Unchained - Why North Korea Is Interested in Cryptocurrency - Ep.150
Episode Date: December 17, 2019
Priscilla Moriuchi, director of strategic threat development at Recorded Future and non-resident fellow at Harvard Kennedy School, explains North Korean usage of the internet and how it has changed over time, how it is reserved only for the few most senior people in the regime, what the mobile devices of the other 25 million citizens connect to, and who is watching the activity on those devices. She also describes the various ways North Korea has shown an interest in cryptocurrency, how it's been determined that North Korea is engaging in those activities, such as cryptocurrency exchange hacks and malware, and its seeming interest in Monero. We also discuss how they convert crypto to fiat, and how well the government seems to have connected its cryptocurrency activities with its other real-world criminal networks used for other activities such as smuggling, drugs and counterfeiting cigarettes and US dollars. We also talk about which North Koreans have been trained to carry out such attacks and how and why they carry them out abroad rather than in North Korea. She also covers why Ethereum researcher Virgil Griffith's visit to North Korea, even if he were dispensing "public" information, would have been helpful in a country where everyone but a tiny elite is denied access to the internet. Thank you to our sponsors!
Givewell: http://givewell.org/unchained
CipherTrace: http://ciphertrace.com/unchained
Kraken: https://www.kraken.com
Crypto.com: http://crypto.com
Episode links:
Priscilla Moriuchi: https://www.linkedin.com/in/priscilla-moriuchi-410297127/
Recorded Future: https://www.recordedfuture.com
Recorded Future on North Korea’s internet activity: https://www.recordedfuture.com/north-korea-internet-activity/
Full report: https://go.recordedfuture.com/hubfs/reports/north-korea-activity.pdf
Recorded Future report on North Korea’s interest in cryptocurrency: https://www.recordedfuture.com/north-korea-cryptocurrency/
Full report: North Korea targeting South Korean cryptocurrency exchanges: https://www.recordedfuture.com/north-korea-cryptocurrency-campaign/
Full report: https://go.recordedfuture.com/hubfs/reports/cta-2018-0116.pdf
Podcast: https://www.stitcher.com/podcast/recorded-future-inside-threat-intelligence/e/52982550
Priscilla on why Virgil’s attendance at a blockchain conference in North Korea was helpful to the regime: https://www.businessinsider.com/north-korea-virgil-griffith-cryptocurrencies-bad-idea-analyst-2019-12
Priscilla on how North Korea uses cryptocurrencies to evade sanctions: https://www.vox.com/world/2018/2/28/17055762/north-korea-sanctions-bitcoin-nuclear-weapons
North Korea’s interest in Monero: https://www.wsj.com/articles/in-north-korea-hackers-mine-cryptocurrency-abroad-1515420004
North Korea’s plan to build its own version of the Petro, I mean, Bitcoin: https://www.vice.com/en_us/article/9ke3ae/north-korea-is-building-its-own-bitcoin
DOJ Complaint against Virgil: https://www.justice.gov/usao-sdny/press-release/file/1222646/download
Virgil’s Facebook post inviting others to North Korea: https://www.facebook.com/virgil.gr/posts/10112756681859159
Transcript
Hi everyone. Welcome to Unchained, your no-hype resource for all things crypto. I'm your host, Laura Shin. One quick
announcement before we start the show. Unchained now has a merchandise shop. We've got a few t-shirts, a couple hats, a mug, several mugs, and stickers.
My team and I got creative with one of the t-shirt designs and came up with an image of a crypto rabbit falling down a hole.
Swirling into the hole with the rabbit are playing cards showing some of the coins like Bitcoin, Ethereum, and Monero, as well as a doubt
card ripped in half. There's a Guy Fawkes mask, a DeFi cake, a Lambo, and a teapot that says HODL,
as well as teacups showing the Reddit and Twitter logos. There's even a shit coin. The rabbit is
wearing a big Bitcoin key chain, a unicorn and rainbow t-shirt, and of course, is listening to Unchained.
We've also got rabbit versions of the mug and some decals, as well as a special Bitcoin maxi
mug and an Ethereum maxi mug. Check it all out at shop.unchainedpodcast.com.
Again, that's shop.unchainedpodcast.com.
This holiday season, how can your donation do the most good in the world?
Givewell spends 20,000 hours each year researching charities, looking for the places where your donation will save or improve lives the most.
They provide a free list of the most impactful charities they've found.
You can find out more or make a donation at givewell.org slash unchained.
First time donors using that link will have their donations matched up to $1,000.
They accept traditional payment methods, Bitcoin, Ethereum, and several other cryptocurrencies.
Keep this in mind while you make your end-of-year tax moves. Again, that's givewell.org slash unchained.
CipherTrace cutting-edge cryptocurrency intelligence powers anti-money laundering, blockchain
analytics, and threat intel. Leading exchanges, virtual currency businesses, banks, and regulators
themselves use CipherTrace to comply with regulation and to monitor compliance.
Got any EOS? With crypto.com, you can top up their card with EOS to spend. You can also earn up to 8% on EOS per year on the crypto.com app. Download the crypto.com app today.
Kraken is the best exchange in the world for buying and selling digital assets. It has the tightest security, deep liquidity, and a great fee structure with no minimum or hidden fees. Whether you're looking for a simple fiat on-ramp or futures trading, Kraken is the place
for you. Today's guest is Priscilla Moriuchi, Director of Strategic Threat Development at Recorded Future,
and non-resident fellow at Harvard Kennedy School. Welcome, Priscilla. Thank you for having me.
Before we get into the particulars of today's topic, which is all about North Korea and its interest in
cryptocurrency, why don't you give a short background on your work with North Korea and tell us what
areas it is that you focus on with respect to the country and how you came to be an expert in this area?
Sure. So I spent a while at the National Security Agency, and I left about three years ago. And that's when I kind of gained some of my interest in North Korea. And at that same time, about three years ago, I started looking at what we would call like the network traffic, right? Network traffic coming from North Korea to attempt to understand what we can learn about North Korean leaders, their behavior, their interests, you know, any insight really
into the regime, you know, from looking at how they use the internet. And that's really how I got
onto this, I guess I would call it, like, topic, but this kind of obsession, really, from both my end
and the North Koreans with cryptocurrency and just the myriad ways in which they've been able to
kind of use and exploit blockchain and crypto technology. And this might be a really basic question,
but how do you do that? Are you literally just like hacking into their computers or are you like
monitoring web traffic or like or I don't even know maybe you can't reveal these things. I'm not sure.
Yeah. So no hacking involved. All legal. What many people don't realize is that when you
turn on your computer, right, and you go to a website, there's what's called metadata, right?
So these data points like an IP address, for example, of the website that you're going to,
the ports, right, or protocol that your computer is using to communicate with the server
that hosts that website, for example. And all of that information, right, called metadata, right,
can be harvested and collected. And that allows, you know, researchers like myself,
some insight into the behavior, you know, of, in this case, North Korean leadership. You know,
some of that, you know, of course, can be mitigated by using things like a VPN or something like
that. But yeah, it's studying the metadata, right? No content, just data points about,
what North Korean leaders are doing online. And when you first started looking into this,
what behavior were you seeing? And then how has that changed over time? Yeah, sure. So when we first
started looking at, you know, how North Korean leaders were kind of using the internet,
this was back in early 2017. And largely leaders at this point in time were using it,
what we would call like leisure activities. So lots of video streaming, video gaming, social media
use. So just like normal Westerners like ourselves. They kind of get up in the morning and
check social media, check even Western. Sorry. Sorry, when you say video streaming, are you saying
