Source: Chainalysis

Compiled by: Tao Zhu, Golden Finance

Cryptocurrency hacks remain a persistent threat, with more than $1 billion worth of cryptocurrency stolen in four of the past ten years (2018, 2021, 2022, and 2023). 2024 marks the fifth year that this troubling milestone has been reached, highlighting that as cryptocurrency adoption and prices rise, so too does the amount of money that can be stolen.

In 2024, stolen funds increased by approximately 21.07% year-over-year to $2.2 billion, and the number of individual hacking incidents increased from 282 in 2023 to 303 in 2024.

What do North Korean hackers do with the money they steal from crypto platforms? Interestingly, the intensity of cryptocurrency hacks has changed around the first half of the year. In our mid-year crime update, we noted that the cumulative value stolen between January and July 2024 had reached $1.58 billion, about 84.4% higher than the value stolen during the same period in 2023. As we can see in the chart below, by the end of July, the ecosystem was easily on track for a year that could rival the $3 billion+ stolen in 2021 and 2022. However, the upward trend in cryptocurrency thefts in 2024 slowed significantly after July and has remained relatively stable since then. Later, we’ll explore potential geopolitical reasons for this change.

What do North Korean hackers do with the money they steal from crypto platforms?

Interesting patterns also emerged in 2024 in terms of the amount stolen by victim platform type. Decentralized finance (DeFi) platforms were the primary target of cryptocurrency hackers in most quarters from 2021 to 2023. DeFi platforms may be more vulnerable because their developers tend to prioritize rapid growth and bringing products to market rather than implementing security measures, making them a prime target for hackers.

While DeFi still accounted for the largest share of stolen assets in Q1 2024, centralized services were the most targeted in Q2 and Q3. Some of the most notable centralized service hacks include DMM Bitcoin (May 2024; $305 million) and WazirX (July 2024; $234.9 million).

What do North Korean hackers do with the money they steal from crypto platforms?

This shift in focus from DeFi to centralized services highlights the growing importance of security mechanisms commonly used by hackers, such as private keys. In 2024, private key compromises accounted for the largest share of stolen cryptocurrency at 43.8%. Securing private keys is critical for centralized services as they control access to user assets. Given that centralized exchanges manage large amounts of user funds, the impact of a private key compromise can be devastating; we only need to look at the $305 million DMM Bitcoin hack, one of the largest cryptocurrency breaches to date, which may have occurred due to poor private key management or a lack of adequate security.

What do North Korean hackers do with the money they steal from crypto platforms?

After compromising private keys, malicious actors often launder stolen funds through decentralized exchanges (DEX), mining services, or mixing services to obfuscate transaction trails and complicate tracking. By 2024, we could see money laundering by private key hackers differ significantly from money laundering by hackers leveraging other attack vectors. For example, after stealing private keys, these hackers often turn to bridging and mixing services. For other attack vectors, decentralized exchanges are more commonly used for money laundering.

What do North Korean hackers do with the money they steal from crypto platforms?

North Korean hackers will steal more from crypto platforms in 2024 than ever before

Hackers associated with North Korea are notorious for their sophisticated and ruthless tactics, often using advanced malware, social engineering, and cryptocurrency theft to fund state-sponsored operations and circumvent international sanctions. U.S. and international officials assess that Pyongyang uses stolen cryptocurrency to fund its weapons of mass destruction and ballistic missile programs, endangering international security. By 2023, hackers associated with North Korea will steal approximately $660.5 million through 20 incidents; by 2024, this number increases to $1.34 billion in 47 incidents, a 102.88% increase in the value of theft. These figures account for 61% of the total amount stolen that year and 20% of the total number of incidents.

Please note that in last year’s report, we published information that North Korea stole $1 billion through 20 hacks. Upon further investigation, we determined that certain large hacks previously attributed to North Korea may no longer be relevant, so the amount was reduced to $660.5 million. However, the number of incidents remained the same as we discovered additional smaller hacks attributed to North Korea. Our goal is to continually reevaluate our assessment of hacking incidents linked to North Korea as we obtain new on-chain and off-chain evidence.

What do North Korean hackers do with the money they steal from crypto platforms?

Unfortunately, North Korea’s cryptocurrency attacks appear to be becoming more frequent. In the chart below, we examine the average time between successful DPRK attacks by exploit size and find that attacks of all sizes are down year-over-year. Notably, attacks valued at $50-100 million and over $100 million occurred much more frequently in 2024 than in 2023, suggesting that North Korea is getting better and faster at large-scale attacks. This is in stark contrast to the previous two years, when profits were often less than $50 million per attack.

What do North Korean hackers do with the money they steal from crypto platforms?

When comparing North Korean activity to all other hacker activity we monitor, it is clear that North Korea has been responsible for the majority of large-scale attacks over the past three years. Interestingly, North Korean hackers have also been increasing in the density of attacks with lower dollar amounts, especially those worth around $10,000.

What do North Korean hackers do with the money they steal from crypto platforms?

Some of these incidents appear to be linked to North Korean IT workers, who have increasingly infiltrated cryptocurrency and Web3 companies, compromising their networks, operations, and integrity. These workers often use sophisticated tactics, techniques, and procedures (TTPs), such as false identities, hiring third-party recruitment agencies, and manipulating remote work opportunities to gain access. In a recent case, the U.S. Department of Justice (DOJ) on Wednesday indicted 14 North Korean nationals who worked as remote IT workers in the United States. Companies earned more than $88 million by stealing proprietary information and extorting employers.

