investor, and that could be attractive to somebody on the business. Now, a person listening to this might assume that, well, you know, if you're doing social engineering, you have to be able to communicate in the language of the would-be victim. North Koreans, certainly some of them, the guides that we meet in North Korea, they're very good in English, they've learned it very well. But wouldn't language make South Koreans a natural and obvious target for North Korean crypto, or are they casting the net wider than that? You know, I personally haven't seen that.
Starting point is 00:12:05 I think they're casting a much wider net than that. When we look at a lot of these international, we talked about Bybit earlier, these international exchanges where they have customer bases across many geographies, they're more likely since they have more customers to have more assets. I think it's a very rich target for them. And I think in the age of AI, language barriers are less of a kind of impact there. Right. So they're actually using, I mean, we can assume that they're using AI language tools to translate their social engineering and do a better job of fooling people in non-Korean languages. Well, I've certainly seen examples.
Starting point is 00:12:44 of them using AI to generate, you know, fake video footage during an interview. So I think it stands to reason they're probably using it for language. Gee. So we just talked earlier about fake recruiters and credentials and things. Could you possibly walk us through a single example of how that starts with North Koreans and turns into a hack through this impersonating of recruiters or through credential harvesting? Yeah. So one of these is called a Contagious Interview, right? This is a new terminology. Oh, okay. Very common technique. So if you, if you've ever worked in the tech sector, you're probably familiar with this. When you're interviewing for a job, there's multiple stages of the process. It's quite standard that one of the stages is a type of
Starting point is 00:13:29 technical assessment, right? If it's a software engineering job, for example, it might be a coding test. Sure. They might send you some code and ask you to identify errors with it. They might send you some code and ask you to build upon it or expand upon it or build an additional feature. Again, very, very standard in the industry. Now, what we're seeing with a contagious interview, it's typically the employees at these tech companies that might have privileged access to the underlying infrastructure, right, the tech stack. And so that would be a great target if you're trying to compromise.
Starting point is 00:14:04 Get into the back end. Get into the back end, right? And so if you were to approach one of them as an interviewer, for a large-scale company, you know, you're offering an extremely high salary, and, you know, they might fall for or at least communicate with you, you know, be interested in a potential job. And when you get to that stage where you supply code or an assignment for the technical assessment, they embed malicious code, right, which allows them to gain access to intrude on that network that that person on maybe their company laptop would have access to. So that is a very,
Starting point is 00:14:39 very common a pathway. Okay. So North Korea, the North Korean hackers in this case are pretended to be company A and they're interviewing somebody who works at company B for a non-existent job at company C. And they're providing some sort of coding and that by working on that coding, the would-be victim at company B is actually bringing that into the back end of company B. Yes, exactly that. And we've seen that happen a couple times last year actually. Wow. That's really crafty, isn't it? Yeah. You mentioned earlier that the North Koreans are aiming at bigger targets, exchanges and custodians rather than individual oils because it brings a bigger payoff. Are there tradeoffs for that? There are.
Starting point is 00:15:19 The tradeoff is that attacks on large services are, they're harder to pull off. It's slower, also more complex to launder. So, you know, that is a challenge, but one successful hit, you know, can create huge wins for them, huge wins. So Bybit, for example, was a very, very sophisticated attack. It took quite a lot of skill to do. And again, $1.5 billion is one of the largest thefts in history, not just in crypto, in history. But isn't there also a risk for North Korean hackers that people like you from Chainalysis and other companies will eventually follow the trail back to the source and find them? It's a complicated question. In my experience,
Starting point is 00:16:03 DPRK hackers are slightly different than we look at, you know, your average cyber criminal. So if you imagine somebody that works as a ransomware affiliate, they may be engaged in cyber crime. They make a certain amount of money as an individual. They may choose that they've made enough, enough to retire per se or buy their yacht. Or they get caught and they get arrested by law enforcement somewhere. And so if you think of it like a chess board, right, they're taken off the chess board. So they're out of play. They don't necessarily learn from their mistake, not as a way
Starting point is 00:16:39 to be able to do it again because they've been arrested. They've been taken off the chess board. North Korea, though, it's a little bit different for them. You know, they certainly make mistakes. And in those mistakes, you know, there's opportunities to attribute with, you know, high, you know, confidence that they are the culprit of it. We see, you know, enforcement action taken against them where, you know, funds are frozen. Hopefully, you know, in many cases, returned back to the victims. But they're not taken off the board, right? They have, again, they're state sponsored. So they do operate under a certain umbrella that an individual cybercriminal, let's say, based in Europe or in the U.S. would not benefit from. And so when they make that mistake, they learn from it.
