In the cryptocurrency ecosystem, coins have a story, tracked in the unchangeable blockchains underpinning their economy. The only exception, in some sense, is cryptocurrency that’s been freshly generated by its owner’s computational power. So it figures that North Korean hackers have begun adopting a new trick to launder the coins they steal from victims around the world: pay their dirty, stolen coins into services that allow them to mine innocent new ones.
Today, cybersecurity firm Mandiant published a report on a prolific North Korean state-sponsored hacking group it’s now calling APT43, sometimes known by the names Kimsuky and Thallium. The group, whose activities suggest its members work in the service of North Korea’s Reconnaissance General Bureau spy agency, has been primarily focused on espionage, hacking think tanks, academics, and private industry from the US to Europe, South Korea, and Japan since at least 2018, mostly with phishing campaigns designed to harvest credentials from victims and plant malware on their machines.
Like many North Korean hacker groups, APT43 also maintains a sideline in profit-focused cybercrime, according to Mandiant, stealing any cryptocurrency that can enrich the North Korean regime or even just fund the hackers’ own operations. And as regulators worldwide have tightened their grip on exchanges and laundering services that thieves and hackers use to cash out criminally tainted coins, APT43 appears to be trying out a new method to cash out the funds it steals while preventing them from being seized or frozen: It pays that stolen cryptocurrency into “hashing services” that allow anyone to rent time on computers used to mine cryptocurrency, harvesting newly mined coins that have no apparent ties to criminal activity.
That mining trick allows APT43 to take advantage of the fact that cryptocurrency is relatively easy to steal while avoiding the forensic trail of evidence that it leaves on blockchains, which can make it difficult for thieves to cash out. “It breaks the chain,” says Joe Dobson, a Mandiant threat intelligence analyst. “This is like a bank robber stealing silver from a bank vault and then going to a gold miner and paying the miner in stolen silver. Everyone’s looking for the silver while the bank robber’s walking around with fresh, newly mined gold.”
Mandiant says it first began seeing signs of APT43’s mining-based laundry technique in August of 2022. It’s since seen tens of thousands of dollars’ worth of crypto flow into hashing services—services like NiceHash and Hashing24, which allow anyone to buy and sell computing power to calculate the mathematical strings known as “hashes” that are necessary to mine most cryptocurrencies—from what it believes are APT43 crypto wallets. Mandiant says it has also seen similar amounts flow to APT43 wallets from mining “pools,” services that allow miners to contribute their hashing resources to a group that pays out a share of any cryptocurrency the group collectively mines. (Mandiant declined to name either the hashing services or the mining pools that APT43 participated in.)
In theory, the payouts from those pools should be clean, with no ties to APT43’s hackers—that seems, after all, to be the point of the group’s laundering exercise. But in some cases of operational sloppiness, Mandiant says it found that the funds were nonetheless commingled with crypto in wallets it had previously identified from its years-long tracking of APT43 hacking campaigns.
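The two observations above (stolen coins flowing into hashing services, and pool payouts later commingled with already-identified wallets) can be checked mechanically over a transaction graph. The script below is an added illustration written for this article, not Mandiant's tooling or anything from its report; the ledger, addresses and amounts are constructed placeholders.

```python
"""Toy ledger analysis, constructed for this article (not Mandiant's tooling).

Models the pattern described above: tainted coins are paid into a hashing
service, and fresh coins later arrive from a mining pool. The pool payout has
no on-chain link to the theft ("it breaks the chain"), so forward taint
tracing legitimately stops at the hashing-service deposit. What an analyst can
still catch is the sloppiness the article describes: a pool payout landing in
a wallet that has already touched tainted funds. All values are made up.
"""

# Constructed ledger of transfers: (sender, receiver, amount). Placeholders only.
LEDGER = [
    ("victim_exchange", "thief_wallet_1", 12.0),           # initial theft
    ("thief_wallet_1", "thief_wallet_2", 11.9),            # intermediate hop
    ("thief_wallet_2", "hashing_service_deposit", 11.8),   # buys hash power
    ("mining_pool_payout", "fresh_wallet_A", 3.2),         # clean mined coins
    ("mining_pool_payout", "thief_wallet_2", 2.7),         # sloppy: payout to a known wallet
    ("fresh_wallet_A", "otc_desk", 3.2),                   # cash-out of clean coins
]

SEED_TAINTED = {"thief_wallet_1"}                 # wallets tied to the theft
LAUNDRY_SINKS = {"hashing_service_deposit"}      # taint does not flow out of these
POOL_PAYOUT_SOURCES = {"mining_pool_payout"}     # addresses that pay out mined coins


def trace_taint(ledger, seeds, sinks):
    """Forward-propagate taint along transfers, stopping at laundering sinks.

    A receiver becomes tainted when it takes coins from a tainted sender that
    is not itself a sink (the hashing service converts value into hash power,
    so there is no on-chain successor to follow).
    """
    tainted = set(seeds)
    changed = True
    while changed:  # iterate to a fixed point so multi-hop chains are covered
        changed = False
        for sender, receiver, _ in ledger:
            if sender in tainted and sender not in sinks and receiver not in tainted:
                tainted.add(receiver)
                changed = True
    return tainted


def find_commingling(ledger, tainted, pool_sources):
    """Wallets that received mining-pool payouts and are already tainted."""
    pool_recipients = {recv for send, recv, _ in ledger if send in pool_sources}
    return sorted(pool_recipients & tainted)


def laundry_pattern_wallets(ledger, sinks, pool_sources):
    """Wallets that both paid into a hashing service and received pool payouts."""
    paid_into_sink = {send for send, recv, _ in ledger if recv in sinks}
    got_payout = {recv for send, recv, _ in ledger if send in pool_sources}
    return sorted(paid_into_sink & got_payout)
```

Running `trace_taint` on the constructed ledger shows the clean payout to `fresh_wallet_A` is never reached, while `find_commingling` still flags `thief_wallet_2` because the pool paid into a wallet already on the tainted list.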