Loading summary
Nicole Prolorath
After Sony, one thing became abundantly clear. Kim Jong Un would not be mocked, not by Hollywood, not by Seth Rogen, not from a half a world away, but inside North Korea. His vendettas aren't just destructive, they're deadly. Kim has purged longtime allies, executed officials, even family members. Nick Carlson tracked these episodes from his former post at the FBI.
Nick Carlson
Kim Jong Un actually had an alias. He had a Brazilian passport, and he traveled the world in the 90s under that identity. And the man who escorted him was named Park Kyung Moo, and he posed as Kim Jong Un's father. So this is another man who was executed by Kim Jong Un, somebody who he spent his childhood with. But I kind of wonder about the what kind of a person would kill the man who posed as his father for some slight or embezzlement or something. It's really brutal.
Narrator / Reporter
South Korea's spy agency says it has
Nicole Prolorath
information that North Korea executed its defense
Narrator / Reporter
chief for sleeping during a meeting and talking back to young leader Kim Jong Un.
Eric Chen
Jang Song Thaek was at the North Korean leader's right hand, at the very heart of this regime. He was Kim Jong Un's uncle and mentor. He was executed by machine gun.
Nicole Prolorath
These vendettas extend from politically motivated to purely petty.
Eric Chen
Kim Jong Un is a big wine drinker, imports a lot of wine for himself into North Korea, got upset at a wine distributor based in China related to some wine distribution deal, and in August decided to just wipe out their network.
Nicole Prolorath
That's Eric Chen, who leads a team of reverse engineers at Broadcom. And he spent years dissecting the code behind North Korea's biggest hacks. But in terms of its cyber vendettas, North Korea learned something fundamental after Sony. Destructive cyber attacks make headlines. Financial cyber attacks make money. Here's Ari Redbird, who heads up global policy at TRM Labs and before that, led financial and terrorism investigations at Treasury.
Ari Redbird
You know, in the Sony Pictures context was, hey, we could create disruption, or maybe we could steal usernames and passwords on the Internet to all of a sudden, wow, we can actually steal money that we can launder and use.
Nicole Prolorath
And that same tradecraft you use to wipe a company off the map, you can use it to rob a bank. I'm Nicole Prolorath, and this is to catch a Thief. Sony began something simple. A spear phishing email. But when North Korea perfected and that attack was far more dangerous, the ability to quietly learn a network, map it from the inside, find the crown jewels, then weaponize them for maximum impact. And while we were still reeling from Sony, North Korea's hackers turned that same playbook on banks, and one bank in particular, the bank of Bangladesh. Here's Eric Chen again.
Eric Chen
Way back In January of 2015, North Korean attackers were creating Personas, creating email accounts, and conducting online research about email addresses and Bangladesh bank employees.
Nicole Prolorath
They started sending friendly job inquiries to the bank's employees, along with a link to a resume and cover letter.
Eric Chen
They pretended they were a guy named Rahul Alam, and they said, I'm Rahul Alam, and I'm extremely excited about the idea of becoming part of your company. Here's my resume and cover letter. But it wasn't just a resume. That document actually was an executable. Instead of just displaying his resume on your screen, would actually begin running code on your system.
Nicole Prolorath
And just like that, North Korea's hackers were inside the bank. But they didn't steal money right away. They waited. And this is critical, especially when you think about the North Korean IT workers lurking in our systems today. They spent nearly a year mapping the bank's network, studying how the systems work together, hunting for the bank's connection to something called Swift.
Eric Chen
Swift is the mechanism in which banks all over the world transfer money. But Swift itself doesn't transfer the money. Swift is really a communications protocol, like a chat messaging system that allows banks to send messages to each other to say, hey, I want to transfer 2 million from this account to this account. The banks then do that, debiting and crediting. Swift doesn't do that. And so that Swift system is really based on trust. So if I'm logged into my Swift account and I send you a message and say, please debit 2 million, you trust that what I am doing is accurate and the truth. And I have vetted, for example, the company who's deciding to debit those amounts. Most banks would have a separate room that would have their Swift terminal. So it's just a computer that had the Swift software on it, that messaging software. They would just have a simple credential, and they would be into that terminal. You could imagine attacks where individuals would break in, get physical access to that terminal, and potentially they could send rogue Swift messages. But equally as well, you could imagine hackers hacking into those computers, getting access to that Swift software, and sending messages that were rogue as well.
Nicole Prolorath
Okay, so once you get access to Swift, what do you actually get access to?
Eric Chen
At that point, you're in the vault. You have everything. Once you're on that Swift terminal, you can begin to send messages to, say, all this money that Belongs to me. I want you bank to move it somewhere else. And instantly, out it goes. It's even easier than a bank heist. In a bank heist, not only you got to get into the vault, but you got to get that money out of the vault. You got to load it into a van, and you got to drive away somewhere. You physically got to move that money. When we're talking about Swift, it's just a digital 01. It's a simple chat message. A single message will instantly cause that money to move to some offshore account that you no longer have any access to.
Nicole Prolorath
And that's precisely what North Korea's hackers did. They studied Swift like a master safecracker studies the tumblers of a vault. And they reverse engineered the bank's connection to Swift until they found a vulnerability, one that allowed them to disable Swift's authentication checks. And then they logged in just like any other legitimate bank employee.
Eric Chen
And so it took them months to understand that sort of vulnerability or this weakness in the software before they could conduct their attack.
Nicole Prolorath
Starting in January 2015, North Korea's hackers quietly broke into banks around the world, manipulating Swift and seeing what they could get away with. In Ecuador, they broke into the Banco del Austro and started sending Swift messages to Wells Fargo. In San Francisco, they tricked the bank into transferring more than $12 million to accounts they'd set up in Hong Kong. The banks wouldn't connect the dots until much later, but that was just their dry run. What they pulled off next at Bangladesh bank required Ocean's 11 level coordination. Bank holidays mapped to the hour fake accounts opened overseas. Money launderers lined up in advance. And by the time the operation began, North Korea wasn't just hacking a bank. They were running a global financial heist.
