North Korea’s cash-strapped regime has long sought workarounds to the increasingly harsh international sanctions aimed at tightening the financial noose around its nuclear and missile programs.
Now, according to Recorded Future, an intelligence research firm backed by Google Ventures, Pyongyang is making a foray into cyberspace, launching a bitcoin “mining” operation, which saw a dramatic spike in its activity in mid-May.
Although the bitcoin activity amounts to only a token amount of funds at this point, there is significant potential for it to become a major source of income for the regime, the company said.
Is North Korea’s pursuit of bitcoin, the best-known cryptocurrency used for purchasing goods and services online, something the United States as well as the international community should worry about?
VOA Korean spoke with Priscilla Moriuchi, a Recorded Future director. Formerly with the National Security Agency (NSA) as threat intelligence manager and senior expert on East Asia and Pacific regional and cyber issues, she discussed in detail her findings on North Korea’s cyberactivities. Her answers have been edited for clarity and length.
Could you describe how Recorded Future first detected the North Korean activity in bitcoin?
Priscilla Moriuchi: The bitcoin mining [from North Korea] started on May 17 and continued through the end of our data set, which was July 3. This was a critical moment in terms of bitcoin [mining activities] because before then, I haven’t seen any activity that we had insight into indicating that [the North Koreans] were interested in bitcoin.
Is there any substantive evidence for the North Korean bitcoin mining operation?
Moriuchi: [Mining] bitcoin is very computationally intensive. It requires a lot of energy and high capacity computers. It also requires a lot of internet bandwidth because it constantly communicates with other bitcoin nodes (a peer-to-peer network consisting of computers, which allows for transactions to be broadcast to other users worldwide) to validate the blockchain (the digital ledger technology that records all virtual money transactions) that they are putting together. So mining activity is pretty distinct in terms of volume, and the [internet] ports and protocols (IP address) that are used are also pretty distinct. It can give you a decent signature.
Who is running the North Korean bitcoin mining operations, and why do you think the country has finally begun mining bitcoin?
Moriuchi: The first [hypothesis] is that it could have been an activity conducted by the state, whether it be the military or the intelligence services, for the purposes of raising funds for the regime. The second hypothesis is that it was an individual user … but because of the bandwidth and energy that were required, it would have to be known or permitted by the state and the leadership.
Over the past few years, we’ve seen increasingly tough sanctions levied upon North Korea by the United States, other international partners and by the United Nations. Those sanctions have increasingly cut off North Korea’s access to the traditional financial system and [its] ability to generate funds for state operations. We believe that bitcoin and cryptocurrency mining or activity involving cryptocurrency is a way for North Korea to generate funds and get around some of the sanctions.
Do you think North Korea has come to a conclusion that using cryptocurrency to generate funds for the regime is safer than other illicit ways — for instance, smuggling drugs or counterfeiting money?
Moriuchi: [Mining bitcoin or any other cryptocurrency] is not illegal. There’s nothing about [using cryptocurrency] that puts North Korea in a worse spot in terms of sanctions or legal violations. So that’s one. Two, you can buy many things. You can exchange cryptocurrency for actual currency, but you can also buy physical goods with cryptocurrency. So it’s another way for them to purchase things they might need without using the financial system.
There were reports that North Korea might have launched cyberattacks against South Korean virtual currency exchanges. Do the North Koreans have such a capacity?
Moriuchi: Yes, definitely. When it comes to North Korean hacking activities, we broadly underestimate their capabilities because many people believe [it is] such an isolated country where most people don’t have access to the internet and ask how they can possibly have indigenous experts, how they can possibly train people well enough to be able to conduct some of these very sophisticated hacks.
But what we have come to know over time is that they are sophisticated actors. They do have in-depth understanding of internet networks and communications.
Do you believe North Korea meddled in the Sony hack in 2014?
Moriuchi: Yes, both the federal government like the FBI (Federal Bureau of Investigation) and NSA have both come out and said that North Korea was behind the Sony attack. I think most people who follow North Korea agree with the government assessments.
It seems that reasons differ for North Korea’s cyberattacks against South Korean virtual currency exchanges and for the Sony attack. Why is that so?
Moriuchi: North Korean cyberactivities really started about 2008 and 2009. [They were] mainly toward South Korean government, corporations and media, as well as some U.S. government entities, and they were intended to [cause] chaos and to disrupt South Korea and undermine systems there. After the Sony attack, [there seemed to be a] transition in most of the North Korean attacks that we in the private sector have been able to follow toward financial services, toward generating money and raising funds. I think we are in this new period in terms of North Korean cyberactivity.
How much profit does North Korea make from mining bitcoin?
Moriuchi: At current rates, let’s say [North Korea] earned about $100,000. So in terms of the amount of money that North Korea may need for their missile program, $100,000 is probably not very much. If you put that next to what experts estimate North Korea pulls in just through its other kinds of criminal operations, such as the drug trade, drug smuggling and counterfeiting of U.S. dollar bills, around $500 million to $1 billion a year, $100,000 is a drop in the bucket.
Given the token amount of money North Korea makes through the bitcoin mining activity, is it far-fetched to say the North is tapping this digital currency exchange in order to evade sanctions and earn income for the regime?
Moriuchi: Cryptocurrency, specifically bitcoin mining, is one other method for them to circumvent sanctions and to generate funds. It’s not the primary means of earning funds for the regime right now, but it’s certainly something that they could expand and that would be much more difficult for the international community to be able to track and limit.
Why is it so hard to track the bitcoin activity?
Moriuchi: Bitcoin was designed to be anonymous, and it doesn’t keep track of identifiers, such as IPs and usernames, while mining, buying or spending bitcoin.
Additionally in the WannaCry attack, in early August three bitcoin wallets associated with WannaCry were emptied. What we saw were many steps taken by presumably the North Koreans to further obfuscate where the funding was going. So first off, they went through a bitcoin mixer, which is a service that essentially throws all the bitcoin into one pot and then out comes the amount you threw in but it’s not the same bitcoin that you put in. So it anonymizes your identity. After going through that, they then convert it to another cryptocurrency. So they went to great lengths to avoid even the slim chance that they could be attributed through their bitcoin transactions.
What do you think about the claim that the U.S. could take out North Korea’s missiles before launch through jamming or other cyber methods?
Moriuchi: There are two internets [in North Korea]. One, the global internet, and then the domestic intranet, the one that regular North Koreans, though a small number, actually have access. And then you have various other networks within the country — the government’s and the military’s. The connections between the global internet and anything inside North Korea are very few, based on the research that I did. So [even] if it was possible for the United States or whoever to attack a North Korean missile site or a launch using a cyberattack, it would be very difficult.
How did you become interested in analyzing North Korean internet activities?
Moriuchi: We have this very unique set of data … and we felt like we can give much more context to the whole debate about North Korea, especially about their cyberactivity. We did a big analysis over the past few months, and we came away with a number of conclusions based on North Korean leadership internet activity. The biggest one for us was that, based on the activity that we saw, the North Korean ruling elite and their leadership are much more active and engaged in the world, popular culture, international news, and with contemporary services, than most outsiders would have believed. They go to Facebook, they go to Instagram every day, they stream video and a lot of other things that many of us do. The 0.1 percent of [the North Korean population] who has access to the world internet does those same things.
Jenny Lee contributed to this report, which originated on VOA Korean.