The two men have just set a trap: a digital wallet storing bitcoin has been moved to a seemingly unsecured device. The pair, perched in front of four computers and five laptops, watch as lines of computer code and Korean text stream down the array of screens, bracing for North Korean hackers to swoop.
"We call this the honeypot," said Kwon Seok-chul, chief executive of cyber security group Cuvepia in Seoul. "They can't see us, but we can see them."
Methods like this enable cyber experts to identify and track hackers from North Korea to help protect companies and governments against their attacks. These tactics are becoming more important amid signs that Kim Jong Un’s regime, under immense economic pressure from sanctions, increasingly depends on cash from cyber-based theft.
Pyongyang controls an army of thousands of hackers who bring in hundreds of millions of dollars annually, according to experts’ estimates. With North Korea cut off from most trade with the outside world, the cash generated from illicit cyber-based activities is thought to have become a core revenue stream for Pyongyang and has now probably surpassed the value of sales of weapons and military services.
"All the channels of trade, regardless of the legality, have largely shrunk. The weapons trade is limited. Cyber activities is one of the remaining ways for North Korea to earn foreign currency now," said Yoo Dong-ryul, director of the Korea Institute of Liberal Democracy, a think-tank in Seoul.
The rise of North Korea’s hacking, online theft and fraud also marks the latest example of the Kim regime’s decades-long struggle to bring in cash to the country via unorthodox and illicit means, and follows reported cases of global insurance fraud and the production of counterfeit money and drugs.
Pyongyang's cyber warfare operations gained notoriety with US authorities blaming groups linked to the government for hacking Sony Pictures in 2014 and for the WannaCry global malware attack in 2017, as well as multimillion dollar heists from banks in India, Chile and Bangladesh.
Guesstimates
Estimates vary as to exactly how much money North Korea now makes from any of its illicit activities - researchers urge caution over any figures, with one US government analyst describing assessments as “guesstimates upon guesstimates”.
A sense of the scale of the crimes can be gained from a UN report published in March, which included analysis detailing five attacks on cryptocurrency exchanges between January 2017 and September 2018 resulting in a loss of $571 million. The US has put the value of attempted cyber heists from 2015 to 2018 by just one North Korean hacker, Park Jin Hyok, and his co-conspirators at over $1bn. By comparison, North Korean weapons sales to countries including Syria, Libya and Iran were estimated at around $500 million annually in the mid-2000s.
South Korean officials have become wary about criticising North Korea directly about any provocations and threats - including a series of weapons tests in May - over fears of derailing efforts to get Kim Jong Un to end his nuclear and weapons programme. However, the frequency and sophistication of North Korea's cyber-based activities have continued to advance, analysts warned.
Luke McNamara, an analyst at cyber security consultancy FireEye, said there had not been “any abatement” in hackers’ targeting of banks and cryptocurrency exchanges in recent months.
Priscilla Moriuchi, a former US National Security Agency analyst, said the North Korean operatives had proved themselves “persistent, patient and skilled”, belying perceptions of the world’s most isolated country as a technological backwater.
“There was an impression that these [banking hacking operations] were opportunistic targets. We can see they are decidedly not,” said Ms Moriuchi, who is now director of strategic threat development at cyber security group Recorded Future.
While analysts expected to see further attacks on banks and financial institutions, Pyongyang’s cyber army has also shifted focus: the lax regulation, light security and anonymity common across the cryptocurrency ecosystem are a perfect match.
“It is easy for a North Korean scam to blend into all the other scams,” said Ms Moriuchi. As part of a broadening system of lower value but higher volume thefts, Pyongyang’s hackers are also gleaning cash from the small electronic stores of cash in “in-game purchases” and “points” used by online gamers.
“Our sense is this low-level financial crime takes up the most time [for North Korea],” Ms Moriuchi said.
Virtually untraceable
Analysts stressed it was difficult to pinpoint what happens to the stolen cash, cryptocurrencies or gaming credits. But, one expert said, there were signs stolen cryptocurrencies were quickly laundered through several different exchanges, making them “virtually untraceable”.
A Seoul-based cyber analyst said cryptocurrency exchanges and holders did not always report heists. But North Korean hackers have been suspected of successful attacks on at least three exchanges in Asia in March and April this year, with South Korea being the primary target.
Mr McNamara of FireEye noted that North Korea has long trialled its “new techniques” in South Korea, just as Russian hacking groups use Ukraine and Iranian groups use the Gulf region.
“A lot of what we see with early North Korean operations - new tools being utilised, new activity taking place - a lot of it begins in South Korea,” he said. “But then we do see it migrated abroad.”
- The Financial Times Limited