like they're watching YouTube or what does that mean? Yes. Yes. Yes. So I think what like it's
important. I guess there's a few caveats here. So one, we're able to profile this internet
behavior of essentially an entire country because most of the country, the population,
doesn't actually have access to the global internet. North Korean, ordinary North Koreans
now are able to use kind of smartphones and access like a domestic intranet and a domestic
cellular system, right, one that connects them to other North Koreans, but not ever to the rest
of the world at large. So when we look at global internet traffic to and from these North Korean
IP ranges, we are looking at a very, very, very tiny subset of North Korea and sort of the 0.1
percent, you know, I would call them the most senior leadership and their families who have
both the ability and the permission to actually use the global internet and access it for
leisure activities or for work. So that's why
it looks kind of normal because a lot of these most senior leaders, you know, in their family,
have what we would consider to be kind of normal Western pieces of life. And they aren't the ones
who are struggling to pay the bills or farm or get food on the table or provide heat for their
houses. These are the pampered elite. And if you were to put a number on how many people that is,
what would you guess that number is? It's hard
to say because again, like the amount of traffic, you know, for a country of 25 million people,
you were looking at likely under a few hundred, you know, who actually have access to the global
internet. But I don't have a specific number. I would say under 300 people would be my best guess.
Oh, wow. Okay. And so I'm sorry because I actually cut you. I was so shocked when you said they
stream videos. So could you just, yeah, finish describing what their internet behaviors are?
Sure. So, I mean, you know, at that point, you know, three years ago now, you know, we could see when users, you know, kind of get up in the morning, you know, North Korea time, you know, sort of checking news and, you know, there are social media, streaming videos, playing video games, checking news in, you know, English, Japanese, right, a number of different providers and languages. But from the most part, right, at that point in time,
most of the sort of peaks and activity were at what we would sort of consider off hours.
So after work time periods or on weekends or evenings.
And that's, you know, that the time was highly indicative that it was more the internet for
these senior leaders at that time was mostly like an amusement, right, or a leisure tool.
And over time, you know, over the past three years, that's changed pretty significantly.
So before we get to that, how it's changed, I want
to ask when you were saying they were using social media, does that mean they actually had like their own
profiles? Like, like, you know, I'm this high level North Korean person on Facebook or how were they using,
you know, social media? Yeah. So again, because we were using metadata, right? I wasn't able to see,
like, I got this question like, what's Kim Jong-un doing online? I don't really know, right? I know what
people in Kim Jong-un's social circle are probably doing, you know, and other leaders.
And so, yes, you know, we could see, for example, like, you know, scrolling through the
Facebook news feed, but I don't know what the content of that news feed was or what the account was,
for example, you know, same with Twitter, you know, scrolling through Twitter, but I couldn't
see what the user was.
And it, okay, yeah, because I was trying to figure out, like, are they friending each other
or are they trying to friend like people?
Okay, but we don't know that.
But one thing is, you know, I asked you kind of the number of people.
Do you have a sense of like when you say the most elite?
Like can you give examples of like types of people or titles that would be allowed to access the global internet?
Sure.
So I could give like types of people, right?
So it would be senior Korean Workers' Party, right, or KPA, the People's Army,
leaders, most senior intelligence leaders, you know, certainly Kim Jong-un's sister, right, would be among
those who would be sort of trusted enough for global internet access and possibly some sort of
university researchers, right, doing research on behalf of the state. And you may not know this,
but obviously since, you know, the other 25 million people are not allowed on the internet,
like how is access granted or how is permission granted? Because, you know, I'm sure there are some
people who are maybe close to having that privilege, but, but like until they're given it,
like, it would probably be very, very dangerous for them to try to access it on their own.
So do you have any sense of that?
So I don't know, like, what the procedure is for someone who's, like, granted access to the
internet. I mean, we have an idea of, like, the devices that users who do access the internet,
are using. This is a lot of mobile devices, iPhones and Huawei handsets, also a lot of Windows,
computers. So we know that from a technology perspective, users of North Korea's internet are
using everything from like the latest iPhone to like computers that are running Windows 7,
which is now like a deprecated operating system. So like in a certain case, it's like bring your own
device, North Korea style. And then for, you know, sort of the normal North Koreans, their cellular
network and their intranet doesn't even have a physical hardware connection to the global
internet. So there would be no way for them to like hack their way around things or hack their way
through, right? They don't even have that possibility to access the global internet from any
device that they own. Plus the devices they do own are supplied by the state and there's spyware
on them, right, which monitors the websites they go to, the files they download, the conversations
and messages that they send and receive. Oh, wow. Oh, okay. Wow, I didn't, I wasn't aware of that.
And I don't know if you know about this, but does that mean then there's like some agency in the
North Korean government that's actually monitoring what the population is doing on their devices?
Yes, most likely. Yeah. So for the population, it's not clear the extent to which, you know,
all North Koreans understand the monitoring of their personal communications on their cell phones.
I think most of them are aware of it. But mobile phones in North Korea sort of serve this dual
purpose for leadership, which is one, you know, giving the population this feeling
of modernity. You know, North Koreans, for example, are watching illicitly, like more and more videos and media from the outside world. It's making its way
illicitly, like more and more videos and media from the outside world. It's making its way
into North Korea, you know, on thumb drives, on CDs, on a number of ways. And North Koreans
are watching that. And they have at least some idea that, you know, sort of the rest of the
world is embracing or has been able to use these technologies, right, that they're just
beginning to see, right, mobile phones, you know, the internet. And so this, you know, allowing
North Koreans, you know, to have mobile phones, you know, gives them this sense of sort of catching
up to the rest of the world on one hand. But on the other side, these are pretty much kind of built-in
surveillance devices for the Kim regime and the, you know, the security services to keep an eye on
the population. Okay. And now I realize we're maybe getting a little bit out of your area of
expertise, but just one last question on this. So if you're saying that, you know, people can't,
people are accessing information from the outside and watching it, consuming it, you know,
like movies and songs and whatever, but at the same time, their devices are surveilling them,
then are they using different devices to watch the illicit material? Yes. Yeah. So there's,
there's some studies that have come out indicating that North Koreans will have separate devices,
So they'll have their mobile phones for their communications, and then they'll have like portable CD players are kind of popular or kind of low end other sort of mobile devices, right, that won't ever kind of connect to a network, right, but allow them to upload files via USB, for example.
Okay. So, you know, we started with you describing what you saw was the internet behavior of the North Korean elite when you first started monitoring it a few years ago. And then you said that it
has changed. How has it changed? Yeah. So over time, and I wouldn't be so forthright to say that
