Priscilla Moriuchi, director of strategic threat development at Recorded Future and non-resident fellow at Harvard Kennedy School, explains North Korean usage of the internet and how it has changed over time, how it is reserved only for the few most senior people in the regime, what the mobile devices of the other 25 million citizens connect to, and who is watching the activity on those devices. She also describes the various ways North Korea has shown an interest in cryptocurrency, how it’s been determined that North Korea is behind activities such as cryptocurrency exchange hacks and malware, and its seeming interest in Monero. We also discuss how they convert crypto to fiat, and how well the government seems to have connected its cryptocurrency activities with its other real-world criminal networks used for activities such as smuggling, drugs and counterfeiting cigarettes and US dollars. We also talk about which North Koreans have been trained to carry out such attacks and how and why they carry them out abroad rather than in North Korea. She also covers why Ethereum researcher Virgil Griffith’s visit to North Korea, even if he were dispensing “public” information, would have been helpful in a country where everyone but a tiny elite is denied access to the internet.
Thank you to our sponsors!
Givewell: http://givewell.org/unchained
CipherTrace: http://ciphertrace.com/unchained
Kraken: https://www.kraken.com
Crypto.com: http://crypto.com
Episode links:
Priscilla Moriuchi: https://www.linkedin.com/in/priscilla-moriuchi-410297127/
Recorded Future: https://www.recordedfuture.com
Recorded Future on North Korea’s internet activity: https://www.recordedfuture.com/north-korea-internet-activity/
Full report: https://go.recordedfuture.com/hubfs/reports/north-korea-activity.pdf
Recorded Future report on North Korea’s interest in cryptocurrency: https://www.recordedfuture.com/north-korea-cryptocurrency/
Full report: North Korea targeting South Korean cryptocurrency exchanges: https://www.recordedfuture.com/north-korea-cryptocurrency-campaign/
Full report: https://go.recordedfuture.com/hubfs/reports/cta-2018-0116.pdf
Podcast: https://www.stitcher.com/podcast/recorded-future-inside-threat-intelligence/e/52982550
Priscilla on why Virgil’s attendance at a blockchain conference in North Korea was helpful to the regime: https://www.businessinsider.com/north-korea-virgil-griffith-cryptocurrencies-bad-idea-analyst-2019-12
Priscilla on how North Korea uses cryptocurrencies to evade sanctions: https://www.vox.com/world/2018/2/28/17055762/north-korea-sanctions-bitcoin-nuclear-weapons
North Korea’s interest in Monero: https://www.wsj.com/articles/in-north-korea-hackers-mine-cryptocurrency-abroad-1515420004
North Korea’s plan to build its own version of the Petro, I mean, Bitcoin: https://www.vice.com/en_us/article/9ke3ae/north-korea-is-building-its-own-bitcoin
DOJ Complaint against Virgil: https://www.justice.gov/usao-sdny/press-release/file/1222646/download
Transcript:
Laura Shin:
Hi, everyone. Welcome to Unchained, your no-hype resource for all things crypto. I’m your host Laura Shin. One quick announcement before we start the show. Unchained now has a merchandise shop. We’ve got a few t-shirts, a couple hats, a mug, several mugs, and stickers. My team and I got creative with one of the t-shirt designs and came up with an image of a crypto rabbit falling down a hole. Swirling into the hole, with the rabbit, are playing cards showing some of the coins, like Bitcoin, Ethereum, and Monero, as well as a DAO card ripped in half.
There’s a Guy Fawkes mask, a DeFi cake, a lambo, and a teapot that says HODL, as well as teacups showing the Reddit and Twitter logos. There’s even a Shit Coin. The rabbit is wearing a big Bitcoin key on a keychain, a unicorn and rainbow t-shirt, and of course, is listening to Unchained. We’ve also got rabbit versions of the mug and some decals as well as a special Bitcoin maxi mug and an Ethereum maxi mug. Check it all out at Shop.UnchainedPodcast.com. Again, that’s Shop.UnchainedPodcast.com.
GiveWell.org
This holiday season, how can your donation do the most good in the world? GiveWell spends 20,000 hours each year researching charity, looking for the places where your donation will save or improve lives the most. They provide a free list of the most impactful charities they’ve found. You can find out more or make a donation at GiveWell.org/unchained. First-time donors using that link will have their donations matched up to $1,000 while funds last. They accept traditional payment methods, Bitcoin, Ethereum, and several other cryptocurrencies. Keep this in mind while you make your end of year tax moves. Again, that’s GiveWell.org/unchained.
Crypto.com
Crypto.com. The Crypto super app that lets you buy, earn and spend crypto in one place. Get a metal MCO Visa Card with up to 5% back on ALL your spending. Download the Crypto.com App today.
Kraken
Kraken is the best exchange in the world for buying and selling digital assets. It has the tightest security, deep liquidity and a great fee structure with no minimum or hidden fees. Whether you’re looking for a simple fiat onramp, or futures trading, Kraken is the place for you.
CipherTrace
CipherTrace’s cutting-edge cryptocurrency intelligence powers anti-money laundering, blockchain analytics, and threat intel. Leading exchanges, virtual currency businesses, banks, and regulators themselves use CipherTrace to comply with regulation and to monitor compliance.
Laura Shin:
Today’s guest is Priscilla Moriuchi, Director of Strategic Threat Development at Recorded Future and Non-Resident Fellow at Harvard Kennedy School. Welcome, Priscilla.
Priscilla Moriuchi:
Thank you for having me.
Laura Shin:
Before we get into the particulars of today’s topic, which is all about North Korea and its interest in cryptocurrency, why don’t you give a short background on your work with North Korea and tell us what areas it is that you focus on with respect to the country and how you came to be an expert in this area?
