Bitcoin to bombs: Illicit money and the preservation of Kim Jong-un

6 April 2022

For several years, North Korea has steadily improved its cyber capabilities, using the digital realm to inflict harm on its adversaries, signal the country’s asymmetric abilities in conflict, and achieve key strategic objectives around the world. Indeed, Kim Jong-un has referred to cyber warfare as an “all-purpose sword” — a sword the regime has been sharpening for decades.

Like China and Russia, North Korea’s ambitions in cyberspace accelerated after witnessing the US and other countries use electronic warfare (EW) technologies in conflict — specifically, the first Gulf War in 1991, and NATO operations in the Balkans in 1995. In 1995, the same year NATO was using EW tactics to confuse Serbian defences, Kim Jong-il reportedly said, “if warfare was about bullets and oil until now, warfare in the 21st century is about information. War is won and lost by who has greater access to the adversary’s military-technical information in peacetime, how effectively one can disrupt the adversary’s military command and control information, and how effectively one can utilise one’s own information”.

In the years since, cyber has become a key weapon in Pyongyang’s toolkit, which the regime has primarily relied on to attack, harass, and agitate its two main rivals, the US and South Korea. Steadily, the regime has improved its technological abilities in the cyber domain, undertaking a variety of operations, ranging from rudimentary denial-of-service attacks, to invasive and destabilising espionage campaigns, and crippling cyber robbery intrusions. Notably though, over the last number of years, Kim’s regime has drilled down and narrowed the focus of their cyber activities — honing in on attacks that can and do generate troves of stolen money for the Supreme Leader. Some have suggested these efforts are generating as much as a billion dollars a year for North Korea, while others have stated at least eight per cent of the country’s economy comes from cybercrime. Given this shift, policymakers, scholars, and practitioners alike have become increasingly focused on what has become the Hermit Kingdom’s priority in cyberspace: acquiring illicit financial resources.

If he is going to be compelled to behave differently, or if regime change is the end goal, policymakers, practitioners, and cyber experts need to cut off North Korea’s digital “bank robbers”.

Yet, regardless of the volume of material assessing North Korea’s online criminal activities, few observers pay attention to the importance money and material assets play for the Kim regime in co-opting a small cadre of elites, maintaining the façade of Kim’s ‘right to rule’, and ensuring the long-term survival of the Kim dynasty. From stealing cryptocurrencies to fraudulent financial transactions to carrying out ransomware attacks and other malicious activities, Kim Jong-un is using cyberspace to provide for the select few who matter most to him and to preserve his family’s power. For Kim, the value of revue-generating cyberattacks goes far beyond funding the country’s weapons programmes: these attacks and intrusions are a matter of survival.

Missing the point

Often, studies assessing North Korea’s strategic motivations for carrying out financially driven cyberattacks focus on two underlying determinants that influence the country’s cyber behaviour. First, scholars typically point to the Kim regime’s realisation that winning a conventional war on the Korean peninsula has become increasingly unrealistic over the last decade. Knowing the military balance between the North and South has shifted in favour of the latter, the cash-strapped Kim regime, they argue, relies on cyberspace to acquire money for the country’s nuclear programme, something the regime now considers a vital strategic deterrent. Second, many argue that Pyongyang relies on cyberspace to make and move money in the face of economically crippling international sanctions. Writing for the New York Times in 2020, David E. Sanger said, “North Korea has vastly expanded its use of the internet in ways that enable its leader, Kim Jong-un, to evade ‘maximum pressure’ American sanctions campaign and turn to new forms of cybercrime to prop up his government”.

Undoubtedly, both lines of thinking are accurate. For Kim, his moneymaking cyber army provides a lifeline for the nation’s weapons programmes and for the regime to function and provide at least nominal goods and services to the country’s 25 million citizens. However and perhaps more importantly, Kim is aggressively exploiting cyberspace to acquire financial resources and line the pockets of the country’s elite — a strategy he and other personalist dictators like Vladimir Putin rely on to ensure their country’s highest class of people acquiesce. Considering that the global financial sector has become almost entirely digitised and that North Korean hackers now have more opportunities than ever before to make money for the country’s upper crust, it is worth unpacking what this might mean for Kim, his autocratic peers, and their ability to indeterminately maintain power.