Starting point is 00:17:20 They learn from it and they get better and more sophisticated. Now, when the headlines say a North Korean hacking group, what do we actually know about the humans behind the keyboard, about how they're organized or trained or directed? Is there anything that's publicly known about them? There's a trove of information on that that's publicly available. I would recommend looking at that. I'm certainly not the expert to speak on the human element on the ground side of that. Do you recognize any individuals in these groups who stand out either as strong leaders or successful social engineers or really good coders and hackers? Yeah, again, I don't think that's something that I'm going to be able to speak about.
Starting point is 00:17:59 Okay, but you don't have any nicknames for guys like, you know, this one's Moby Dick and that one's, I don't know, the big whale. Well, that's the same thing. I don't know, but. Internally, amongst ourselves, we have nicknames, but not things that I would be able to share. Okay. Well, okay, so let's talk about laundering and the flows of money. After a big theft, where does the cryptocurrency go first, second, and third in order to launder it? Can you explain the typical steps over the first month or two? Yeah.
Starting point is 00:18:25 So, you know, we recently, in our report, discussed what we call the 45-day kind of breakdown of DPRK laundering. Okay, so a month and a half. Yeah, about a month and a half. And so what this is, you know, following previous major DPRK-linked hacks, looking back from, I believe, 2022 to last year, we saw a consistent kind of three-wave laundering pattern over this roughly 45-day period, right? And so the first wave, this occurs in the first five days, right, from day zero to five. It's immediate layering, right? So we see sharp spikes in decentralized finance protocol usage as a kind of primary entry point for them, and along with a very high usage of mixing services to break that direct link to the source.
Starting point is 00:19:13 Right. So they're basically chopping, chopping up the money into small amounts and putting it into different... Yeah, obfuscating, right? It's, you know, the layering stage of money laundering. And then from there you go to wave two. That's between days six and ten. This is where they move to integration. So flows start shifting towards limited KYC, or know your customer, services and centralized exchanges. That's normally, KYC, know your customer, it's there to, it's set up
Starting point is 00:19:42 to avoid exactly this kind of thing, right? I mean, the whole point is know where the money is coming from, so that you're not unwittingly helping someone launder money or receiving stolen funds or corrupt money, right? Exactly. But they're able to get through that? In some cases, yes.
Starting point is 00:19:58 Now, there's sophisticated obfuscation techniques they do to try and defeat these. Here at Chainalysis, we work with a lot of partners to help overcome that. We have an offering, I think, aptly named, like KYC, called KYT, know your transaction. And this allows services to actually screen and identify, you know, inflows and outflows to them, to know who they're sending to, to be able to, you know, make and assess any high-risk activity. So, yeah, if we circle back to kind of what happens in the next set, the next wave,
Starting point is 00:20:27 so for wave two, flows start shifting toward limited KYC and centralized exchanges. But additionally to a secondary round of mixers and cross-chain bridges. Are they remixing the money they've mixed earlier? Yeah, oftentimes they'll use multiple mixers. And the funds then begin to move towards off-ramps, right? Trying to convert it to eventually, of course, fiat or... Right, dollars or yen or euro that can be used on the market to buy things. Exactly.
Starting point is 00:20:56 And then, you know, lastly, from days 20 to 45, this is kind of that long-tail cash out period. There's a strong emphasis on non-KYC exchanges. We see actually the emergence of Chinese language guarantee platforms like Tudou, Donbao, instant exchanges and services like Huione. Is that a Cambodian platform? Yes. Yeah. Cambodia, they're often in jurisdictions with weaker oversight.