Eric Chen
The attack happens on February 4, 2016. And this is not a random date, okay? This date was chosen very meticulously because February 4, 2016, was a Thursday in Bangladesh. All right? And they started on this Thursday night because in Bangladesh, their weekend is Friday and Saturday in the Western world. And so the employees were all gone. They chose these dates like, you know, a Seal Team 6 would go in and attack someplace on a moonless night. They were choosing a very specific time. And when they were in there at 8:36pm they logged into the Swift system using their bypass, and they sent 36 orders to the New York Fed.
Nicole Prolorath
The bank of Bangladesh held the bulk of its US Currency at the New York Fed. So the hackers start sending Fed orders over Swift totaling $951 million, almost the entire contents of the bank's New York Fed account. The requests were to transfer that money to accounts they'd set up in Sri Lanka, in the Philippines, those countries were chosen for their lax regs. But the Philippines in particular had something else going for it. Casinos, the DPRK's preferred money laundering machine. So late that Thursday, February 4th, bank employees are kicking off their weekend in Bangladesh. And meanwhile, the hackers start sending their orders to the New York Fed over swift.
Eric Chen
This is 10am to 11:30am in the morning in New York, began to receive all of these orders.
Nicole Prolorath
What's wild is the hackers hit a snag. Their banking info is incomplete. So the New York Fed replies via Swift to Bangladesh bank, asking them to clean up their bank details. Remember, it's now the weekend in Bangladesh, but because the hackers are inside the system, they were actually able to correct these mistakes.
Eric Chen
They actually missed one. They forgot one as they were doing their work and then resent them back across again. And four transactions began to post all to Philippines, all to four different accounts for a total of $81 million.
Nicole Prolorath
Meanwhile, hackers are waiting for the rest of their $1 billion to move.
Eric Chen
But then two things happened.
Nicole Prolorath
First, a typo. North Korea's hackers had actually misspelled the name of the account holder that their accomplice had set up at one of their accounts in Sri Lanka.
Eric Chen
Instead of writing the Shalika foundation, they wrote the Shalika fan dation F a n rather than F O u N.
Nicole Prolorath
And second, the address for the bank in the Philippines was listed as Jupiter Street. Now, there are hundreds of banks in Manila that North Korea's hackers could have chosen. But by some bizarre twist of fate, they chose a bank with a branch on Jupiter Street.
Eric Chen
And Jupiter, that text was on the US's treasury sanctions list because it matched an Iranian oil transport cargo shipping company just by chance. And so between the misspelling and the sanctioned name, the New York Fed began to look at all the transactions more deeply and say, wait a second, this is weird.
Nicole Prolorath
North Korea's hackers had been waiting up all night to see if they'd get the money. But at 4am they called it quits. But they should have held out a little longer because just an hour later they At 5am Bangladesh time, the New York Fed asked for a small clarification.
Eric Chen
Hey, look, can you correct these? Why is there a typo? You have to give us some more information that basically says this is not the Jupiter of, you know, Iranian oil shipping company. But unfortunately For North Korea, the hackers had locked down. Had they waited, they could have made those corrections. And ultimately those transactions equated to almost $1 billion. And they would have walked away with $1 billion instead of 81 million.
Nicole Prolorath
Now, North Korea's hackers had gone to great lengths to clean up after themselves, going as far as to hack the bank printer responsible for printing out every swift transfer. They'd zeroed out every record of their transactions. It was only when they came back to work on Sunday and and realized their books weren't bouncing that they saw this malfunctioning printer wasn't a glitch at all. It was the clue they'd been robbed.
Eric Chen
They tried to reach out to the Fed, but it's the weekend there at the Fed, right? And so the Fed wasn't responding, and the bank of Bangladesh was stuck. And it wasn't until Monday that they began to communicate with the Fed. And the Fed was like, look, we transferred out $81 million, but we keep repeating. You have errors on these other 30 for close to a billion. And the bank of Benchmass employees are like, what are you talking about? We never transferred any of this money.
Nicole Prolorath
By the time anyone realized their money had been siphoned off to the Philippines and employees start feverishly calling their contacts in Manila, no one picks up.
Eric Chen
Monday in the Philippines was Lunar New Year. It was a holiday for the Philippines. And so they weren't there. They couldn't get in touch with the bank in the Philippines. And so you can see now this choice of starting on February 4th, Thursday evening, through the weekend and then into that Monday was not just some random date that they had chose because they were ready. They waited for this date because they knew the Bangladesh would be out, then the New York Fed would be out, and then in the Philippines, they would be out even on that Monday. And not until Tuesday did they get in touch with the bank. And it was all too late.
Nicole Prolorath
$81 million had vanished. 50 million was funneled into chips at two Manila casinos, gambled across Baccarat tables, then quietly converted back into cash. The blame game is underway in Bangladesh after computer hackers stole the equivalent of 73 million euros from this institution, the central bank. The $81 million money laundering scandal is
Eric Chen
now considered one of the biggest bank heists in Asia.
Nicole Prolorath
This was the largest cyber heist of its time. It exposed glaring vulnerabilities in the global financial system. And it proved once again that we underestimate North Korea's digital ingenuity at our own cost.
Eric Chen
When People look at North Korea and go, oh, North Korea. Wiping machines displaying skulls and crossbones. How sophisticated this attack was. Not only understanding the Swift system, finding a weakness in it, choosing the right dates to conduct this attack, having physical people on the ground to open up bank accounts, to receive the money, to then launder it through casinos to get it on airplanes and flown out of there. This is not an attack where you had two hackers just hacking in to the Banglade Bangladesh. In the Swift system, you have dozens of individuals all working in coordination to get this money. And they literally almost walked away with a billion dollars if not for a typo. It was like in a movie where you have a bank vault heist, except for there's no mask, there's no hacking into the camera, there's no getaway cars, there's just guys at keyboards. And it's just amazing for a nation state to do this. We had never, up until this moment, and actually really never since with any other nation state, seen a nation state steal cold hard cash from another country. This was unheard of.
Nicole Prolorath
Bangladesh showed North Korean hackers the art of the possible, but it also exposed the limits of robbing the global banking system. Here's Nick Carlson, who was following all this from the FBI.
Nick Carlson
They experienced this potentially enormous windfall. They don't get it all. And that was really difficult to do.