our research has been read by North Korean leadership. I think this is probably likely just
patterns and how people are using the internet globally. But when we first started looking at it,
it was like 99% of North Korean users were not even doing the most basic internet hygiene,
right? So they wouldn't go to sites and use HTTPS, for example, which enables what we call
like SSL encryption. So when you use an HTTPS site, for example, someone from the outside,
a third party cannot necessarily view the content of the communication between your computer
and that computer. They can see the fact of that communication, for example, but they can't
see that you, Laura, checked your Facebook account. They can see a communication between
your computer and Facebook. So that's one of the things that over time that we've observed is that
North Korean leaders, you know, whoever they are, are becoming more security conscious. They're using
VPNs, virtual private networks. They're using some of the most basic, taking some of the
most basic steps to internet hygiene, right, using SSL, for example. And that limits, you know,
to some degree, our ability to see what exactly the communications are, the sites exactly that
North Koreans are going to. So that's one, they become more security conscious. And second,
there has been this shift over the past few years to what we call it the professionalization
of the internet? So we talked earlier about how much internet use was sort of in these off hours
or on weekends and involved video streaming. And over time, the use of or the percentage of
the use of media has stayed the same, but the other types of content, right? And the hours in which
North Koreans are using the internet has shifted to be much more now towards workday, work hours.
And that indicates, it's an indicator to us that the internet is becoming more of a tool,
right, a professional tool for these North Korean leaders as opposed to just kind of a leisure activity.
Yeah. Well, clearly, that's why we're
doing this show because one of the areas that they're focusing on is definitely cryptocurrency.
And so why don't we just give a high level overview of what North Korea's interest in
cryptocurrency is? Like, you know, what are you seeing that's showing you that they're interested
in that? How do you know that this is going, that, you know, it is them that's interacting
with these cryptocurrencies and in general, why do you think they're interested? Sure. So I'll try
to break that down. So first, we first saw that North Koreans were interested in cryptocurrency
when we observed some mining activity, right? From the North Korean IP ranges in March 2017,
right? So that piqued our interest. It was really small scale, looked like just a few
machines conducting Bitcoin mining. And then from my perspective, that led me to look into,
is North Korea using sort of Bitcoin and other cryptocurrencies in any other ways.
I mean, it just kind of started this odyssey, and especially in 2017, where you have,
where we've gotten to this place now, you know, from 2017 through today, where I would say
there are like five ways, right, in which North Korea either uses or exploits or gains
cryptocurrencies. So one is mining, right? We see them, North Korean leaders.
Some UN member states have sort of submitted anecdotes to the United Nations, which the UN has then put out in their reports about potentially the military also engaging in cryptocurrency mining.
So we've got mining from either senior leaders and or the military.
Two, we've got these thefts, right?
Large-scale thefts from cryptocurrency exchanges mainly in South Korea and cryptocurrency users.
Third, North Korea has really embraced what we call it crypto scams. So either like standing up a fake blockchain company or cryptojacking, which I'm sure your users will be aware, right? It's this concept of stealing the computing power of another and unwitting user's machine to mine cryptocurrency.
Fourth, through low-level crime. So another kind of interesting aspect of North Koreans' use of the Internet
is this idea that they engage in a lot of like low-level criminal activity, like thefts from
online casinos or thefts from users, gaming users' accounts, like theft of armor, for example,
and resale of that, the writing of scripts, right, to cheat at certain games and then selling
those scripts on. So that generates some of those transactions take place in cryptocurrency as well.
And then the fifth is the most kind of speculative at this point. But there have been reports that
North Korea is looking to develop its own kind of token or some kind of coin.
Right. And for some of the other ones, you know, like the cryptojacking or, you know, the thefts,
how is it that North Korea was determined to be behind those?
Sure. So when a, what we call it like a cyber operation or an intrusion is executed,
typically, the attackers leave, I guess what we would call like little breadcrumbs, right,
whether they know it or not, right, behind evidence that is accumulated over the course of conducting
the cyber operation, whether it be sort of inside the victim network or outside on the infrastructure,
right, the computers, the IPs, the domains, right, that they had to use to sort of trick the victims
and conduct the operation.
So they leave all of these little data points that when you pull it together, allow you to develop a signature for something that looks like North Korean operation.
And so this case with like the cryptocurrency exchanges, we had a number of those data points.
Plus for me, right, I only kind of assess that North Korea was behind an intrusion when one, I've got enough of those data points
so I have at least 70% confidence. And two, in many of the cryptocurrency exchange cases,
the South Korean NIS, so their intelligence service, has made some kind of public statement
in which they've implicated North Korea. And I wanted to also ask about the exchange hacks
when you were saying that they have especially targeted South Korean exchanges.
Is that simply because there's like a shared language? You know what I mean? Like is it just as
simple as that because obviously there's a ton of cryptocurrency exchanges around the world. Many of them
have greater sums of money. So, you know, I don't know why it is that they're focusing there.
The only thing I could think of was the language. So I think there are probably three reasons. So
one is the language, right? Two is South Korea is kind of enemy number one for North Korean military
and intelligence services. You know, they have entire units that are focused just on, you know,
disrupting aspects of South Korea and government, communications, foreign policy, society,
stealing from South Koreans.
And so as a target, South Korea is really the pointy end of the sphere, the spear when it comes to
North Korean cyber operations.
And third, I think your listeners will probably understand this, is that there's a slightly
different environment for cryptocurrency use in South Korea than in much of the rest of the
world. Many more of your average citizens use cryptocurrencies in South Korea than in many other countries.
There are a lot more like physical exchanges in South Korea as well, like physical ATMs, physical branches,
right, where people can exchange a wide variety of cryptocurrencies for fiat currency. So I think between
this sort of combination of those three that makes South Korea just a really appealing target
for North Koreans.
That's true. Yeah, the penetration of the average population there is much higher than I think any other place on Earth.
And one other thing I wanted to ask was when you mentioned the mining earlier, you said that it was the military that was mining cryptocurrency.
So, you know, I don't understand everything about the regime, but is that, that's like part and parcel of Kim Jong-un's regime, right?
It's not like, was the military doing that independently? Like, did they decide that themselves? Or like, why, why is it the military and not just like the regime generally? Do you don't, do you kind of understand what I'm asking? Yeah, yeah. So, um, the military are one of the main benefactors of the Kim regime. Um, one of the sort of factions that the Kim regime needs to keep happy. Um, and one which they devote significant resources to.
So, you know, the Kim regime have kind of a military first policy, right, in which resources,
food, revenue, right, are diverted to the military first and then kind of ordinary citizens
later.
So one, military are extremely important to have on the side of Kim Jong-un and to support him.
And second, you know, the senior military leaders, right, and for special military operations