Starting point is 00:21:23 So it's obviously very important for North Korean crypto crime groups to get this money. I mean, stealing the money is one part, but making it available for use is, is the other part. And that's, I think, where they learned from the, what, the Bank of Bangladesh heist a few years ago, right, where they got the money out, but they weren't able to ultimately use it for very much because it got locked up too quickly. And so this is why this 40-day, 45-day period exists and all these different levels of layering and mixing and integrating and off-ramps. How have we seen tactics and patterns of laundering change after the Bybit heist last year to move stolen crypto in larger amounts faster than ever before? Yeah. So we actually
Starting point is 00:22:02 have seen changes in their laundering patterns. And they're pretty structured and distinctive, especially compared to other stolen fund actors. So I'll break it into a couple different ways or I guess you could say fingerprints that identify with North Korea laundering. First is actually dealing with the size of the transfers. So just over roughly 60% of DPRK laundering volume is in like tranches of under $500,000, even though the underlying thefts are much larger. So this is a sign of very deliberate structuring.
Starting point is 00:22:35 So if we look at, you know, Bybit, for example, they stole $1.5 billion. Right. But they weren't moving $1.5 billion at a time. Sure. Right. Significantly less. Right. And there's a number of reasons for this.
Starting point is 00:22:46 You know, one is to minimize the blast radius of enforcement action. So if you are to, you know, send, let's say, under $500,000, so $200,000 to a service, and that gets frozen, aren't you glad you didn't send them a billion? Yeah. Right? And so they're able to minimize risks. I think that's one of the largest reasons. Another thing that we see is their utilization of Chinese language money, movement,
Starting point is 00:23:13 and guarantee services. I touched on that earlier. Yes. But there's a very distinctive hallmark of usage. Usages is hundreds of percent higher than other actors reflecting a kind of a reliance on Chinese language laundering networks and OTC traders. And then we touched. on this earlier with mixing, but that really is a huge part. Mixing services and to some extent
Starting point is 00:23:35 cross-chain bridges. What's a cross-chain bridge? This allows you to move one asset from a network to another. So if you think of Bitcoin, that's on the Bitcoin network, to move assets, Bitcoin onto, let's say, Ethereum network. Okay, sure. These bridges help facilitate that cross-chain movement of funds. And DPRK utilizes that end-mixures quite a bit, actually significantly great of use of bridges and mixtures than other criminals. Is that because a bridge is one more way to obfuscate where the money's coming from and going to? There's a number of reasons.
Starting point is 00:24:09 Obfuscation is certainly a part of it, although that's relatively easily defeated by competent analysts. Another aspect is some of their mixing services that they prefer to use only support certain cryptocurrencies. So you have to move it from wherever it is. To move it to that, right? So, for example, Tornado Cash used to be sanctioned, not so much anymore, pretty notorious mixing service. DPRK has heavily utilized it over the past.
Starting point is 00:24:35 It does not accept Bitcoin, as a good example. So if you had Bitcoin and you wanted to launder it through Tornado Cash, you would have to first get it into a different asset that is accepted by this mixing service. Right. So let's say Ethereum. And in many cases, they do utilize these cross-chain bridges to get them into whatever network best suits their purposes. When we mentioned earlier about Chinese money laundering services, a lot of those operate in USDT, right? It's a US dollar-pegged stablecoin, and they'll convert funds into USDT to help them use those types of services there as well. Yeah, you've mentioned China and Cambodia, and I think also Hong Kong and Russian networks are important in this process. You said that they were jurisdictions that
Starting point is 00:25:24 are less observant or less strict. I mean, China can be sometimes more strict in other areas there because you've got a lot of oversight from the CCP. Is there a risk in operating in doing a lot of this work in China for North Korea? Like, is there a risk in losing all the money and having no recourse? I want to draw the distinction between services and businesses in China and Chinese language services, right? So I don't have, you know, the numbers on hand of whether or not, you know, they're based in
Starting point is 00:25:54 mainland China, for example. That's a separate topic. Right, right, right. Yeah, so. Okay. What can you say about Cambodia or Russian or Hong Kong networks? What's safe to say about them in public at the moment? Yeah, I guess we'll start with Cambodia. Yeah. So we actually see significant volumes from DPRK hacks. Interesting. Including Bybit have been laundered into Huione Pay, which we discussed earlier, which is a Cambodia-linked ecosystem that was recently targeted by FinCEN for special measures. That's the Financial Crimes Enforcement Network of the United States? Yes.