Nicole Prolorath
The money was there, but the system still had too many choke points. North Korea needed something faster, harder to trace, harder to freeze. And right then, the world handed them cryptocurrency.
Narrator / Reporter
Now that you can see it's growing in popularity. It's even been called the future of money. The Bitcoin is not controlled by a government or a central bank. It is a completely virtual currency traded on the net.
Nick Carlson
It's almost like intervention by God, right? That this opportunity arises to pivot from traditional banks into crypto.
Nicole Prolorath
And here's Adam Myers, the head of counter adversary operations at CrowdStrike.
Adam Myers
There was another thing that happened in that timeframe, which is important to note, was the maximum pressure strategy.
Narrator / Reporter
Today, the Treasury Department is announcing the largest set of sanctions ever imposed in connection with North Korea. Our actions are part of the ongoing maximum economic pressure campaign to cut off sources of revenue that this regime derives from from UN and US Prohibitive trade to fund its nuclear and ballistic missile programs. We are also issuing.
Adam Myers
So that's when we really started trying to completely isolate North Korea. And the tighter we squeezed, the more it kind of pushed them to this other avenue to steal crypto.
Nicole Prolorath
North Korea didn't need to break into vaults or move bags of cash through casinos. Crypto optimists trumpeted that the blockchain was immutable. What is mutable though, is the ecosystem. The industry was building around the blockchain. And with the frenzy of new blockchains and coins, all of it was being built at startup speed, with startup levels of security. The old move fast and break things approach. And that created an opening. North Korea's hackers realized the playbook they'd used at Sony and Bangladesh bank. The phishing, fake Personas, malware laden documents, social engineering, well, it could be applied to crypto too. And so they set to work understanding the crypto ecosystem. And North Korea moved faster than almost everyone else, including the FBI.
Nick Carlson
I really resisted getting involved in the crypto stuff. I mean, I specifically remember, actually, I think 2016 talking with a colleague. He was very interested in crypto and bitcoin. He was trying to convince me and saying, well, the North Koreans are definitely going to use this. And I just remember saying, this is so stupid. You can keep your funny money to yourself. I have no interest in this. That was my attitude. I was very resistant. And even today I do this because they do this, this. I'm not in crypto because I love crypto. I'm in crypto because North Koreans love crypto.
Nicole Prolorath
North Korea's first major foray into crypto was more armed robbery than heist. Wannacry.
Narrator / Reporter
Russia, the United States and many points
Eric Chen
in between have been hit by what's now a common form of cybercrime.
Nicole Prolorath
In May 2017, screens across the UK were seized with ransomware. But this didn't just hurt personal computers. IT paralyzed London hospitals.
Glenn Fishman
Patients were turned away, their operations cancelled as malicious software Paralyzed 16 hospital computer systems across England.
Nicole Prolorath
We're having significant issues with our IT systems. We can't access any patient records, results, prescription requests. So we're here, the surgery is open, but we've got very limited services that we can provide for people. 40 British hospitals would come under assault that day. And it didn't stop there.
Glenn Fishman
The ransomware cyber attack that ravaged Europe rolled into Asia as workers booted up their computers. This morning in Japan, at least 2,000 machines in 600 locations were reportedly hit. Turkey and the Philippines were also affected.
Nicole Prolorath
I remember tracking WannaCry that day as it moved across Europe, through Asia, it hit Russian railroads and banks, French automaker Renault, Indian airlines, universities across China, Spain's telecom giant Telefonica in Japan. It hit Hitachi, Nissan, the Japanese police, a hospital in Taiwan, South Korean Movie theaters, gas stations across China, FedEx. One by one, these screens went red with a ransom note. Across the world, people started ripping their computers out of the wall. But in the uk, a little known researcher did the opposite.
Marcus Hutchins
My name is Marcus Hutchins. I'm a principal threat analyst at Expel.
Nicole Prolorath
When the attack hit, Marcus had been tracking different malware strains. Whatever this was, it was bigger than anything he'd tracked his entire career.
Marcus Hutchins
You're seeing entire NHS units being knocked offline, entire companies going down. This is phenomenally huge. Like it might be one of the biggest ransomware attacks in history.
Nicole Prolorath
Very quickly, the attack was dubbed WannaCry, after a tiny snippet researchers uncovered in the encrypted file names. But this virus replicated like nothing the world had ever seen. Whatever this was, whoever this was, they weren't infecting machines manually. This was a self replicating worm. And as analysts started teasing the code apart, they discovered why. These hackers had built their ransomware on top of a stolen Microsoft Windows exploit that had been leaked online one month earlier. And this wasn't just any exploit. This exploit belonged to the NSA, the U.S. national Security Agency. It was codenamed EternalBlue. And someone, we still have no idea who, calling themselves the Shadow Brokers, had dumped it online a month earlier. EternalBlue was essentially a rocket. And North Korea used that rocket to spread its ransomware to 150 countries around the globe. After careful investigation, the United States is publicly attributing the massive WannaCry cyber attack to North Korea.
Aaron Lloyd
We do not make this allegation lightly. We do so with evidence, and we
Nicole Prolorath
do so with partners. But like their typo before this, the attackers made careless mistakes. They'd recycled their tools, including from the Sony hack. They'd also failed to give their victims a decryption key. So even if their victims paid their $300 ransom, they'd have almost no hope of actually retrieving their data. But Marcus spotted another mistake, one that would bring the entire operation crashing to a halt.
Marcus Hutchins
So I was looking into the code, and it had this unregistered web address. And we see, like a lot of unregistered web addresses in our work. So we were pretty used to seeing these malware families reaching out to unregistered web addresses, and then we would go and register them, causing the malware to connect to our server. So seeing that unregistered domain, I didn't even think twice about registering it. I was like, great, as soon as I register this domain, we're going to see every single wannacry infection connecting to our system.
Nicole Prolorath
What he'd actually found was a kill switch. The minute Marcus registered the domain, WannaCry just stopped. It netted less than 200,000 in payouts that day, but it wrought an estimated $8 billion in damages. North Korea learned a few lessons from WannaCry. One, dot your I's and cross your t's. Two, desperate victims will pay. And a spate of North Korean ransomware attacks descended on the United States. Man believed to be a North Korean government hacker is accused of ransomware attacks at US Hospitals, including one in Kansas.
