After Sony, one thing became abundantly clear.
not by Seth Rogan, not from a half a world away. But inside North Korea, his vendetta
βis aren't just destructive, they're deadly. Kim has purged long-time allies, executed officials,β
and family members. Nick Carlson tracked these episodes from his former post at the FBI. Kim Jong-un actually had an alias, he had a Brazilian passport and he traveled the world in the 90s, under that identity. And the man who esported him, that was named Pakem Mu, and he posed as Kim Jong-un's father. So this is another man who was executed by Kim Jong-un, somebody who he spent his childhood with. But I kind of wonder about what kind of a person would kill
the man who posed as his father for a slight or unbezzlement or something. It's really cool.
South Korea's biate, and she says it has information that North Korea executed its defense chief,
who are sleeping during a meeting and talking back to young leader Kim Jong-un.
βChang-sung Tech was at the North Korean leaders' right hand at the very heart of this regime.β
He was Kim Jong-un's uncle and mentor. He was executed by machine gun. These then data is extend from politically motivated to purely petty. Kim Jong-un is a big windbreaker, imports a lot of wine for himself in Genoa, Korea. Got upset at a wine distributor, based in China. Related to some wine distribution deal and in August, he decided to just wipe out their network. That's Eric Chen who leads a team of reverse engineers at Broadcom. He spent years dissecting the
code behind North Korea's biggest hacks. But in terms of its cyber vendetta's, North Korea learned something fundamental after Sony, destructive cyber attacks make headlines by natural cyber attacks make money. Here's a very red bird who heads up global policy at TRM labs, and before that
βled financial and terrorism investigations at Treasury. In the Sony Pictures context was, hey,β
we could create disruption or maybe we could steal user names and passwords on the internet to all of a sudden, wow, we can actually steal money that we can linger and use. And that same trade craft used to wipe a company off the map, you can use that to rob a bank. I'm Nicole Prollarath, and this is to catch a thief. Sony began with something simple, a spear-fishing email. But when North Korea perfected and that attack was far more dangerous,
the ability to quietly learn and at work, map it from the inside, find the crown jewels, then weaponize them from maximum impact. And while we were still reeling from Sony, North Korea's hackers turned that same playbook on banks, and one bank in particular, the bank of Bangladesh. Here's Eric Chan again. Way back in January of 2015, in North Korea and attackers were trading personas, trading email accounts,
and conducting online research about email addresses and Bangladesh bank employees. They started sending friendly job inquiries to the banks employees, along with the link to a resume and cover letter. They pretended they were a guy named Rosal Ola, and they said, "I'm Rosal Ola, and I'm extremely excited about the idea of becoming part of your company. Here's my resume and cover letter." But it wasn't just a resume. That document actually was
an executable, instead of just displaying his resume on your screen, would actually begin running code on your system. And just like that, North Korea's hackers were inside the bank.
But they didn't steal many right away. They waited. And this is critical.
Especially when you think about the North Korean IT workers working in our systems today, they spent nearly a year mapping the banks network, studying how the systems worked together, hunting for the banks connection to something called "swift." Swift is the mechanism in which banks all over the world transfer money, but Swift itself doesn't transfer the money. Swift is really a communications protocol,
like a chat messaging system that allows banks to send messages to each other to say, "Hey, I want to transfer 2 million from this account to this account." The banks then do that, debiting and crediting. Swift doesn't do that. And so that Swift's system is really based on trust. So if I'm logged in to my Swift account
I send you a message and say, "Please, debit 2 million, you trust that what I...
accurate and the truth." And I have vetted, for example, the company who's deciding to debit
those amounts. Most banks would have a separate room that would have their Swift terminal. So it's just a computer that had the Swift software on it, that messaging software. They would just have a simple credential and they would be into that terminal. You could imagine attacks where individuals would break in, get physical access that terminal, and potentially they could send rogue Swift messages. But equally as well, you could imagine hackers
hacking into those computers, getting access to that Swift software and sending messages that were rogue as well.
βOkay, so once you get access to Swift, what do you actually get access to?β
At that point, you're in the vault. You have everything. Once you're on that Swift terminal, you can begin to send messages to say, "All this money that belongs to me, I want you bank to move it somewhere else," and instantly out it goes. It's even easier than a bank heist. In a bank heist, not only you got to get into the vault, but you got to get that money out of the vault. You got to load it into a van and you got to drive
away somewhere, you've physically got to move that money. When we're talking about Swift, it's just a digital zero as once. It's a simple chat message, single message, will instantly cause that money to move to some offshore account that you no longer have any access to. And that's precisely what North Korea's hackers did. They studied Swift like a master-seafcracker
βstudies the tumblers of a vault, and they reverse engineered the bank's connection to Swift,β
until they found a vulnerability. One that allowed them to disable Swift's authentication checks, and then they logged in. Just like any other legitimate bank employee. And it took the months to understand that sort of vulnerability or this weakness in the software before they could conduct their attack. Starting in January 2015, North Korea's hackers quietly broken a bank surround the world, manipulating Swift, and seeing what they could get away with.
In Ecuador, they broke into the Bungo del Austro, and started sending Swift messages to Wills Fargo
in San Francisco. They tricked the bank into transferring more than $12 million to accounts they'd set up
in Hong Kong. The banks wouldn't connect the dots until much later. But that was just their dry run. But they pulled off next at Bangladesh Bank required oceans of 11 level coordination. Bank holiday is mapped to the hour. Fake accounts opened overseas. Many launders lined up in advance. And by the time the operation began, North Korea wasn't just hacking a bank, they were running a global financial heist.