Priscilla Moriuchi:
Sure. So I spent a while at National Security Agency, and I left about three years ago, and that’s when I kind of gained some of my interest in North Korea, and at that same time, about three years ago, I started looking at what we would call, like, the network traffic, right? Network traffic coming from North Korea, to attempt to understand what we can learn about North Korean leaders, their behavior, their interests, you know, any insight, really, into the regime, you know, from looking at how they use the internet, and that’s really how I got onto this, guess I would call it, like, topic, but this kind of obsession, really, from both my end and the North Koreans with cryptocurrency and just the myriad ways in which they’ve been able to use and exploit blockchain and crypto technology.
Laura Shin:
And this might be a really basic question, but how do you do that? Are you literally just hacking into their computers, or are you monitoring web traffic, or I don’t even know, maybe you can’t reveal these things. I’m not sure.
Priscilla Moriuchi:
Yeah, so no hacking involved. All legal. What many people don’t realize is that when you sort of turn on your computer, right, and you go to a website, there’s what’s called metadata, right, so these data points, like an IP address, for example, of the website that you’re going to, the ports or protocol that your computer is using to communicate with the server that hosts that website, for example.
And all of that information, called metadata, can be harvested and collected, and that allows, you know, researchers like myself some insight into the behavior, you know, of, in this case, North Korean leadership. Some of that, of course, can be mitigated by using things like a VPN or something like that, but yeah, it’s studying the metadata, right? No content, just data points about what North Korean leaders are doing online.
Laura Shin:
And when you first started looking into this, what behavior were you seeing, and then how has that changed over time?
Priscilla Moriuchi:
Yeah. Sure. So, when we first started looking at how North Korean leaders were kind of using the internet, this was back in early 2017, and largely, leaders at this point in time were using it in what we would call leisure activities. So lots of video streaming, video gaming, social media use. So just, like, normal westerners, like ourselves. They would kind of get up in the morning and check social media, check even western…
Laura Shin:
Sorry, when you say video streaming, are you saying they’re watching YouTube, or what does that mean?
Priscilla Moriuchi:
Yes. Yes. Yes. So I think it’s important…I guess there’s a few caveats here. So, one, we’re able to profile this internet behavior of essentially an entire country because most of the country, the population, doesn’t actually have access to the global internet. Ordinary North Koreans now are able to use kind of smartphones and access a domestic intranet and a domestic cellular system, one that connects them to other North Koreans, but not ever to the rest of the world at large.
So when we look at global internet traffic sort of to and from these North Korean IP ranges, we are looking at a very, very, very tiny subset of North Koreans, sort of the 0.1%, you know, I would call them, the most senior leadership and their families who have both the ability and the permission to actually use the global internet and access it for leisure activities or for work.
So that’s why it looks kind of normal, because a lot of these most senior leaders, you know, and their family have what we would consider to be normal western pieces of life, and they aren’t the ones who are struggling to pay the bills or farm or get food on the table or provide heat for their houses. These are the pampered elite.
Laura Shin:
And if you were to put a number on how many people that is, what would you guess that number is?
Priscilla Moriuchi:
It’s hard to say because, again, like, the amount of traffic…for a country of 25 million people, we’re looking at, likely, under a few hundred who actually have access to the global internet, but I don’t have a specific number. I would say under 300 people would be my best guess.
Laura Shin:
Oh, wow. Okay, and so I’m sorry, because I actually cut you…I was so shocked when you said they stream videos. So could you just, yeah, finish describing what their internet behaviors are?
Priscilla Moriuchi:
Sure. So, I mean, you know, at that point, three years ago now, we could see when users kind of get up in the morning, you know, North Korea time, sort of checking news, and they’re on social media, streaming videos, playing video games, checking news in English, Japanese, a number of different providers and languages, but for the most part, right, at that point in time, most of the sort of peaks in activity were at what we would sort of consider off hours. So after work time periods or on weekends or evenings, and the time was highly indicative that it was more the internet for these senior leaders at that time was mostly like amusement, right, or a leisure tool, and over time, you know, over the past three years, that’s changed pretty significantly.
Laura Shin:
So, before we get to that, how it’s changed, I wanted to ask, when you were saying they were using social media, does that mean they actually had their own profiles? Like, you know, I’m this high-level North Korean person on Facebook, or how were they using social media?
Priscilla Moriuchi:
Yeah, so, again, because we were using metadata, right, I wasn’t able to see, like…I got this question a lot. What’s Kim Jong-un doing online? I don’t really know, right? I know what people in Kim Jong-un’s social circle are probably doing, you know, and other leaders, and so, yes, we could see, for example, scrolling through the Facebook newsfeed, but I don’t know what the content of that newsfeed was or what the account was, for example. Same with Twitter, scrolling through Twitter, but I couldn’t see what the user was.
Laura Shin:
Okay. Yeah, because I was trying to figure out, like, are they friending each other or are they trying to friend…okay, but we don’t know that, but one thing is I asked you the number of people. Do you have a sense of, like…when you say the most elite, can you give examples of types of people or titles that would be allowed to access the global internet?
Priscilla Moriuchi:
Sure. So I could give types of people, right? So it would be senior Korean Workers’ Party or KPA, the People’s Army leaders, most senior intelligence leaders. Certainly Kim Jong-un’s sister, right, would be among those who would be sort of trusted enough for global internet access, and possibly some university researchers doing research on behalf of the state.
Laura Shin:
And you may not know this, but obviously, since, well, you know, the other 25 million people are not allowed on the internet, how is access granted, or how is permission granted, because I’m sure there are some people who are maybe close to having that privilege, but until they’re given it, it would probably be very, very dangerous for them to try to access it on their own. So do you have any sense of that?
Priscilla Moriuchi:
So I don’t know what the procedure is for someone who’s granted access to the internet. I mean, we have an idea of, like, the devices that users who do access the internet are using. This is a lot of mobile devices, iPhones and Huawei handsets, also a lot of Windows computers.
So we know that, from a technology perspective, users of North Korea’s internet are using everything from the latest iPhone to computers that are running Windows 7, which is now a deprecated operating system. So, in a certain case, it’s like bring your own device North Korea style, and then for sort of the normal North Koreans, their cellular network and their intranet doesn’t even have a physical hardware connection to the global internet.