would certainly have access to the global internet.
And then in this case, from what we've seen of both sort of the hardware and the software
installed on North Korean networks, it's not likely that anything sort of happens, right?
Or mining, even on a small scale, right, because the type of the volume of traffic it creates
could really be achieved without the sort of monitors, internet monitors or administrators being aware of
it. Right. And is that, because I read the UN report, you know, talking about how the money being
earned from cryptocurrency by North Korea is probably used, being used to fund its nuclear power. So is that also
why it's connected, why it is that the military is the one doing the mining? Or is that not related?
It's possible. I mean, so the, I mean, one of the, there are many interesting
things slash bizarre things about North Korea. But, you know, one of those interesting things is that,
you know, for the most part, they're, and especially in the military, you know, everyone, every mission,
every personal, every person, their first job is to support the state and the goals of the state.
And so in this case, you know, with the military, you know, whether the military were involved and not,
the state have very specific goals, the continuation of the regime, the Kim regime,
establishment of themselves and their ballistic and nuclear missile program,
and potentially, right, the reunification of the Korean Peninsula under the Kim regime.
So all people, right, there's no sort of independence.
I don't think that's going to happen, but anyway.
It's a lot of optimists up there in the North Korea.
And there's really no room, right, for independent
careers, right, or independent efforts in North Korea to a large extent. So when the military is
engaged in something, right, it's because it's supportive of one of these three goals.
So one other thing that I wanted to ask about, which is pretty well known in the cryptocurrency
space is that, yeah, in the cryptocurrency space is that North Korea was likely behind
the WannaCry ransomware attack. First of all, for listeners,
who maybe aren't familiar with that or have forgotten the details, can you describe that attack
and then also explain why it's believed that North Korea was behind it?
Sure. So WannaCry was a piece of ransomware. And the sort of attack that we're talking about
occurred in May of 2017, in which, as we now know, the North Koreans kind of tweaked this
largely publicly available piece of ransomware called WannaCry to incorporate,
what's known sort of in the cybersecurity community at the time was a zero-day exploit, right?
This one was kind of endemic to Microsoft systems, and at this point in May, many users were aware but hadn't patched their systems.
So there were many, many computers globally, right, millions that were still vulnerable to this particular exploit that North Korea then sort of installed in the WannaCry ransomware and deployed on the world.
And really what sort of raised the, I guess the specter of WannaCry and why people still refer to it is because it had such a global impact.
It spread to computers and users around the world, right, no matter what country you were in if you had not updated or patched.
And it had some really huge impacts.
For example, it took out the UK's National Health Service, the NHS computers.
And, you know, it kind of swept the world for a few days.
So yeah, that's WannaCry.
So in a moment, we'll discuss what North Korea did with the Bitcoins they earned from the
WannaCry attack.
But first a quick word from the sponsors who make this show possible.
Today's episode is brought to you by Kraken.
Kraken is the best exchange in the world for buying and selling digital assets.
With all the recent exchange hacks and other troubles, you want to trade on an exchange
you can trust.
Kraken's focus on security is utterly amazing.
Their liquidity is deep and their fee structure is great with no minimum or hidden fees.
They even reward you for trading so you can make more trades for less.
If you're a beginner, you'll find an easy on-ramp from five fiat currencies.
And if you're an advanced trader, you'll love their 5x margin and futures trading.
To learn more, please go to kraken.com.
That's kr-a-k-en.com.
Got any EOS?
Crypto.com is adding more
utility to it. You can top up their card with EOS and spend anywhere Visa is accepted. Not only can
you spend your crypto, but you can grow it too. Earn up to 8% on EOS per year on their app.
Crypto.com has recently launched its exchange and crypto fundraising platform, The Syndicate.
There is a 50% off EOS sale starting next Tuesday, December 17th, 6am, UTC for 24 hours only.
Sign up on the new exchange to enjoy the sale now.
Will the world follow France and advocate
banning privacy coins? Will government-backed stable coins become the new fiat? Are distributed and
peer-to-peer exchanges just a flash in the pan? The answer is maybe. Virtual currencies can flourish
and create a new, private, and more versatile economy. But that grand vision can't happen without
keeping crypto clean. And that requires support of governments and accountability for bad actors.
Privacy enhanced compliance using cryptographic control
has the potential to preserve anonymity without compromising legitimate investigations.
CipherTrace is working on this vision of the future.
Sign up to stay up to date on the Privacy Enhanced Compliance Initiative
and receive authoritative crypto AML reports quarterly.
www.ciphertrace.com slash keep crypto clean.
Back to my conversation with Priscilla Moriuchi.
So North Korea perpetrates this attack
around the globe to try to obtain Bitcoin, Bitcoin famously has this public blockchain. And yet,
I believe the North Koreans actually were able to profit from the attack. So what did they do with
those Bitcoins? Sure. So I think, you know, there's still some debate about what the goal of
Wanukry was for the North Koreans. I mean, if you look at it from a revenue generating standpoint,
by the end of the attack, or when the accounts, the three Bitcoin wallets,
where the ransom was directed, right?
But the time those accounts were cashed out in August of 2017,
the value of those kind of 52-ish Bitcoin were about 142,000 U.S. dollars,
which is a lot, right?
But not a substantial amount.
And so I think, you know, a couple years later,
when the U.S. government kind of came out
and publicly attributed North Korea to the want to cry attack,
their assumption was that North Korea had engaged in this sort of caused global chaos, right?
It's possible that they didn't realize how far this piece of ransomware would spread
because while the exploit they were using was relatively new and it had been a zero day prior,
there had been time for some people to patch their machines.
So that's kind of the first step.
So once, you know, as sort of one of the people who was kind of following this at the time, looking back, you know, a lot of people in the sort of information security community were kind of smiling, because as, you know, WannaCry spread and the ransom note would pop up on people's machines, it directed people to pay the ransom to only three Bitcoin wallets, right? And people were pretty certain that we, the global we, right, could track these three Bitcoin wallets. We could keep an eye on them. And we could track where the transactions were going, and we could then find out who is responsible. So if you fast forward from May, where everybody's kind of smiling, to early August, August 2nd of 2017, those three wallets were emptied within minutes of each other in six transactions. So two transactions each emptied all of those wallets. What we know from there is that the transactions, or the Bitcoin, were then fed into what's called a mixer, right, which I'm sure your users will be aware of what a mixer is. And then when the coins come out on the other side, they were then converted to Monero. You know, as your listeners will be aware, the Monero blockchain is much different than the Bitcoin blockchain. And each Monero transaction is encrypted so that only the user and the receiver can see the transaction. And that's essentially where the trail runs cold, right, for researchers. And for me, like, what was really interesting about the way North Koreans moved the coins around was, one, that they were willing to take, you know, hits in terms of fees, right? Bitcoin fees, mixer fees, Monero fees, transaction fees, right, in order to maintain that anonymity. And it seemed to be a conscious decision to move, right, after the coins were kind of run through the mixer, to a sort of privacy-focused, right, token.

