Mandiant, a cybersecurity service under Google, has released a report detailing how North Korean cybercrime operator APT43 uses cloud computing to launder cryptocurrency. The group steals crypto and launders it to buy infrastructure, in line with North Korea’s ideology of self-reliance, thereby reducing the financial strain on the central government. Mandiant has been tracking APT43 since 2018 and has recently “graduated” the group to an independent identity. The report identifies the payment methods, aliases, and addresses the group used for its purchases. The group paid with PayPal, American Express cards, and “Bitcoin likely derived from previous operations”.
The researchers found that APT43 is likely using hash rental and cloud mining services to launder stolen cryptocurrency into clean cryptocurrency, a process that involves renting crypto mining capacity. This enables them to mine crypto to a wallet selected by the buyer without any blockchain-based association to the buyer’s original payments.
North Korea has been linked to several crypto thefts, such as the recent Euler attack that stole over $195 million. According to the United Nations, North Korean hackers reportedly stole between $630 million and over $1 billion in 2022. However, according to Chainalysis, this figure could be at least $1.7 billion. The APT43 group is believed to have raised funds for the North Korean regime and financed its own illicit operations, in addition to spying on South Korea.