In 2022 alone, North Korea, or the Democratic People’s Republic of Korea (DPRK), has reportedly stolen over $1 billion in cryptocurrency from organizations in the cryptocurrency sector via one of its primary hacking outfits—Lazarus Group. This is up from $400 million in 2021, and these heists account for a third of all losses from cyber intrusions in the cryptocurrency sector this year.
Further upheaval in the cryptocurrency sector has already caused financial authorities to increase calls for regulation. Bankruptcy and scandals involving multiple companies are tanking the industry and the value of cryptocurrencies. Many of these companies are based in the United States, making U.S. regulation especially consequential. The country’s central role in both the cryptocurrency sector and efforts to regulate it—along with the sector’s current descent into chaos—make this the opportune moment to focus U.S. government policy initiatives on cryptocurrency companies and products.
Given the changes in the threat landscape and financial system, the United States should alter its policy focus accordingly. Lazarus' cryptocurrency theft dates back to at least 2017, and by the end of 2018, the group was responsible for over half of total losses from thefts of cryptocurrency exchanges. As early as 2019, the UN Security Council recognized that the DPRK's cybercrime operations against cryptocurrency exchanges were fast becoming a significant additional source of revenue for the regime. However, the cryptocurrency sector only surpassed Lazarus' interest in traditional banks (such as Bangladesh Bank) in 2020, likely due to mobility constraints brought on by the pandemic. COVID-19 and the subsequent global lockdowns prevented the group from cashing out and moving the funds through money mules, a favorite tactic of Lazarus, resulting in a shift towards the cryptocurrency sector.
Coupled with the unregulated and vulnerable nature of decentralized finance (DeFi) protocols and organizations, the cryptocurrency sector is a high-value target. The widespread vulnerabilities in smart contracts governing DeFi assets are increasingly being exploited, and recent collapses of cryptocurrency exchanges such as FTX have reaffirmed the instability of the sector.
Existing policies have been largely insufficient and have not addressed the broader spectrum of pre- and post-compromise considerations. Financial regulations have prioritized targeting money laundering over thefts, and existing tools such as indictments and Financial Action Task Force regulations have proved ineffective against intrusions and theft, as well as against money laundering.
U.S. sanctions levied against cryptocurrency mixers (platforms used to obfuscate the origins of cryptocurrency), such as Blender and Tornado Cash, in 2022 have been relatively successful compared to other punitive measures, but intrusions and cybercrime remain rampant. This has left the cryptocurrency sector as a lucrative opportunity for Lazarus to exploit.
So what should U.S. policy look like instead?
Of the existing policies, sanctions have shown promise against the laundering side of the ecosystem. In May, U.S. sanctions were applied to the centralized cryptocurrency mixer Blender, due to its use by North Korean threat actors. In August, Tornado Cash was sanctioned for the same reasons, but Tornado Cash, due to its decentralized nature, has continued to operate and cannot be isolated from the financial system like a traditional organization.
Sanctioning services like Tornado Cash theoretically makes it harder for threat actors to transfer or launder money from victims, or to use funds originating from the mixer, creating more opportunities for those funds to be recovered. The effectiveness of sanctions depends on whether they can be enforced, and threat actors are adept at finding ways around them. However, a sanctioned organization will suffer a reputational impact, which can affect its usage. After the sanctioning of Tornado Cash, the mixer saw a significant drop in the volume of transactions. Despite this positive initial data, there is an asymmetry between the threat and the response. New mixers will arise in its place, and begin the sanctions cycle over again, so sanctions directed at mixers must also encompass the individuals responsible for creating these companies.
Post-compromise solutions must also focus on remediation for victims as the stolen funds are moved and laundered across the blockchain. A public and transparent central registry of compromises would allow organizations to access information on the latest heists, similar to the crowdfunded tracking of victim payments to ransomware groups. When an organization loses funds, the wallets involved in the transactions would be flagged in real time, and able to be tracked by both others in the sector and investigators. This would increase the opportunity and likelihood of seizing and recovering funds.
Preventative measures are even more important considering the repeated use of the same exploits as initial infection vectors. The Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) should issue guidance on how to develop secure smart contracts, as they have previously for secure software development. Beyond secure coding, a product in the traditional finance sector often undergoes 'red teaming' activity for every release before it is made public. Audits in the cryptocurrency sector can be seen as an equivalent for smart contracts to ensure greater due diligence in releasing applications. Auditing could be used to identify vulnerabilities and provide assurance to users, ultimately strengthening smart contracts against well-known compromise methods.
While audits are gaining traction in the sector, they are not standardized, regularly conducted, or mandatory. Not only should the National Institute of Standards and Technology (NIST) issue a framework for how to conduct a certified audit, CISA and the Department of the Treasury should require mandatory periodical audits for organizations in the cryptocurrency sector. They should also certify auditors to ensure organizations offering the service are reputable, similar to other schemes that verify vendors.
Assuming cryptocurrency is here for the long haul (though even that remains to be seen), U.S. regulators will need to double down on sanctions against mixers, proactively track thefts, and institutionalize audits to address the problems the cryptocurrency sector faces from cyber threat actors, and especially Lazarus.
Saher Naumaan is a Principal Threat Intelligence Analyst at BAE Systems Digital Intelligence, where she researches state-sponsored cyber operations with a focus on tracking threat groups from the Middle East and North Korea, and a fellow with the European Cyber Conflict Research Initiative.
The views expressed here are personal and do not reflect the policy or position of any entity or organization.