Starting point is 00:26:26 Now, their heavy use of these professional Chinese language money laundering services and over-the-counter or OTC traders suggest that DPRK threat actors are really tightly integrated with illicit actors across the Asia-Pacific region. And it is also consistent with Pyongyang's historical use of Chinese-based networks to gain access to the more international financial system. Now, when it comes to Russia, I would want to draw your attention to a recent MSMT report. So what's the MSMT for our listeners at home? Multilateral Sanctions Monitoring Team.
Starting point is 00:27:01 Right. This is the sort of ersatz replacement for the former UN panel of experts, right? Yes. Okay. So they recently released a report, I believe it was in October for this one, that highlighted a deepening collaboration with Russian money laundering networks, which, you know, complementing the presence of DPRK IT workers, also operating in Russian territory.
Starting point is 00:27:23 And so collectively, this kind of paints a picture of a very Asia-centric laundering pipeline with DPRK relying on kind of a patchwork of Chinese and Russian facilitators to move funds from hacks into a more usable asset. Now, here's a question out of left field. There's been a lot of focus here in South Korean media recently about Cambodia and South Koreans who go there to work on these pig-butchering scams to scam other Koreans. Is there any evidence that this is somehow part of a broader network that North Korea is also involved with? The pig-butchering scam centers and the crypto, the Huione type services, is it all, you know, are they being run by the same groups in Cambodia?
Starting point is 00:28:03 Are the North Koreans working with them somehow? I would certainly say that it deserves attention and that I think you are likely to find connections when you're dealing with billions of dollars of illicit funds. going through these networks, you are likely to find mingling where potentially funds or proceeds from DPRK activity are potentially reaching the same hands as proceeds of these scams. Now finding linkage between the scam operators and North Korea, that's a, like I said earlier, I think it's definitely deserving of attention. Right. Now, in terms of networks and some sanctions, some cases, we've seen recent sanctions in
Starting point is 00:28:48 features against entities like the Mangyong De Computer Technology Corporation, jail, credit bank, linked addresses, and Chin Yong and KKBC, and also facilitated individual facilities like Liu Hiao Yang and Shim Hjohn Sop. So in plain terms, tell us a little bit about these and how actions like these make North Korea's work harder. Yeah. So taken together, actions by Ophak, say, hang on, let me remember what's Oax again? That's the Office of Financial Asset Control. Okay, which is part of the U.S. Department of Treasury. Treasury. That ring the bill. Yeah. South Korea's MOFA or Ministry of Foreign Affairs, their MSMT partners, DOJ, FinC. This really shows a trend moving beyond just hacker aliases and into the banks with what they're sanctioning to also include OTC brokers and IT firms, part of that kind of knit ecosystem. The elements that knit that ecosystem together. By sanctioning IT facilitators, bank-linked wallets and OTC brokers.
Starting point is 00:29:50 Just for our listeners at home, OTC means over-the-counter. Yes, over-the-counter brokers. By sanctioning them, authorities make it harder and more expensive for DPRK to convert crypto into usable fiat or procurement channels, which raises the cost of every subsequent operation. And to go beyond that, I've been asked that question quite a lot, especially by regulators and policymakers. You know, what are the impacts of sanctions?
Starting point is 00:30:17 Is there a point to sanction, let's say, a mixing service that even post-sanctioning, it would still operate? You know, my general thought is yes. I think if something is sanctioned, the risk profile of using it goes up. And so if the risk goes up, they might charge more fees to use it. So it becomes more expensive. Yes, the laundering process becomes more expensive. and that absolutely has an impact on the final amount that they ultimately get in their hands. And how successfully are the different agencies in different countries acting together?
Starting point is 00:30:51 You've mentioned many of them already. And how successfully are they working together in terms of sanctions, seizures, and indictments? Yeah, when we look at like their activity and their kind of assessment of effectiveness, actually the MSMT in that report back in October, they had released a joint threat assessment kind of playbook combining on-chain intelligence, including our data, with kind of traditional signals. And this report attempted to quantify the scale of DPRK crypto theft and IT worker revenue, map expanding laundering networks, and regional facilitators in China, Russia, Cambodia, and Hong Kong, and also to outline like the attack vectors and revenues for partners to prioritize.