Heidi Wilder
Officials say the treatment of patients was disrupted by the hack on American hospitals and other health care providers. The Justice Department says it's recovered ransom paid by the medical center in Kansas and Colorado.
Nicole Prolorath
But as North Korea's hackers familiarize themselves with crypto and the blockchain, they realized something profound. Crypto wasn't just useful for ransom payouts. It offered access to liquid cash. And not just that. For the first time in history, you could peer directly into the financial system and see exactly where staggering pools of money were sitting. Whales. As Heidi Wilder, a Coinbase security researcher,
Heidi Wilder
put it, the beauty of the public aspect of the blockchain. It's quite obvious how much is sitting in exchanges. So, you know, okay, at minimum, I could make this amount of money. Hmm, might be worth adding a couple of people to look into this.
Nicole Prolorath
And that's exactly what North Korea did. Because in Heidi's words, the DPRK is
Heidi Wilder
a well run industrial complex.
Nicole Prolorath
If you've followed reporting on North Korean hacking, you've probably heard the term Lazarus Group.
Aaron Lloyd
Lazarus Group.
Nicole Prolorath
Lazarus Group.
Rob Joyce
Lazarus Group.
Narrator / Reporter
Lazarus Group. Lazarus Group.
Nicole Prolorath
It's the industry's catch all for North Korea's hackers. But you won't hear me use it here because it obscures something important. North Korea's hackers are not a monolith. They've evolved into a sprawling, highly organized military operation. Specialized units with distinct missions, distinct targets, and increasingly sophisticated expertise.
Nick Carlson
These guys, they literally wear uniforms. They have ranks, you know, they have military rank. So it's not even like the Chinese where they're subcontracting stuff out to some talented hacker. These are actually like the state doing this. So it's a degree of organization nobody else has.
Nicole Prolorath
Here's TRM Labs. Ari Redbird.
Ari Redbird
Again, I blanch now when people use the term state sponsored or even Lazarus to describe what's happening in North Korea, because to me, that sort of has a state sponsored feel to it. It's not state sponsored. It is the state.
Nicole Prolorath
And it's not just government types that don't like the term Lazarus. The industry hates it too. Here's adam Myers from CrowdStrike.
Adam Myers
Again, hate Lazarus. It's the worst. And that's was that company novella. Novetta came up with that thing way back when and they just lumped. At the time, I think it was because they just didn't have analytic maturity. They just lumped everything together into one thing. And I made a huge mess.
Nicole Prolorath
The reality is that the blanket term Lazarus hardly does justice to what we're actually up against here. North Korea has built an entire ecosystem of specialized hackers, crypto thieves, espionage teams, social engineers that all ultimately report up to the rgb, North Korea's primary intelligence service. Sanctions, monitors, and firms like CrowdStrike now describe an operation that looks less like one rogue hacker gang and more like a mature global intelligence apparatus. In the beginning, North Korea's hackers were mostly focused on intel collection. But as revenue generation became more of a priority, they tapped the best of the best to crypto. What North Korean cyber operations all have in common is social engineering, the manipulation of people. The difference is that North Korea's elite operators layer technical expertise on top of that mastery.
Adam Myers
They do a pretty interesting approach there, and I think they tend to use a lot of job and employment related themes there. So if they found somebody that was engaged in the financial industry and say Latin America, they would have somebody interview that candidate in Spanish and then have them download some tool or something and say, this is, you know, the technical part of your interview. And when they downloaded it, it actually came with malware. And that's how they got in.
Nicole Prolorath
This is still happening today. It's almost become a fact of life at the big crypto exchanges.
Matt Mueller
The first time the DPRK came across my desk was actually sometime in 2018. And I just remember sitting in the office and somebody was analyzing like a phishing email or something that had come in and a different person like, oh, so the North Koreans again. And I sort of took it as a joke, but then the person who was working said, nope, yeah, that kind of looks like them.
Nicole Prolorath
That was Matt Mueller, former head of security operations at Coinbase, a major cryptocurrency exchange and a frequent DPRK target.
Matt Mueller
And so that was the first moment where I realized, oh, I work in something where, you know, a nation state actor actually has a degree of interest in the company that I'm protecting. At the time, I would have described them as noisy. They weren't Particularly trying to hide what they were doing. A lot of their attack techniques were pretty easily detectable. And so there's sort of this low level noise happening in the background. It's almost like there's a mosquito in your ear of like. Right. I know they're there. I know they're really trying. We keep swatting them away and they keep coming back.
Nicole Prolorath
A lot of that low level noise Matt's referring to came in the form of spray and pray attacks. Nonstop phishing against those who worked in crypto or held large amounts of coin. Here's Anto Joseph, a security researcher from Eigen Labs.
Anto Joseph
So they really exploit the humans. That is much easier than sometimes exploiting the systems behind these crypto. So most of the attacks aren't very technical. It's the human in the loop factor.
Nicole Prolorath
And in the early days those phishing attacks were aimed at something called a private key. Essentially crypto's equivalent of a bank password.
Anto Joseph
If you get that you can immediately access the funds. Imagine you have like a Chase account. If I have your username and password I could like log in and like send the money elsewhere. So that is the kind of crimes they would start with. I wouldn't call it hacking. It's more like scamming people into like, yeah, giving them their credentials.
Glenn Fishman
Like 65 million Americans. Glenn Fishman of Denver owns cryptocurrency. Or at least he did until last November. The Coinbase caller sent him an email that looked legit with logos.
Narrator / Reporter
He needed to get some login information, account number, password, because all that was required to unlock the account.
Glenn Fishman
Eventually a friend told Glenn, hey, you may be getting scammed. Check your account now.
Narrator / Reporter
So I open my Coinbase account and I look at it and everything's gone. 000.
Nicole Prolorath
This was basically digital street mugging. They would leverage the public nature of the blockchain to figure out which crypto wallet held a worthwhile amount of funds. Then figure out who owned the wallet. A feat in itself. And then do whatever they could to socially engineer their way onto that person's machine. And with access to their device, they would get the private key, drain that person's wallet and move on to the next. These phishing attacks are pretty simple, but no less effective. Here's Matt Muller again.
