In the cryptocurrency ecosystem, coins have a story, tracked in the unchangeable blockchains underpinning their economy. The only exception, in some sense, is cryptocurrency that’s been freshly generated by its owner’s computational power. So it figures that North Korean hackers have begun adopting a new trick to launder the coins they steal from victims around the world: pay their dirty, stolen coins into services that allow them to mine innocent new ones.
Today, cybersecurity firm Mandiant published a report on a prolific North Korean state-sponsored hacking group it’s now calling APT43, sometimes known by the names Kimsuky and Thallium. The group, whose activities suggest its members work in the service of North Korea’s Reconnaissance General Bureau spy agency, has been primarily focused on espionage, hacking think tanks, academics, and private industry from the US to Europe, South Korea, and Japan since at least 2018, mostly with phishing campaigns designed to harvest credentials from victims and plant malware on their machines.
Like many North Korean hacker groups, APT43 also maintains a sideline in profit-focused cybercrime, according to Mandiant, stealing any cryptocurrency that can enrich the North Korean regime or even just fund the hackers’ own operations. And as regulators worldwide have tightened their grip on exchanges and laundering services that thieves and hackers use to cash out criminally tainted coins, APT43 appears to be trying out a new method to cash out the funds it steals while preventing them from being seized or frozen: It pays that stolen cryptocurrency into “hashing services” that allow anyone to rent time on computers used to mine cryptocurrency, harvesting newly mined coins that have no apparent ties to criminal activity.
That mining trick allows APT43 to take advantage of the fact that cryptocurrency is relatively easy to steal while avoiding the forensic trail of evidence that it leaves on blockchains, which can make it difficult for thieves to cash out. “It breaks the chain,” says Joe Dobson, a Mandiant threat intelligence analyst. “This is like a bank robber stealing silver from a bank vault and then going to a gold miner and paying the miner in stolen silver. Everyone’s looking for the silver while the bank robber’s walking around with fresh, newly mined gold.”
Mandiant says it first began seeing signs of APT43’s mining-based laundry technique in August of 2022. It’s since seen tens of thousands of dollars’ worth of crypto flow into hashing services—services like NiceHash and Hashing24, which allow anyone to buy and sell computing power to calculate the mathematical strings known as “hashes” that are necessary to mine most cryptocurrencies—from what it believes are APT43 crypto wallets. Mandiant says it has also seen similar amounts flow to APT43 wallets from mining “pools,” services that allow miners to contribute their hashing resources to a group that pays out a share of any cryptocurrency the group collectively mines. (Mandiant declined to name either the hashing services or the mining pools that APT43 participated in.)
In theory, the payouts from those pools should be clean, with no ties to APT43’s hackers—that seems, after all, to be the point of the group’s laundering exercise. But in some cases of operational sloppiness, Mandiant says it found that the funds were nonetheless commingled with crypto in wallets it had previously identified from its years-long tracking of APT43 hacking campaigns.
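The two observations above, that the trail from a stolen coin stops at the hashing service while a sloppy commingling of pool payouts with previously tainted wallets restores the link, can be expressed as checks over a transaction graph. The following is an added example, not code from the article, from Mandiant or from any tracing firm; the ledger, the wallet labels, and the service and pool addresses are all constructed for illustration, and the functions (propagate_taint, hashing_service_deposits, commingled_wallets, trace) are hypothetical names for the detection logic an analyst might run over attributed wallet lists.

```python
from collections import defaultdict, deque

# Constructed sample ledger, not real chain data. Each entry is
# (txid, sender, receiver, amount). All address names are hypothetical labels.
LEDGER = [
    ("t1", "victim_A", "apt_w1", 1.2),         # theft: victim pays into a wallet attributed to the group
    ("t2", "apt_w1", "apt_w2", 1.2),           # internal hop between group-controlled wallets
    ("t3", "apt_w2", "hashsvc_deposit", 1.0),  # stolen coin paid to a hash-rental service
    ("t4", "pool_payout", "fresh_w1", 0.9),    # pool pays newly mined coin to a fresh wallet; no edge from t3
    ("t5", "fresh_w1", "exchange_dep", 0.9),   # clean-looking coin cashed out
    ("t6", "pool_payout", "apt_w3", 0.4),      # sloppy: payout lands in a wallet that ...
    ("t7", "apt_w1", "apt_w3", 0.2),           # ... also receives funds from a tainted wallet
]

TAINTED_SEEDS = {"apt_w1"}               # wallets already attributed by prior tracking (constructed)
HASHING_SERVICES = {"hashsvc_deposit"}   # known deposit addresses of hash-rental services (constructed)
MINING_POOL_PAYOUTS = {"pool_payout"}    # known payout addresses of mining pools (constructed)


def _outgoing(ledger):
    """Index the ledger as sender -> list of (txid, receiver, amount)."""
    edges = defaultdict(list)
    for txid, sender, receiver, amount in ledger:
        edges[sender].append((txid, receiver, amount))
    return edges


def propagate_taint(ledger, seeds, sinks):
    """Forward-propagate taint from seed wallets along transaction edges.

    A sink (hashing-service deposit address) is marked tainted but not
    expanded: the service pays its customers from its own funds or from
    freshly mined coin, so no on-chain edge leads from the deposit to the
    payout. This is the point where the trail breaks.
    """
    edges = _outgoing(ledger)
    tainted = set(seeds)
    queue = deque(seeds)
    while queue:
        addr = queue.popleft()
        if addr in sinks:
            continue
        for _txid, receiver, _amount in edges[addr]:
            if receiver not in tainted:
                tainted.add(receiver)
                queue.append(receiver)
    return tainted


def hashing_service_deposits(ledger, tainted, services):
    """Txids in which a tainted wallet pays directly into a hash-rental service."""
    return [txid for txid, sender, receiver, _ in ledger
            if sender in tainted and receiver in services]


def commingled_wallets(ledger, tainted, pool_payouts):
    """Wallets that receive both a mining-pool payout and funds from a tainted wallet.

    Such commingling is the only on-chain link between the newly mined coin
    and the earlier theft; it is the operational slip described in the text.
    Only direct receipts are considered here.
    """
    from_pool = {r for _, s, r, _ in ledger if s in pool_payouts}
    from_tainted = {r for _, s, r, _ in ledger if s in tainted}
    return from_pool & from_tainted


def trace(ledger=LEDGER, seeds=TAINTED_SEEDS,
          services=HASHING_SERVICES, pools=MINING_POOL_PAYOUTS):
    """Run the three checks and return their results in one dict."""
    tainted = propagate_taint(ledger, seeds, services)
    return {
        "tainted": tainted,
        "service_deposits": hashing_service_deposits(ledger, tainted, services),
        "commingled": commingled_wallets(ledger, tainted, pools),
    }


if __name__ == "__main__":
    result = trace()
    print("tainted wallets:", sorted(result["tainted"]))
    print("deposits into hashing services:", result["service_deposits"])
    print("pool payouts commingled with tainted funds:", sorted(result["commingled"]))
```

On the constructed ledger, forward propagation never reaches fresh_w1 or exchange_dep, which is what makes the technique attractive to a launderer; the deposit t3 is visible only because the service's deposit address is already known, and apt_w3 surfaces only because a pool payout and a transfer from a tainted wallet land in the same place. A production tracer would additionally respect transaction ordering and amounts rather than treating every edge as fully tainted.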
The five-figure sums Mandiant saw laundered through this mining process, the company’s analysts concede, are nowhere near the size of the massive crypto heists North Korean hackers have pulled off in recent years, stealing hundreds of millions of dollars in cases like the breaches of the Harmony Bridge or Ronin Bridge services. That may be because only a small fraction of North Korea’s mining-based laundering has been detected.
But it may also be because APT43 isn’t primarily tasked with stealing cryptocurrency, says Mandiant analyst Michael Barnhart. Instead, the group appears to have been ordered to generate enough profits through cybercrime to fund its espionage work. As a result, it has sought to steal smaller sums of crypto from a broad number of victims, he says, with the goal of subsisting independently. “They’re not going for a cash grab,” says Barnhart. “They’re trying just to make ends meet.”
Cryptocurrency tracing firms, including Chainalysis and Elliptic, say they’ve seen criminal actors seek freshly mined cryptocurrency to fund their activities or dilute and obfuscate their profits. Elliptic says, for instance, that it’s seen a group affiliated with the militant organization Hamas mine cryptocurrency as a means of what it describes as terrorist financing. But Arda Akartuna, a threat analyst at Elliptic, says paying dirty cryptocurrency into a hashing service to mine clean crypto is a particularly troubling phenomenon.
Akartuna points out that mining pools are not as regulated and scrutinized as other crypto players that are sometimes used for money laundering, such as cryptocurrency exchanges, “mixing” services designed to obfuscate the trail of users’ coins, and NFT marketplaces. “But they probably should be,” he says.
“It’s quite concerning that a lot of mining pools don’t actually screen who participates in them,” says Akartuna. “So you could potentially have illicit actors that are contributing computing power to the mining pools, and those mining pools don’t have the tools to identify them.”
That suggests government authorities seeking money launderers and criminal financiers may have to shift some of their focus away from the intermediaries of the crypto economy toward the miners that serve as the original wellspring. Not all of that fresh digital cash is quite as innocent as it might seem.
Update 2 pm ET, March 28, 2023: Clarified the views of Elliptic’s Arda Akartuna regarding APT43’s crypto-laundering tactics.