North Korean-linked hackers are targeting crypto platforms more but stealing less, report says


The number of North Korean-linked hacks of cryptocurrency platforms rose to a record high in 2023, though the actual amount of funds stolen dropped around 40%, a report Jan 24 from blockchain analysis firm Chainalysis Inc showed.

In a series of 20 hacks throughout the year, cybercriminals linked to the Democratic People’s Republic of Korea siphoned slightly more than US$1bil (RM4.73bil) worth of cryptocurrency, compared to US$1.7bil (RM8.03bil) in 2022. North Korean hackers often target cryptocurrency to raise money as a way around international sanctions, according to US officials.

The drop in funds stolen by North Korean hackers mirrors a larger trend in the cryptocurrency security landscape: an overall decline in hacks of the once-lucrative decentralised finance, or DeFi, protocols. In 2023, the total amount stolen from DeFi protocols was US$1.1bil (RM5.20bil), a 64% decrease from the US$3.1bil (RM14.65bil) pilfered in 2022, according to Chainalysis.

“There have been some positive aspects that have started to slow their success in making off with hundreds of millions of dollars in one attack,” said Erin Plante, vice president of investigations at Chainalysis. “But the threat’s not going away by any means.”

Over the past few years, DeFi protocols have been increasingly targeted by hackers because their source code is freely available online, allowing criminals to more easily find bugs to exploit.

Better security practices, coupled with an overall decrease in DeFi activity, were most likely behind the decline in funds stolen in 2023, Chainalysis said. More DeFi applications are improving their code auditing and receiving guidance from companies like Microsoft Corp and Alphabet Inc’s Google on how to strengthen their networks, according to Plante.

As cryptocurrency platforms fortify their networks, North Korean hackers are racing to keep up by employing more diverse and sophisticated tactics, Plante said. More criminals are waiting patiently for an opportunity to strike by accessing networks undetected and sometimes gathering intelligence for months.

“They look at what’s changing, what’s evolving, and how they can use that malicious intent,” said Joe Dobson, principal analyst at the cybersecurity firm Mandiant. “Whatever the advancement is, they’re going to find a way to take advantage of it.”

In one stealthy hack this past June, TraderTraitor, a group with ties to North Korea, swiped around US$129mil (RM610.04mil) from thousands of users on cryptocurrency wallet service Atomic Wallet, according to Chainalysis.

The group worked by chain-hopping, moving between different cryptocurrencies quickly to avoid being traced. They went on to hit two other crypto payment platforms, Alphapo and CoinsPaid, later that month, according to the report. Atomic Wallet said in a statement at the time that less than 0.1% of app users had been affected.

Investor behaviour in the volatile cryptocurrency markets could be another underlying reason North Korean-linked hackers are stealing less. Fueled by the collapse of FTX Trading Ltd and the vulnerability of these companies to large hacks, investors may be diversifying their currency among many platforms to avoid risk, according to Allan Liska, senior intelligence analyst at cybersecurity firm Recorded Future Inc. This means cryptocurrency exchanges may have a smaller pool of funds for hackers to steal.

“There’s less trust in many of the traditional big exchanges than there used to be,” Liska said. – Bloomberg