Matt Mueller
It's important in my mind to distinguish between unsophisticated TTPs versus unsophisticated threat actors.
Nicole Prolorath
TTPs stand for tactics, techniques and procedures. It's basically the how of these operations
Matt Mueller
because I think the conflation of those two things has caused People to historically underestimate North Korea, or at least underestimate their persistence. There's sort of a tendency in cybersecurity to conflate like, is this technique new and fancy? With like, is the threat actor who's using this technique capable these low level and relatively unsophisticated techniques, when applied by a threat actor that has no incentive to stop trying them, they're just going to be successful over time and at scale.
Nicole Prolorath
To be clear, North Korea's hackers never stopped phishing for private keys, especially in the lower level hacking units. That's been happening on a low flame for years. It's just that more elite groups have pivoted to something far more lucrative.
Matt Mueller
So they haven't stopped doing the unsophisticated things, they've just added more.
Nicole Prolorath
On top of that, North Korea's operators began targeting centralized exchanges, the coinbases and binances of the world. Think of these exchanges as an E trade or stock brokerage for cryptocurrency, places where people can buy, sell and store digital assets.
Matt Mueller
Coinbase is a cryptocurrency exchange platform. The idea being interacting with a blockchain can be a little bit challenging and complex for individuals who are not very well versed in that ecosystem. So Coinbase made it easy to sort of send and receive funds, convert traditional fiat currency like US Dollars into things like Bitcoin, as well as interact with sort of other blockchains and not have to deal with the underlying complexity of doing things like figuring out how to safely store Bitcoin.
Nicole Prolorath
Ergo, a crypto exchange's wallet is the whale of all whales. Now, exchanges are a little bit more complicated to exploit than one person's crypto wallet. As an added security feature, larger exchanges tend to use something called a multi signature wallet or multisig in industry slang. It basically means there's a set number of authorized keys to approve a transaction before. Before it can go through. An asserted number of those keys must authorize any transaction. That is 4 of 7 signer keys must sign off or 7 of 10. So the DPRK starts going after anyone they think might have privileged access in an exchange, hoping to find people with specialized access to these keys. And they do this the same way they've done everything else. Social engineering. They pose as security auditors, VCs looking to make an investment. Headhunters. So many headhunters. That particular approach got a name. It's now known as the Contagious Interview Campaign. Here's Heidi Wilder again.
Heidi Wilder
And they might say, hey, you know, I'm a security auditor, would really love for you to take a look at this audit. I found. I found a critical book, right? And whoopsies, you've opened a PDF, and what do you know, malware's installed on your laptop. You might also have an issue where someone reaches out like, and says, hey, we're a venture capital company. Really interested partnering with you and investing in you. Oh, yeah, sure, let's have a meet. Jump on a meet. What do you know? It's a contagious interview. So there are lots of different techniques they try.
Nicole Prolorath
Workers at these crypto exchanges start getting hit en masse with these fake job offers, often for ridiculous sums. Here's Aaron Lloyd, a cyber security expert who specializes in blockchain technology.
Aaron Lloyd
So as soon as we would see one of these accounts, we would suspect malicious activity. We would post that in the company Slack. And it was getting to the point where it was almost becoming a running joke.
Nicole Prolorath
How much are these North Korean job recruiters offering?
Aaron Lloyd
Well, the interesting thing was it wasn't always the same per person, which created some bragging rights in the company with who would be offered the most, but it was usually per hour, and it would usually usually be a thousand dollars per hour. Almost too good to be true. But some people possibly believe it and follow it up.
Nicole Prolorath
Once they'd gotten access to one worker's machine, they'd move laterally through the company until they compromised the requisite number of signer keys, and then, game on, they transfer huge sums to themselves and get out. But even that was just an evolution of earlier tactics. They were still stealing private keys. The wallets had just gotten bigger. What really alarmed investigators, though, was when the DPRK began targeting the underlying infrastructure of cryptocurrency itself. Okay, so you're fending off these phishing attacks left and right, but at what point do you really start to worry?
Aaron Lloyd
What really started to concern me was when Lazarus Group, they'd started to attack bridges, which are essentially links between one blockchain to another.
Nicole Prolorath
So think of bridges as sort of currency converter for crypto. It's not a neat analogy, but essentially it's infrastructure that lets users move digital assets from one blockchain to another without going through an exchange. So say you want to move Bitcoin into the Ethereum, etc. Ecosystem, or transfer a token from ETH onto another blockchain where it can be traded or used differently. You use a bridge.
Nick Carlson
It's just this way of getting money from one blockchain to another. And so it's obviously like a choke point.
Nicole Prolorath
Basically, that was Nick Carlson, and here's Aaron Lloyd again.
Aaron Lloyd
They were advancing quite quickly. They'd moved from what were quite traditional cyber attacks that just happened to be in the blockchain space to targeting their attacks at cryptocurrency and blockchain infrastructure and technologies. And that started in around 2022.
Nicole Prolorath
By 2022, it was clear that DPRK had done its homework. They weren't just targeting people. They understood the infrastructure around blockchains, the bridges, wallets, exchanges, smart contracts, and how the whole crypto ecosystem fit together. They knew where the money moved, and they knew where it was weakest. The bridges. Here's Coinbase's Heidi Wilder again.
Heidi Wilder
That was very different. That was a lot more novel. They were suddenly getting more and more closer to the crypto space, actually, like, to the core of what crypto is. It's operations.
Nicole Prolorath
That became glaringly obvious when the DPRK attacked the Ronin Bridge, the infrastructure connecting the Ronin blockchain to the broader crypto ecosystem.
Heidi Wilder
I mean, Ronin Bridge. That was when I really realized how much damage they could cause.
Rob Joyce
It was 2022, the Ronin Bridge attack that got more than a half a million, I think 600 or $650 million. It's one of the largest crypto crypto thefts ever.
Nicole Prolorath
That last voice was Rob Joyce, who previously ran the Cybersecurity Directorate, and before that, all the hacking divisions at nsa. And when Rob Joyce tells you that North Korea's crypto heists are some of the most sophisticated he's seen in his entire career, that's really saying something.