Autocrats, elite cohesion, and the power of money

Scholars and analysts have researched at length how autocrats stay in power and the factors that contribute to their survival or demise. Generally, according to Erica Frantz and Andrea Kendall-Taylor, dictators can rely on two strategies to keep their jobs: repression and co-optation. In the case of North Korea, the Kim regime uses both tools ruthlessly and routinely. However, co-optation — bestowing benefits to potential opponents and challengers in exchange for acquiescence — has been an enduring method the family has unabashedly used to ensure those closest to the Supreme Leader remain docile supporters. As Daniel Byman and Jennifer Lind wrote in 2010, “Kim Jong-il cultivates an elite selectorate to stay in power. Under this strategy, the health of the overall economy is less important than the regime’s ability to bribe elite supporters”. Ranging from a few hundred to as many as several thousand people, this strategically vital group — comprised of military officers, party officials, and senior bureaucrats — acquiesced to Kim in 2011 following the death of his father, and in the time since they have played a foundational role in keeping him in power.

While it remains nearly impossible to determine the extent to which illicit money obtained by North Korean hackers goes towards Kim’s co-optation slush fund, the scale of Pyongyang’s cybercrime suggests it likely plays a crucial role in buying elite loyalty. For instance, according to investigators from the United Nations and United States government, North Korean hackers have made away with as much as USD 2.3 billion through a range of online criminal activities. Indeed, in 2021, the US government charged three North Korean nationals over a cyber scheme to steal and extort over USD 1.3 billion from international businesses and financial institutions, with Assistant Attorney General for National Security John Demers calling North Korean operatives “the world's leading bank robbers”. Further, a 2022 report found that “North Korean cyber criminals had a banner year in 2021, launching at least seven attacks on cryptocurrency platforms that extracted nearly $400 million worth of digital assets last year”.

This surge in cybercrime comes at a time when North Korea’s economy is arguably at its lowest point under Kim Jong-un. Yet, the country’s elite are reportedly enjoying new amenities such as ski resorts, theme parks, and a new airport — luxuries a select few in the Asia Pacific’s poorest nation can enjoy, let alone afford. In addition, high-end cars, luxury watches, expensive jewellery, modern electronics, and access to the internet are other benefits Kim — as ‘Capo dei capi’ — bestows to his loyal acolytes. Ultimately, without North Korean hackers making the money they do for the regime, it is unlikely much of this would be possible. The country is isolated, the regime continues to carry out a range of hostile acts thereby pushing it further away from the West, it is experiencing food shortages, and even Kim recently admitted the nation has not met its economic or developmental goals. Still, the country’s influential families enjoy the fruits of their devotion.

Without hackers, Kim will not survive

Going forward, if South Korea, the US, and other countries want to make life harder for Kim, they should pay more attention to the role his hackers play in co-opting elites, keeping his inner circle happy, and ensuring he lives to see another day. As political scientist Steffen Kailitz has said, “as soon as the personalist autocrat cannot provide enough ‘booty’ to his personal gang, they will start to look for an alternative. Eventually, the personalist autocrat is alone in his fight to survive”. For Kim, this “booty” is found online. If he is going to be compelled to behave differently, or if regime change is the end goal, policymakers, practitioners, and cyber experts need to cut off North Korea’s digital “bank robbers”.

To do this, the international community needs to develop a supranational strategy to more effectively combat and respond to North Korea’s cybercrime and online criminal activities carried out by other hostile actors. Further, greater coordination with the private sector and more specifically, the international financial community must take place. Threat-related information, intelligence, analyses, and mitigation strategies will be most useful in confronting these challenges if they are disseminated widely to entities under attack. Moreover, countries should explore and be ready to apply calibrated punitive measures to any individual or entity involved with North Korea’s illegal cyber activities. As Bruce Klinger rightfully points out, “Despite the severity of Pyongyang’s cyberattacks, the US government has taken action only against a handful of North Korean actors”. This needs to change.

Finally, though these are not exhaustive recommendations, greater analysis is needed on what future regulation of cryptocurrency exchanges should look like to make life harder for criminal actors, including North Korean hackers. Relatedly, greater research is warranted on what the future of emerging currencies and financial technologies could mean for North Korea, and other nefarious actors eager to increase their strategic power positions. After all, without his country’s devoted hackers making the money they do, Kim would not last long.

DISCLAIMER: All views expressed are those of the writer and do not necessarily represent that of the 9DASHLINE.com platform.

Author biography

Casey Babb is an Associate Fellow at the Royal United Services Institute, an Affiliate with the Canadian Network for Research on Terrorism, Security and Society, and a former advisor to Canada’s Minister of National Defence. Image credit: Flickr/李季霖.