A joint statement by Japan, South Korea, and the United States has claimed that North Korean-backed hackers have stolen about $659 million through multiple cryptocurrency heists in 2024. It also accused the country of deploying information technology workers as spies in several blockchain companies.
“The United States, Japan, and the Republic of Korea join together to provide a new warning to the blockchain technology industry regarding the ongoing targeting and compromise of a range of entities across the globe by the Democratic People’s Republic of Korea (DPRK) cyber actors,” the statement reads.
The announcement also claimed that North Korea was behind the July 2024 $235 million hack of WazirX, known as India’s largest cryptocurrency exchange. The breach later forced WazirX to suspend trading and restructure the firm.
The joint release listed other major attacks including a $308 million theft from Japan’s DMM Bitcoin, $50 million each from Upbit and Radiant Capital, and $16.13 million from Rain Management.
“In 2024 alone, our governments have individually and jointly attributed multiple thefts, denominated in virtual asset value in U.S. dollars, to the DPRK: DMM Bitcoin for $308 million, Upbit for $50 million, and Rain Management for $16.13 million. The United States and the Republic of Korea additionally attribute to the DPRK, based on detailed industry analysis, thefts last year against WazirX for $235 million and Radiant Capital for $50 million,” the statement explained.
The governments also noted that the Lazarus Group, a dangerous group of North Korean hackers, conducted social engineering attacks and deployed cryptocurrency-stealing malware like TraderTraitor to breach several exchanges. They also accused the Asian country of infiltrating companies by having North Korean IT workers pose as job candidates.
“The United States, Japan, and the Republic of Korea advise private sector entities, particularly in blockchain and freelance work industries, to thoroughly review these advisories and announcements to better inform cyber threat mitigation measures and mitigate the risk of inadvertently hiring DPRK IT workers,” the governments said.
The trio reaffirmed their commitment to countering cyber attacks by the DPRK, stressing that coordination is needed to combat the issue. “The United States, Japan, and the Republic of Korea will continue to work together to counter the DPRK’s malicious cyber activities and illicit revenue generation, including by imposing sanctions on DPRK cyber actors and collaborating to improve cybersecurity capacity across the Indo-Pacific region,” the statement concludes.
In November 2024, a United Nations report estimated that North Korea stole $3 billion in cryptocurrency between 2017 and 2023 to fund its sanctioned nuclear weapons programs. In the same year, the US Department of Justice arrested 14 North Korean nationals who posed as remote IT employees for US companies. They were accused of stealing proprietary information and extorting employers, resulting in $88 million in illicit earnings.
Separate data from Chainalysis, reported by Technext, showed North Korean hackers were responsible for 61% of all cryptocurrency stolen in 2024, totalling $1.34 billion.
The report also explained that despite the year-over-year drop in the total number of incidents across all scales, North Korea’s cryptocurrency attacks continue to grow. In 2024 in particular, large-scale attacks involving $50 to $100 million and amounts exceeding $100 million were noticeably dominant.
It added that North Korea (DPRK) is becoming more efficient in orchestrating high-value breaches. This signals a notable change from the past two years, when its attacks predominantly generated less than $50 million per incident.
“Notably, attacks between $50 and $100m, and those above $100m, occurred far more frequently in 2024 than they did in 2023, suggesting that the DPRK is getting better and faster at massive exploits. This is in stark contrast to the previous two years, during which its exploits more often yielded profits below $50m,” the report revealed.
The Chainalysis report added that North Korean IT workers have increasingly infiltrated crypto and Web3 companies, compromising their systems and integrity through several advanced tactics.
“Some of these events appear to be linked to North Korean IT workers, who have been increasingly infiltrating crypto and Web3 companies, and compromising their networks, operations, and integrity. These workers often use sophisticated tactics, techniques, and procedures (TTPs), such as false identities, third-party hiring intermediaries, and manipulating remote work opportunities to gain access,” the report added.
At Cyberwarcon (an annual conference in Washington, D.C.) held in November, security researchers offered their most up-to-date assessment of the threat from North Korea.
According to the researchers, there have been a series of attempts by the country’s hackers to pose as prospective employees seeking work at multinational corporations. The aim is to earn money for the North Korean regime and steal corporate secrets that benefit its weapons program.
A blog post by Microsoft explained that another group of North Korean hackers, “Sapphire Sleet,” masqueraded as recruiters and as a venture capitalist in campaigns aimed at stealing cryptocurrency from individuals and companies.