The attack happens on February 4th 2016. And this is not a random date. This date was chosen very meticulously, because February 4th 2016 was a Thursday in Bangladesh. And they started on this Thursday night, because in Bangladesh, their weekend is Friday and Saturday in the Western world. And so the employees were all gone. They chose these dates like you know, a seal team six would go in and attack some place on a moonless night. They were choosing
a very specific time. And when they were in there at 836 pm, they logged into the Swift system, using their bypass. And they sent 36 orders to the New York Fed. The Bank of Bangladesh held the bulk of its U.S. currency at the New York Fed,
so the hackers start sending Fed orders over Swift, totaling $951 million.
Almost the entire contents of the Bank's New York Fed account. The requests were to transfer that money to accounts that had set up in Sri Lanka and the Philippines. Those countries were chosen for their lacks reds. But the Philippines in particular had something else going for it. Casinos, the DPRK's preferred money laundering machine. So late that Thursday, February 4th, Bank employees are kicking off their weekend in Bangladesh.
And meanwhile, the hackers start sending their orders to the New York Fed over Swift. This is 10 a.m. to 11.30 a.m. in the morning in New York. Begin to receive all of these orders. What's wild is the hackers hit a snag. They're banking and fellows in complete. So the New York Fed replies via Swift to Bangladesh Bank, asking them to clean up their
βbank details. Remember, it's now the weekend in Bangladesh. But because the hackers are inside theβ
system, they were actually able to correct these mistakes. They actually missed one. They forgot
One as they were doing their work.
began to post, all to Philippines all to four different accounts for a total of $81 million.
βMeanwhile, hackers are waiting for the rest of their $1 million to move. But then two things happened.β
First, a typo. North Korea's hackers had actually missed spelled the name of the account holder that their accomplice had set up at one of their accounts in Sri Lanka. Instead of writing the Shalika Foundation, they wrote the Shalika Foundation, F-A-N, rather than F-O-U-N. And second, the address for the bank in the Philippines was listed as Jupiter Street. Now, there are hundreds of banks in Manila that North Korea's hackers could have chosen.
But by some bizarre twist of fate, they chose a bank with a branch on Jupiter Street. And Jupiter, that text was on the US's Treasury sanctions list, because it matched in Iranian, oil transport cargo shipping company, just by chance. And so between the miss spelling and the sanctioned name, the New York Fed began to look at all the transactions more deeply and say, wait a second. This is weird.
The North Korea's hackers have been waiting at all night to see if they'd get the money. But at 4am, they called it quits. But they should have held out a little longer, because just an hour later, at 5am being at Ash time, the New York Fed asked for a small clarification.
βHey, look, you correct these. Why is there a typo? You have to give us some more informationβ
that basically says this is not the Jupiter of, you know, Iranian oil shipping company. But unfortunately for North Korea, the hackers had locked out. Had they waited, they could have made
those corrections. And ultimately, those transactions equated to almost $1 billion.
And they would have walked away with $1 billion instead of $81 billion. Now, North Korea's hackers have gone to great links to clean up after themselves, going as far as to hack the bank printer responsible for printing out every swift transfer. They'd zeroed out every record of their transactions. It was only when they came back to work on Sunday and realized their books weren't balancing that they saw this malfunctioning printer
wasn't a glitch at all. It was the clue. They'd been robbed. They tried to reach out to the Fed, but it's the weekend there at the Fed, right? And so the Fed wasn't responding. And the bank of Bangladesh was stuck. And it wasn't until Monday that they began to communicate with the Fed. And the Fed was like, "Look, we transferred out 81 million dollars, but we keep repeating you have errors on these other 30 for close to a billion."
βAnd the bank of Bangladesh doesn't have some plays. They're like, "What are you talking about?β
We never transferred any of this money." By the time anyone realized their money had been
stipend off to the Philippines and employees start feverishly calling their contacts in Manila, no one picks up. Monday the Philippines was lunar new year. It was a holiday for the Philippines. And so they weren't there. They couldn't get in touch with the bank in the Philippines. And so you can see now this choice of starting on February 4th Thursday evening through the weekend. And then into that Monday was not just some random date that they had chosen
because they were ready. They waited for the state. Because they knew the bank of Bangladesh would be out. Then the New York Fed would be out. And then in the Philippines they would be out even on that Monday. And not until Tuesday did they get in touch with the bank. And it was all too late. 81 million dollars had vanished. 50 million was funneled into chips at two Manila casinos, gamble the cross-backer at tables, and quietly converted back into cash.
The blame game is underway in Bangladesh after computer hackers stole the equivalent of 73 million euros from this institution, the central bank. The $81 million money laundering scandal is now considered one of the biggest bank highest in Asia. This was the largest cyber-highest of its time. It exposed glaring vulnerabilities in the global financial system. And it proved once again that we underestimate North Korea's digital ingenuity at our own cost.