Rob Joyce
The North Koreans think about cyber operations from end to end. They look at the objective, and they don't put any constraints on how they get to the objective. They'll use social engineering, they will use direct hacking tools, they will use supply chain operations, and they'll also analyze the ecosystem to figure out where the vulnerabilities are that maybe others are not aware of. And they package all of that together to ensure success.
Nicole Prolorath
Okay, quick aside here. The Ronin Blockchain was developed specifically for the game axie infinity in 2021, which is wild when you think about the fact that this hack happened just 13 months later. The game is a bit like Pokemon. Players battle cute little creatures and earn tokens accordingly. Wins translated into in game crypto. But if players wanted to cash out to trade those assets more broadly or convert them into real money, they had to move them onto the Ethereum blockchain. And that's what the Ronin Bridge did. It moved value from the Ronin blockchain to Ethereum. So enormous amounts of cryptocurrency were constantly sitting inside the Ronin Bridge. And it wasn't just a choke point for North Korean hackers. That made this bridge a massive honey pot.
Rob Joyce
Those bridges are often less secure than the blockchains they connect. And North Korea realized this before most of the security community.
Nicole Prolorath
North Korea exposed just how vulnerable these bridges were. But they're not without security. The Ronin Bridge required our old friend multisig validation. A quorum of approvals from designated signers. But in this case, the quorum was pretty small, just five signatures out of nine. That meant that if hackers could compromise only five validators, they could drain the bridge. And that's exactly what happened.
Nick Carlson
They had to have a quorum to approve this. But a majority of those were actually just controlled directly by Axie. So if you were able to penetrate Axie's machine, you got access to, like, five or six of these signatures.
Rob Joyce
And how did they get there? They went after the developer. They used social engineering and our human weaknesses. It wasn't technical brilliance. It was social engineering mastery. They did it by posing as a recruiter on LinkedIn. They targeted the senior engineer at a developer that works in this crypto ecosystem. And then after multiple fake interview rounds with that developer, they sent him a PDF job offer that was laced with malware. So they worked to build their bonafides with this guy and convince him that he was getting a job opportunity.
Nicole Prolorath
They were able to access four keys by infiltrating just one engineer. As for the fifth, well, the hackers got lucky. That fifth key had been sitting with an entirely different entity. But that other entity had actually lent their multisig back to Axi for faster approvals and never gotten it back. And that is how North Korea, through luck and skill, was able to access the five approvals they needed to transfer control of more than $600 million from Ronin back to their own wallets, and in the process, rewrite what was possible. Here's Julia Hardy, a crypto investigator at Zero Shadow who was part of the team that was called into the Ronin Bridge attack. She worked with the Axie game developer, Sky Mavis, to unravel the flow of stolen funds after the hack.
Julia Hardy
So there's this big pot of money within the bridge of all these locked assets from all these people who are moving one direction or the other. Once, DPRK transferred ownership to themselves, now they could move all these tokens however they wanted so that they could basically drain all of those funds to them
Nicole Prolorath
themselves, which they did on March 23, 2022. All of this was an absolute coup for the North Koreans. Most incredibly, no one even realized this had happened for six days.
Julia Hardy
It ended up being a community member who pointed to the team and said, I think something weird happened here and you should take a look. Because blockchain transactions are all publicly on the ledger. You could see any outflows from the bridge if you wanted to look. Any person could. And so seeing $600 million leave at once, well, that's very suspicious.
Matt Mueller
At the time, it was fairly clear to us that this represented a sea change. This wasn't going to be a one off type of event. That this was going to be how, you know, the industry was going to see these types of attacks from now on.
Nicole Prolorath
That was Matt Mueller again. Now, the Ronin Bridge completely shifted the crypto security community's perspective of the dprk. These weren't just low level spear phishers anymore. These were the most professional hackers the industry had ever seen. So the company, Sky Mavis, they said that they'll reimburse the lost money by using money from Invest Investors and also its own balance sheet funds. Ultimately, investigators recovered only a small fraction of the stolen funds. But what really unsettled people like Julia Hardy was the realization that the North Koreans weren't just laundering the crypto. They were watching the investigators, watching them.
Julia Hardy
We could tell that the North Koreans were paying attention to the work that we were doing and trying to change their tactics because of it.
Nicole Prolorath
Julia and the other investigators presented their findings at a conference. The talk was live streamed on Twitch. And then the laundering patterns they described started disappearing.
Julia Hardy
Within days of that being published, the tactics started to shift. And so we see this chain is being used, then that chain's not being used anymore.
Nicole Prolorath
It was as if the hackers were sitting in the audience taking notes in real time. It wasn't just the cyber folks. Ronan woke up D.C. here's Ari Redbird again.
Ari Redbird
That, to me, was an absolute watershed. I'll never forget walking down the street and I got a call actually from the White House. And that was really the first time that I felt like the questions were national security questions.
Nicole Prolorath
Okay, what's crazy about this is that this was a $600 million heist, and most people have never even heard of it. And the people who did hear about this, frankly, didn't really seem to care. And that's the thing with these crypto heist. They are happening all the time, but rarely do they Break through
Matt Mueller
like a bank robbery of a million dollars in cash is still headline news. Crypto robbery of a million dollars worth of some token that you've never heard of. That's a Tuesday.
Nicole Prolorath
This is something I put to Rob Joyce. Why do you think these crypto heists haven't risen to the level of public attention given the dollar amounts we're talking about?
Rob Joyce
Well, the victims are diffuse. There's very few victims, even though they're high dollar values. Right. And so it's not hitting our mom and dad, our neighbors, like some of the other scams that are happening. There's also, it's virtual money. So a lot of us have a hard time just connecting to it. But I also think there's this segment of if you play stupid games, win stupid prizes, you're in the crypto business. It's high risk. It's a common reaction.
Nicole Prolorath
So would you say there's even like some schadenfreude here?
Rob Joyce
I don't think the general public feel for the crypto Bros when they lose millions or even hundreds of millions of dollars.
Nicole Prolorath
If Ronin was the moment we realized North Korea had entered a new league, what came next revealed total mastery. Ben Zhou, CEO of Bybit, broke the news himself.