Yeah, I feel like Monero is kind of a theme with North Korea, because I believe that the main cryptojacking malware that's associated with North Korea was being used to mine Monero. You know, do you feel that this regime has a particular interest in Monero? And if so, you know, how do you think they're using it and benefiting from it?

Yeah. So we've seen the regime use three coins: Bitcoin, Monero, and Litecoin. So for a while in 2018, we saw some really small-scale Litecoin mining from North Korean leaders as well. That has since ceased, right? So we've got overall kind of a focus on Bitcoin and Monero. And you're correct that we do see Monero used by North Koreans, but also certainly not moving away from Bitcoin. My sense is that North Koreans are using Monero because of the focus on privacy and anonymity, even though Bitcoin can be utilized in a way that would make the end recipients of transactions virtually anonymous anyway. And I think, you know, from sort of our studies of the criminal community at large, Bitcoin is still very, very widely used and even preferred among many in sort of what we would consider like the dark web, right? Or the Russian-language, especially, criminal underground, because of the ease of use, right? There are so many, you know, sort of Bitcoin users, participants. And, you know, it's a quick, it makes for quick transactions. So Monero is sort of slower transactions, but again, I think it's really that focus on anonymity for North Korea.

So obviously, you know, cryptocurrency is useful to North Korea. However, it's probably only useful once it's converted into fiat. So how does North Korea convert cryptocurrency into fiat? I can't imagine it's very easy for them.
Yeah, that's the last mile in this whole dramatic story that we have the least insight into. I think there are a number of educated hypotheses and theories. So one, I used to get asked a lot about whether North Korea has this huge stash of coins, right? That they're just kind of stockpiling and hiding, and they're just going to cash out whenever they want. My sense is that North Korea needs the money. So within a short period of time after they acquire the cryptocurrency, whether it be in a large-scale theft from an exchange or through cryptojacking or whatever crime, they need to be converting it into a fiat currency. So one, they're not kind of storing it. I'm not sure how well or not well, you know, they kind of play the market, you know, whether they cashed out all of their 2017 earnings in December, for example, when Bitcoin was at its peak, or not, I'm not certain. But I think we do know that they need the money. And there are sort of existing networks, we would call them physical networks, that North Korea has established over the past 40 years. These illicit networks in countries in Southeast Asia, for example, in Europe as well, that these networks kind of exist in the embassies and consulates, attached to overseas embassies and consulates, that have facilitated North Korean illicit activity for decades. So everything from drug smuggling to precious gems smuggling to counterfeit cigarettes and US dollars. These networks have facilitated that for decades. And I strongly believe that these networks are also involved in exchanging cryptocurrencies for fiat currencies or even... And I'm not sure what you can actually purchase as a physical commodity with cryptocurrency these days. It's possible that someone somewhere is willing to take Bitcoin for coal, for example, or for an offshore oil transfer. I think we just don't know how much you can really get, right, these days.
So I'm going to read a bit from the AP report, which actually was about the UN report. They say, quote, "According to a report from one unnamed country cited by the experts, stolen funds following one cryptocurrency attack in 2018 were transferred through at least 5,000 separate transactions and further routed to multiple countries before eventual conversion to currency that a government has declared legal money, making it highly difficult to track the funds." That's not so sophisticated to me. So, you know, in general, from what you're seeing, do you feel like the North Korean hackers have a like very high level of sophistication and fluency with regard to cryptocurrency?
Without a doubt. So, I mean, if you talk to some South Korean researchers, they have seen North Korean cryptojacking malware since 2015, right? When, for most of the world, most of the world didn't even really know what Bitcoin was at that point. And the North Koreans were already creating malware, right, that would mine Bitcoin, right, without users' awareness. So there's been an underestimation in general by the global community of North Korean capabilities when it comes to cyber operations, North Korean knowledge around the banking system, for example. And you can see this when you start to look at North Korean cyber operations, the sophistication of the North Korean bank thefts, for example. North Korea and the North Koreans who are executing these operations have a very deep understanding of how cryptocurrency and the crypto ecosystem works and how to mesh that with their physical networks, right? The physical people on the ground who already understand how to launder money through casinos, for example, is a popular one. And it's this integration, I think, that really strikes me, right? In terms of North Korea, right, cryptocurrency doesn't just stay in the virtual world. It very much, you know, supports these real-world outcomes, and they integrate these two networks, you know, to make it just even more impactful.

