Global virtual asset hacking losses '3.9 trillion won'…mostly 'North Korea' responsible

Minimum losses alone: 3.99 trillion won

North Korea focuses on large centralized exchanges

Attack and money-laundering methods become more sophisticated

This year, losses from virtual asset (cryptocurrency) hacks worldwide have reached $2.7 billion (about 3.99 trillion won). Analysts say a majority of this was the work of North Korea. In particular, North Korea has been concentrating attacks on centralized exchanges, which can yield large sums in a single attack. The funds stolen by North Korea have been laundered on a large scale through China's underground financial networks.

Blockchain research firm 'TRM Labs' said in a report released on the 18th that North Korea has weaponized virtual asset hacking at the state level for years to support weapons development and foreign currency earnings. According to the report, North Korea's targets have shifted completely from small decentralized finance (DeFi) services to large centralized exchanges (CEX).

The Bybit hack that occurred in February is a representative example. North Korea stole about $1.5 billion (about 2.21 trillion won) in that single incident.

Attack methods have also become more sophisticated. They infiltrate systems by sending files containing malware to developers at target companies, offering fake jobs or investments. TRM Labs said such a 'from code to custody (Code to Custody)' strategy has made the developer environment the most efficient route for accessing exchange assets.

The way stolen funds are processed has evolved as well. In the past, they relied on mixing services that split and mix funds. But when U.S. sanctions blocked those channels, they began using an underground financial network called the 'Chinese Laundromat.' They split stolen virtual assets, moved them across multiple blockchain networks, and then passed them to a money-laundering network composed of Chinese underground bankers, over-the-counter (OTC) brokers, and money couriers to be cashed out.

Hacked funds sometimes re-enter North Korean companies under the guise of payment for goods after going through these processes. TRM Labs analyzed that the reason North Korea's large-scale money laundering persists despite Western sanctions is due to China's industrialized money-laundering network.

Chris Wong, an investigator at TRM Labs and a former U.S. Federal Bureau of Investigation (FBI) agent, emphasized, "North Korea's hacking is a highly specialized operation with strategic objectives," and "It requires real-time intelligence gathering, innovative networks, and cross-border cooperation."

Park Su-bin, Hankyung.com reporter waterbean@hankyung.com