So there would be no way for them to, like, hack their way around things or hack their way through. They don’t even have that possibility to access the global internet from any device that they own. Plus the devices they do own are supplied by the state, and there’s spyware on them, right, which monitors the websites they go to, the files they download, the conversations and messages that they send and receive.
Laura Shin:
Oh, wow. Oh, okay, wow, I wasn’t aware of that, and I don’t know if you know about this, but does that mean then there’s, like, some agency in the North Korean government that’s actually monitoring what the population is doing on their devices?
Priscilla Moriuchi:
Yes, most likely. Yeah. So, for the population, it’s not clear the extent to which, you know, all North Koreans understand the monitoring of their personal communications on their cell phones. I think most of them are aware of it, but sort of mobile phones in North Korea serve this dual purpose for leadership, which is, one, giving the population this feeling of modernity. North Koreans, for example, are watching, licitly and illicitly, more and more videos and media from the outside world. It’s making its way into North Korea, you know, on thumb drives, on CDs, on a number of ways.
And North Koreans are watching that, and they have at least some idea that, through the rest of the world, is embracing or has been able to use these technologies that they’re just beginning to see, mobile phone and the internet, and so allowing North Koreans to have mobile phones gives them this sense of sort of catching up to the rest of the world, on one hand, but on the other side, these are pretty much kind of built-in surveillance devices for the Kim regime and the security services to keep an eye on the population.
Laura Shin:
Okay, and now, I realize we’re maybe getting a little bit out of your area of expertise, but just one last question on this. So if you’re saying that, you know, people are accessing information from the outside and watching it, consuming it, like movies and songs and whatever, but at the same time, their devices are surveilling them, then are they using different devices to watch the illicit material?
Priscilla Moriuchi:
Yes. Yeah. So there’s some studies that have come out indicating that North Koreans will have separate devices, right? So they’ll have their mobile phones for their communications, and then they’ll have…portable CD players are kind of popular, or low-end other sort of mobile devices that won’t even connect to a network, but allow them to upload files via USB, for example.
Laura Shin:
Okay. So, you know, we started with you describing what you saw was the internet behavior of the North Korean elite when you first started monitoring it a few years ago, and then you said that it has changed. How has it changed?
Priscilla Moriuchi:
Yeah, so, over time…and I wouldn’t be so forthright to say that our research has been read by North Korean leadership. I think this is probably likely just patterns in how people are using the internet globally, but when we first started looking at it, it was, like, 99% of North Korean users were not even doing the most basic internet hygiene, right? So they wouldn’t go to sites and use HTTPS, for example, which enables what we call SSL encryption.
So when you use an HTTPS, for example, someone from the outside, a third party, cannot necessarily view the content of the communication between your computer and that computer. They can see the fact of that communication, for example, but they can’t see, like, that you, Laura, checked your Facebook account. They can see a communication between your computer and Facebook.
So that’s one of the things, over time, that we’ve observed, is that North Korean leaders, you know, whoever they are, are becoming more security conscious. They’re using VPNs, virtual private networks. They’re taking some of the most basic steps to internet hygiene, using SSL, for example, and that limits, to some degree, our ability to see what exactly the communications are, the sites exactly that North Koreans are going to.
So that’s one. They become more security conscious, and second is there’s been this shift over the past few years to what we call the professionalization of the internet. So we talked earlier about how much internet use was sort of in these off hours or on weekends, and it involved video streaming, and over time, the percentage of the use of media has stayed the same.
But the other types of content, right, and the hours in which North Koreans are using the internet has shifted to be much more now towards workday, work hours, and that’s an indicator to us that the internet is becoming more a tool, right, a professional tool for these North Korean leaders as opposed to just kind of a leisure activity.
Laura Shin:
Yeah. Well, clearly, that’s why we’re doing this show, because one of the areas that they’re focusing on is definitely cryptocurrency, and so why don’t we just give a high-level overview of what North Korea’s interest in cryptocurrency is. Like, you know, what are you seeing that’s showing you that they’re interested in that? How do you know that it is them that’s interacting with these cryptocurrencies, and in general, why do you think they’re interested?
Priscilla Moriuchi:
Sure. So I’ll try to break that down. So, first, we first saw that North Koreans were interested in cryptocurrency when we observed some mining activity, right, from the North Korean IP ranges.
Laura Shin:
And when was that?
Priscilla Moriuchi:
In March 2017. So that piqued our interest. It was really small scale. Looked like just a few machines conducting Bitcoin mining, and then, from my perspective, that led me to look into is North Korea using Bitcoin and other cryptocurrencies in any other ways? I mean, I just kind of started this odyssey, and especially in 2017 where we’ve gotten to this place now, you know, from 2017 through today, where I would say there are five ways in which North Korea either uses or exploits or gains cryptocurrencies.
So one is mining, right? We see them, North Korean leaders, some UN member states have sort of submitted anecdotes to the United Nations, which the UN has then put out on their reports about potentially the military also engaging in cryptocurrency mining. So we’ve got mining from either senior leaders and / or the military, to we’ve got these thefts, large-scale thefts from cryptocurrency exchanges, mainly in South Korea and cryptocurrency users.
Third, North Korea has really embraced, we call it crypto scams. So either standing up a fake blockchain company or cryptojacking, which I’m sure your users will be aware of, right? It’s this concept of stealing the computing power of an unwitting user’s machine to mine cryptocurrency. Fourth, through low-level crime. So another kind of interesting aspect of North Koreans’ use of the internet is this idea that they engage in a lot of low-level criminal activity, like thefts from online casinos or thefts from gaming users’ accounts, like theft of armor, for example, and resale of that.
The writing of scripts, right, to cheat at certain games and then selling those scripts on. So that generates some…some of those transactions take place in cryptocurrency, as well, and then the fifth is the most kind of speculative at this point, but there’ve been reports that North Korea’s looking to develop its own token or some kind of coin.
