Welcome back. Welcome back to the Underworld Podcast, the radio program where two journalists take you deep into the world of organized crime all around the globe. I am one of your hosts, Danny Gold. Usually I'm joined by the fantastic Sean Williams, but this week we have a special episode. First, as always, we're going to be talking about the Underworld Podcast.
patreon.com slash the underworld podcast, or you can do it on iTunes too for bonus episodes, working on some interviews about what's been going on with the gangs in El Salvador with some folks who spent a lot of time on the ground there, and also an update on the streets of Trinidad, which I know was a big episode last
Sean has some crazy stuff in his reporting trip to India. There is a lot going on. We've also got a bunch of other episodes in the bag involving the Zetas in Mexico, Vancouver gang wars. You know, I had one on Wagner and Russian mobsters fighting in Ukraine, but that's,
We'll see what happens with all that. And there's something I'm working on with Romanian mobsters that I'm actually looking for some help in researching. If anyone out there speaks Romanian, hit us up at the underworld podcast at gmail.com. But yeah, you know, we're still trying to get some episodes out. We're still kind of working out that contract stuff, but yeah,
We'll be back sooner rather than later. This week, we are bringing you an episode from the good folks at Click Here about North Korea's obsession with stealing crypto, which is great. Yet another way to lose money on crypto. I thought I had discovered them all by losing all my money. Anyway, Click Here is a weekly podcast about all things cyber and intelligence. It's hosted by former NPR investigations correspondent Dina Temple-Raston.
Click Here tells true stories about the people who make and break our digital world. They helped us out, so we're going to help them out and run this episode. But as always, Spotify, iTunes, all that, underworldpod.com. We still have merch up there. And anything else, hit us up. We are always here. We're doing the YouTube channel. We're doing the Instagram. There's all sorts of weird stuff up on all those that people help us out with. So definitely check
definitely pay attention. We actually have our friend Lily who might be starting up a TikTok for us. That's right. Sean and I on TikTok or Lily doing it for us on TikTok, but maybe we'll make an appearance. Anyway, enjoy the episode. Let us know what you think and enjoy your summer. Have a great time.
So give me an idea, like, how did it start? Can you sort of take us back to that? Yeah, so this happened in April. I got an inbound actually directly to my calendar from our ATS, what's called an applicant tracking system. And that's just automated human resources software. That's John Wu. He's the head of growth at a cryptocurrency company called Aztec Protocol.
It provides a kind of VPN for crypto transactions to make them more private. And this past spring, he gets a job application from a guy named Bobby Sierra, who says he's from Canada. So I take a swing through the resume. It doesn't look that crazy. It's pretty solid. The resume looks workmanlike, some experience in crypto mining, a little gaming. And there's a cover letter. It feels like a relic of a different age. But this applicant happened to have a cover letter.
I think what was really strange about the cover letter was the sign off, you know, a bunch of platitudes. And then the sentence, the world will see a great result from my hands. Instead of looking forward to talking or I can't wait for the interview, this guy writes, the world will see a great result from my hands. And that's like the type of thing someone with a laser cannon arm and, you know, a microchip for an eyeball would say, you know, like really deep.
Bond villain. I live inside a volcano. So it's safe to say that John Wu is feeling a little uneasy. Then, when the interview rolls around, Bobby Sierra apologizes and says, sorry, he can't use his camera. It doesn't seem to be working. But this person was purporting to be a capital R real person.
And so to interview someone like that and not have the camera on is a huge red flag. According to Bobby's resume, he's from Canada, but his accent sounded really heavy and John couldn't quite place it. I asked him where he was based. He said Hong Kong. So red flag number two. And then I asked him where he worked. He couldn't answer that question at all. In fact, when pushed on where he last worked, he actually muted himself.
For two minutes. Like he was muting the phone so he could ask someone for advice on what the correct answer was supposed to be. So when he finally came back on the line, John couldn't help but notice that it sounded like Bobby Sierra was sitting in a really busy office. There were all these other voices who also sounded like they were either in a call center or interviewing people or something that sounded like he was one of many.
And then something made his heart skip a beat. He recognized the language in the background. I heard a mix of both English and Korean. I kind of freaked out a little bit and I logged off and I kind of shut my computer down and I turned to my team and I said, I think I interviewed a North Korean hacker. I'm Dina Temple-Raston and this is Click Here, a podcast about all things cyber and intelligence. Today, the wild and woolly world of North Korea's hacking program.
Turns out that weird interview was likely part of something much bigger. The North Korean government is not just trying to plant operatives in foreign crypto companies. It has set up a network of hacker hotels in other countries and launched a slew of high-profile crypto heists, all done in a bid to fund the Little Hermit Kingdom's number one priority, its nuclear arsenal. Stay with us.
