Rogue Nation's Group Launders Stolen Currency Via Crypto

Rogue Nation’s Group Launders Stolen Currency Via Crypto

Updated: 29 March 2023

Disclosure

Don’t invest unless prepared to lose all the money you invest. This is a high-risk investment, you shouldn’t expect to be protected if something goes wrong.

Join Our Telegram channel to stay up to date on breaking news coverage

Threat intelligence firm Mandiant has released a report stating that the North Korean group APT43 has been using cryptocurrency services to launder stolen funds as part of its larger mission of cyber espionage against other countries. The group’s main targets include the US and South Korea.

Mandiant claims North Korea's APT43 likely uses cloud mining services to launder stolen cryptos

— AMBCrypto (@CryptoAmb) March 29, 2023

Unlike other North Korean groups that primarily bring in funds for the regime, APT43 appears to be using these operations to sustain its activities. The group is believed to have used stolen bitcoin to pay for the hash rental and cloud mining services, acquiring “clean bitcoin.”

Mandiant’s report further explained that hash rental and cloud mining services provide hash power to mine cryptocurrency to a wallet the buyer chooses for a fee. The resulting cryptocurrency is not associated with the buyer’s original payments on the blockchain. Cloud mining services offer a convenient option for individuals to mine bitcoin by paying a fee instead of having to set up and operate mining machines themselves. These machines are located in a shared remote location.

According to Mandiant, although they track a vast amount of activity throughout the year, they may not always have sufficient evidence to attribute it to a particular group. However, as they continue to observe more action over time and their knowledge of related threat clusters improves, they may graduate to a named threat actor. APT43 is an example of this, and the report results from extensive research and connecting the dots across several Mandiant groups. Additionally, the report shows collaboration with Google Cloud’s new colleagues.

North Korean Hacker Group APT43 Using Mining Trick to Launder Stolen Cryptocurrency

Mandiant, a cybersecurity firm, has reported that APT43, a North Korean hacker group, has been engaging in profit-focused cybercrime by stealing cryptocurrencies that can benefit the North Korean regime or fund the hackers’ operations. The group has reportedly adopted a new method of paying the stolen cryptocurrency into “hashing services,” which allow anyone to rent computing power to mine cryptocurrency and harvest newly mined coins with no apparent ties to criminal activity, cash out the stolen funds, and prevent them from being seized or frozen.

According to Joe Dobson, a threat intelligence analyst at Mandiant, APT43’s mining-based laundry technique allows the group to break the chain and avoid leaving a forensic trail of evidence on blockchains, making it difficult for thieves to cash out. Mandiant first observed signs of this technique in August 2022, with tens of thousands of dollars’ worth of crypto flowing into hashing services believed to be from APT43 crypto wallets.

The group’s wallets have also seen similar amounts flowing from mining “pools,” which allow miners to contribute their hashing resources to a group that pays out a share of any cryptocurrency they collectively mine. Mandiant declined to disclose the hashing services or mining pools involved.

While the payouts from the mining pools should have no connection to APT43’s hackers, that is the objective of the group’s money laundering exercise. However, Mandiant has found operational sloppiness where the funds were mixed with cryptocurrency in wallets previously identified from its years-long tracking of APT43 hacking campaigns. Despite this, the payouts from the mining pools should be clean, in theory, with no ties to APT43’s hackers, as that is the group’s goal for the laundering process.