To mitigate these risks, companies should prioritize thorough hiring due diligence — including background checks and identity verification — while maintaining strong private key security to protect critical assets, where applicable.

While all of these trends indicate that North Korea has been very active this year, the majority of its attacks occurred early in the year, with overall hacker activity stagnating in the third and fourth quarters, as shown in the earlier chart.

What do North Korean hackers do with the money they steal from crypto platforms?

In late June 2024, Russian President Vladimir Putin and North Korean leader Kim Jong Un will also hold a summit in Pyongyang to sign a mutual defense agreement. So far this year, Russia has released millions of dollars in North Korean assets previously frozen under UN Security Council sanctions, a sign of the two countries' growing alliance. Meanwhile, North Korea has deployed troops to Ukraine, supplied Russia with ballistic missiles, and reportedly sought advanced space, missile, and submarine technology from Moscow.

If we compare the average daily losses from the DPRK breach before and after July 1, 2024, we can see a significant drop in the amount of stolen value. As shown in the figure below, the amount stolen by North Korea has dropped by about 53.73%, while the amount stolen by non-North Korea has increased by about 5%. Therefore, in addition to shifting military resources to the conflict in Ukraine, North Korea, which has significantly increased its cooperation with Russia in recent years, may also have changed its cybercrime activities.

What do North Korean hackers do with the money they steal from crypto platforms?

The drop in North Korean theft after July 1, 2024 is clear and the timing is notable, but it’s worth noting that the drop isn’t necessarily tied to Putin’s visit to Pyongyang. Additionally, events in December could change the pattern at the end of the year, and attackers often attack during holidays.

Case Study: North Korea’s Attack on DMM Bitcoin

A notable example of a North Korea-related hack in 2024 involved the Japanese cryptocurrency exchange DMM Bitcoin, which suffered a hack that resulted in the loss of approximately 4,502.9 Bitcoins, worth $305 million at the time. The attackers targeted vulnerabilities in the infrastructure used by DMM, resulting in unauthorized withdrawals. In response, DMM, with the support of group companies, paid out customer deposits in full by finding funds of equal value.

We were able to analyze the flow of funds on-chain following the initial attack, and in the first phase we saw the attackers transfer millions of dollars worth of cryptocurrency from DMM Bitcoin to several intermediate addresses before ultimately arriving at the Bitcoin CoinJoin mixing server.

What do North Korean hackers do with the money they steal from crypto platforms?

After successfully mixing the stolen funds using a Bitcoin CoinJoin mixing service, the attackers transferred some of the funds through a number of bridging services to Huioneguarantee, an online marketplace associated with Cambodian conglomerate Huione Group, a major player in the field of facilitating cybercrime.

What do North Korean hackers do with the money they steal from crypto platforms?

DMM Bitcoin has already transferred its assets and client accounts to SBI VC Trade, a subsidiary of Japanese financial conglomerate SBI Group, with the transition set to be completed by March 2025. Fortunately, new tools and predictive techniques are emerging, which we will explore in the next section, to help you prepare to prevent such devastating hacks from happening.

Using predictive models to stop hacker attacks

Advanced predictive technologies are transforming cybersecurity by detecting potential risks and threats in real time, providing a proactive approach to protecting the digital ecosystem. Let’s look at the following example involving the decentralized liquidity provider UwU Lend.

On June 10, 2024, the attacker obtained approximately $20 million in funds by manipulating the price oracle system of UwU Lend. The attacker launched a flash loan attack to change the price of Ethena Staked USDe (sUSDe) on multiple oracles, resulting in incorrect valuations. As a result, the attacker was able to borrow millions of dollars in seven minutes. Hexagate detected the attack contract and its similar deployments approximately two days before the exploit.

Although the attacking contract was accurately detected in real-time two days before the exploit, its connection to the exploited contract was not immediately apparent due to its design. This early detection can be further leveraged to mitigate the threat with additional tools such as Hexagate’s security oracle. Notably, the first attack that resulted in $8.2 million in losses occurred minutes before the subsequent attacks, providing another important signal.

Such alerts, issued prior to major on-chain attacks, have the potential to transform security for industry participants, allowing them to prevent costly hacks altogether rather than respond to them.

What do North Korean hackers do with the money they steal from crypto platforms?

In the image below, we see the attacker moving the stolen funds through two intermediary addresses before the funds reached Tornado Cash, an OFAC-approved Ethereum smart contract mixer.

What do North Korean hackers do with the money they steal from crypto platforms?

However, it is worth noting that simply having access to these predictive models does not ensure protection against hacking attacks, as protocols may not always have the proper tools to effectively act.

Stronger encryption security is needed

The increase in stolen cryptocurrency in 2024 highlights the need for the industry to respond to an increasingly complex and evolving threat landscape. While the scale of cryptocurrency theft has not yet returned to the levels seen in 2021 and 2022, the resurgence described above highlights gaps in existing security measures and the importance of adapting to new exploitation methods. To effectively address these challenges, collaboration between the public and private sectors is essential. Data sharing programs, real-time security solutions, advanced tracking tools, and targeted training can enable stakeholders to quickly identify and eliminate malicious actors while building the resilience needed to protect crypto assets.

Additionally, as the regulatory framework for cryptocurrency continues to evolve, scrutiny of platform security and customer asset protection is likely to intensify. Industry best practices must keep pace with these changes to ensure prevention and accountability. The cryptocurrency industry can strengthen its anti-theft capabilities by building stronger partnerships with law enforcement and providing teams with the resources and expertise to respond quickly. These efforts are critical not only to protecting personal assets, but also to building long-term trust and stability in the digital ecosystem.