Laura Shin:
Right, and for some of the other ones, like the cryptojacking or the thefts, how is it that North Korea was determined to be behind those?
Priscilla Moriuchi:
Sure. So when a…we call it a cyber operation or an intrusion is executed, typically, the attackers leave, I guess, what we would call little breadcrumbs, right, whether they know it or not, behind evidence that has accumulated over the course of conducting the cyber operation, whether it be sort of inside the victim network or outside on the infrastructure, the computers, the IPs, the domains that they had to use to sort of trick the victims and conduct the operation.
So they leave these little data points that, when you pull it together, allow you to develop a signature for something that looks like a North Korean operation, and so, in this case, with the cryptocurrency exchanges, we had a number of those data points. Plus, for me, I only kind of assess that North Korea was behind an intrusion when, one, I’ve got enough of those data points so I have at least 70% confidence, and two, in many of the cryptocurrency exchange cases, the South Korean NIS, so their intelligence service, has made some kind of public statement in which they’ve implicated North Korea.
Laura Shin:
And I wanted to also ask about the exchange hacks when you were saying that they have especially targeted South Korean exchanges. Is that simply because there’s a shared language? Is it just as simple as that? Because, obviously, there’s a ton of cryptocurrency exchanges around the world. Many of them have greater sums of money, so, you know, I don’t know why it is that they’re focusing there. The only thing I could think of was the language.
Priscilla Moriuchi:
So I think there are probably three reasons. So one is the language. Two is South Korea is kind of enemy number one for North Korean military and intelligence services. You know, they have entire units that are focused just on disrupting aspects of South Korea and government communications, foreign policy, society, stealing from South Koreans, and so, as a target, South Korea is really the pointy end of the spear when it comes to North Korean cyber operations, and third, I think your listeners will probably understand this.
Is that there’s a slightly different environment for cryptocurrency use in South Korea than in much of the rest of the world. Many more of your, like, average citizens use cryptocurrencies in South Korea than in many other countries. There are a lot more physical exchanges in South Korea, as well, like physical ATMs, physical branches, right, where people can exchange a wide variety of cryptocurrencies for fiat currency. So I think between the sort of combination of those three, that makes South Korea just a really appealing target for North Koreans.
Laura Shin:
That’s true, yeah. The penetration of the average population there is much higher than I think any other place on Earth, and one other thing I wanted to ask was when you mentioned the mining earlier, you said that it was the military that was mining cryptocurrency. So I don’t understand everything about the regime, but that’s like part and parcel of Kim Jong-un’s regime, right? It’s not like…was the military doing that independently? Did they decide that themselves, or why is it the military and not just the regime generally? Do you kind of understand what I’m asking?
Priscilla Moriuchi:
Yeah. Yeah. So the military are one of the main benefactors of the Kim regime, one of the sort of factions that the Kim regime needs to keep happy, and one which they devote significant resources to. So, you know, the Kim regime has a military first policy in which resources, food, revenue are diverted to the military first and then ordinary citizens later. So, one, military are extremely important to have on the side of Kim Jong-un and to support him.
Second, you know, the senior military leaders and for special military operations would certainly have access to the global internet, and in this case, from what we’ve seen of both sort of the hardware and the software installed on North Korean networks, it’s not likely that anything happens or mining, even on a small scale, because the volume of traffic it creates couldn’t really be achieved without the internet monitors or administrators being aware of it.
Laura Shin:
Right, because I read the UN report talking about how the money being earned from cryptocurrency by North Korea is probably being used to fund its nuclear power. So is that also why it is that the military is the one doing the mining, or is that not related?
Priscilla Moriuchi:
It’s possible. I mean, so there are many interesting / bizarre things about North Korea, but one of those interesting things is that, you know, for the most part, and especially in the military, everyone, every mission, every person, their first job is to support the state and the goals of the state, and so, in this case, with the military, whether the military were involved or not, the state has very specific goals. The continuation of the regime, the Kim regime, establishment of themselves and their ballistic and nuclear missile program, and potentially, right, the reunification of the Korean Peninsula under the Kim regime. So all people, there’s no sort of independence…
Laura Shin:
I don’t think that’s going to happen, but anyway.
Priscilla Moriuchi:
Well, eternal optimism up there in North Korea, and there’s really no room for independent careers or independent efforts in North Korea, to a large extent. So when the military’s engaged in something, it’s because it’s supportive of one of these three goals.
Laura Shin:
So one other thing that I wanted to ask about, which is pretty well known in the cryptocurrency space, is that North Korea was likely behind the WannaCry ransomware attack. First of all, for listeners who maybe aren’t familiar with that or have forgotten the details, can you describe that attack and then also explain why it’s believed that North Korea was behind it?
Priscilla Moriuchi:
Sure. So WannaCry was a piece of ransomware, and the sort of attack that we’re talking about occurred in May of 2017, in which, as we now know, the North Koreans kind of tweaked this largely publicly available piece of ransomware called WannaCry to incorporate what’s known sort of in the cyber security community, at the time, was a zero day exploit, right?
This one was endemic to Microsoft systems, and at this point, many users were aware, but hadn’t patched their systems. So there were many, many computers globally, millions, that were still vulnerable to this particular exploit that North Korea sort of installed in the WannaCry ransomware and deployed on the world, and really, what sort of raised I guess the specter of WannaCry.
And why people still refer to it is because it had such a global impact. It spread to computers and users around the world no matter what country you were in, if you had not updated or patched, and that had some really huge impacts. For example, it took out the UK’s National Health Service, the NHS computers, and it kind of swept the world for a few days. So, yeah, that’s WannaCry.
Laura Shin:
Wow. So, in a moment, we’ll discuss what North Korea did with the Bitcoins they earned from the WannaCry attack, but first, a quick word from the sponsors who make the show possible.
