Japan, South Korea and the U.S. on Tuesday accused North Korea of orchestrating several of the largest cryptocurrency thefts in 2024, warning the blockchain industry that the rogue state will continue to pose a major threat in the year ahead.
“The DPRK’s cyber program threatens our three countries and the broader international community and, in particular, poses a significant threat to the integrity and stability of the international financial system,” the governments said, highlighting North Korea’s role in siphoning $308 million from DMM Bitcoin and $235 million from WazirX.
“Our three governments strive together to prevent thefts, including from private industry, by the DPRK and to recover stolen funds with the ultimate goal of denying the DPRK illicit revenue for its unlawful weapons of mass destruction and ballistic missile programs.”
The statement says North Korea’s notorious Lazarus Group hackers “continue to demonstrate a pattern of malicious behavior in cyberspace by conducting numerous cybercrime campaigns to steal cryptocurrency and targeting exchanges, digital asset custodians, and individual users.”
In addition to the more than $500 million taken from DMM Bitcoin and WazirX, another $116 million was taken in North Korean attacks on crypto platforms Upbit, Rain Management and Radiant Capital.
U.S. officials noted that as recently as September they have seen North Korean hackers deploy malware strains like TraderTraitor and AppleJeus in attacks that enabled the theft of millions of dollars worth of cryptocurrency.
Blockchain security firm Chainalysis released a report in recent weeks that said hacking groups connected to North Korea’s government stole $1.34 billion worth of cryptocurrency across 47 incidents in 2024.
Experts at the United Nations are investigating 58 cyberattacks on cryptocurrency firms allegedly conducted by North Korean hackers that allowed attackers to rake in about $3 billion over a six-year span.
Another tactic that has caused alarm among the three countries is the trend of North Korean hackers attempting to get hired illicitly as IT workers at U.S. companies — both in an effort to steal sensitive information and earn high-paying salaries.
Last month, the DOJ indicted 14 North Koreans for their participation in the scheme, noting that they were able to collectively earn at least $88 million through employment as IT workers at U.S. companies and through extorting the organizations. Some worked multiple IT jobs and brought in more than $10,000 a month.
Tuesday’s statement notes the dozens of actions taken by each country since 2022 to stop the campaign, but the governments urged companies in the blockchain space to be particularly stringent in their interview process when hiring IT workers.
Chainalysis added that North Korean IT workers have been increasingly infiltrating crypto and Web3 companies and “compromising their networks, operations, and integrity.”
While the focus has primarily been on the salaries earned by the workers, experts have raised concerns in recent months about the potential for confidential company data to be stolen and sold.
Michael Barnhart, Mandiant Principal Analyst at Google Cloud, told Recorded Future News that they have seen an increase in extortion attempts linked to North Korean IT workers.
“For the first time, we’re seeing IT workers follow through on releasing sensitive data of organizations they’ve infiltrated to pressure victims into paying exorbitant ransoms. They’re also demanding more cryptocurrency than they ever have before,” he said via email.
“We assess that the heightened media attention and ongoing government disruptions targeting their cyber operations this past year are forcing an escalation in their tactics.”
Barnhart said the sales increased in tempo after the U.S. Justice Department charged Americans with running U.S.-based laptop farms, which are needed to make it look as though the North Koreans are working from within the U.S.
The U.S. has also sanctioned many of the companies and groups assisting in helping the North Koreans get hired.
Barnhart explained that the extortion efforts by North Korean IT workers historically happened to smaller organizations, but the authenticity of the information was typically undetermined.
“With the recent uptick in these types of events, and working with our partners and victim organizations, we see them attempting to extort the larger organizations and following through with their threats for the first time,” he said.
“Additionally, the monetary demands are increasing at a level we have not seen thus far. The attempts can have many factors. Some rely on disgruntled IT workers demanding back pay for work they had or had not done. Some are threats to release intellectual property and data if a crypto ransom is not met.”
Other extortion attempts warn that more sophisticated actors could use the potentially leaked data to attack other parts of the affected organization, Barnhart added.
Mandiant has also seen instances where all three tactics were used in a single extortion email. Several of the fake IT workers have threatened to give the information to company rivals or release it publicly.
Barnhart declined to say where the information is being sold “due to ongoing investigations” and did not know who is buying the data being offered.
He noted that much of the data involves intellectual property like source code and “could provide competitors a major advantage and also can severely damage the reputation of an organization that has been infiltrated.”
Scott Algeier, executive director at non-profit Information Technology-Information Sharing and Analysis Center (IT-ISAC), said his organization has been monitoring and discussing these threats with members for about a year — warning them to have robust vetting processes and internal controls to identify suspicious behavior if an applicant is hired.
Jonathan Greig
is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.