When people look at North Korea and go out North Korea, wiping machines, displaying schools and cross-bones, how sophisticated this attack was. Not only understanding the swift system, finding a weakness in it, choosing the right dates to conduct this attack,
Having physical people on the ground to open up bank accounts to receive the ...
laundering through casinos to get it on airplanes and flown out of there. This is not an attack
βwhere you had two hackers just hacking into the bank of Bangladesh and the swift system.β
You have dozens of individuals all working in coordination to get this money. And they literally almost walked away with a billion dollars. It's not for a type of. It was like in a movie where you have a bank fault-hice except for there's no mass, there's no hacking into the camera, there's no getaway cars, there's just guys at keyboards and it's just amazing for a nation-state
to do this. We had never up into this moment and actually really never since with any other nation-state
seen a nation-state feel cold-hard cash from another country. This was unheard of. Bangladesh showed North Korean hackers the art of the possible, but it also exposed limits of robbing the global banking system. Here's Nick Carlson, who is following all this from the FBI. They experienced this. Potentially enormous windfall. They don't get it all. And that was really difficult to do. The money was there, but the system still had too many choke
points. North Korea needed something faster, harder to trace, harder to freeze. And right then, the world handed them cryptocurrency. Now that you can't see it's growing in popular countries,
you've been called the future of money. The Bitcoin is not controlled by a government or a central
bank. It is a completely virtual car. So you've tried it all in the net. It's almost like intervention by God, right, that this opportunity arises to pivot from traditional banks into crypto. And here's that of Myers, the head of Counter-Adversary Operations at CrowdStrike.
βThere was another thing that happened in that time frame, which is important to note,β
was the maximum pressure strategy. Today, the Treasury Department is announcing the largest set of sanctions ever imposed in connection with North Korea. Our actions are part of the ongoing maximum economic pressure campaign to cut off sources of revenue that this regime derives from UN and US prohibitive trade to fund its nuclear and ballistic missile programs. We are also issuing. So that's when we really started trying to completely isolate North Korea
in the tighter we squeeze, the more it kind of pushed them to this other avenue. To steal crypto, North Korea didn't need to break in the vaults or move bags of cash through casino's. Crypto Optimus trumpeted that the blockchain was immutable. What is mutable, though, is the ecosystem that industry was building around the blockchain. And with the frenzy of new blockchains and coins, all of it was being built at startup speed, was startup levels of security,
the old and move-fast and break things approach, and that created an opening. North Korea's hackers realized the playbook they'd used at Sony and Bangladesh Bank, the fishing, the personas, malware, late endocuments, social engineering. Well, it could be applied to crypto too, and so these set to work understanding the crypto ecosystem. And North Korea moved faster than almost everyone else, including the FBI.
Hi, really resisted. I'm getting involved in the crypto stuff. I mean, I specifically
βremember actually, I think 2016 talking with a colleague, she was very interested in crypto andβ
Bitcoin. He was trying to convince me and say, well, the North Koreans are definitely going to use this, and I remember saying, this is so stupid. You know, you can keep your funny money to yourself. Like, I had no interest in this. That was my attitude. I was very resistant. And even today, I do this because they do this. I'm not in crypto because I love crypto. I'm in crypto because North Koreans love crypto.
North Korea's first major foreign crypto was more armed robbery than highest.
One, a cry. Russia, the United States and many points in between have been hit by what's now a common form of cybercrime. In May 2017, screens across the UK were seized with ransomware. The distance just hurt personal computers. It paralyzed London hospitals. Patients were turned away. Their operations cancelled. As malicious software paralyzed, 16 hospital computer systems across England. We're having significant issues with our IT systems.
We can't access any patient records, results, prescription requests. So we're here. The surgery is open, but we've got very limited services that we can provide for people.
40 British hospitals would come under assault that day, and it didn't stop th...
The ransomware cyber attacked that ravaged Europe rolled into Asia as workers booted up
their computers this morning. In Japan, at least 2000 machines in 600 locations were reportedly hit.
βTurkey and the Philippines were also affected. I remember tracking one a cry that day as it movedβ
across Europe through Asia. It hit Russian railroads and banks, French automaker Rino, Indian Airlines. Universities across China, Spain's Telecom Giant Telephoneica. In Japan, it hit Hitachi, Nissan, the Japanese police, a hospital in Taiwan, South Korean movie theaters, gas stations across China, FedEx, one by one. These screens went red with a ransom note. Across the world, people started ripping their computers out of the wall,
but in the UK, a little note researcher did the opposite. My name is Marcus Hutchins. I'm a principal threat analyst at Expo. When the attack hit, Marcus had been tracking different malware strains. Whatever this was, it was bigger than anything he tracked his entire career.
βYou're seeing entire NHS units being knocked off line, entire companies going down. This isβ
phenomenally huge. Like it might be one of the biggest ransomware attacks in history. Very quickly, the attack was dubbed "Wanna Cry," after a tiny snippet researchers uncovered in the encrypted file names. But this virus replicated like nothing the world had ever seen. Whatever this was, whoever this was, they weren't infecting machines manually. This was a self-replicating form. And as analysts started teasing the code apart, they discovered why.