Starting point is 00:31:32 So, you know, a lot of it is getting that knowledge out there, you know, not just with the sanctions, but, you know, ensuring that the industry as a whole knows what it can do. Now, to answer your question more exactly, realistically, MSMT and their partners can't stop all hacks, right? But they can make it harder to move and spend the money by feeding designations, typologies, and risk indicators into sanctions, supervision, and enforcement. But it must surely be very difficult to realistically achieve anything against a state-sponsored actor, right? I mean, as you mentioned earlier, if you're a hacker for a North Korean team, you've got the coverage of the North Korean state, and so you're not going to be removed; that chess piece won't be removed from the board so easily. Yeah, it's incredibly difficult, but, you know, again, it makes it harder and it's still worth doing.
Starting point is 00:32:21 We often hear that this money stolen by North Korea ends up in the weapons program. How confident are experts that that's the case, and what public evidence can we point to to say that? Yeah, for public evidence, I think, again, I would point back to the MSMT report, right? So that report does document how stolen cryptocurrency has been used to procure items ranging from armored vehicles to portable air defense missile systems, directly linking that crypto theft to weapons development and procurement. And I know in the U.S., Senator Elizabeth Warren was recently also in a hearing and said something to a similar effect. I believe it was they estimated a certain percentage was high, maybe half of funds that they were able to steal from crypto did go to such purposes. Okay. Now, talking about defense and detection, in the first 45 days after a hack, where are the best choke points for
Starting point is 00:33:17 exchanges or compliance teams or law enforcement to intervene? Yeah, when we look at where they can intervene, I would kind of circle back to that period of laundering that we discussed earlier, that 45-day period, right? And there are various windows of opportunity in each of those periods. Right? So that three-wave laundering cycle creates kind of a predictable intervention window for both compliance teams and law enforcement. So when we look at wave one, zero to five days. The chopping and the mixing. Yeah, and the use of like decentralized finance. You know, the focus should be on that, mixing services and DeFi, blacklisting hack-linked addresses, emergency coordination across protocols.
Starting point is 00:34:02 That's a big one. Getting the message out there that there has been an exploit and that these addresses are associated with it, just industry-wide. The second wave, the six to 10-day period, and there, the focus should be on heightened controls, especially on limited-KYC and centralized exchanges, with fast-tracked case sharing when flagged funds match these DPRK typologies. And then finally, in that 20 to 45-day period, targeting non-KYC exchanges, these guarantee services, instant swaps, with things like special measures and subpoenas, because this is where funds often approach that fiat conversion.
Starting point is 00:34:41 So it seems like the golden thread that runs through all of that is very rapid, urgent communication among different actors. Yeah, exactly. And we actually worked with one recently. There's a Venus Protocol case, September of last year. Oh, great. You have an actual example. Fantastic. Let us know as much as you can. Yeah, absolutely. So the Venus Protocol case actually occurred from a compromised Zoom client. And again, this was a social engineering attack, which allowed an attacker to gain a kind of delegation status over an account with $13 million roughly worth of assets. However, because Venus had actually onboarded Hexagate, this is a Chainalysis risk solution. So they had onboarded our Hexagate security monitoring just a month earlier.
Starting point is 00:35:27 And so this anomalous activity was actually flagged to them 18 hours before the attack, and again, when the malicious transaction actually occurred. So thanks to this, within about 20 minutes, the protocol was paused. And within a 12-hour period, all the stolen funds were recovered. Wow. The attacker actually ended up losing money in the attack. So, you know, this is a good example. It could be a lesson for other exchanges, custodians, or DeFi teams, that continuous on-chain monitoring, having a robust preventative security solution, fast incident response playbooks, and strong governance controls can turn potentially catastrophic events into very recoverable ones.
Starting point is 00:36:13 Right. And obviously, if you were able to either recover funds or avoid them being stolen in the first place, the monitoring pays for itself. Oh, absolutely. Absolutely. Are you able to say anything more specific about how that compromised Zoom, how the social engineering worked through Zoom? That sounds really interesting. I'm not familiar with the specifics of how that Zoom client was compromised. I believe it's publicly available. Okay. All right. Listeners, I encourage you to go and check that out. All right. So running towards the end of our talk today, if you had to brief a non-technical policymaker, what are the one or two most likely things that we will see North Korean actors try this year in 2026? And where should the industry focus its defenses first? Yeah. So if we look at the previous year as kind of a precursor
Starting point is 00:37:02 to help us in our understanding of this year, the previous year's data suggests, again, DPRK is becoming more patient and selective, right? They're executing fewer, but far more damaging attacks, with operations like Bybit, of course, dominating the annual loss picture. Now, we expect continued focus on large centralized services and these high-value custodians, where a single compromise can change the strategic balance for the entire year.