CipherTrace
Will the world follow France and advocate banning privacy-coins? Will government-backed stable-coins become the new fiat? Are distributed and peer-to-peer exchanges just a flash in the pan? The answer is maybe. Virtual currencies can flourish and create a new, private and more versatile economy. But that grand vision can’t happen without keeping crypto clean, AND that requires support of governments and accountability for bad actors. Privacy Enhanced Compliance using cryptographic controls has the potential to preserve anonymity without compromising legitimate investigations. CipherTrace is working on this vision of the future. Sign up to stay up to date on the Privacy Enhanced Compliance initiative and receive authoritative Crypto AML reports quarterly. https://www.CipherTrace.com/KeepCryptoClean
Kraken
Today’s episode is brought to you by Kraken. Kraken is the best exchange in the world for buying and selling digital assets. With all the recent exchange hacks and other troubles, you want to trade on an exchange you can trust. Kraken’s focus on security is utterly amazing, their liquidity is deep and their fee structure is great – with no minimum or hidden fees. They even reward you for trading so you can make more trades for less. If you’re a beginner you will find an easy onramp from 5 fiat currencies, and if you’re an advanced trader you’ll love their 5x margin and futures trading. To learn more, please go to kraken.com.
Crypto.com
Crypto.com sees a future of cryptocurrency in every wallet. Have you seen the MCO Visa Card? Loaded with perks including up to 5% back on ALL your spending and unlimited airport lounge access. They pay for your Spotify & Netflix too! What’s not to love? With Crypto.com, not only can you spend your crypto, but you can grow it too! Earn up to 6% per year on the most popular coins like BTC, ETH, XRP and up to 12% per year on Stablecoins. Crypto.com has recently launched its Exchange and crypto fundraising platform, The Syndicate. There is a 50% off Stellar listing event on 15 Jan 2020. Sign up on the exchange now and stay tuned for more listings.
Laura Shin:
Back to my conversation with Priscilla Moriuchi. So North Korea perpetrates this attack around the globe to try to obtain Bitcoin. Bitcoin, famously, has this public blockchain, and yet I believe the North Koreans actually were able to profit from the attack. So what did they do with those Bitcoins?
Priscilla Moriuchi:
Sure. So I think, you know, there’s still some debate about what the goal of WannaCry was for the North Koreans. I mean, if you look at it from a revenue-generating standpoint, by the end of the attack or when the three Bitcoin wallets where the ransom was directed, right, by the time those accounts were cashed out in August of 2017, the value of those kind of 52-ish Bitcoin were about 142 thousand US dollars, which is a lot, but not a substantial amount.
So I think a couple years later when the US government kind of came out and publicly attributed North Korea to the WannaCry attack, their assumption was that North Korea had engaged in this sort of to cause global chaos, and it’s possible that they didn’t realize how far this piece of ransomware would spread, because while the exploit they were using was relatively new and it had been in zero day prior, there had been time for some people to patch their machines.
So that’s kind of the first step. So, you know, as sort of one of the people who was kind of following this at the time, looking back, a lot of people in the information security community were smiling, because as WannaCry spread and the ransom note would pop up on people’s machines, it directed people to pay the ransom to only three Bitcoin wallets.
And people were pretty certain that we, the global we, right, could track these three Bitcoin wallets. We could keep an eye on them, and we could track where the transactions were going, and we could then find out who is responsible. So, if you fast-forward from May where everybody’s kind of smiling, to early August, August 2 of 2017, those three wallets were emptied within minutes of each other in six transactions. So two transactions each emptied all of those wallets.
What we know from there is that the transactions or the Bitcoin were then fed into what’s called the mixer, which, I’m sure your users will be aware of what a mixer is, and then when the coins come out on the other side, they were then converted to Monero. As your listeners will be aware, Monero blockchain is much different than the Bitcoin blockchain, and each Monero transaction is encrypted so that only the user and the receiver can see the transaction.
And that’s essentially where the trail runs cold for researchers, and for me, like, what was really interesting about the way North Koreans moved the coins around was, one, that they were willing to take hits in terms of fees, Bitcoin fees, mixer fees, Monero fees, transaction fees, right, in order to maintain that anonymity, and it seemed to be a conscious decision to move, after the coins were kind of run through the mixer, to a sort of privacy-focused token.
Laura Shin:
Yeah, I feel like Monero is kind of a theme with North Korea because I believe that the main cryptojacking malware that’s associated with North Korea was being used to mine Monero. Do you feel that this regime has a particular interest in Monero, and if so, you know, how do you think they’re using it and benefitting from it?
Priscilla Moriuchi:
Yeah. So we’ve seen the regime use three coins, Bitcoin, Monero, and Litecoin. So, for a while, in 2018, we saw some really small-scale Litecoin mining from North Korean leaders, as well. That has since ceased, right? So we’ve got, overall, kind of a focus on Bitcoin and Monero.
And you’re correct that we do see Monero used by North Koreans, but also certainly not moving away from Bitcoin. My sense is that North Koreans are using Monero because of the focus on privacy and anonymity, even though Bitcoin can be utilized, you know, in a way that would make the end recipients of transactions virtually anonymous anyway.
I think from sort of our studies of the criminal community at large, Bitcoin is still very, very widely used and even preferred among many in sort of what we would consider the Dark Web, right, or the Russian language, especially a criminal underground, because of the ease of use. There are so many Bitcoin users, participants, and it makes for quick transactions. So Monero is a sort of slower transaction, but again, I think it’s really that focus on anonymity for North Korea.
Laura Shin:
So, obviously, you know, cryptocurrency is useful to North Korea. However, it’s probably only useful once it’s converted into fiat. So how does North Korea convert cryptocurrency into fiat? I can’t imagine it’s very easy for them.
Priscilla Moriuchi:
Yeah. That’s the last mile in this whole dramatic story that we have the least insight into. I think there are a number of educated hypotheses and theories. So, one, I used to get asked a lot about whether North Korea has this huge stash of coins, right, that they’re just kind of stockpiling and hiding and they’re just going to cash out whenever they want. My sense is that North Korea needs the money.