These hackers had built their ransomware on top of a stolen Microsoft Windows exploit that had been leaked online one month earlier. And this wasn't just any exploit. This exploit belonged to the NSA, the US National Security Agency. It was codenamed Eternal Blue. And someone, we still have no idea who, calling themselves the shadow brokers, had dumped it online a month earlier. Eternal Blue was essentially a rocket. And North Korea used that rocket to
spread its ransomware to 150 countries around the globe. After careful investigation the United States is publicly attributing the massive "Wanna Cry" cyber attacks in North Korea. We do not make this allegation lightly. We do so with evidence and we do so with partners. But like their table before this, the attackers made careless mistakes. They recycled their tools, including from the Sony hack. They also failed to give
βtheir victims a decryption key. So even if their victims paid their $300 ransom, they'd haveβ
almost no hope of actually retrieving their data. But Marcus spotted another mistake. One that would bring the entire operation crashing to a hole. So I was lucky into the code and it had this unregistered web address. And we see like a lot of unregistered web addresses in our work. So we were pretty used as seeing like these malware families reaching out to unregistered web addresses. And then we would go and register them causing the malware to connect
to our server. So seeing that unregistered domain, I didn't even think twice about registering it as like great. As soon as I register this domain, we're going to see every single "Wanna Cry" infection connecting to our system. What he'd actually found was a kill switch. The minute Marcus registered the domain, "Wanna Cry"
just stopped. It netted less than 200,000 in payouts that day, but it wrought an estimated $8 billion
in damages. North Korea learned a few lessons from Wanna Cry. One. Your eyes and cross your cheese. Two desperate victims will pay. And a speed of North Korean ransomware attacks descended on the United States. Man believed to be a North Korean government hacker is accused of ransomware attacks at U.S. hospitals, including one in Kansas. Officials say the treatment of patients was disrupted by the hack on American hospitals and other health care providers. The Justice Department says
it's recovered ransom paid by the medical center in Kansas and Colorado. But as North Korea's hackers familiarize themselves with crypto and the blockchain, they realized something profound. Crypto wasn't as useful for ransom payouts. It offered
access to liquid cash. And not just that. For the first time in history, you could peer directly
into the financial system and see exactly or staggering pools of money we're sitting.
Whales.
The beauty of the public aspect of the blockchain is quite obvious how much is sitting in an
exchanges. So you know, okay, admittable, I can bake this amount of money. Hmm, might be worth adding a couple of people to look into this. And that's exactly what North Korea did because in Heidi's words, the DPRK is a well-run industrial complex. If you followed reporting on North Korean hacking, you've probably heard the term Lazarus Group. Lazarus Group Lazarus Group. Lazarus Group. Lazarus Group.
It's the industry's catch-all for North Korea's hackers, but you won't hear me use it here
βbecause it obscures something important. North Korea's hackers are not a monolith.β
They've evolved into a sprawling, highly organized military operation. Specialized units with distinct missions, distinct targets, and increasingly sophisticated expertise. These guys, they literally were uniforms, they have ranks, they have military rank. So it's not even like the Chinese, where there's some contracting stuff out to some talented hacker. These are actually like the state doing this. So it's a degree of
organization, nobody else has. Here's T.R.M. Lops, Erie Redberg again. I'd blanch now when people use the term state sponsored or even Lazarus to describe what's happening in North Korea. Because to me, that sort of has a state sponsored feel to it. It's not state sponsored. It is the state. And it's not just government types that don't like the term Lazarus, the industry hates it too.
Here's Adam Myers from CrowdStrike again. Hate Lazarus is the fucking worst, and that was a company in Novela, in Novela.
βCame up with that thing way back when, and they just lumped at the time, I think it was becauseβ
they just didn't have analytic maturity. They just lumped everything together into one thing,
and it made a huge mess. The reality is that the blanket term Lazarus
hardly does justice to what we're actually up against here. North Korea has built an entire ecosystem of specialized hackers, crypto thieves, espionage teams, social engineers, that all ultimately report up to the RGB. North Korea's primary intelligence service. Sanctions monitors and firms like CrowdStrike now describe an operation that looks less like one rogue hacker game and more like a mature global intelligence apparatus. In the beginning North
Korea's hackers were mostly focused on intel collection, but as revenue generation became more of a priority, they tapped the best of the best to crypto. North Korean cyber operations all have in common is social engineering, the manipulation of people. The difference is that North Korea's elite operators layer technical expertise on top of that mastery. They do a pretty interesting approach there, and I think they tend to use a lot of
job and employment-related themes there. So if they found somebody that was engaged in the financial industry and say Latin America, they would have somebody interview that candidate in Spanish and then have them download some tool or something and say this is the technical part of your
βinterview and when they downloaded it, it actually came with malware and that's how they got in.β
This is still happening today. It's almost become a fact of life at the big crypto exchanges.
The first time the DPRK came across my desk was actually sometime in 2018 and I just remember
sitting in the office and somebody was analyzing like a fishing email or something that had come in and a different person like, "Oh, did the North Koreans again?" and I sort of took it as a joke, but then the person who was working and said, "No, yeah, that kind of looks like them." That was not Mueller. Former head of security operations at Coinbase, a major cryptocurrency exchange and a frequent DPRK target. And so that was the first moment when I realized, "Oh, I work
in something where a nation-state actor actually has a degree of interest in the company that I'm protecting." At the time, I would have described them as noisy. They weren't particularly trying to hide what they were doing. A lot of their attack techniques were pretty easily detectable and so there's sort of this low-level noise happening in the background. It's almost like there's a mosquito in your ear of like, "Right, I know they're there. I know they're really trying. We
keep swatting them away and they keep coming back." A lot of that low-level noise mats referring to came in the form of spray and prey attacks, non-stop fishing against those who worked in crypto or held large amounts of coin. Here's Anto-Joseph, a security researcher from Eigen Labs.
