Cybercrimes & Criminals: The North Korean Link

Print Friendly

S. Mushfiq Murshed


Nations, Institutions, businesses, communities and individuals, alike, have benefitted from the digital age. An entities online presence is fast-shifting from an option to a necessity. This reliance has a flipside as well. Digital users are constantly under threat from the malicious online activities of cyber criminals. Anti virus and firewall options may not be as effective as presumed when the criminals work under the umbrella of a nation-state and possess superior expertise and network access.

Whereas numerous countries have used hacking as a form of espionage and surveillance, North Korea has made a name for itself   in this field of digital hacking in an altogether unique manner. It is considered as the first nation-state that has used cyber attacks for “stealing money.” 1

This is not surprising as cyber attacks provide an inflow of much needed resources for them. “North Korea’s economy has been ravaged by sanctions, food shortages and other deprivations. Pyongyang does not publish economic data, but estimates have put North  Korea’s  gross domestic product between $12 billion and $40 billion, tiny when compared with South Korea’s economic output of more than $1.4 trillion.” 2

This strategy to circumvent the effects of sanctions by increasing the flow of funds into the country through criminal activities was used by the North Korean regime much before the advent of the digital age: “from the late 1970s through the turn of the 21st century more than   20 diplomats and officials were implicated in drug trafficking schemes. Around 2001, the state began shifting from direct trafficking to producing drugs and supplying them to other criminal organizations.” 3

North Korea also successfully counterfeited the US $ 100 note. The counterfeit notes were flawless to the extent that the Federal Reserve had to introduce and circulate new and improved US $ 100 bills that were difficult to replicate.

As technology progressed, so did the North Korean strategy to bring money into the country. With the advent of the digital age, Kim Jong- Un established “Unit 180” in 2013. According to Kim Heung-kwang (a North Korean defector who is considered as an expert on North Korea’s cyberforces), “Unit 180’s primary job is to gain foreign currency to fund projects to develop ‘five major weapons’ — including nuclear bombs, long-range missiles and submarine-launched ballistic missiles.” 4

Since then, as indicated by a panel of experts reporting to the UN Security Council (2019), Pyongyang has amassed approximately $670 million in “foreign and virtual currency through cyberthefts, using blockchain technology to cover its tracks”. 5

“The 2015 attack on the Central Bank of Bangladesh that was one of the most sensational attacks linked to North Korean hackers, who made off with $81 million. In 2018 India›s Cosmos Bank was hacked to the tune of $13.5 million. Earlier this year those same hackers infiltrated the Bank of Chile›s ATM network and siphoned off $10 million.” 6

“North Korea’s hackers have successfully attacked numerous cryptocurrency exchanges, too. Cybersecurity experts at Group-IB estimated last year that they were responsible for around 65% of all crypto exchange hacks. Between January 2017 and September 2018 it›s believed that those attacks resulted in more than $570 million in losses.” 7 The North Korean linked hacking group named Lazarus is said to have hacked 14 crypto exchanges since 2017. 8

Lazarus first gained notoriety when it hacked Sony Pictures as they were producing a comedy, The Interview, based in North Korea. 9 Since then, Lazarus has also concentrated its efforts towards online virtual bank heists and other financially motivated cyber attacks.

Lazarus is also considered to be the mastermind behind the 2015 attack on the Central Bank of Bangladesh. They were able to steal $ 81 million whereas the original amount they had targeted was $ 1 billion. “According to the U.S. government alert, one incident in 2017 saw cash withdrawn simultaneously from ATMs in over 30 different countries. In another major incident in 2018, cash was taken from ATMs in 23 separate countries.” 10

Some experts consider Unit 180 and Lazarus to be the one-and-the- same entity.

Cyber attacks in Pakistan

The media has highlighted three major cyber attacks in Pakistan since 2017. One attack was on the car-hailing service app, Careem. Its data was compromised and hackers stole personal information of its clients.

The other two attacks were in the banking sector. The “technology driven banking system in Pakistan” has kept up with global online banking trends. They, however, still need to improve their digital security, as their increased presence online has also exposed them to the constant threat of cyber attacks.

As a result of this digital security shortcoming, the first major cyber attack on a bank was orchestrated in December 2017. The target was one of the largest banks of Pakistan, Habib Bank Limited (HBL). This attack affected nearly 600 customers but the amount lost did not exceed Rs.10 million. “Banks, including HBL responded by blocking users’ ATM cards as a precaution against further loss”. 11

The method used in the above mentioned incident is known as skimming. The skimming device used in undetectable and is usually “placed over the card swipe mechanism of an ATM.” The device is used “to steal credit card information in an otherwise legitimate credit or debit card transaction. When a credit or debit card is swiped through a skimmer, the device captures and stores all the details stored in the card’s magnetic stripe. The stripe contains the credit card number and expiration date and the credit card holder’s full name. Thieves use the stolen data to make fraudulent charges either online or with a counterfeit credit card.” 12

On 27 October 2017, the second major cyber attack in the banking sector of Pakistan began with a much smaller bank – BankIslami. The bank claims that it lost Rs. 2.6 million and claimed that it averted “a bigger financial loss which, international payment managers suggest, was to the tune of $ 6 million, following its exit from the international payment system”. 13

Experts have indicated that the 2018 cyberattacks were much more damaging than the one case of BankIslami:

