In the cryptocurrency ecosystem, coins have a story, recorded on the immutable blockchains that underpin their economy. The only exception, in a sense, is cryptocurrency that has been freshly generated by the computing power of its owner. So it seems North Korean hackers have adopted a new trick to launder the coins they steal from victims around the world: paying those dirty, stolen coins to services that let them mine new, innocent ones.
Today, cybersecurity firm Mandiant released a report on a prolific North Korean state-sponsored hacking group it now calls APT43, also tracked under the names Kimsuky and Thallium. The group, whose activities suggest its members work in the service of North Korea's Reconnaissance General Bureau spy agency, has focused primarily on espionage, hacking into think tanks, academics, and private industry from the United States to Europe, South Korea, and Japan since at least 2018, mostly through phishing campaigns designed to harvest victims' credentials and install malware on their machines.
Like many North Korean hacker groups, APT43 also maintains a for-profit cybercrime sideline, according to Mandiant, stealing any cryptocurrency that can enrich the North Korean regime or even just fund the hackers' own operations. And as regulators around the world have tightened their grip on the exchanges and laundering services that thieves and hackers use to cash out coins tainted by crime, APT43 appears to be trying a new way to cash out the funds it steals without having them seized or frozen: it pays the stolen cryptocurrency to "hash rental" services that let anyone rent time on computers used to mine cryptocurrency, then collects the newly mined coins, which have no apparent connection to criminal activity.
This mining trick lets APT43 exploit the fact that cryptocurrency is relatively easy to steal while sidestepping the forensic trail that stolen coins leave on a blockchain, a trail that can make it difficult for thieves to cash out. "It breaks the chain," says Mandiant Threat Intelligence analyst Joe Dobson. "It's like a bank robber stealing money from a bank vault, then going to a gold miner and paying the miner the stolen money. Everyone is looking for the money while the bank robber walks around with fresh and newly mined gold."
Mandiant says it started seeing signs of APT43's mining-based laundering technique in August 2022. Since then, tens of thousands of dollars' worth of cryptocurrency has flowed from wallets Mandiant attributes to APT43 into hash rental services, services like NiceHash and Hashing24 that let anyone buy and sell the computing power used to calculate the mathematical strings called "hashes" that most cryptocurrencies require for mining. Mandiant says it has also seen similar amounts flow back to APT43 wallets from mining "pools," services that let miners contribute their hashing power to a group that pays out a share of whatever cryptocurrency the group mines collectively. (Mandiant declined to name any hashing services or mining pools that APT43 used.)
In theory, payouts from these pools should be clean, with no on-chain link to the APT43 hackers; that is, after all, the point of the group's laundering exercise. But in some instances of operational negligence, Mandiant says, it found those funds were nevertheless mixed with cryptocurrency in wallets it had previously identified through its years-long tracking of APT43 hacking campaigns.
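To make Dobson's "breaks the chain" point and the negligence failure mode concrete, here is an added illustration; it is not code from Mandiant's report or from any tool the article describes. It builds a small hand-made UTXO transaction graph, scores each output with the value-weighted ("haircut") taint measure that blockchain-analysis tools commonly use, and applies the common-input-ownership clustering heuristic. Every transaction id, address, amount, and both cash-out paths are constructed assumptions. The graph shows that a pool payout has no on-chain ancestry back to the theft (the link to the stolen coins exists only in the off-chain rental contract), and that a single careless transaction co-spending the payout with leftover loot hands an analyst both a taint score and an ownership link to the known attacker wallet.

```python
"""Toy UTXO taint tracing and co-spend clustering (added illustration, not from Mandiant's report).

All transaction ids, addresses and amounts below are constructed. The graph models the
laundering loop described in the article: stolen coins pay a hash-rental service, the rented
hash power mines a block, and the pool pays fresh coins to new addresses. On-chain, nothing
connects the payout to the theft; the rental contract that links them lives off-chain.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: tuple   # (txid, vout) pairs of the outputs being spent; empty for a coinbase tx
    outputs: tuple  # (address, amount) pairs


class UtxoGraph:
    def __init__(self, txs, tainted_txids):
        self.txs = {t.txid: t for t in txs}
        self.tainted = frozenset(tainted_txids)  # txids of the thefts themselves
        self._memo = {}

    def amount(self, txid, vout):
        return self.txs[txid].outputs[vout][1]

    def taint(self, txid, vout):
        """Value-weighted ("haircut") share of an output that descends from a tainted tx.

        Every output of a tainted tx is fully tainted. A coinbase output has no ancestors,
        so it is clean. Any other output inherits the amount-weighted average taint of the
        inputs its transaction spent.
        """
        key = (txid, vout)
        if key in self._memo:
            return self._memo[key]
        tx = self.txs[txid]
        if txid in self.tainted:
            score = 1.0
        elif not tx.inputs:
            score = 0.0
        else:
            total = sum(self.amount(p, v) for p, v in tx.inputs)
            score = sum(self.amount(p, v) * self.taint(p, v) for p, v in tx.inputs) / total
        self._memo[key] = score
        return score

    def input_addresses(self, txid):
        return {self.txs[p].outputs[v][0] for p, v in self.txs[txid].inputs}

    def clusters(self):
        """Common-input-ownership heuristic: addresses whose outputs are spent together in one
        transaction are assumed to be controlled by the same party (union-find over inputs)."""
        parent = {}

        def find(a):
            parent.setdefault(a, a)
            while parent[a] != a:
                parent[a] = parent[parent[a]]
                a = parent[a]
            return a

        for tx in self.txs.values():
            addrs = sorted(self.input_addresses(tx.txid))
            for a in addrs[1:]:
                parent[find(a)] = find(addrs[0])
        return {a: find(a) for a in parent}

    def same_owner(self, addr_a, addr_b):
        c = self.clusters()
        return addr_a in c and addr_b in c and c[addr_a] == c[addr_b]


def build_example():
    """Constructed scenario: one theft, one hash rental, one mined block, two cash-out paths."""
    txs = [
        Tx("victim_funding", (), (("victim_addr", 10.0),)),                  # victim's coins (root)
        Tx("theft", (("victim_funding", 0),),
           (("apt_addr", 9.0), ("apt_addr", 1.0))),                           # the hack: marked tainted
        Tx("hash_rental", (("theft", 0),), (("hashservice_addr", 9.0),)),    # stolen coins buy hash power
        Tx("block_reward", (), (("pool_addr", 6.25),)),                      # block found with rented power
        Tx("pool_payout", (("block_reward", 0),),
           (("fresh_1", 3.1), ("fresh_2", 3.1), ("pool_addr", 0.05))),      # pool pays two new addresses
        Tx("clean_cashout", (("pool_payout", 0),), (("exchange_a", 3.1),)),  # disciplined: payout only
        Tx("sloppy_cashout", (("pool_payout", 1), ("theft", 1)),
           (("exchange_b", 4.1),)),                                          # negligent: co-spent with loot
    ]
    return UtxoGraph(txs, tainted_txids={"theft"})


def report(g):
    return {
        "hash_service_receipt_taint": g.taint("hash_rental", 0),       # 1.0: the service holds stolen coins
        "pool_payout_taint": g.taint("pool_payout", 0),                # 0.0: no ancestry back to the theft
        "clean_cashout_taint": g.taint("clean_cashout", 0),            # 0.0
        "sloppy_cashout_taint": g.taint("sloppy_cashout", 0),          # 1.0 / 4.1: loot dilutes into it
        "fresh_1_linked_to_apt": g.same_owner("fresh_1", "apt_addr"),  # False
        "fresh_2_linked_to_apt": g.same_owner("fresh_2", "apt_addr"),  # True: one co-spend did it
    }


if __name__ == "__main__":
    for k, v in report(build_example()).items():
        print(f"{k}: {v}")
```

Two things the toy makes visible. First, the hash service's receipt is fully tainted while the pool payout scores zero, so a tracer following the stolen coins forward sees them stop at the service and never reach the payout address; the rental contract is the only link, and it is not on the chain. Second, the clean and sloppy paths differ by a single input: co-spending a pool payout with one leftover stolen output both dilutes taint into the cash-out and, under the co-spend heuristic, merges the "fresh" address into the attacker's known cluster, which is the kind of operational slip the article says Mandiant used to tie the payouts back to APT43.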