They really exploit the humans.
this crypto. So most of the attacks aren't very technical. It's the human in the loop factor.
βAnd in the early days, this fishing attacks were aimed at something called a private key.β
Essentially, crypto is equivalent of a bank password. If you get that, you can immediately access the funds. Imagine you have like a chase account. If I have your username and password, I could like log in and like send the money elsewhere. So that is the kind of crimes they would start with. I wouldn't call it hacking. It's more like scamming people into like,
yeah, giving them their credentials. Like 65 million Americans,
Glen Fishman of Denver owns cryptocurrency or at least he did until last November. The Coinbase caller sent him an email that looked legit with logos. He needed to get some login information account number password, because all that was required to unlock the account. Eventually a friend told Glen, hey, you may be getting scammed to check your account now. So of my Coinbase account, and I look at it and everything's gone, zero, zero, zero.
This was basically digital street my game. They would leverage the public nature of the blockchain to figure out which crypto wallet held a worthwhile amount of funds, then figure out
who owned the wallet, a fee, and itself. And then do whatever they could to socially engineer
their way onto that person's machine. And with access to their device, they would get the private key, dream that person's wallet, and move on to the next. These fishing attacks are pretty simple, but no less effective. Here's Matt Muller again. It's important in my mind to distinguish between unsophisticated TTPs versus unsophisticated threat actors. TTPs stand for tactics, techniques,
βand procedures. It's basically the how of these operations. Because I think theβ
conflation of those two things has caused people to historically underestimate North Korea, or at least underestimate their persistence. There's sort of a tendency and cybersecurity to conflate like, is this technique new and fancy with like, is the threat actor who's using this technique capable? These low-level and relatively unsophisticated techniques, when applied by a threat actor that has no incentive to stop trying them, they're just going to be successful
over time and at scale. To be clear, North Korea's hackers have ever stopped fishing for private cues, especially in the lower level hacking unit. That's been happening on a low flame for years. It's just that more elite groups have pivoted to something far more lucrative. So they haven't stopped doing the unsophisticated things. They just added more on top of them.
βNorth Korea's operators began targeting centralized exchanges. The coin bases and finances of theβ
world think of these exchanges as an e-trade or stock brokerage for cryptocurrency. Places where people can buy, sell, and store digital assets. Coinbase is a cryptocurrency exchange platform. The idea being interacting with a blockchain can be a little bit challenging and complex for individuals who are not very well-versed in that ecosystem. So Coinbase made it easy to sort of send and receive funds, convert traditional fiat currency like US dollars into things like Bitcoin,
as well as interact with sort of other blockchains and not have to deal with the underlying complexity of doing things like figuring out how to safely store Bitcoin. Irgo, a crypto exchange as wallet, is the will of all wills. Now exchanges are a little bit more complicated to exploit than one person's crypto wallet. As an added security feature of larger exchanges tend to use something
called a multi-signature wallet or multi-sig and industry slang. It basically means there's a set
number of authorized keys to approve a transaction before it can go through. In a certain number of those keys must authorize any transaction, i.e. four of seven sign or keys must sign off or seven of ten. So the deeper case starts going after anyone they think might have privileged access in an exchange, hoping to find people with specialized access to these keys. And they do this the same way they've done everything else, social engineering. They possess security auditors, vc is looking
to make an investment, headhunters, so many headhunters, that particular approach got a name. It's now known as the contagious interview campaign. Here's Heidi Wilder again. And they might say, "Hey, you know, I'm a security auditor. Would really love for you to take a look at this audit I found I found a curve a book." Right? And what sees you've opened a PDF and when you know malware's installed on your laptop, you might also have an issue where someone reaches out, like and says,
"Hey, we're a venture capital company.
"Oh yeah, sure. Let's have a meet. Jump on a meet. What do you know? It's contagious interview." So there are lots of different techniques they try. Workers that these crypto exchanges start getting hit and mass with these fake job offers, often for ridiculous sums. Here's Aaron Lloyd, a cybersecurity expert who specializes in blockchain technology. So as soon as we would see one of these accounts, we would suspect malicious activity,
we would post that in a company slack. And it was getting to the point where it was almost
βbecoming a run in joke. How much are these North Korean chopper cruders that offer it?β
Well, the interest in thing was, it wasn't always the same pair person, which created some
bragging rights in the company with who would be offered the most. But it was usually pair hour, and it would usually be $1,000 per hour, almost too good to be true, but some people will possibly believe it and follow it up. Once they've got an access to one worker's machine, they'd move laterally through the company until they compromised the requisite number of signar keys. And then,
game on. They transfer huge sums to themselves and get out. But even that was just an evolution of earlier tactics. They were still stealing private keys, the wallets had just gotten bigger. What really alarmed investigators, though, was when the DPRK began targeting the underlying
βinfrastructure of cryptocurrency itself. Okay, so you're fending off these fishing attacks left andβ
right, but at what point do you really start to worry? What really started to concern me was when Lazar's group, they'd started to attack bridges, which are essentially links between one blockchain to another. So think of bridges as sort of currency converter for crypto. It's not in need analogy, but essentially it's infrastructure that lets users move digital assets from one blockchain to another without going through an exchange. So say you want to move Bitcoin into the Ethereum ecosystem,
or transfer a token from eith, onto another blockchain where it can be traded or used differently. You use a bridge. It's just this way of getting money from one blockchain to another.