Narrator / Reporter
About two hours ago, Bybit experienced a hack.
Nicole Prolorath
As far as we know, this could
Narrator / Reporter
be the largest hack in the history of our industry.
Heidi Wilder
The largest crypto hack in history just
Nicole Prolorath
hit Dubai based exchange BYBIT. $1.5 billion stolen.
Ari Redbird
What was that?
Michael Barnhart
One and a half billion dollars?
Adam Myers
The Bybit hack.
Rob Joyce
Yeah,
Nicole Prolorath
Bybit, one of the world's largest cryptocurrency exchanges. But the terrifying brilliance of the operation is that North Korea never hacked Bybit directly. Here's Rob Joyce again.
Rob Joyce
They went after a wallet, a third party provider that managed the signing protocols. And what I would say is they hacked the user experience of the people working inside this space.
Nicole Prolorath
The attack happened on February 21, 2025. North Korea target the process Bybit used to move funds out of its cold wallet. Think of a cold wallet as the Fort Knox of crypto, or at least that's the idea. It keeps private keys that control crypto offline, away from the Internet and out of the reach of hackers. A hot wallet, by contrast, is connected to the Internet and used for day to day transactions. So every now and then, Bybit had to replenish its hot wallet from its cold one. Basically, it's like moving money from a savings account into a checking account. That transfer relied on smart contracts, though code on the blockchain that executes an action once certain conditions are met. In this case, Bybit wants to move funds. Enough authorized signers approve, the transaction goes through. But smart contracts are still code. And most people don't interact with raw code. They use interfaces, dashboards, buttons, popups. The difference between using Instagram and reading Instagram's source code. Bybit's executives were no different. They used Safe Wallet's interface to approve transfers from the cold wallet to the hot wallet. No need to stare directly at the blockchain. And that's where the genius of this hack came in. Here's Anto Joseph.
Anto Joseph
The smart contracts can be completely safe if you directly interact with just the smart contracts. But most people don't directly interact with the smart contracts. They'll go through, like, a UI layer that makes it easy for them to use these smart contracts.
Nicole Prolorath
The brilliance of the Bybit hack wasn't brute force. It was David Copperfield level misdirection. They didn't attack Bybit's cold wallet directly. They tweaked parts of Safe Wallet's UI so that when Bybit's authorized signers were prompted to review a routine cold wallet transfer transfer, everything appeared normal. The wallet addresses look correct, the amounts looked correct, nothing seemed out of place. But underneath the surface, the transaction had already been altered. And an entirely different set of instructions were being sent to the blockchain. Bybit's CEO personally authorized what appeared to be a standard transaction. But in reality, he was handing North Korea's hackers the keys to one of the largest vaults in crypto. Here's Nick Carlson again.
Nick Carlson
Bybit, unusually, did huge transactions using this software, which nobody else really did. And so for a period of weeks, the North Koreans had access. They could have hacked anybody using the software, but they didn't. They waited and they waited and waited until the moment that by that basically turned green.
Nicole Prolorath
And what do you mean by turned green?
Nick Carlson
I mean, like you look at your instant messenger and you see somebody turn green, they're available. So this wallet was inaccessible to them until the CEO of Bybit actually logged in to authorize a transaction. That's when they did it. And then they took it all.
Nicole Prolorath
One and a half billion dollars in ether was suddenly routed into North Korea controlled wallets.
Rob Joyce
There are thousands of automated micro transactions to obscure the stolen funds. So they break up the stolen money into tiny, tiny little elements that are super hard to track. They were early adopters of these things called mixers, where you put in crypto from one theft and you put in crypto from another. Place and they get all mixed around and you can't follow the money the way we can with traditional bank transfers.
Nicole Prolorath
It's like they learned from the subprime mortgage pools.
Rob Joyce
Yes, yes, exactly. The scheme I really came to admire was they got this crypto that's stolen and you can track on the blockchain that it stole in crypto. And they went to crypto mining services where you can buy GPU compute time to mine for cryptocurrency, and you can pay for those servers with cryptocurrency. So they rented compute power with these stolen coins and they mined freshly minted, clean cryptocurrency, and then they could take that away because it's brand new and has no illegitimate past. So that was really innovative. To me.
Nick Carlson
To me, BYBIT is the moment where this becomes a real issue for ordinary people. A billion and a half over a single instant. That's orders of magnitude greater than anything that had happened before in any other context.
Nicole Prolorath
BYBIT wasn't just the biggest crypto heist in history, it was the largest heist in history, period. The only thing that has ever come close was Saddam Hussein's 2003 raid on the Iraqi central bank leading up to the Iraq war, when roughly a billion dollars in cash was removed on his orders. But North Korea didn't need soldiers or trucks. They just needed laptops and a manipulated screen. A world record heist, and the world hardly blinked. But inside the cybersecurity community and crypto, this fundamentally changed our understanding of what hackers can do with a keyboard. Here's Ari Redbird and Nick Carlson.
Ari Redbird
Again, that is extraordinary.
Nick Carlson
The people who do the Bybit Nudu Ronin, that's a specific team, and that team is the descendants of the guys who did Sony and Bank of Bangladesh. Like, those are the tip of the spear, the very best in the North Korean org chart. These guys completely dominate this business. They're the Google of crypto theft. Right? They completely control this. They're almost a monopoly. That's how big this is. Like there are North Korean thefts that we have not attributed. So the real number here, North Korea is, you know, 70, 80% of probably crypto thefts every year.
Nicole Prolorath
What's the current ballpark figure for how much the DPRK has stolen in cryptocurrency?
Nick Carlson
So kind of our conservative lower bound estimate is what, around 5 billion? And upper ground is around 6, maybe even more than that. And even in the best years, in the mid 2010s when we were working these sanctions cases, they would Maybe make two, two and a half billion a year in exports. And those were gross revenues. Right. That's not the net profit. So the idea that, you know, in a handful of years, they have far outstripped that with just a tiny team of people, it's a real, really big deal. To the North Koreans, this is a huge source of revenue. There's a degree of innovation. Right. And an understanding, I think, on their part that there's really not much that the world can do about it, that they have been so successfully isolated that there's not a lot of cost that can be imposed through any kind of traditional sanctions anymore. So it takes a kind of degree of canny wiliness. Right, to realize that that frees your hands in some ways that you can do things other countries can't afford to do.
