North Korean hackers chase "dark sources" July 7 at 3:16

North Korea is alleged to be earning money for its nuclear and missile development through cyberattacks. Those carrying them out are said to be hackers belonging to the "General Directorate of Reconnaissance" under the direct control of Kim Jong-un.

We tracked the actual situation for half a year.

What came into view was a small apartment in the Middle East.

(Close-up Contemporary Reporting Team Reporter Yohei Fukuda / Director Takayuki Ishii)

Following North Korean hackers to the Middle East

Kuwait is located at the northern tip of the Persian Gulf.

It is one of the world's leading crude oil producers, with desert covering most of its land, which is about the size of Shikoku.

Kuwait City, the capital city, is a modern city lined with skyscrapers, but few people walk around the city during the day.

Even though it was early June, the temperature was over 6 degrees Celsius, and the outside was as hot and humid as entering a sauna.

"Do you see the Kuwait Tower?"

Kuwait Tower, the symbol of the city, towers along the coast.

We were on a videophone call with a former North Korean diplomat.

The man, seeing the tower glowing in the strong sunlight through the screen, smiled and said, "I miss it."

We are going to go after the North Korean hackers.

865.<> billion yen "the largest" crypto asset theft case in history

In March last year, a cryptocurrency theft case occurred that caused 3.865 billion yen in damages, which is said to be the "largest in history."

The target was a Vietnamese online game company.

The FBI of the United States announced that the crime was committed by "a hacker group that is a subordinate organization of the North Korean authorities".

It is believed that the modus operandi of the intrusion and the characteristics of the virus are consistent with those of past North Korean attacks.


North Korea is known to have launched cyberattacks around the world for many years.

Especially in recent years, it is said that crypto assets have been repeatedly hacked as a means of "foreign currency acquisition" amid severe economic sanctions.

According to the American cryptocurrency analysis firm Chainalysis, last year alone, they took about 1 billion yen in Japanese yen.

Japanese cryptocurrency exchanges are also estimated to have suffered a total of about 2300 billion yen in damage.

General Secretary Kim's Reconnaissance Directorate "Hackers = Elite"

Who are the North Korean hacker groups?

Yoo Dong-yeol, who has been investigating North Korean cyberattacks for years at a research institute affiliated with South Korea's National Police Agency, said North Korean hackers belong to the Reconnaissance Directorate, an organization that reports directly to Supreme Leader Kim Jong Un.

Yoo Dong-yeol: "I belong to the military, but in reality, it is a separate task force that reports directly to General Secretary Kim and receives instructions."

According to security firms, there are hacker groups called "Lazarus" and "Kimsuky" under the Reconnaissance Directorate.

According to Yoo Dong-yeol, in North Korea, students learn about computers from junior high school and go on to college.

Among them, only the elite with outstanding grades will be admitted to hacker training organizations.

Yoo Dong-yeol: "It takes at least 20 years to train. Cyber operations cannot be done without understanding English and other foreign languages."

Are there bases scattered throughout the country?

According to Yoo Dong-yeol, North Korean hacker bases are scattered around the world.

Yoo Dong-yeol: "First in Beijing, and then we expanded to Southeast Asia, Laos, and other countries. The 10 people work as one team, and there are bases in various places."

However, there have been no reports of these hacker bases being located or detected.

Yoo Dong-yeol: "They keep changing locations, they move so often that they can't identify their location."

Who the hell is that?

The reality of the cyberattacks that North Korea's "cyber elite" are carrying out all over the world is shrouded in mystery.

In addition to Korean experts like Yoo Dong-yeol, we expanded our coverage to experts who had carried out investigations at the United Nations, former FBI agents in the United States, and security companies around the world.

Six months after we started reporting, we were able to hear from a person who testified that he had visited a "hacker's base."

That was Ryu Hyun-woo, the former North Korean diplomat we spoke with by videophone from Kuwait.

Former diplomat who opened his mouth

Mr. Ryu majored in Arabic at Pyongyang University of Foreign Studies.

He then joined the Ministry of Foreign Affairs and served as deputy ambassador in Kuwait.

In 2019, he defected from North Korea.

When he was in the embassy in Kuwait, he was in charge of immigration control for people visiting the Middle East from his home country.

Ryu Hyun-woo: "When everyone with a North Korean passport goes to the area where they are dispatched, they are supposed to inform the embassy in that area. They had to go to the workers, check if there are any problems, what the quality of the food is, etc., and report it to the party."

At that time, many construction workers were dispatched from North Korea to the Middle East, and Mr. Ryu constantly checked their living conditions and reported them to his home country.

Ryu said some of them belonged to the General Directorate of Reconnaissance.

The activities of the General Directorate of Reconnaissance are allegedly carried out in secret, but Mr. Ryu testified that he had heard firsthand from a person belonging to the General Directorate of Reconnaissance that they were "hacking".

Ryu Hyun-woo: "There were eight people in Kuwait, nine in Qatar, and 8 in the United Arab Emirates. You can't hack when you're older."

In Kuwait, he visited their homes many times.

Of the eight, half were contracted to develop apps and earn a living as so-called "IT engineers," while the rest were engaged in hacking and other activities.

Ryu Hyun-woo: "Four people slept in a small room with bunk beds side by side, and the drawing room was large enough with just a sofa and a TV. I was using a good laptop or desktop."

According to Ryu, they rarely went out and spent their days just facing the computer.

Ryu Hyun-woo: "For example, if you run out of cigarettes and want to go buy them, you have to report them before leaving. They are like worker bees. I don't get anything. You just get a medal of honor."

Does the "hacker's base" that Mr. Ryu visited five years ago still exist?

"Front company" in the mall

"Point the camera a little higher. This building."

We started the investigation by sending live video from the scene to Mr. Ryu on our smartphone.

With Mr. Ryu's guidance, the first place we headed for was a trading company where a person in charge dispatched from the General Directorate of Reconnaissance had worked.

We drove from the city center and arrived at a shopping mall in the suburbs.

It is the kind of commercial facility that can also be found in Japan, with select shops selling clothes, miscellaneous goods, and electrical appliances.

Perhaps because it was daytime on a weekday, there were few people around, and security guards were just making their rounds of the building.

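"There's an elevator there. Press the button for the 2nd floor."

We went up to the 2nd floor (the 3rd floor by Japanese counting) and crossed a connecting corridor.

"Turn left and go straight."

"Show me the office from here. I think this is it."

This was the floor of the trading company where the person who had been the coordinator of the General Directorate of Reconnaissance members was said to have worked.

However, when we looked inside, the tenant space appeared to be no longer in use.

We made other inquiries as well, but could not gather any further information.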

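The hackers' base...

"The place where the hackers lived is very close by."

Following his directions, we drove on and entered a residential area where many foreign workers gather.

Dust swirled in the air, and garbage was scattered everywhere.

Similar-looking beige apartment blocks stood in rows.

Mr. Ryu raised his voice and began giving directions.

"No! It's to the right. Go back to the road you were on before and come in again!"

When we entered a side street, a small shop came into view.

"To the right of this shop! Show me the right!"

Looking up, we saw a nine-story apartment building standing there.

"There is no mistake, this is it. I am certain the base was on the 2nd floor."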

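The residents of the apartment building...

We entered the apartment building.

In the dim entrance, laundry was hung out to dry and chairs were lined up haphazardly.

On the stairs, floor tiles were chipped in places.

We visited the room on the 2nd floor that Mr. Ryu had indicated and rang the doorbell.

A small child and the child's father came to the door.

They appeared to be Southeast Asian.

"Hello. How long have you lived here?"

Resident: "A little over a year."

"Are there any North Koreans living in this building?"

Resident: "I don't know. People of many different nationalities live in this building."

We asked several other residents as well, but could not obtain any information that North Koreans were living there.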

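There until five years ago?

When we went down to the 1st floor, the contact details of someone who appeared to be the building manager were posted on the window at the entrance.

We tried calling, but could not get through.

As we stood there at a loss, a young man who was in the entrance went and fetched the manager for us.

The manager was a man who said he was from Iran.

We asked whether anyone connected to North Korea lived there.

Manager: "No, no. The people living here now are Indians, Sri Lankans and Filipinos."

He seemed reluctant to say more, but when we kept asking...

Manager: "The North Koreans lived here as a group of several people, but they all moved out about five years ago."

We could not get any further details from the manager.

After that, we were shown another vacant room in the building.

Past the front door were a narrow hallway and small rooms.

Five years had passed, but it had features similar to Mr. Ryu's testimony.

Were top elites with advanced IT skills really hacking companies and nations around the world from this apartment, where the environment could by no means be called good?

In that "gap," we felt we caught a glimpse of North Korea's plight.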

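Key man in money laundering

It was late April, just around the time we obtained the testimony about North Korean hackers' activities in the Middle East.

The US government placed a certain North Korean on its wanted list.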

Shim Hyun-seop.

He represents a North Korean bank in Dubai, United Arab Emirates, and is suspected of conspiring to launder some of the roughly 100 billion yen worth of crypto assets stolen by hackers.

Who is Mr. Shim really?

Ryu, who was ambassador in Kuwait, said he had been in frequent contact with Shim for two years from 2017.

Ryu Hyun-woo: "I first met him in 2017, and he called himself Hajim. He has a wife and children and his visa is about to expire, but he asked me if I could stay in Dubai."

Shim was not a hacker for the General Directorate of Reconnaissance, but a person who specialized in money laundering. Ryu said he received the embassy's operating expenses through Shim because UN sanctions prevented legitimate money transfers between the embassy and his home country.

Ryu Hyun-woo: "We relied on Shim because we couldn't officially receive the operating expenses of the embassy, and they were in charge of the exchange of funds with their home country and all the financial and banking tasks. Shim has been in China and knows a lot of Chinese vendors. I had enough language skills for business and had a broad network."

According to the indictment, Shim instructed two men of Chinese nationality.

They exchanged stolen crypto assets for dollars.

In addition, they purchased telecommunications equipment for the North Korean government.

Activities in Dubai

Based on the US wanted notice and Mr. Ryu's testimony, we also conducted interviews in Dubai for information about Shim.

Dubai is one of the world's leading financial cities.

In the corner of the city centre where Shim is believed to have been based, there were large mosques and buildings, as well as high-rise apartment buildings, and an Asian restaurant nearby.

"There is information that there are North Korean people, do you know anything?"

"I haven't seen it for 1~2 years."

While it was difficult to obtain solid information, we also went to the North Korean restaurant in a foreign-affiliated hotel in the center of the city where, according to his testimony, Ryu had met with defendant Shim, but the restaurant was already gone.

Similarly, the famous North Korean restaurant where Ryu met him in a private room had already closed.

It had been transformed into a Chinese restaurant.

Difficulty in unraveling the reality of national cybercrime

North Korean hacker bases and money laundering networks that span the globe.

For more than six months, we have interviewed experts, law enforcement officials, former investigators, and North Korean defectors from around the world.

In particular, we focused on information about the locations and people of hacker groups, but we found little concrete information.

Many advised that "identification is impossible," and some law enforcement agencies made clear that they did "not intend to prosecute the perpetrators" in the first place.

In cyberspace, it is easy to conceal the source of the attack, and conversely, it is extremely difficult to gather evidence that leads directly to the attacker.

In addition, some of the countries where hacker groups may be based are authoritarian states that are said to have ties to North Korea, and the facts there are not easy to uncover.

Maiko Takeuchi, who was a member of the UN panel of experts and monitored sanctions on North Korea, said international cooperation among countries is essential to address this national crime.

Maiko Takeuchi: "The question is how the investigative authorities of each country can work together to tackle this issue. Countries must be aware that North Korea is being targeted as a source of funding for its continued nuclear and missile development."


While this interview did not reveal even a glimpse of the hacker group, what emerged from our coverage in the Middle East was that while the hackers and the people behind their crimes are the elite with some of the country's most intelligent minds, they are engaged in cyberattacks in a foreign land, in a less than privileged environment.

We will continue to conduct interviews to get closer to the real picture of the hacker group.


Regarding cybercrime by North Korean hackers, "Close-up Gendai" broadcast "Follow the disappeared "3.865 billion yen"! ~North Korea's Dark Funding Source~" on July 7.

Yohei Fukuda, Reporter, Science and Culture Department
Joined the bureau in 2013. After working at the Okayama and Sapporo bureaus, he has been in charge of IT and cyber security since 2021.

Takayuki Ishii, Director, Social Program Department
Joined the bureau in 2009. After working in the International Program Department, he has been in his current department since 2020, covering a wide range of international fields such as North Korea and Myanmar.