And so it's obviously like a choke point, basically. That was McCrΓ³lson and here's Aaron Lloyd again.
They were advancing quite quickly. They'd moved from what were quite traditional cyber attacks that just happened to be in the blockchain space to targeting their attacks at cryptocurrency of blockchain infrastructure and technologies. And that started in around 2022. By 2022, it was clear that the DPRK had done its homework. They weren't just targeting people. They understood the infrastructure around blockchain. The bridge is well, it's exchanges,
smart contracts and how the whole crypto ecosystem fit together. They knew where the money moved and they knew where it was we guessed. The bridges. Here's Coinbase's Heidi Wilder again. That was very different. That was a lot more novel. They were suddenly getting more and more closer to the crypto space, actually like to the core of what crypto is. It's operations. That became glaringly obvious when the DPRK attacked the Ronan bridge. The infrastructure
connecting the Ronan blockchain to the broader crypto ecosystem. Oof. I mean, Ronan bridge. That was when I really realized how much damage they could cause.
βIt was 2022 the Ronan bridge attack that got more than a half a million. I think six hundredβ
or six hundred and fifty million dollars. It's one of the largest crypto thefts ever.
That last voice was Rob Joyce, who previously ran the cybersecurity directorate and before that all the hacking divisions at NSA. And when Rob Joyce tells you that North Korea's crypto has or some of the most sophisticated he's seen in his entire career, that's really saying something. The North Koreans think about cyber operations from end to end. They look at the objective and they don't put any constraints on how they get to the objective. They'll use social engineering.
They will use direct hacking tools. They will use supply chain operations. And they'll also analyze the ecosystem to figure out where the vulnerabilities are that maybe others are not aware of. And they package all of that together to ensure success. Okay, quick aside here. The Ronan blockchain was developed specifically for the game, Axie Infinity in 2021, which is wild when you think about the fact that this hack happened just 13 months later.
The game is a bit like Pokemon, players, battle, cute little creatures and earn tokens accordingly.
Wins translated into in-game crypto.
broadly or convert them into real money, they had to move them onto the Ethereum blockchain.
βAnd that's what the Ronan bridge did. It moved value from the Ronan blockchain to Ethereum.β
So enormous amounts of cryptocurrency were constantly sitting inside the Ronan bridge. And it wasn't just a choke point for North Korean hackers. That made this bridge a massive honeypot. Those bridges are often less secure than the blockchain they connect. And North Korea realized this before most of the security community. North Korea exposes just how vulnerable these bridges were. But they're not without security. The Ronan bridge required our old friend,
multi-sig validation, a quorum of approvals from designated signers. But in this case, the quorum was pretty small. Just five signatures out of nine. That meant that if hackers could compromise only five validators, they could train the bridge. And that's exactly what happened. They had to have a quorum to approve this. But a majority of those were actually just controlled directly by Axi. So if you were able to penetrate Axi's machine, you got access to like five
or six of these signatures. And how did they get there? They went after the developer. They used social engineering and our human weaknesses. It wasn't technical brilliance. It was social engineering mastery. They did it by posing as a recruiter on LinkedIn. They targeted the senior engineer at a developer that works in this crypto ecosystem. And then after multiple fake interview rounds with that developer, they sent him a PDF job offer that was laced with malware. So they worked to build
their bona fides with this guy and convince him that he was getting a job opportunity. They were able to access four keys by infiltrating just one engineer. As for the fifth, well,
βthe hackers got lucky. That fifth key had been sitting with an entirely different entity. But thatβ
other entity had actually lent their multi-sig back to Axi for faster approvals and never got
in it back. And that is how North Korea through lack and skill was able to access the five approvals they needed to transfer control of more than $600 million from Ronin back to their own wallets. And in the process, rewrite what was possible. Here's Julia Hardy, a crypto investigator at zero shadow who was part of the team that was called into the Ronin Bridge attack. She worked with the Axi game developer Sky Davis to unravel the flow of stolen funds after the hack.
So there's this big pot of money within the bridge of all these locked assets from all these people who are moving one direction or the other. Once DPRK transferred ownership to themselves, now they could move all these tokens however they wanted so that they could basically drain all of those funds to themselves, which they did on March 23rd 2022. All of this was an absolute coup for the North Koreans. Most incredibly, no one even realized
this had happened for six days. The ended up being a community member who pointed to the team and
βsaid, I think something weird happened here and you should take a look because locked chainβ
transactions are all publicly on the ledger. You could see any outflows from the bridge if you
wanted to look any person could and so seeing $600 million leave at once. Well that's very suspicious.