  • “Pakistan’s Computer Emergency Response Team (PakCERT) investigated the cyber attack. According to their analysis “data from 19,864 cards belonging to customers of 22 Pakistani banks has been put on sale on the dark web”. 14
  • “According to a digital security website, data of over 8,000 account holders of about 10 Pakistani banks was sold in a market of hackers”. 15
  • “As concerns about a breach of credit and debit cards data spread in the banking circle, around 10 banks have blocked all international transaction on their cards”. 16
  • GEO news was informed by the Director of FIA Cyber-Crimes wing that, “Almost all (Pakistani) banks data has been According to the reports that we have, most of the banks have been affected.” 17
  • The State Bank of Pakistan (SBP) rejected the Director of FIA Cyber-Crime’s statement. The SBP spokesperson also said the following about the PakCERT report: “Quite likely this data itself is fake.”

Such conflicting statements do not provide the confidence that account holders in Pakistani banks are looking for. In addition, the customer has been further distressed by short-term solutions like blocking all international transactions on cards. This is no solution. The SBP has to develop a more proactive strategy to secure the funds of the citizens of Pakistan that have been deposited in the banking systems of this country.

Cyber attacks in Pakistan and the North Korean link

The director of FIA cyber-crime wing also stated that international players were involved in the attack mentioned above. In addition, the author of the PakCERT report also suggested that the people involved in the skimming process could either have come from abroad or there could have been locals who were assisting “a more advanced group from outside Pakistan”. 18 If one correlates global cyber attack trends  of a similar nature with these statements then one could logically single out North Korean hackers as the most plausible culprits.

Cyber crimes of this nature cannot be brushed under the carpet. There have been countless international warnings and incidents of cybercrimes by the North Koreans. If nothing else then the SBP should have taken notice of the 2017 cyber attack on HBL and initiated a drive towards improving online security of banks within the country.

Even after the 2018 attack, the SBP has issued limited instructions to the banks in Pakistan. It has asked the affected banks to restrict international card usage and to “take the requisite precautionary measures”. 19 It needs to do much more. The least that it can do is to provide detailed instructions on how to enhance cyber security within the banking sector. In addition, claiming, “transactions within Pakistan remain safe” 20 is clearly not enough to alleviate the fears of account holders in Pakistani banks. The SBP needs to “undertake a formal investigation into the security breach”. 21

The  Government  has  to  be  more  proactive  in  safeguarding the financial assets of its citizens. The necessary agencies and ministries also need to be more vigilant in their surveillance of foreigners (especially those associated with rogue states) and their online activities. A more stringent background check before issuing visas and work permits needs to be in place along with a more comprehensive registration process.

In addition, nationwide media awareness campaigns to highlight the threat from digital hackers to Pakistani citizens and financial institutions need to be initiated. It has been reported that North Korean hackers have infiltrated databases and networks of businesses, banks, government institutions, etc. by either gaining employment there or supplying corrupted equipment and software. The average Pakistani citizen cannot be expected to be diligent in their procurement and recruiting activities if they are not even aware that there is a threat.

The Pakistani Government is launching an amnesty scheme to document the economy and bring tax non-filers into the tax net. This scheme will hit unnecessary roadblocks if the citizens that are being targeted by this scheme do not have faith in the security of the Pakistani banking system.

Blocking international transactions on debit and credit cards is not a solution. The SBP has to develop a more sensible strategy to secure the funds of the citizens of Pakistan that have been deposited in the banking systems of this country. Information on attacks like the cyber attacks on the Banks cannot be hidden from the public under the false pretense of controlling panic. It is the hard-earned money of the citizens that is at risk. It is the right and need of the citizens to know: what happened, who was behind it and what is being done to fix this problem.


1- Nicole Perlroth and Michaell Corkery, “North Korea Linked to digital attacks on local banks”, The New York Times, May 26.

2- ibid

3- Lee Mathews, “North Korean Hackers Have Racked in $670 Million Via Cyberattacks”, Forbes, May 11, 2019,  

4- Jiro Yoshino, “North Korea’s cybertroops span the globe in quest for cash”, Nikkei Asian review, March 15, 2018,

5- Kaori Yoshida, “North Korea stole cryptocurrency via hacking: UN Pannel” Nikkea Asian Review, March 8, 2019. 

6- Lee Mathews, “North Korean Hackers Have Racked in $670 Million Via Cyberattacks”, Forbes, May 11, 2019,

7- ibid




11- Salman Siddiqui, “Beware – Hackers are going after ATMs in Pakistan”, The Express Tribune, December 3, 2017, beware-hackers-going-atms-pakistan/


13- Salman Siddiqui, “Pakistan’s Banking system witnesses another cyber attack”, The Express Tribune, October 29, 2018,

14- Farooq Baloch and Iftikhar Firdous, “Pakistani Banks hit by biggest cyber attack in country’s history”,, November 6, 2018,

15- Shahid Iqbal, “Around 10 banks block international payments on debit and credit cards”, Dawn, updated on November 4, 2018,

16- ibid

17- Ayaz Syed, “Data from almost all Pakistani banks stolen, says FIA cyber-crime chief”,, November 6, 2018,

18- Farooq Baloch and Iftikhar Firdous, “Pakistani Banks hit by biggest cyber attack in country’s history”,, November 6, 2018,


20- ibid

21- ibid