The North Korean cybercrime operator APT43 is using cloud computing to launder cryptocurrency, a report from cybersecurity service Mandiant has found. According to the researchers, the North Korean group uses “stolen crypto to mine for clean crypto.”
Mandiant, a Google subsidiary, has been tracking the North Korean Advanced Persistent Threat (APT) group since 2018 but has only now “graduated” the group to an independent identity. Mandiant characterized the group as a “major player” that often cooperated with other groups.
Although its main activity was spying on South Korea, Mandiant found that APT43 was likely engaged in raising funds for the North Korean regime and funding itself through its illicit operations. Apparently the group has been successful in those pursuits:
“APT43 steals and launders enough cryptocurrency to buy operational infrastructure in a manner aligned with North Korea’s juche state ideology of self-reliance, therefore reducing fiscal strain on the central government.”
The researchers detected the North Korean group’s “likely use of hash rental and cloud mining services to launder stolen cryptocurrency into clean cryptocurrency.”
— Dan Perez (@MrDanPerez) March 28, 2023
Hash rental and cloud mining are similar practices that involve renting crypto mining capacity. According to Mandiant, they make it possible to mine crypto “to a wallet selected by the buyer without any blockchain-basedassociation to the buyer’s original payments.”
Mandiant identified payment methods, aliases, and addresses used for purchases by the group. PayPal, American Express cards and “Bitcoin likely derived from previous operations” were the payment methods the group used.
In addition, APT43 was implicated in the use of Android malware to harvest credentials of people in China looking for cryptocurrency loans. The group also operates several spoof sites for the targeted credential harvesting.
North Korea has been implicated in numerous crypto heists, including the recent Euler exploit of over $195 million. According to the United Nations, North Korean hackers had a record haul of between $630 million and more than $1 billion in 2022. Chainalysis put that figure at a minimum of $1.7 billion.