At the time I was fairly clear to us that this represented a sea change. This wasn't going to be a one off type of event that this was going to be how the industry was going to see these types of attacks from now on. That was Matt Muller again. Now the Ronan bridge completely shifted the crypto security community's perspective of the DPRK. These weren't just the low-level spearfishers anymore. These were the most professional hackers the industry had ever seen. So the company, skymavis,
they said that they all reimbursed the lost money by using money from investors and also
its own balance sheet funds. Ultimately investigators recovered only a small fraction of the stolen
funds. But what really unsettled people like Julia Hardy was the realization that the North Koreans weren't just laundering the crypto. They were watching the investigators watching them. We could tell that the North Koreans were paying attention to the work that we were doing
Trying to change their tactics because of it.
their findings at a conference. The talk was livestreamed on Twitch and then the laundering patterns they described started disappearing. Within days of that being published the tactics started to shift. And so we see this chain is being used and that chain is not being used anymore. It was as if the hackers were sitting in the audience taking notes in real time. It wasn't just the cyber folks. Ronan woke up DC. Here's a very red bird again.
βThat to me was an absolute watershed. I never forget walking down the street and I got a callβ
actually from the White House and that was really the first time that I felt like the questions were national security questions. Okay it was crazy about this. Is that this was a $600
million heist and most people have never even heard of it. And the people who did hear about this
frankly didn't really seem to care. And that's the thing with this crypto heist. They are happening all the time. But rarely do they break through. Like a bank robbery of a million dollars in cash is still headline news. Crypto robbery of a million dollars worth of some token that you've never heard of. That's a Tuesday. This is something I put to rob choice. Why do you think these crypto heists haven't risen to the level of public attention given the dollar amounts we're talking
βabout? Well the victims are diffuse. There's very few victims even though they're high dollarβ
values. And so it's not hitting our mom and dad or neighbors like some of the other scams that are happening. There's also its virtual money. So a lot of us have a hard time just connecting to it. But I also think there's this segment of if you place stupid games wins, stupid prizes. You're in the crypto business. It's high risk. It's a common reaction. So do you see there's even like some shot in Florida here? I don't think the general public feel for the crypto
bros when they lose millions or even hundreds of millions of dollars. If Roonin was the moment we realized North Korea entered a newly egg. What came next reveal total mastery. Benzo CEO of Bibet broke the news himself. About two hours ago, Bibet experienced a hack as far as we know this
βcould be the largest hack in the history of our industry. And the largest crypto hack in historyβ
just hit to buy based exchange Bibet $1.5 billion stolen. What was it? One and a half billion dollars a Bibet half. Yeah. Bibet one of the world's largest crypto currency exchanges. But the terrifying
brilliance of the operation is that North Korea never hacked Bibet directly. Here's Rob Joyce again.
They went after a wallet, a third-party provider that managed the signing protocols. And what I would say is they hacked the user experience of the people working inside this space. The attack happened on February 21st, 2025. North Korea targeted the process by that used to move funds out of its cold wallet. Think of a cold wallet as the Fort Knox of crypto or at least that's the idea. It keeps private keys the control crypto offline away from the internet and out of the
reach of hackers. A hot wallet by contrast is connected to the internet and used for data-day transactions. So every now and then Bibet had to replenish its hot wallet from its cold one.
Basically, it's like moving money from a savings account into a check-a account.
That transfer relied on smart contracts, though. Code on the blockchain that executes an action once certain conditions are met. In this case, Bibet wants to move funds. Enough authorized, signers approve that transaction goes through. But smart contracts are still code and most people don't interact with raw code. They use interfaces, dashboards, buttons, pop-ups, the difference between using Instagram and
reading Instagram's source code. Bibet's executives were no different. They use safe wallet interface to improve transfers from the cold wallet to the hot wallet. No need to stare directly at the blockchain. And that's where the genius of this hack he made. Here's Anto Joseph. The smart contracts can be completely safe if you directly interact with just a smart contracts. But most people don't directly interact with the smart contracts. They'll
Go through like a UI layer that makes it easy for them to use these smart con...
The brilliant the Bibet hack wasn't brute force. It was David Copperfield level misdirection. They didn't attack Bibet's cold wallet directly. They tweaked parts of safe wallet's UI so that when Bibet's authorized signers were prompted to review a routine cold wallet transfer, everything appeared normal. The wallet addresses looked correct, the amount looked correct, nothing seemed out of place. But underneath the surface, the transaction had already
been altered and an entirely different set of instructions were being sent to the blockchain. Bibet CEO personally authorized what appeared to be a standard transaction. But in reality, he was handing North Korea's hackers the keys to one of the largest vaults in crypto. Here's Nick Carlton again. Bibet unusually did huge transactions using the software, which nobody else really did. And so for a period of weeks, the North Koreans had access,
they could have had anybody using the software. But they didn't. They waited and they waited
βand waited until the moment that Bibet basically turned green. And what do you mean by turned green?β
I mean like to look at your instant messenger and you see somebody turned green, they're available. So this wallet was inaccessible to them until the CEO of Bibet actually walked into authorized transaction. That's when they did it. And then they took it all.
One and a half billion dollars in ether was suddenly routed into North Korea controlled wallets.
There are thousands of automated micro transactions to obscure the stolen funds so they break up the stolen money into tiny, tiny little elements that are super hard to track. They were early adopters of these things called mixers where you put in crypto from one theft and you put in crypto from another place and they get all mixed around and you can't follow the money the way we can with traditional bank transfers. It's like they learned from this prime mortgage pools.