So within a short period of time, after they acquire the cryptocurrency, whether it be in a large-scale theft from an exchange or through cryptojacking or whatever crime, they need to be converting it into a fiat currency. So, one, you know, they’re not kind of storing it. I’m not sure how well or not well they kind of play the market. Whether they cashed out all of their 2017 earnings in December, for example, when Bitcoin was at its peak, or not, I’m not certain.
But I think we do know that they need the money, and there are sort of existing networks. We would call them physical networks that North Korea has established over the past 40 years. These illicit networks in countries in Southeast Asia, for example, in Europe, as well, that these networks kind of exist in the embassies and consulates as attached to overseas embassies and consulates that have facilitated North Korean illicit activity for decades, right?
So everything from drug smuggling to precious gem smuggling to counterfeit cigarettes and US dollars, these networks have facilitated for decades, and I strongly believe that these networks are also involved in exchanging cryptocurrencies for fiat currencies or even, you know, I’m not sure what you can actually purchase as a physical commodity with cryptocurrency these days. It’s possible that someone somewhere is willing to take Bitcoin for coal, for example, or for an offshore oil rig, oil transfer. I think we just don’t know how much you can really get these days.
Laura Shin:
So I’m going to read a bit from the AP report, which actually was about the UN report. They say, “According to a report from one unnamed country, cited by the experts, stolen funds following one cryptocurrency attack in 2018 were transferred through at least 5 thousand separate transactions and further routed to multiple countries before eventual conversion to currency that a government has declared legal money, making it highly difficult to track the funds.” That sounds so sophisticated to me. So, you know, in general, from what you’re seeing, do you feel like the North Korean hackers have a very high level of sophistication and fluency with regard to cryptocurrency?
Priscilla Moriuchi:
Without a doubt. So, I mean, if you talk to some South Korean researchers, they have seen North Korean cryptojacking malware since 2015, right, when most of the world didn’t even really know what Bitcoin was at that point, and then North Koreans were already creating malware that would mine Bitcoin without users’ awareness.
So there’s been an underestimation in general by the global community of North Korean capabilities when it comes to cyber operations, North Korean knowledge around the banking system, for example, and you can see this when you start to look at North Korean cyber operations, the sophistication of the North Korean bank thefts, for example.
North Korea and the North Koreans who are executing these operations have a very deep understanding of how cryptocurrency and the crypto ecosystem works and how to mesh that with their physical networks. The physical people on the ground who already understand how to launder money through casinos, for example, is a popular one, and it’s this integration I think that really strikes me, right? In terms of North Korea, cryptocurrency doesn’t just stay in the virtual world. It very much supports these real-world outcomes, and they integrate these two networks to make it just even more impactful.
Laura Shin:
Yeah, and actually, that reminded me of, actually, what I meant to ask you earlier, was I was surprised when you said that one of the ways in which they probably cash out is through networks in Europe, because, in general, I think of Europe being a place where it’s mostly democracies. So are there any particular countries there that tend to work a lot with the North Korean regime?
Priscilla Moriuchi:
So, in this case, from what we see anyway, it’s not that the countries work with North Korea or even that the countries are aware that there are North Koreans conducting illegal activities in their countries, right? It’s more of using these countries for, for example, the financial system or for the embassies and consulates or for the networks that they’ve established with the criminal underground in those countries that North Korea’s able to use and exploit.
So, like, if you, for example, take a look at the banking operations, so these cases in which North Korea has managed to gain access to the SWIFT, which is the interbank transfer system. The SWIFT servers of banks where many of the…we would call them, like, fraudulent transactions are directed. You have fraudulent transactions going to banks in Hong Kong, Southeast Asia, financial centers such as London, right, some transactions to banks in New York, for example.
So I think there’s a focus and an idea that there certainly is a large network of North Koreans in Southeast Asia, but certainly in the West, there are also North Korean collaborators, people who are unknowingly collaborating with North Korea, as well, who…this large system of support, right? We really have a hard time kind of putting our finger on it and explaining, because it’s been cultivated for so long.
Laura Shin:
And so I mentioned that UN report a couple times, but can you talk a little bit more about how it was determined that this 2 billion dollars that they earned in cyber attacks was used to fund their weapons program?
Priscilla Moriuchi:
Yeah, so I think the 2 billion dollars is the total for the cryptocurrency thefts and the banking operations, so these fraudulent SWIFT transactions from, like, late 2015 up until early 2019. So about a four-year period of time, and if I read the UN report correctly, I think the understanding is that that was funding the weapons program through looking at kind of the North Korean defense sector, and also, to be honest, just through what I would call just high confidence assessments that, you know, when you look at North Korean funds, how the large majority of it does go to the military in these programs.
Laura Shin:
Oh, I see. Okay. So, you know, as we talked about in the beginning, the general North Koreans do not have access to the internet. There’s only this very select few at the very top who do have access to the global internet. So who is performing all these cyber attacks? How have they been trained in this way? Because, clearly, they’re probably not just everyday North Koreans who…like, here in the US, somebody who becomes a very skilled programmer probably grew up playing with computers, but in North Korea, there probably aren’t that many kids that grow up that way. So who are these hackers?
Priscilla Moriuchi:
Sure. So, certainly, in the early days of the program, I would say that probably maybe the next generation of North Korean hackers will have grown up playing with at least smartphones and will be sort of technology users, right, because of the internet and their mobile devices, but for sort of the original generation and to a certain extent, still today, North Korea develops its hackers in a kind of state-run…sort of if you think of the Soviet Union’s development of gymnasts system in which…
Laura Shin:
I know you were going to say that.
Priscilla Moriuchi:
I got to have another great metaphor because it’s kind of bizarre. Like, you have a proclivity, right, to math, for example, and North Korean kids, they’re identified at the middle school stage having a number of…whether they have a capacity for math. They’re then shipped into one specific high school and follow on a couple of different universities, Kim Il-sung University, Kim Chaek University, for example, where these North Koreans are trained. I think there’s some defector testimony that kind of in the early, early days, you know, we’re talking about the late ‘90s, students at the universities would learn how to code by typing on paper keyboards, because they didn’t even really have computers or keyboards.
