According to a report from Recorded Future, the ruling elite in North Korea are increasingly using the Internet to take advantage of money-making opportunities and to evade economic sanctions. The Kim regime is not only making use of interbank transfer systems, online gaming, and even cryptocurrencies, it is exploiting them to raise money.
The report reveals that some Singapore-based North Korea enablers are running what is called Marine Chain.io, which appears to be a cryptocurrency scam. In addition, there may also be links between the DPRK and the Interstellar cryptocurrency (also known as HUZU, or HOLD).
As for Marine Chain.io, its website says it is an asset-backed cryptocurrency whose main goal is the tokenization of ships. Some Redditors, however, were quick to notice similarities between the scammers' website and another one in the same niche.
How does the scam work?
Initially, the website promises a stable cryptocurrency backed by real-world assets. In reality, the operators simply do not provide the service as promised and, once they are satisfied with the number of investors, they close the website and run off with the money.
See: How Bad is the North Korean Cyber Threat?
Once Recorded Future researchers had identified Marine Chain as a scam, their focus switched to finding its owner. With some simple research, they quickly found that the domain was hosted on the same IP address as another company which had earlier been found to be scamming users out of thousands of dollars.
People behind the scenes
The next step in the investigation was to use open-source intelligence to find more information; this included fake company advisors and other important names. Over time, the investigation gained momentum and the team quickly found out more about the history of Marine Chain's CEO. Above all, there was a connection between this CEO and other companies that had aided the country in avoiding international sanctions, dating back to 2013 (and potentially even further), through illicit activity on the DPRK's behalf.
The report stated that Capt. Foong, a member of Marine Chain, belonged to a wider group of enablers helping North Korea in its attempts to escape international sanctions. This time they used cryptocurrencies both to raise funds for the regime and to launder funds.
Sadly, cryptocurrency-based scams are becoming more common among North Korean actors. However, this is the kind of low-level cybercrime the Kim regime is using in addition to other, more serious activities such as ransomware.
According to Group-IB, a cybersecurity company, about 14 cryptocurrency exchanges lost nearly $900 million in cyber-attacks between 2017 and 2018. Its report suggested that North Korean hackers from the well-known Lazarus Group are responsible for at least five of these attacks.
Internet in DPRK
It is a well-known fact that North Korea imposes severe restrictions on Internet access; for ordinary citizens it is simply forbidden. Only some of them can access Kwangmyong, a domestic intranet. What is less well known is that the ruling elite and a few privileged technical specialists are allowed full use of the Internet.
See: Lazarus Group is back, targeting Banks & Bitcoin users with phishing scams
When Recorded Future started monitoring the activity of North Korean scammers, they noticed traffic spikes on weekends, with a particular focus on content streaming and online gaming. In 2018 this behavior started to change and online activity increased during the week, suggesting that these privileged users had begun accessing the global network at work.
Starting in the second quarter of 2018, the researchers saw a substantial increase in the use of anonymization technologies such as The Onion Router (Tor) and the Transport Layer Security (TLS) protocol. Other traffic obfuscation tools were also being used; for example, the DPRK tech gurus have recently started hunting for VPS and VPN deals.
In total, three IP addresses were used for outbound connections. One of them belongs to the North Korean IP range; the other two belong to Russia and China.