Yes, yes, exactly. The scheme I really came to admire was they got this crypto that's stolen and you can track on the blockchain that it's stolen crypto. And they went to crypto mining services where you can buy GPU compute time to mine for cryptocurrency and you can pay for those servers with cryptocurrency. So they rented compute power with these stolen coins and they mined freshly minted clean cryptocurrency and then they could take that away because it's brand new
and has no illegitimate past. So that was really innovative to me. To me, buy it as the moment where this becomes a real issue for ordinary people. Right, the billing and a half over a single instant, that's or is a magnitude greater than anything that happened before any other context. By that wasn't just the biggest crypto-hiced in history,
βit was the largest heist in history period. The only thing that has ever come close was theβ
Dom who seems 2003 raid on the Iraqi Central Bank leading up to the Iraq War when roughly a
billion dollars in cash was removed on his orders. But North Korea didn't need soldiers or trucks,
they just needed laptops and a manipulated screen. A world record heist and the world hardly linked. But inside the cyber security community and crypto, this fundamentally changed our understanding of what hackers can do with the keyboard. Here's area redbird in the Carlson again. That is extraordinary. The people who do the buy that and who do run in, that's a specific team. And that team is the descendants of the guys who did Sony and Bank of Bangladesh. Like those are the tip of the spear,
very best in the North Korean War chart. These guys completely dominate this business. They're the
βGoogle of crypto theft. Right? They completely control this. They're almost in an oddly. That's how bigβ
this is. Like there were North Korean thefts that we have not attributed. So the real number here,
North Korea is, you know, 70, 80 percent of probably crypto thefts every year. What's the current
ballpark figure for how much the DPRK has stolen in cryptocurrency? So kind of our conservative lower bound estimate is around five billion and upper bound is around six. Maybe even more than that. And even in the best years in the mid-2010s when we were working with sanctions cases, they would maybe make two, two and a half billion a year in exports. And those were gross revenues, right? That's not the net profit. So the idea that, you know, in a handful of years,
They have far outstripped that with just the tiny team of people.
Koreans. This is a huge source of revenue. It's a degree of innovation, right? And then understanding
βI think on that part that there's really not much that the world can do about it, that they haveβ
been so successfully isolated. That there's not a lot of cost that can be imposed through any constitutional sanctions anymore. So it takes a kind of degree of candy whiling this right to realize that that frees your hands this in ways that you can do things other countries can't afford to do. The Biden-Hice rattled belief in the core promise of crypto itself, that this system could be trusted. Here's Matt Muller again. If the demands of crypto as sort of like a mainstream financial
instrument are such that it puts billions of dollars at risk in this way in irreversible ways
is crypto actually suitable. That's a mainstream financial investment, right? My personal take is
I fundamentally don't believe that anybody can protect crypto in ways that are useful for the average person. I've absolutely loved my experience in trying to defend crypto, especially in the early days, there was just so much promise for a new sort of financial ecosystem. But I think actually the North Koreans have pretty effectively proven that given enough time and effort here, the bad actors are absolutely going to win in this complex heart to understand ecosystem. Okay, so knowing what you know,
do you think anyone should even get into crypto at this point? Yeah, for somebody who's looking to you know invest in crypto today, I think the advice that I would have had in 2018 is the same advice I would give today, which is don't bet what you're not prepared to lose. But this goes far beyond crypto investors losing money because until now, crypto existed mostly at the edge of our financial system. It was largely experimental, speculative, and pretty separate for
most people's everyday lives. But that's changing. The Trump administration has made cryptocurrency a bill whether of its tech policy. It's implemented executive orders and summits to make the United States the quote crypto capital of the planet. And now institutions are increasingly willing
βto adopt the technology that North Korea has spent years mastering. And that's what security expertsβ
find the most alarming. Here's Michael Barnhardt from Detox, aka Bernie. You may remember him from episode one is the guy who tattooed IT workers onto his foot. For North Korea specifically, they are bred on crypto. They understood it before you and I ever knew what a Bitcoin was. They get it. So my fear here is kind of too full of how good North Korea is at crypto and how they again with the placement of access to IT workers. Whenever I'm talking to financial institutions and talking
about this problem, this was one that's always kind of come up. And it's that we haven't seen North
Korea make this run on the banks that we saw in the 2010s. There's things kind of went away. You know, why did they go away? Well, a lot of us had to do with crypto and they really changed gears after the bank of the Dutch heist. So we have this kind of misconception that we're running a race really. And they've not touched banks. They've not touched financial institutions. They're dealing the crypto things. That's great. I'm not here by myself. I'm out front. Okay. No one's around.
Coast is clear. Okay. Let's start implementing web 3. Let's get with the times. Let's be innovative. Let's all get together and really do this the right way. We're so far out front that this isn't going to be an issue. But in reality, North Korea is so embedded to cryptocurrency as a whole, even from the early days of its development. They've been there for so long that it's not that we're out front. They're already at the end. And they're waiting for us. They're saying, hey, yeah,
we've not made that run on banks yet. You'll have to start implementing some of those technologies that we've perfected. I'm daring you too. And I think that's one of the things that I'm really worried about. It's not that they're beating us in the race. They made the race. You're going to have the most skilled actor in that space waiting for you. If it's done in IT work, we're already in the environment to begin with. The board is that the players are in position and by all accounts,
βwe're not ready. That's next. On the season finale, you have to catch a thief.β
[Music] Follow to catch a thief to make sure you don't miss the next episode. And if you like what you hear, rate and review the show. To catch a thief is co-produced by mean, a cool proleroth, and rubric, and partnership with pod people, with special thanks to Julia Lee.