Nicole Prolorath
The BYBIT heist rattled belief in the core promise of crypto itself, that the system could be trusted. Here's Matt Muller again.
Matt Mueller
If the demands of crypto as sort of like a mainstream financial instrument are such that it puts billions of dollars at risk in this way, in irreversible ways, is crypto actually suitable as a mainstream financial investment? Right. My personal take is I fundamentally don't believe that anybody can protect crypto in ways that are useful for the average person. I've absolutely loved my experience in trying to defend crypto, especially in the early days. There was just so much promise for a new sort of financial ecosystem. But I think actually, the North Koreans have pretty effectively proven that given enough time and effort here, the bad actors are absolutely going to win in this complex, hard to understand ecosystem.
Nicole Prolorath
Okay, so knowing what you know, do you think anyone should even get into crypto at this point?
Matt Mueller
Yeah. For somebody who's looking to, you know, invest in crypto today, I think the advice that I would have had in 2018 is the same advice I would give today, which is don't bet what you're not prepared to lose.
Nicole Prolorath
But this goes far beyond crypto investors losing money. Because until now, crypto existed mostly at the edge of our financial system. It was largely experimental, speculative, and pretty separate from most people's everyday lives. But that's changing. The Trump administration has made cryptocurrency a bellwether of its tech policy. It's implemented executive orders and summits to make the United States the, quote, crypto capital of the planet. And now institutions are increasingly willing to adopt the technology that North Korea has spent years mastering. And that's what security experts find the most alarming. Here's Michael Barnhart. From dtex, AKA Barney. You may remember him from episode one as the guy who tattooed IT workers onto his foot.
Michael Barnhart
For North Korea, specifically, they are bred on crypto. They understood it before you and I ever knew what a bitcoin was. They get it. So my fear here is kind of twofold. How good North Korea is at crypto and how they. Again, with placement access for IT workers. Whenever I'm talking to financial institutions and talking about this problem, this was one that's always kind of come up and it's that we haven't seen North Korea make this run on the banks that we saw in the 2000 and tens. Those things kind of went away, you know. Why did they go away? Well, a lot of it has to do with crypto. And they really changed gears after the Bangladesh heist. So we have this kind of misconception that we're running a race, really. And they've not touched banks, they've touched financial institutions. They're dealing the crypto things. That's great. I'm out here by myself. I'm out front. Okay, no one's around. Coast is clear. Okay, let's start implementing like Web3. Let's get with the times. Let's be innovative. Let's. Let's all get together and really do this the right way. We're so far out front that this isn't going to be an issue. But in reality, North Korea is so embedded to cryptocurrency as a whole, even from the early days of its development, they've been there for so long that it's not that we're out front. They're already at the end and they're waiting for us. They're saying, hey, yeah, we not made that run on banks yet. Go ahead and start implementing some of those technologies that we've perfected. I'm daring you to, and I think that's one of the things that I'm really worried about. It's not that they're beating us in the race. They made the race. You're going to have the most skilled actor in that space waiting for you. If it's not an IT worker already in the environment to begin with.
Nicole Prolorath
The board is set, the players are in position, and by all accounts, we're not ready. That's next on the season finale of To Catch a Thief. Follow To Catch a Thief to make sure you don't miss the next episode. And if you like what you hear, rate and review the show. To Catch a Thief is co produced by me, Nicole Prolorath and rubric in partnership with Pod People, with special thanks to Julia Lee.
Episode 5: The Heists
Release Date: July 7, 2026
Host: Nicole Perlroth
Episode 5 of "To Catch a Thief" pivots from Chinese cyber power to focus on North Korea’s unprecedented evolution into one of the world’s most audacious cybercriminal states. Host Nicole Perlroth investigates the inner workings, motives, and chilling effectiveness of North Korea’s heists—from the Sony hack to billion-dollar cryptocurrency thefts. The episode dissects major attacks, the blending of statecraft with cybercrime, revealing a model where the regime’s survival and power increasingly hinge on digital larceny.
The Ruthlessness of Kim Jong Un
“What kind of a person would kill the man who posed as his father for some slight or embezzlement or something. It's really brutal.”
— Nick Carlson (00:32)
Transition from Political to Financial Attacks
“Destructive cyberattacks make headlines. Financial cyberattacks make money.”
— Nicole Perlroth (01:43)
On the Heist's Precision
“They chose these dates like a Seal Team 6 would go in and attack someplace on a moonless night.”
— Eric Chen (08:01)
Biggest Theft Stopped by a Typo
“Had they waited, they could have made those corrections. And ultimately those transactions equated to almost $1 billion. And they would have walked away with $1 billion instead of 81 million.”
— Eric Chen (11:48)
Aftereffects of Hack Exposure
“It wasn’t technical brilliance. It was social engineering mastery. They did it by posing as a recruiter on LinkedIn.”
— Rob Joyce (41:48)
On Crypto Crime's Visibility
“A bank robbery of a million dollars in cash is still headline news. Crypto robbery of a million dollars worth of some token that you've never heard of. That's a Tuesday.”
— Matt Mueller (46:45)
North Korea’s Mastery of Social Engineering in Tech
“These guys...wear uniforms. They have military rank. It's a degree of organization nobody else has.”
— Nick Carlson (26:19)
Blunt Perspective on Cryptocurrency Security
“My personal take is I fundamentally don't believe that anybody can protect crypto in ways that are useful for the average person. The bad actors are absolutely going to win...”
— Matt Mueller (56:19)
On North Korea ‘Waiting for Us’
“They're already at the end and they're waiting for us…Go ahead and start implementing some of those technologies that we've perfected. I'm daring you to.”
— Michael Barnhart (58:18)
The episode maintains a journalistic, urgent, and at times incredulous tone, mirroring both the awe and alarm among investigators at the sheer boldness and tactical genius exhibited by North Korean cyberactors. The interviews blend technical insight with plainspoken metaphors, making complex attacks understandable and underscoring the real-world stakes for listeners.
For more, follow the series and prepare for the season finale, where the implications for critical infrastructure and American society are set to be unveiled.