Laura Shin:
Wait, what is a paper…I don’t even know what that means.
Priscilla Moriuchi:
Yeah. So it’d be like a printout of a keyboard on a piece of paper, and they would kind of type on it way back in the early days. I think we’re well beyond that at this point. You see pictures of sort of computer labs, right, at these universities. No more paper keyboards, but in the way early days, that’s how some people learned, and so, again, they have this internet on which you can learn a lot of basic computer skills, networking, coding, et cetera, just by operating on this intranet.
And then for those that exhibit…you know, kind of graduate from the program, either accede into the military, which is in most cases what we think of, or the intelligence service. The Reconnaissance General Bureau, the RGB will then send people overseas, and it’s at that point that…there’s a lot of unique things about North Korea, as we talked about earlier, but this is particularly unique, in which there’s a substantial subset of North Korean cyber operations.
These crypto scams, the crypto generation, right, the thefts, for example, some banking operations, some of the low-level crime, that takes place in countries overseas, not actually in North Korea. This is where you think about India and China, for example, where North Korea will send their students to study to learn a little bit more, and then sort of house all of their hackers in, I don’t know, the best word for it is hacker dorms, you know, if we take some defector testimony to heart in which there’ll be 10, 20, 30, tens of operators housed in kind of a warehouse environment.
They have to purchase their own computer, and it’s their job all day long, under the eyes of their either intelligence or military minder, to conduct operations to generate revenue for the regime, and from a volume perspective, most of those operations are just low-level crime, low-level crypto scams, IT work, legitimate IT work, and then, of course, you have the kind of big splashy stuff, as well.
Laura Shin:
So why is it that they send these cyber operators overseas? You know, I do this podcast from my apartment. Why does it matter where they are physically?
Priscilla Moriuchi:
So, for a long time, North Korea has such limited IP space. So, you know, they’re anywhere between about three IP ranges that North Korea uses on a regular basis to access the internet. Those three IP ranges are very well known. As our research has shown, people are aware of them. It’s easy to track, and in most cases, while there has not been necessarily large cost to North Korea for being attributed to some of these attacks, they, at the same time, don’t want to be…
Or they want to make it as hard as possible for researchers and for other governments, for example, to link North Korea to any of these attacks. So, for one, when all of your operations come from a very small subset of IP addresses that are already well known to be North Korea, it takes some of the guesswork out of attribution, but second, also for a long time, you know, arguably, up until about 2017, North Korea had very few physical connections to the actual internet.
And most of those were controlled by China or Chinese companies, which meant, right, that North Korea was sort of subject to, at any point, a Chinese decision to cut off the internet. So it’s this idea that cyber operators and hackers, they were so critical to the regime, that they have to send them overseas and take that risk, the risk that some of their most highly trained assets could be arrested in a foreign country, because it was so important for them to be able to continue their operations unimpeded.
Laura Shin:
Wow. Okay, yeah, it just goes to show how little I have the mind of a cyber attacker, but anyway…
Priscilla Moriuchi:
For better. For better.
Laura Shin:
So let’s discuss the sanctions piece, because, obviously, the reason why discussing North Korea’s interest in cryptocurrency is especially timely right now in the cryptocurrency world is because of the arrest of Virgil Griffith, a researcher for the Ethereum Foundation, who was arrested for allegedly helping the North Korean government or attempting to help the North Korean government evade sanctions, and in some of the discussions in the crypto community on Twitter, people were saying to me that, actually, sanctions hurt the everyday people more than the regime. So I was wondering, you know, from your understanding of how North Korea works, what would you say about that? Is that true?
Priscilla Moriuchi:
Yeah, so, I mean, there’s always this back and forth argument when sanctions are imposed on a country about who is actually hurt by the sanctions. You know, we have this discussion with Iran, for example, and I think there’s no doubt that the population certainly suffers in North Korea when sanctions are imposed, but I think my counter to that argument is that the population was suffering anyway.
The population with and without sanctions, right? To a larger extent, the Kim regime subverts the needs of its people, the physical needs, right, food, shelter, those type of things, security to the needs of the state, and they have policies in which their population are directed and to subvert their own needs to that of the state. So, you know, the Kim regime doesn’t support its population anyway.
And I think, certainly, that sanctions do harm the population, as well, but Kim himself, in his 2018 New Year’s speech last year, acknowledged that the sanctions were also harming the government and the military and their ability to execute their own goals. So I think my own personal view on the sanctions is that they’re ultimately necessary if we, as the world, believe that North Korea should not have a nuclear weapon, and we want to one day hope that to give North Korean people a better life.
Laura Shin:
Yeah, and for listeners who missed last week’s episode with North Korean defector Yeonmi Park, I highly, highly recommend you listen to that. She suffered as a child under the North Korean regime, and when I asked her this question, she said, look, he wants the sanctions to be lifted. That means that they hurt him, and that means that lifting them benefits him, and she said, you know, when I was living there, I was basically starving. I was passing dead bodies on the street. I just thought that was normal.
And she said, you know, even if they were lifted, it’s not like he’s going to be feeding people. All of the benefit of that will go to the elite, and she said it in a much more impassioned way than I just did, but it’s such an incredible episode. I highly recommend people listen to that. So then I also wanted to ask about the Virgil situation specifically where, you know, so we don’t know all the facts.
But some of the facts that we do know, these are just public things that he was tweeting or posting on Facebook or whatever, were that he spoke at a blockchain conference in Pyongyang. He had permission from the North Korean government to travel there, and unfortunately, not from the US government, which is why he’s in trouble, and that, afterward, he was also in communication with what he called the Pyongyang Sci-Tech Complex, and he talked about how he was helping them invite new people to talk there.
So, just even that alone, without going into whether or not what the DOJ alleged was true or not, based on those things, what would you say would have been the impacts of what he was doing? Who could’ve benefitted from his talk at this conference and the fact that he traveled there with the permission of the North Korean government, et cetera?
