[UN report on North Korea] North Korea's evasion of financial sanctions using virtual currency 1

 

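North Korea is subject to a range of sanctions from the international community. The UN has also designated North Korea as a sanctioned country, imposes measures such as financial sanctions, and periodically publishes reports on the status of the sanctions against North Korea. These reports cover many topics, but what has drawn the most attention recently is North Korea's evasion of financial sanctions through virtual currency and its virtual-currency-related cyber attacks.

This was partly covered in the press, and some members of the National Assembly questioned the government about it during the parliamentary audit. Even so, it has not registered much with the public and is instead treated as little more than gossip. That is understandable, because there is far too much talk that baselessly claims something is North Korea's doing. Surprisingly, however, the UN report records past incidents that it analysed as being North Korea's work. For example, it is very surprising that the hacking of bitcoin from Bithumb, one of South Korea's cryptocurrency exchanges, was the work of North Korea.

Beyond this, North Korea uses virtual currency in a variety of ways. The most important reason and purpose is to evade financial sanctions. The reason appears to be that, although virtual currency makes transactions convenient, it has not yet been institutionalised and sits in a regulatory blind spot, so North Korea can carry out the transactions it wants under UN and US surveillance while making minimal use of the dollar-based formal financial system.

Below are excerpts from the UN report relating to North Korea's virtual currency activity and cyber attacks.

For the original text, see the link below.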

https://www.securitycouncilreport.org/atf/cf/%7B65BFCF9B-6D27-4E9C-8CD3-CF6E4FF96FF9%7D/S_2019_691.pdf


Evasion of financial sanctions through cyber means 

57. The Panel continued its investigations into the evasion by the Democratic People’s Republic of Korea of financial sanctions through cyber means to illegally force the transfer of funds from financial institutions and cryptocurrency exchanges, launder stolen proceeds and generate income, whether in fiat or cryptocurrency. Based on information provided by Member States and open source reports, the Panel is undertaking investigations of at least 35 reported instances of Democratic People’s Republic of Korea actors attacking financial institutions, cryptocurrency exchanges and mining activity designed to earn foreign currency, including in the following Member States: Bangladesh (2 cases), Chile (2), Costa Rica (1), the Gambia (1), Guatemala (1), India (3), Kuwait (1), Liberia (1), Malaysia (1), Malta (1), Nigeria (1), Poland (1), the Republic of Korea (10), Slovenia (1), South Africa (1), Tunisia (1) and Viet Nam (1) (see annex 21). The Panel is investigating such attacks as attempted sanctions violations by Democratic People’s Republic of Korea cyber actors of paragraph 8 (d) of resolution 1718 (2006), paragraphs 8 and 11 of resolution 2094 (2013) and paragraph 32 of resolution 2270 (2016). The Panel’s investigations show a marked increase in the scope and sophistication of cyberactivities, including attacks in violation of financial sanctions. Some estimates placed the amount illegally acquired by the Democratic People’s Republic of Korea at as much as $2 billion.

58. The main cyberactivities carried out by Democratic People’s Republic of Korea actors have included the following: attacks through the Society for Worldwide Interbank Financial Telecommunication (SWIFT) network (with bank employee computers and infrastructure accessed to send fraudulent messages and destroy evidence), the theft of cryptocurrency (through attacks on both exchanges and users) and the mining of cryptocurrency as a source of funds for a professional branch of the military.

In one notable example, Democratic People’s Republic of Korea cyber actors gained access to the infrastructure managing entire automatic teller machine networks of a Member State for the purposes of installing malware modifying transaction processing in order to force 10,000 cash distributions to individuals working for or on behalf of the Democratic People’s Republic of Korea across more than 20 countries in five hours. That operation required large numbers of people on the ground, which suggests extensive coordination with Democratic People’s Republic of Korea nationals working abroad and possible cooperation with organized crime.

59. With regard to the foreign currency earned through cyberattacks, according to one Member State, “These activities contribute to the DPRK’s WMD programme”. Implementing such attacks is low risk and high yield, often requiring minimal resources (e.g., a laptop and Internet access). That Member State indicated that the increasing sophistication of the attacks, combined with advances in global technology and digitization, results in growing attack surfaces and an expanding selection of targets for those actors, leading to an increase in vulnerable countries and sectors, given that cyberdefence is never absolute.

60. The Panel had previously established the role of the Reconnaissance General Bureau in cyberattacks by the Democratic People’s Republic of Korea (S/2019/171, paras. 109–118), further confirmed by a Member State that stated that many Democratic People’s Republic of Korea cyber actors are subordinate to the Bureau. That Member State added that the Democratic People’s Republic of Korea has an elaborate selection process for its cyber units, with recruits being selected at a very young age and given specialized training, mostly by the military and secret services. The Panel notes that different Member States and companies employ their own naming conventions for Democratic People’s Republic of Korea-linked advanced persistent threats.

61. A Member State highlighted that attacks by Democratic People’s Republic of Korea actors also demonstrate increasing sophistication in social engineering. In an attack against Redbanc, an interbank network in Chile, Democratic People’s Republic of Korea hackers approached a target employee through LinkedIn with a job opportunity followed by an entire interview over Skype in Spanish to build trust before asking the target to download malware. For information on patterns and methods of attacks, see annex 22.

62. Democratic People’s Republic of Korea cyber actors steal cryptocurrency, use it to launder proceeds in evasion of financial sanctions and mine it through cryptojacking attacks for the purposes of revenue generation. According to a Member State, cryptocurrency attacks allow the Democratic People’s Republic of Korea to more readily use the proceeds of their attacks abroad. In order to obfuscate their activities, attackers use a digital version of layering in which they create thousands of transactions in real time through one-time use cryptocurrency wallets. According to that Member State, stolen funds following one attack in 2018 were transferred through at least 5,000 separate transactions and further routed to multiple countries before eventual conversion to fiat currency, making it highly difficult to track the funds.

63. Another Member State informed the Panel that the “DPRK mostly attacks ROK crypto currency exchanges from within the DPRK”. While Democratic People’s Republic of Korea cyberattacks on Republic of Korea targets have been increasing in number, sophistication and scope since 2008, including a clear shift in 2016 to attacks focused on generating financial revenue. In 2019, Democratic People’s Republic of Korea cyber actors shifted focus to targeting cryptocurrency exchanges. Some cryptocurrency exchanges have been attacked multiple times.


Bithumb was reportedly attacked by Democratic People’s Republic of Korea cyber actors at least four times. The first two attacks, in February and July 2017, resulted in losses of approximately $7 million each, with subsequent attacks in June 2018 and March 2019 resulting in the loss of $31 million and $20 million, respectively, showing the increased capacity and determination of Democratic People’s Republic of Korea cyber actors. Similarly, Youbit (formerly Yapizon) suffered multiple attacks involving a $4.8 million loss in April 2017 and then 17 per cent of its overall assets in December 2017, forcing the exchange to close. Those attacks, along with an attack on UpBit on 28 May 2019, used similar tools, codes and attack vectors (including spear phishing and watering holes) to those used in previous cyberattacks on security and defence targets attributed to the Democratic People’s Republic of Korea. In addition to the Republic of Korea, the Panel investigated Democratic People’s Republic of Korea attacks on cryptocurrency exchanges in five other countries (see annex 21 B).

64. With regard to laundering the proceeds of attacks through cryptocurrency, the worldwide WannaCry ransomware attacks in May 2017, which affected more than 200,000 computers in 150 countries, demanded ransom payments in the Bitcoin cryptocurrency. A Member State investigation found that the cryptocurrency obtained through WannaCry malware had been laundered through multiple virtual currencies and multiple jurisdictions to obfuscate transactions.

65. Bitcoin ransom payments made by victims of WannaCry were transferred from a Bitcoin wallet through cryptocurrency exchanges and ultimately converted to Monero, another cryptocurrency, using a Swiss-based cryptocurrency exchange called ShapeShift. Monero is an anonymity-enhanced virtual currency and therefore more difficult to trace than standard cryptocurrencies such as Bitcoin, Litecoin or Ethereum, which prolongs attribution. The proceeds of the third attack on Bithumb in June 2018 were transferred through YoBit. By August 2018, less than two months after the attack, the funds were sent to YoBit in a complex series of hundreds of transactions with the aim of converting and cashing out the entirety of the stolen cryptocurrency (as opposed to spending the acquired cryptocurrency directly on goods and services). The above-mentioned cases show a clear evolution from the earlier Democratic People’s Republic of Korea cyberattack on the customers of a Republic of Korea online shopping mall, Interpark, which was designed to generate foreign currency.

66. The Panel notes that, in addition to Democratic People’s Republic of Korea cyberattacks on cryptocurrency exchanges and individual users, Democratic People’s Republic of Korea cyber actors have also engaged in the mining of cryptocurrency. A Member State informed the Panel that a professional branch of the Democratic People’s Republic of Korea military is engaging in such mining. One open source report noted a significant increase in Bitcoin and Monero mining activity within the Democratic People’s Republic of Korea, which it attributed to elites and others with Internet access within the country. Given the increased anonymity of cryptocurrencies, newly mined cryptocurrency can be used to facilitate sanctions-evasion activity.

67. The panel also investigated alleged instances of cryptojacking, in which malware is used to infect a computer for the purposes of illicitly using its resources to generate cryptocurrency. In one report, a piece of malware designed to mine Monero and send any mined currency to servers located at Kim Il Sung University in Pyongyang was analysed. Separately, according to another report, the Republic of Korea Financial Security Institute specifically attributed a similar cryptojacking attack on a Republic of Korea company’s computer to Democratic People’s Republic of Korea hackers. According to the report, the malware is believed to have generated approximately $25,000 worth of Monero for the hackers who deployed the malware. Given the increased anonymity of Monero, it is difficult to determine the total amount of revenue that the Democratic People’s Republic of Korea may be generating from such attacks. Nevertheless, this cryptojacking incident suggests the increasingly sophisticated use of cryptojacking by the Democratic Republic of Korea and its willingness to use malware to generate cryptocurrency through mining for the benefit of the regime.

68. The Panel takes positive note of information provided by Member States on action that they have taken to counter losses due to attacks by Democratic People’s Republic of Korea cyber actors (see annex 23).
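
Paragraph 62 describes layering through thousands of one-time-use wallets before conversion to fiat. The following is an added example, not part of the UN report or the original post, showing how an investigator can follow stolen funds through such pass-through wallets to the addresses where they finally arrive. The ledger is a simplified account-style list of constructed transactions, every address name is made up, and the "funded once, then emptied" test for a one-time-use wallet is an assumed heuristic.

```python
from collections import defaultdict, deque

# Constructed ledger (tx_id, sender, receiver, amount); all names are made up.
LEDGER = [
    ("t1", "hot_wallet", "a1", 100.0),    # the theft
    ("t2", "a1", "a2", 60.0), ("t3", "a1", "a3", 40.0),
    ("t4", "a2", "a4", 60.0),
    ("t5", "a3", "a5", 25.0), ("t6", "a3", "a6", 15.0),
    ("t7", "a4", "exchange_X", 60.0),
    ("t8", "a5", "exchange_Y", 25.0),
    ("t9", "a6", "exchange_X", 15.0),
    ("t10", "user9", "exchange_X", 3.0),  # unrelated deposit
    ("t11", "hot_wallet", "user7", 5.0),  # ordinary withdrawal, not followed
]

def build_index(ledger):
    """Group transactions by receiving and by sending address."""
    incoming, outgoing = defaultdict(list), defaultdict(list)
    for tx in ledger:
        outgoing[tx[1]].append(tx)
        incoming[tx[2]].append(tx)
    return incoming, outgoing

def is_one_time(addr, incoming, outgoing):
    """Assumed heuristic: funded exactly once, then emptied completely."""
    ins, outs = incoming[addr], outgoing[addr]
    return (len(ins) == 1 and len(outs) > 0
            and abs(sum(t[3] for t in outs) - ins[0][3]) < 1e-9)

def trace(ledger, theft_tx_ids):
    """Follow theft transactions through pass-through wallets.
    Returns (one-time wallets seen, {cash-out address: amount received})."""
    incoming, outgoing = build_index(ledger)
    queue = deque(tx for tx in ledger if tx[0] in theft_tx_ids)
    seen, hops, endpoints = set(), set(), defaultdict(float)
    while queue:
        tx_id, _, dst, amount = queue.popleft()
        if tx_id in seen:
            continue
        seen.add(tx_id)
        if is_one_time(dst, incoming, outgoing):
            hops.add(dst)                    # layering hop: keep following
            queue.extend(outgoing[dst])
        else:
            endpoints[dst] += amount         # funds come to rest here
    return hops, dict(endpoints)

if __name__ == "__main__":
    hops, endpoints = trace(LEDGER, {"t1"})
    print(sorted(hops), endpoints)
```

Because every intermediate wallet forwards its full balance, the amounts reported at the endpoints add up to the stolen sum, which is what lets the layers be collapsed no matter how many hops are inserted.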