Posted: 2022-07-06 22:07:23

But at a time when North Korea has locked itself down for fear of the pandemic, hacking crypto exchanges has allowed it to generate income in ways that are both COVID-safe and harder to trace in an industry subject to limited government oversight.

As its hackers roam cyberspace launching devastating attacks, North Korea runs little risk of being targeted itself because most of the country is offline. “For North Korea, it’s a low-cost, low-risk but high-return criminal enterprise,” said Yoo Dong-ryul, a former chief anti-terrorism analyst at the South Korean national police agency.

North Korea barely has enough electricity to run elevators in the capital city, Pyongyang, and most people do not have computers, much less access to the internet. Yet the country has long been home to many of the world’s savviest and most aggressive hackers.

North Korean students have rivalled their peers from the world’s top universities in international computer programming competitions. By 2013, Kim called his hackers “an all-purpose sword” parallel to his nuclear weapons and missiles in their “ruthless targeting capabilities,” according to South Korea’s National Intelligence Service.

“They are unique in that they are trained and deployed and operate under a government program,” Yoo said. By one South Korean estimate, North Korea runs an army of about 6,800 cyberwarriors — 1,700 hackers in seven different units and 5,100 technical support personnel.

Talented students are carefully screened and groomed from an early age. The best of them join the hacker training programs at the Moranbong University, run by the Reconnaissance General Bureau, North Korea’s main spy agency, or at the military-run Mirim College, according to South Korean officials. After graduation, most are assigned to the Reconnaissance General Bureau’s cyber warfare arm, Department 121.

In North Korea, only a small number of workers whose loyalty is vetted by the regime are allowed to work abroad. Hackers are among them, operating in China, Russia, Belarus and Southeast Asian countries like Singapore, the Philippines and Malaysia, often posing as freelance computer engineers.

Like other North Korean workers abroad, the hackers operate under the watchful eyes of their political minders sent from Pyongyang.

“You are mistaken if you think they will have moral compunction for attacking somebody else’s network,” Jang Se-iul, a graduate of Mirim College who served as an officer in the North Korean military before defecting to South Korea in 2008, said in an interview. “To them, cyberspace is a battlefield and they are fighting enemies out there hurting their country.”

Jang said North Korea first began building its electronic warfare capability for defensive purposes but soon realised that it could be an effective offensive weapon against its digital enemies.

Around the time Jang arrived in Seoul, South Korea, websites in South Korea and the United States were under a wave of cyberattacks. Going by names like Lazarus, Kimsuky and BeagleBoyz, North Korean hackers used increasingly sophisticated tools to infiltrate military, government, corporate and defence industry networks around the world to conduct cyberespionage and steal sensitive data to aid its weapons development.

Kim Jong Un’s North Korea is accused of raking in billions from crypto hacking. Credit: AP

Usually, North Korean hackers breach foreign crypto wallets through phishing attacks, luring victims with fake LinkedIn recruiting pages or other bait, according to Chainalysis. Then the hackers use a complex set of financial instruments to transfer the stolen funds, moving the loot through cryptocurrency “mixers” that combine multiple streams of digital assets, making it harder to track the movement of one particular batch of cryptocurrency.

“They’re very methodical in how they launder them,” said Erin Plante, senior director of investigations for Chainalysis. “They’re very methodical in small amounts moving over long periods of time to ultimately try to evade investigators.”

The final step is turning the crypto into cash. Generally, North Korea uses offshore exchanges, converting the stolen cryptocurrency into renminbi. “They’ve cashed out a large percentage of the funds they’ve stolen,” Plante said. “It’s a really powerful tool for them in evading sanctions.”

Axie Infinity, the video game targeted in the cryptocurrency heist this spring, was created by Sky Mavis, a company founded in Vietnam in 2018. The game allows participants to accumulate cryptocurrency the more they play. By last year, it had more than 2.5 million daily users. The game’s popularity made the company a target: Employees at Sky Mavis were under constant advanced spear-phishing attacks on various social channels.

The company was hacked after an employee downloaded a Word document, said Aleksander Leonard Larsen, a founder of Sky Mavis. The employee no longer works at the company, he said.

“The entire industry is going to have to face the music here sooner or later,” Larsen said, adding that the attack on his company by North Korean hackers should serve as “a wake-up call” for the industry as it contends with mounting security threats.

Last week, Harmony, a popular crypto platform, announced that it had lost $US100 million in digital currency to a thief. Chainalysis tracked the flow of funds, which were channelled into a cryptocurrency mixer. The transfers followed a familiar playbook, Chainalysis said Monday. The apparent culprit: North Korea.

This article originally appeared in The New York Times.