Priscilla Moriuchi:
Yeah. So, from my perspective, I think North Koreans have a, as we talked about earlier, very deep understanding of cryptocurrency and blockchain technology, but that doesn’t mean that sort of every North Korean with a job that may tangentially relate to blockchain technology understands it as fully as some others do. So even the ability to have experts on site in person to bounce ideas off of or ask questions to, you know, it’s sort of like if you work remotely and you get in the same room as the rest of your team, there’s a lot of value there to be able to ask those questions and bounce those ideas off. So I don’t have a perspective or a viewpoint on whether what he did was right or wrong, but I do think that North Korea could’ve derived some value from his interactions.
Laura Shin:
And you’re saying that because of how people were saying that the information he was giving was already public on the internet?
Priscilla Moriuchi:
Yeah, I mean, the other half of that is, like, you know, as we sort of spent much of our time talking about, is most North Koreans don’t have access to the internet, so they can’t just Google something that they’re having a problem with. They don’t have that ability, right, and especially some of the midlevel people that might be attending these conferences don’t have the ability just to hop on a computer and look anything up. So it’d be this idea of being able to ask, troubleshoot, bounce ideas, even to the extent that the foreign visitors may not really think what they’re contributing is of value, there’s no question that North Korea would not allow these experts in if what they were contributing was not of value.
Laura Shin:
Yeah, and when you say that, you mean the regime, not the everyday people?
Priscilla Moriuchi:
Right. I mean, you know, there are arguments back and forth, but I think from the sort of research and scholarly community, there’s widespread agreement that the North Korean government controls visitors who come in and out. They approve visas, and they’re widely scrutinized, you know, any visitor who wants to come into the country, and if it’s not to the benefit of the Kim regime to allow this visitor into the country, they are not allowed.
Laura Shin:
Yeah. So given everything that you have researched about North Korea’s usage of cryptocurrency and also knowing in general, kind of the wider geopolitical things going on with the regime trying to maintain power in its pursuit of nuclear weapons, et cetera, do you think there’s any point in maybe trying either to prevent North Korea from benefitting in cryptocurrency or is there just anything that can be done to…you know, because I think, in general, a lot of people would not say it’s a great thing for them to have more nuclear weapons, except for those few hundred people maybe that are accessing the internet from North Korea. So I’m curious if you have any thoughts on whether that can be done, and if so, how?
Priscilla Moriuchi:
Yeah. Sure. So, you know, the first is on the idea of sanctions and financial controls. For the most part, most of the international and the US sanctions have focused on territorial North Korea and on traditional means of revenue generation or trade. So there’s prohibitions against trading coal or oil with North Korea focused on North Korean companies that are tied physically, right, to North Korea.
And I think what we in the research community have learned over the past several years is that much of the revenue that the Kim regime does generate is not tied to these sort of traditional means of generation, and that the internet is a much bigger tool for a number of ways. Cryptocurrency is one of them, than really governments realize and are equipped to deal with at this point.
So, one, either updating, right, the scope of sanctions or UN resolutions to allow countries or the UN or the financial system to bring these into the 21st century. Track cyber operations, understand the cryptocurrency system, and on the cryptocurrency side, there are attempts in a number of countries to instill some more regulation. Like know your customer laws, for example, and that’s something that would certainly help drive or maybe shine a light on North Korea and their use of cryptocurrency, but also sort of the criminal element in cryptocurrency broadly.
Laura Shin:
Yeah. I wonder what the section of the show is going to…what reaction this is going to elicit on Twitter, because there’s definitely the cypherpunk element where they’re going to be like, what, she suggested more KYC, more AML?
Priscilla Moriuchi:
Right. Right. Right. Yeah, I mean, this is my position as a researcher who studies North Korea and who really…you know, that’s just one perspective. They can hate it or love it, but sort of my interest is in outing North Korea and making sure the Kim regime doesn’t continue to bring in hundreds of millions of dollars every year to repress its people and fund a ballistic missile program.
Laura Shin:
Yeah. Yeah, and for sure, I mean, I interview a lot of people on both sides. There are obviously the companies that are working exactly in that area. Many of them are my sources, and I talk to them a lot, so there is that group in the crypto community, as well. So last question. Because of those types of people who I have listening to my show, you know, cryptocurrency investors and developers and builders of startups and other general enthusiasts, for people who are interested in using such skills to help the situation in North Korea, what would you suggest they do?
Priscilla Moriuchi:
That’s a great question. I think, for the most part, most of these blockchain technologies are not aware of North Korean interest or usage, right? Most of the people who run them or develop them or use them are not aware. So, certainly, there are some basic things that you can do if you’re interested in, like, at the technology perspective and just these really low-level things.
For example, if you have blockchain updates or if you run a blockchain company and there are connections to your resources from North Korean IP range, you can block those, because, as we said, for the most part, those will be the most elite, the most senior leaders in North Korea, not the people that we’re trying to help, but the people who are actually trying to circumvent financial controls and support the missile program. So there are some basic technological blocks that you can institute, and certainly, understanding who your user base is, to the extent that you can. I think those are sort of the only ways to get around it.
Laura Shin:
All right. Great. Well, where can people learn more about you and Recorded Future?
Priscilla Moriuchi:
Sure. So we publish most of our research at Blog.RecordedFuture.com. We’ve got another report coming out shortly on North Korea. So people can check it out there.
Laura Shin:
Great. Well, thanks so much for coming on Unchained.
Priscilla Moriuchi:
Thank you so much for having me. This was great.
Laura Shin:
Thanks so much for joining us today. To learn more about Priscilla and Recorded Future, check out the show notes inside your podcast player. If you’re looking for a fun holiday gift or if you just really love the show, check out our new merchandise shop at Shop.UnchainedPodcast.com. Unchained is produced by me, Laura Shin, with help from Fractal Recording, Anthony Yoon, Daniel Nuss, Josh Durham, and the team at CLK Transcription. Thanks for listening.