The FBI and private investigators have seized about $30 million worth of cryptocurrency stolen by North Korean government-linked hackers from a video game company in March, according to Chainalysis, a US firm that said it worked with the FBI to claw back the stolen money.
It’s the latest example of a concerted effort from US law enforcement to recover some of the hundreds of millions of dollars that Pyongyang’s hackers have allegedly plundered from cryptocurrency firms in recent months — money that US officials worry is used to fund North Korean’s nuclear weapons programs.
The $30 million recovered is just a fraction of the equivalent of more than $600 million that the FBI said the North Korean hackers originally stole from Sky Mavis, a company with an office in Vietnam that makes a popular video game that allows users to earn digital money. But the seizure is still a breakthrough for law enforcement, and investigators are actively trying to recover some of the remaining loot, according to Erin Plante, Chainalysis’ senior director of investigations.
The FBI and the Justice Department did not immediately respond to CNN’s request for comment.
“The money has been frozen by [law enforcement],” Sky Mavis co-founder Aleksander Leonard Larsen told CNN. “No funds returned as of yet and we expect it to take time until the community gets the funds back. Note also that all user funds have been reimbursed.”
The Wall Street Journal first reported the seizure.
North Korean government-backed hackers have stolen the equivalent of billions of dollars in recent years by raiding cryptocurrency exchanges, according to the United Nations.
In separate but related activity, a recent CNN investigation found that North Korean operatives posing as other nationalities had tried to land jobs at cryptocurrency firms in the US and abroad. The activity, US officials have publicly warned, is part of an effort to earn “a critical stream of revenue” that helps bankroll the North Korean regime’s “highest economic and security priorities,” including its weapons programs.
North Korean hackers also used ransomware — malicious software that locks computers in an extortion scheme — to target medical providers in Kansas and Colorado last year, according to the US Justice Department. The department recovered half a million dollars that the North Koreans extorted in those cases, Deputy Attorney General Lisa Monaco said in July.
The Treasury Department has tried to crack down on the North Korean hackers’ targeting of cryptocurrency by sanctioning some accounts that they use to move money, and a “mixer,” or service that the hackers have allegedly used to launder stolen cryptocurrency.
Those actions have made it harder for the North Korean hackers to cash out the stolen funds, Plante said.
“That’s a lot of dirty money right there, so it becomes increasingly difficult to move these funds to a service to cash them out,” Plante told CNN.
But there are still many mixing services that haven’t been sanctioned, Plante said, adding that she expected the North Korean hackers to change services to try to evade US law enforcement.
For investigators, the time immediately after a hack is critical in trying to recover money that the attackers attempt to launder through cryptocurrency accounts. The FBI has continued to appeal to victims to share information on those accounts soon after a hack is discovered to increase the chances of recovering stolen funds.
Justice Department officials in June 2021 seized roughly half of the estimated $4.4 million ransom payment that Colonial Pipeline, which provides roughly 45% of the fuel consumed on the East Coast, paid to Russian-speaking hackers.
But the seizures still only account for a sliver of the billions of dollars made through cybercrime annually. Cybercriminals received more than $1.2 billion in ransom payments in 2020 and 2021 combined, according to Chainalysis.
North Korean computer operatives, like those of other foreign powers, are also tasked with collecting valuable intelligence for the regime, according to US officials and cybersecurity experts. Between February and July, suspected North Korean hackers were involved in a spying campaign to gather information on energy firms in the US, Japan and Canada, Talos, Cisco’s threat intelligence unit, said Thursday.