When John Wu got that resume and crazy cover letter back in April, it was in response to a Help Wanted ad. His company, Aztec Protocol, was looking for a full-stack engineer. Essentially, full-stack means familiarity with both front-end technologies and back-end technologies, so websites and databases. So he was meant to be someone who could kind of do it all.
Someone who, depending on their seniority, could make a couple hundred thousand dollars a year and would probably have access to all kinds of Web3 systems that would be helping people trade crypto. And though it seemed ridiculous, John Wu couldn't shake the feeling that it might have been a North Korean in that interview.
It wasn't just the other voices he thought he heard speaking Korean in the background. There were other weirdly fishy things, like the guy's name. Bobby Sierra. It's also a name that's so generic as to be comical. It's as if someone put American Name Generator
into the internet and it just kind of popped out with Bobby Sierra. And then John noticed just an hour or two after talking to Bobby that someone started tinkering with his online resume, like they were trying to improve it. Some of the links that he had provided to his prior work were changing. He was already changing the pointer. He was, maybe his overlord at the office was saying,
Hey, that wasn't very effective. You know, maybe we need to polish up your fake resume a little bit. You know, he was getting career coaching advice, you know, from the North Korean government. And John Wu admits that if you step back, all of this sounds a little far-fetched. And of course, everyone was incredulous because, I mean, how could you know that
Also, I mean, what a ridiculous story. But then he heard this news. Now, Washington says Pyongyang is dispatching thousands of skilled IT workers overseas to seek employment while opposing. Back in May, just weeks after that weird interview, the FBI, State Department and Treasury issued an advisory warning tech companies about a new scam. It said that North Koreans were disguising themselves as ordinary tech workers.
The release even listed what to watch for, things that sounded uncomfortably familiar to John, like job applicants who wouldn't turn on their webcams or unexplained inconsistencies in their histories and odd work locations. It looked like John wasn't so crazy after all. And how did you end the interview? Thank you very much. We'll be in touch. No, I actually didn't give him that courtesy. I think when he came back and didn't address any of the other questions...
I kind of freaked out a little bit and I logged off and my mind started racing. I was like, has he already injected a vulnerability? Did I accidentally screen share him? Did I get a pull request? What emails has he sent my team? John never confirmed that Bobby Sierra was actually a North Korean, but the interview did sound an awful lot like what the U.S. advisory told people to look out for. U.S. officials say they believe North Koreans have started applying for I.T. jobs for two reasons.
The jobs allow them to repatriate money and avoid sanctions. And if it's a crypto company they're applying to, they have the added bonus of potentially allowing them to plant an insider who could help them launch something later, like a huge crypto heist. And while John Wu may have seen through Bobby Sierra's masterful disguise, he suspects Bobby probably had luck elsewhere, just because it's hard to find people to do this kind of work right now. It's especially hard to hire for software engineers.
The problem is once you hire a contractor, they can use a subcontractor. You know, the contractor says, I've got this contract. I need to deliver a piece of code. Well, I don't have the guys either. I'm going to subcontract that out. And that subcontractor got a subcontractor. And that subcontractor, without realizing it, unknowingly hires a North Korean hacker. When we come back, why Pyongyang is banking on crypto. Back in the 1980s, I lived in northeast China, not far from North Korea.
There were just a handful of Westerners living in that part of China at the time, and we'd meet up at the local hotels to drink on Friday nights. There was the Phoenix Hotel, the Metropole, the Chilbosan. This was back when China's hotels looked very Soviet. It was hard to get a foreign beer, and the hotel maids actually mopped the rugs instead of vacuuming them.
Even back then, the Chilbosan was filled with North Koreans. And when Pyongyang got into the hacking business, the Chilbosan, with its great internet connections, became an outpost for North Korean hackers. And they were pretty obvious about it. The dining, you know, is all Korean food, the way the staff is. It's like a little,
let's call it resort haven inside of China, but actually fully North Korean. Eric Chien is a security researcher at Symantec, and he's one of the world's go-to guys on North Korean hacking. And they call it the hacker hotel because, again, hackers are there, essentially in hotel rooms.
hacking away day and night and living there at the same time. Have you been there? I have not been there. I've not been there. I don't, I'm not sure. I'm not sure I would be, I would be welcome. I think you'd have to go in disguise maybe. Potentially. We'll work on that.
The Chilbosan Hotel was a longtime base of operations for Pyongyang's premier hacking gang, the Lazarus Group. We've been tracking them since the very early days, probably 2009. They conducted a mass distributed denial of service attack on the U.S. and South Korea. Some of those artifacts that we had covered at that time date back probably to as early as 2007. Wow. Wow. How North Korea actually organizes its hackers is a bit complicated.