Yeah. And actually, that reminded me of, actually, what I meant to ask you earlier was, I was surprised when you said that one of the ways in which they probably cash out is through networks in Europe, because in general, I think of Europe as being a place where it's mostly democracy. So are there any particular countries there that tend to work a lot with the North Korean regime?

So in this case, it's not, from what we see anyway. It's not that the countries work with North Korea or even that the countries are aware that there are North Koreans conducting illegal activities in their countries. It's more of using these countries for, for example, the financial system, or for the embassies and consulates, or for the networks, right, that they've established with the criminal underground in those countries, you know, that North Korea is able to use and exploit. So like if you look, for example, you take a look at the banking operations. So these cases in which North Korea has managed to gain access to the SWIFT, right, which is the interbank transfer system, the SWIFT servers of banks, where all of their, or where many of their, we call them like fraudulent transactions, are directed. You have fraudulent transactions going to banks in Hong Kong, Southeast Asia, financial centers such as London, right? Some transactions into banks in New York, for example. So I think there's a focus and an idea, you know, but certainly in the West, there are also North Korean collaborators, people who are unknowingly collaborating with North Korea as well, which is this large system of support, right? You know, we really have a hard time kind of putting our finger on and explaining, because it's been cultivated for so long.
And so I mentioned that UN report a couple times, but can you talk a little bit more about how it was determined that this $2 billion that they earned in cyber attacks was used to fund their weapons program?

Yeah, so I think the $2 billion is the total for the cryptocurrency thefts and the banking operations, so the fraudulent SWIFT transactions, from late 2015 up until early 2019, so about a four-year period of time. And if I read the UN report correctly, I think the understanding is that that was funding the weapons program, through looking at kind of the North Korean defense sector and also, to be honest, just through what I would call just high-confidence assessments that, you know, when you look at North Korean funds, how the large majority of it does go to the military and these programs.

Oh, I see. Okay. So, you know, as we talked about in the beginning, the general North Koreans do not have access to the internet. There's only this like very select few at the very top who do have access to the global internet. So who is performing all these cyber attacks? How have they been trained in this way? Because clearly it's, they're probably not just like everyday North Koreans who, you know, like here in the US, like somebody who becomes a very skilled programmer probably grew up playing with computers. But in North Korea, there probably aren't that many kids that grow up that way. So who are these hackers?