Starting point is 00:37:29 And again, IT worker schemes, these also have already evolved from simple employment scams into very sophisticated multi-identity operations, earning up to $100,000 per worker per month. So going forward, we expect more blending of IT worker access, social engineering of executives, and on-chain laundering, really blurring the lines between what would be insider threat or maybe a supply chain compromise and, of course, a classic hacking. So what's needed really is continued coordinated actions by, you know, agencies and organizations like OFAC, MOFA, DOJ, MSMT members against, you know, banks, OTC brokers, IT facilitators, and service providers that touch DPRK flows.
Starting point is 00:38:18 This can meaningfully raise operating costs and, as we talked about, force tactical shifts, both on-chain and off-chain. The biggest challenge for this year is going to be to spot and disrupt these high-impact operations before we see another Bybit-scale incident. Right. And that's really going to depend on how quickly exchanges,
Starting point is 00:38:40 regulators, and investigators can recognize and act on DPRK's very distinctive on-chain footprint, like what we saw with the Venus Protocol. What are the weakest links that North Korea is likely to keep exploiting? Is it people, is it processes, or is it specific types of services? That's an excellent question. I think people are typically the weakest link. And hence the focus on social engineering and use of AI tools to make videos and improve the language. Yes, absolutely. So the one improvement that would make the biggest difference would be, what if people just stopped clicking on links and were more careful about who they respond to?
Starting point is 00:39:19 Yeah, a lot of the protection can be in very standard kind of cybersecurity best practices that, again, could actually be applied to, you know, many things, not just preventing North Korea hacks. But again, that's not always enough, right? I think to be realistic, you know, humans are going to make mistakes. Humans are going to make errors. And if you are going to try and protect yourself, you have to, of course, do your due diligence there, educate, try and mitigate that. But you need to let technology work for you. And having ways to detect anomalies, to screen activity, you know, using software technology, that is the best way forward. And to me, the only way. Now, I'm not a crypto investor, but I'm just wondering, there's something that I, another security
Starting point is 00:40:10 protocol that I have, if I get a message from somebody with a link in it with no explanation, and it's unexpected, even if I know that person, I'll generally go to another platform, either I'll call that person by voice or I'll message them on another app and say, hey, I just got something from you with no context at all. Is that safe? Is there something similar that people can do in the crypto world? I would say that's a very good practice. I would recommend doing similar. Again, you know, I spoke earlier about treating everything suspiciously. If it's like an unsolicited email, a message from someone that you hadn't, you know, spoken to in a while, or an unknown number. Right. Always treat these, you know, very carefully and cautiously. You know, me and I guess yourself as well, looking at this kind of activity, you know, as part of our work. Yeah. Probably makes us pretty paranoid. And so I do the same thing. Absolutely. And I definitely did not if we looked back 10 years ago. Yeah. Well, Alec Zubrick, thank you very much for coming on the NK News podcast today.
Starting point is 00:41:14 And thanks to Chainalysis for having you on. Thank you. Yeah, it was my pleasure to be here and look forward to the next time. And be careful out there, people. Watch out for your crypto wallets. Yes. Looking to stay informed about South Korea's fast-evolving political, business and cultural landscape? Join us on Korea Pro, the go-to resource for in-depth analysis expertly curated by top-tier professionals. And now you can pick the membership level that best suits your needs
Starting point is 00:41:50 thanks to our new subscription packages. Starting at just $199 annually, you can access daily analysis and our weekly podcast. Or try our premium membership package, which offers additional perks such as executive briefings, monthly reports and forecasts, networking, perceptions and event opportunities, as well as much, much more. To find the best fit for you, just head to signup.compro.org and become a member today.
Starting point is 00:42:29 Ladies and gentlemen, that brings us to the end of our podcast episode for today. Our thanks go to Brian Betts and David Choi for facilitating this episode, and to our post-recording producer Alana Hill, who cuts out all the extraneous noises, awkward silences, bodily functions, and fixes the audio level. Thank you for listening and listen again next time.