Seoul recently detained two South Korean residents, a 38-year-old cryptocurrency exchange operator (henceforth referred to as Lee) and a 29-year-old army captain, on espionage-related charges relating to the sale of military secrets to Pyongyang. According to reports, a North Korean operative met Lee in 2016 via an unnamed online bitcoin site and promised him cryptocurrency in exchange for his help with ongoing clandestine activities.
According to South Korean media, the two communicated over the private messaging application Telegram. While such features are not inherently malicious, criminals have routinely used end-to-end message encryption and the other privacy measures offered by applications like Telegram to coordinate, spread, and monetize illicit activities.
According to the Korean National Police Agency, the North Korean operative paid Lee approximately $600,000 and the army captain approximately $38,800 in bitcoin for their participation. Lee had been in communication with the operative since 2016, raising serious concerns about his involvement in other instances of attempted or successful espionage against Seoul.
Although Pyongyang has a documented history of coercing and enticing South Korean residents into espionage, this is the first publicly known case of North Korea paying foreign agents in cryptocurrency to commit espionage, and the first of an active-duty military captain engaging with a North Korean hacker.
Notably, one of the tasks assigned to Lee was the recruitment of an active-duty South Korean military captain. Once recruited, the captain gave Pyongyang access to the Korean Joint Command and Control System (KJCCS), which the South Korean Joint Chiefs of Staff use to assess C4I (command, control, communications, computing, and intelligence) capabilities during military manoeuvres, training, and operations.
The North Korean operative also directed Lee, via Telegram, to supply spy-camera equipment to the captain in order to photograph items and information of interest to Pyongyang. The kit included a wristwatch with a hidden camera and USB drives loaded with “poison tabs,” a hacking tool that compromises a computer through its USB connection for a range of purposes, including collecting information and taking unauthorised control of the device.
North Korea’s crypto exploitations
North Korea has continued to expand its exploitation of cryptocurrency and financial technologies in 2022, employing social engineering tactics, laundering stolen virtual assets, and even hacking play-to-earn (P2E) crypto video games, as seen in the Axie Infinity hack, which resulted in over $600 million in stolen assets.
In response to these threats, the United States has increased its efforts to combat the spread of North Korean cybercrime, as evidenced by the recent designation of Blender.io, a virtual currency mixer that “indiscriminately facilitates illicit transactions [of Bitcoin] by obfuscating their origin, destination, and counterparties.” According to the US Treasury, the mixer processed over $20.5 million in cryptocurrencies laundered in connection with North Korea’s hack of Axie Infinity.
While offering money to foreign nationals in exchange for government secrets is not new, the case of Lee and the active-duty army captain is unique in that the North Korean operative communicated with them via an encrypted messaging app and decided to make payments in cryptocurrency rather than traditional currencies.
What does this mean?
North Korea’s payment of international agents in cryptocurrency demonstrates that Pyongyang sees bitcoin not just as a financial instrument to steal and launder, but also as a profitable tool to fund global espionage and recruit foreign agents to further its national goals.