Sure. So certainly in like the early days of the program, I'd say they're probably, maybe the next generation of North Korean hackers will have grown up playing with, at least, smartphones and will be sort of technology users, right, because of the internet and their mobile devices. But, you know, for sort of the original generation, and to a certain extent still today, North Korea develops its kind of hackers in a kind of state-run sort of, if you think of the Soviet Union's development of gymnasts system, in which... I knew you were going to say that. It's like I don't have another great metaphor, because it's kind of bizarre. Like you have a proclivity, right, to math, for example. You know, and North Korean kids, they're identified at like the middle school stage, right, having a number of, you know, whether they have a good, you know, capacity for math. They're then shipped into one specific high school, right, or follow on to a couple of different universities, Kim Il-sung University, Kim Chaek University, for example, where these, you know, Koreans are trained, right? And I think in the, there's some defector testimony that kind of in the early, early days, you know, we're talking about like the 90s, the late 90s, you know, users or students at the universities would learn how to code by typing on like paper keyboards, because they didn't even really have computers or keyboards.
Wait, what is a paper keyboard? I don't even know what that means.
So it would be like a printout of a keyboard on like a piece of paper, and they would kind of type on it way back in the early days. They're well beyond that at this point. You know, you see pictures of sort of computer labs, right, at these universities. No more paper keyboards, but in the way early days, right, that's how some people learned. And so, again, they have this intranet, right, in which you can learn a lot of basic computer skills, right? Networking, coding, et cetera, right, just by operating on this intranet. And then for those that exhibit, you know, kind of graduate from the program, you know, they're either seeded into the military, which is in most cases what we think of, or the intelligence service, the Reconnaissance General Bureau, the RGB, right, will then send people overseas. And it's at that point that even, you know, there's a lot of unique things about North Korea, as we talked about earlier, but this is particularly unique, in which there's a substantial subset of North Korean cyber operations, these crypto scams, this crypto generation, right, the thefts, for example, some banking operations, right, some of the low-level crime, right, that takes place in countries overseas, not actually in North Korea. So we're talking about India and China, for example, where North Korea will send their students to study, to learn a little bit more, and then sort of house all of their hackers in, I don't know, the best word was like hacker dorms, you know, if we take some defector testimony to heart, in which, you know, there'll be 10, 20, 30, tens of cyber operators housed in kind of a warehouse environment. They have to purchase their own computer. And it's their job kind of all day long, under the eyes of their either intelligence or military minder, to conduct operations to generate revenue for the regime. And from a volume perspective, right, most of those operations are just kind of low-level crime, low-level crypto scams, IT work, like legitimate IT work. And then, of course, you have the kind of big splashy stuff as well.
And so why is it that they send these cyber operators overseas? Like, you know, I do this podcast from my apartment. Like, why does it matter where they are physically?
So for a long time, North Korea has had such limited IP space. So, you know, there are about, anywhere between, about three IP ranges, you know, that North Korea uses on a regular basis to access the Internet. Those three IP ranges are very well known. They're, as, you know, our research has shown, right, people are aware of them. It's easy to track. And in most cases, while there has not been, like, necessarily large cost to North Korea for being attributed to some of these attacks, they at the same time don't want to be, or they want to make it as hard as possible for researchers and for other governments, for example, to link North Korea to any of these attacks. So for one, when all of your operations come off of a very small subset of IP addresses that are already well known to be North Korea, it takes some of the guesswork out of attribution. But second, also for a long time, you know, arguably up until about 2017, North Korea had very few like physical connections to the actual internet. And most of those were controlled by China or Chinese companies. And were relatively, which meant, right, that North Korea was sort of subject to, you know, at any point, a Chinese decision to cut off the internet. So it's this idea that cyber operators and hackers, they were so critical, right, to the regime, they have to send them overseas and take that risk. It's a risk that some of their most highly trained assets could be arrested, right, in a foreign country, because it was so important for them to be able to continue their operations unimpeded.

Well, okay. Yeah, it just goes to show how little I have the mind of a cyber attacker, but anyway. For better. For better.
So let's now discuss the sanctions piece, because obviously, you know, the reason why discussing North Korea's interest in cryptocurrency is especially timely right now in the cryptocurrency world is because of the arrest of Virgil Griffith, a researcher for the Ethereum Foundation, who was arrested for allegedly helping the North Korean government, or attempting to help the North Korean government, evade sanctions. And in some of the discussions in the crypto community on Twitter, people were saying to me that actually sanctions hurt the everyday people more than the regime. So I was wondering, you know, from your understanding of how Korea works, what would you say about that? Is that true?

Yeah. So, I mean, there's always this back-and-forth argument when sanctions are imposed on a country about who is actually hurt, right, by the sanctions. You know, we have this discussion with Iran, for example. And there, I think there's no doubt that the population certainly suffers in North Korea when sanctions are imposed. But I think my counter to that argument is that the population was suffering anyway. The population was, even without sanctions, right? To a large extent, the Kim regime subverts the needs of its people, the physical needs, right? Food, shelter, you know, those types of things, security, right, to the needs of the state. And they have policies in which their population are directed, right, to subvert their own needs to that of the state. So, you know, the Kim regime doesn't support its population anyway. And, you know, I think certainly that sanctions do harm the population as well. But Kim himself, in his 2018 New Year speech, last year, acknowledged that the sanctions were also, you know, harming the government and the military and their ability to execute their own goals. So I think my own personal view on the sanctions is that they're ultimately necessary if we as the world believe that North Korea should not have a nuclear weapon. And we want to one day hope to give North Korean people a better life.
Yeah. And for listeners who missed last week's episode with North Korean defector Yeonmi Park, I highly, highly recommend you listen to that. She suffered as a child under the North Korean regime. And when I asked her this question, she said, look, he wants the sanctions to be lifted. That means that they hurt him. And that means that lifting them benefits him. And she said, you know, when I was living there, I was basically starving. I was passing dead bodies on the street. I just thought that was normal. And she said, you know, even if they were lifted, it's not like he's going to, you know, be feeding people. All of the benefit of that will go to the elite. And she said it in a much more impassioned way than I just did. But it's such an incredible episode. I highly recommend people listen to that. So then I also wanted to ask about the Virgil situation specifically, where, you know, so we don't know all the facts, but some of the facts that we do know, these are just public things that he was tweeting or posting on Facebook or whatever, were that he spoke at a blockchain conference in Pyongyang. He had permission from the North Korean government to travel there, and unfortunately not from the U.S. government, which is why he's in trouble. And that afterward, he was also in communication with what he called the Pyongyang Sci-Tech Complex. And he talked about how, you know, he was helping them invite new people to talk there. So just even that alone, without going into whether or not what DOJ alleged was true or not, based on those things, what would you say would have been the impacts of what he was doing? Who could have benefited from his talk at this conference and, you know, the fact that he would travel there with the permission of the North Korean government, et cetera?