North Korea has a reconnaissance bureau. They are primarily underneath the People's Army in North Korea. And most of the cybercrime operations are done under what's called the Third Bureau. And then within the Third Bureau... There's another group that is called Lab 110. But basically, you know, they're embedded within the military operations of North Korea. The Lazarus Group is thought to be working for Lab 110.
And it wouldn't be an exaggeration to say that its work has become the stuff of legend.
are responsible for some of the most damaging and most well-known cyber intrusions in history, including the cyber attack targeting Sony Pictures. Multi-million dollar salaries of top Sony executives. The cyber heist of Bangladesh Bank. In this $81 million heist, we're learning... And creating the WannaCry ransomware. Ransomware on hundreds of thousands of computers around the world and nearly crippled the British healthcare system. So it's a significant impact...
So you have to wonder, given all this activity, why don't the authorities just march down to the Chilbosan Hotel and round up some of these people? And there was talk of doing that. Then, a few years ago, the Chilbosan unexpectedly announced it was closing. U.S. officials say North Korea has moved its operations elsewhere.
North Korea's motivations for all this hacking make it different from other countries. China tends to focus on intellectual property. Russia wants to sow chaos. Iran specializes in U.S. infrastructure hacks.
And North Korea is and always has been all about the money. So in the old days, I'm sorry to be so retro and talk about dollar bills. I thought North Korea made the greatest counterfeit American dollars. It's actually good that you talk about the old days because a lot of people don't realize something about North Korea. What they're doing today with cyber offensive actions in the financial world
is what they were doing in the past before computers existed. So North Korea has always been involved in organized crime, drug trade, counterfeiting, and that's how they were getting their money in the past. And now what we've seen is just a shift where they realize it's much easier to achieve those same objectives just by using cyber offensive operations. And cryptocurrency exchanges are a new tantalizing target. They're brimming with money and they're surprisingly vulnerable.
Most of these organizations that are hacking are small startups and to be frank, have not invested that much in security as much as something like a mainstream bank. Not only are mainstream banks harder to break into, but the sheer logistics of moving that cash into North Korea without being noticed is hard. If you wanted to steal, say, $81 million from Bangladesh Bank, how would you get it back to Pyongyang?
You have to set up fake accounts, bribe bank managers. You have to have people go to the banks, take money out in suitcases, and then launder it through gambling junkets. So if you think about all of that effort that's required to get that money, you have to pay all those middlemen as well. When we talk about cryptocurrency, they just transfer it one place to another and eventually cash it out. When we talk about cryptocurrency, once it's gone, it's pretty much gone.
And the granddaddy Ocean's Eleven crypto heist of all time? Well, it happened this past spring when Lazarus hackers broke into a crypto company called Ronin. It's based on what's called Ethereum, so just a type of cryptocurrency. One of the problems with cryptocurrency that hasn't been worked out yet is that you can't just move digital coins from one blockchain to another automatically.
Unlike the banking system, cryptocurrency exchanges are siloed. So companies have built something called a cryptocurrency bridge, and it allows you to change Bitcoin into, say, Ethereum. They're like the electronic equivalent of those foreign currency exchange booths at the airport. The crypto bridge requires that every transaction have keys to verify the transfer, like showing your passport at the airport booth.
If you can steal enough of those keys... It's like getting sort of the skeleton key for that network. And this is what Lazarus did this past spring. They took over some keys at that crypto company, Ronin, and then just transferred a bunch of cryptocurrency into their wallets. The haul, at the time, was some $600 million, all bound for Pyongyang's pockets.
You essentially have one person, Kim Jong-un, who decides, I need, you know, a billion dollars raised this year to help fund the country. And so hack whoever and whatever you can to make that money. The big concern, at least for the U.S. and its allies, though, is where all that money is going. That's a North Korean propaganda video of a missile launch, a visual reminder of the great leader's top priority.
Earlier this year, a UN report tried to quantify just how much North Korean hackers were stealing to support Kim Jong-un's obsession.
The UN says it is conservatively in the hundreds of millions of dollars. And while hacking is helping with the bulk of that, sending out guys like Bobby Sierra to pose as IT specialists looking for work is adding to that bottom line too. And it may be happening more than we think. I actually talked to someone at a co-working space and he came up to me and he told me in confidence. John Wu again. You know, we had a North Korean on payroll. We had hired a guy and he had been working with us for six months.
And it wasn't until the FBI called us that we were like, oh, oh, golly, you know, we didn't do the correct security checks here. He says crypto heists are just objectively bad for everyone, because in the end, whether you're a digital asset or an old fashioned currency, money is all based on trust. Our number one goal in this industry is to keep users safe. And if users aren't safe, we aren't doing our job. So that's number one. Number two, and it sounds crazy to say this, this is a matter of national security.
It's like I talked to a guy who was trying to take money from me and like give it to the development of ballistic missiles. I mean, that's just crazy. This is Click Here.