Amid Increased International Sanctions, North Korea Turns to Bitcoin for Cash
September 26, 2017
North Korea's cash-strapped regime has long sought workarounds to the
increasingly harsh international sanctions aimed at tightening the
financial noose around its nuclear and missile programs.
Now, according to Recorded Future, an intelligence research firm backed
by Google Ventures, Pyongyang is making a foray into cyberspace,
launching a bitcoin "mining" operation, which saw a dramatic spike in
its activity in mid-May.
Although the bitcoin activity amounts to only a token amount of funds at
this point, there is significant potential for it to become a major
source of income for the regime, the company said.
Is North Korea's pursuit of bitcoin, the best-known cryptocurrency used
for purchasing goods and services online, something the United States as
well as the international community should worry about?
Priscilla Moriuchi, a Recorded Future
director. Formerly with the National Security Agency (NSA) as threat
intelligence manager and senior expert on East Asia and Pacific regional
and cyber issues, she discussed in detail her findings on North Korea's
cyberactivities. Her answers have been edited for clarity and length.
Could you describe how Recorded Future first detected the North Korean
activity in bitcoin?
Priscilla Moriuchi: The bitcoin mining [from North Korea] started on May
17 and continued through the end of our data set, which was July 3. This
was a critical moment in terms of bitcoin [mining activities] because
before then, I haven't seen any activity that we had insight into
indicating that [the North Koreans] were interested in bitcoin.
Is there any substantive evidence for the North Korean bitcoin mining
Moriuchi: [Mining] bitcoin is very computationally intensive. It
requires a lot of energy and high capacity computers. It also requires a
lot of internet bandwidth because it constantly communicates with other
bitcoin nodes (a peer-to-peer network consisting of computers, which
allows for transactions to be broadcast to other users worldwide) to
validate the blockchain (the digital ledger technology that records all
virtual money transactions) that they are putting together. So mining
activity is pretty distinct in terms of volume, and the [internet] ports
and protocols (IP address) that are used are also pretty distinct. It
can give you a decent signature.
Who is running the North Korean bitcoin mining operations, and why do
you think the country has finally begun mining bitcoin?
Moriuchi: The first [hypothesis] is that it could have been an activity
conducted by the state, whether it be the military or the intelligence
services, for the purposes of raising funds for the regime. The second
hypothesis is that it was an individual user ... but because of the
bandwidth and energy that were required, it would have to be known or
permitted by the state and the leadership.
Over the past few years, we've seen increasingly tough sanctions levied
upon North Korea by the United States, other international partners and
by the United Nations. Those sanctions have increasingly cut off North
Korea's access to the traditional financial system and [its] ability to
generate funds for state operations. We believe that bitcoin and
cryptocurrency mining or activity involving cryptocurrency is a way for
North Korea to generate funds and get around some of the sanctions.
Do you think North Korea has come to a conclusion that using
cryptocurrency to generate funds for the regime is safer than other
illicit ways — for instance, smuggling drugs or counterfeiting money?
Moriuchi: [Mining bitcoin or any other cryptocurrency] is not illegal.
There's nothing about [using cryptocurrency] that puts North Korea in a
worse spot in terms of sanctions or legal violations. So that's one.
Two, you can buy many things. You can exchange cryptocurrency for actual
currency, but you can also buy physical goods with cryptocurrency. So
it's another way for them to purchase things they might need without
using the financial system.
There were reports that North Korea might have launched cyberattacks
against South Korean virtual currency exchanges. Do the North Koreans
have such a capacity?
Moriuchi: Yes, definitely. When it comes to North Korean hacking
activities, we broadly underestimate their capabilities because many
people believe [it is] such an isolated country where most people don't
have access to the internet and ask how they can possibly have
indigenous experts, how they can possibly train people well enough to be
able to conduct some of these very sophisticated hacks.
But what we have come to know over time is that they are sophisticated
actors. They do have in-depth understanding of internet networks and
Do you believe North Korea meddled in the Sony hack in 2014?
Moriuchi: Yes, both the federal government like the FBI (Federal Bureau
of Investigation) and NSA have both come out and said that North Korea
was behind the Sony attack. I think most people who follow North Korea
agree with the government assessments.
It seems that reasons differ for North Korea's cyberattacks against
South Korean virtual currency exchanges and for the Sony attack. Why is
Moriuchi: North Korean cyberactivities really started about 2008 and
2009. [They were] mainly toward South Korean government, corporations
and media, as well as some U.S. government entities, and they were
intended to [cause] chaos and to disrupt South Korea and undermine
systems there. After the Sony attack, [there seemed to be a] transition
in most of the North Korean attacks that we in the private sector have
been able to follow toward financial services, toward generating money
and raising funds. I think we are in this new period in terms of North
How much profit does North Korea make from mining bitcoin?
Moriuchi: At current rates, let's say [North Korea] earned about
$100,000. So in terms of the amount of money that North Korea may need
for their missile program, $100,000 is probably not very much. If you
put that next to what experts estimate North Korea pulls in just through
its other kinds of criminal operations, such as the drug trade, drug
smuggling and counterfeiting of U.S. dollar bills, around $500 million
to $1 billion a year, $100,000 is a drop in the bucket.
Given the token amount of money North Korea makes through the bitcoin
mining activity, is it far-fetched to say the North is tapping this
digital currency exchange in order to evade sanctions and earn income
for the regime?
Moriuchi: Cryptocurrency, specifically bitcoin mining, is one other
method for them to circumvent sanctions and to generate funds. It's not
the primary means of earning funds for the regime right now, but it's
certainly something that they could expand and that would be much more
difficult for the international community to be able to track and limit.
Why is it so hard to track the bitcoin activity?
Moriuchi: Bitcoin was designed to be anonymous, and it doesn't keep
track of identifiers, such as IPs and usernames, while mining, buying or
Additionally in the WannaCry attack, in early August three bitcoin
wallets associated with WannaCry were emptied. What we saw were many
steps taken by presumably the North Koreans to further obfuscate where
the funding was going. So first off, they went through a bitcoin mixer,
which is a service that essentially throws all the bitcoin into one pot
and then out comes the amount you threw in but it's not the same bitcoin
that you put in. So it anonymizes your identity. After going through
that, they then convert it to another cryptocurrency. So they went to
great lengths to avoid even the slim chance that they could be
attributed through their bitcoin transactions.
What do you think about the claim that the U.S. could take out North
Korea's missiles before launch through jamming or other cyber methods?
Moriuchi: There are two internets [in North Korea]. One, the global
internet, and then the domestic intranet, the one that regular North
Koreans, though a small number, actually have access to. And then you have
various other networks within the country — the government's and the
military's. The connections between the global internet and anything
inside North Korea are very few, based on the research that I did. So
[even] if it was possible for the United States or whoever to attack a
North Korean missile site or a launch using a cyberattack, it would be
did you become interested in analyzing North Korean internet activities?
Moriuchi: We have this very unique set of data ... and we felt like we
can give much more context to the whole debate about North Korea,
especially about their cyberactivity. We did a big analysis over the
past few months, and we came away with a number of conclusions based on
North Korean leadership internet activity. The biggest one for us was
that, based on the activity that we saw, the North Korean ruling elite
and their leadership are much more active and engaged in the world,
popular culture, international news, and with contemporary services,
than most outsiders would have believed. They go to Facebook, they go to
Instagram every day, they stream video and a lot of other things that
many of us do. The 0.1 percent of [the North Korean population] who has
access to the world internet does those same things.