Yeah. So from my perspective, you know, I think North Koreans have, as we talked about earlier, you know, a very deep understanding of cryptocurrency and blockchain technology. But that doesn't mean that sort of every North Korean with a job that may tangentially relate to blockchain technology understands it as fully as some others do. So even the ability to have experts on site in person to bounce ideas off of or ask questions to, you know, it's sort of like if you work remotely and you get in the same room as the rest of your team, there's a lot of value there, right, to be able to ask those questions and bounce those ideas off. So, you know, I don't, I don't have a perspective or, you know, a viewpoint on whether what he did was right or wrong. But I do think that North Korea could have derived some value, right, from his interactions.

And you're saying that because of how people were saying that the information he was giving was already public on the internet?
Yeah, I think, I mean, the other half of that is like, you know, as we sort of spent much of our time talking about, is like most North Koreans don't have access to the internet. So they can't just Google something that they're having a problem with. You know, they don't have that ability, right? And especially some of the mid-level people, you know, that might be attending these conferences, right, don't have the ability just to hop on a computer and look anything up. So it'd be this idea of being able to ask, right, troubleshoot, bounce ideas, right? Even to the extent that, you know, the foreign visitors may not really think what they're contributing is of value. There's no question that North Korea would not allow, right, you know, these experts in if what they were contributing was not of value.

Yeah. And when you say that, you mean the regime, not the everyday people.

Right. I mean, you know, there's arguments back and forth, but I think from the sort of research and scholarly community, there's widespread agreement that, you know, the North Korean government, you know, controls visitors who come in and out. They approve visas and they widely scrutinize, you know, any visitor who wants to come into the country. And if it's not to the benefit of the Kim regime to allow this visitor into the country, they are not allowed.

Yeah. So, given everything that you have researched about North Korea's usage of cryptocurrency, and also knowing, you know, in general, kind of sort of the wider geopolitical things going on with, you know, the regime trying to maintain power in its pursuit of nuclear weapons, etc., do you think there's any point in maybe like trying either to prevent North Korea from benefiting in cryptocurrency, or is there just like anything that can be done to, you know, because I mean, I think in general a lot of people would not say it's a great thing for them to have more nuclear weapons, you know, except for those few hundred people maybe that are accessing the internet from North Korea. So, you know, I'm curious if you have any thoughts on whether that can be done. And if so, how?
Yeah, sure. So, you know, the first is on the idea of sanctions and financial controls. For the most part, you know, most of the international and the U.S. sanctions have focused on territorial North Korea and on traditional means of revenue generation, right, or trade. So, for example, prohibitions against trading coal, right, or oil with North Korea, focused on North Korean companies that are tied physically, right, to North Korea. And I think what, you know, we in the research community have learned over the past, you know, several years is that much of the revenue that the Kim regime does generate is not tied to these sort of traditional means of generation and, you know, that this, the internet is a much bigger tool, right, in a number of ways, cryptocurrency is one of them, than really governments realize and are equipped to deal with at this point. So one, you know, either updating, right, the scope of sanctions or, you know, UN resolutions to allow, you know, countries or the UN or the financial system, you know, to bring these into the 21st century, right? Track cyber operations, understand, right, the cryptocurrency system. And two, on the cryptocurrency side, you know, there are attempts in a number of countries to instill some more regulation, like know-your-customer laws, for example. And that's something that would certainly help, you know, drive or maybe shine a light on North Korea and their use of cryptocurrency, but also sort of the criminal element in cryptocurrency broadly.
Yeah, I wonder what this section of the show is going to, what reaction this is going to elicit on Twitter, because there's definitely the cypherpunk element where they're going to be like, what, she suggested more KYC, more AML.
Right, right, right.
Yeah, I mean, like this is my position as a researcher who, you know, studies North Korea and who really, you know, that's just one perspective. They can hate it or love it. But, you know, sort of my interest is in outing North Korea and making sure the Kim regime doesn't continue to bring in hundreds of millions of dollars a year to repress its people and, you know, fund a ballistic missile program.
Yeah, yeah. And for sure. I mean, you know, and I interview a lot of, I interview a lot of people on both sides. You know, there are obviously the companies that are working exactly in that area. You know, many of them are my sources. And, you know, I talk to them a lot. And so there is that group in the crypto community as well. So last question, because of those types of people who I have listening to my show, you know, cryptocurrency investors and developers and builders of startups and other general enthusiasts, for people who are interested in using such skills to help the situation in North Korea, what would you suggest they do?
That's a great question. I think for the most part, most of these blockchain technologies are not aware of North Korean interest or usage, right? Most of the people who run them or develop them or use them are not aware. So certainly there are some basic things that you can do if you're interested in, like, at the technology perspective, and just these really little low-level things. Like, for example, you know, if you have blockchain updates or if you run a blockchain company and there are connections, right, to your resources from North Korean IP ranges, right, you can block those, because, as we said, for the most part, those will be the most elite, right? The most senior leaders in North Korea, not the people that we're trying to help, but the people who are actually trying to circumvent financial controls and, you know, support the missile program. So there's some basic technological, right, blocks that you can institute, and certainly understanding who your user base is, right, to the extent that you can. I think that those are sort of the only ways to get around it.
All right.
Great.
Well, where can people learn more about you and Recorded Future?
Sure.
So we publish most of our research at blog.recordedfuture.com. We've got another report coming out shortly on North Korea, so come check it out there.

Great. Well, thanks so much for coming on Unchained.

Thank you so much for having me. This was great.
Thanks so much for joining us today. To learn more about Priscilla and Recorded Future, check out the show notes inside your podcast player. If you're looking for a fun holiday gift or if you just really love the show, check out our new merchandise shop at shop.com. Unchained is produced by me, Laura Shin, with help from Fractal Recording, Anthony Yoon, Daniel Nuss, Josh Durham, and the team at CLK Transcription. Thanks for listening.
