It has also created a shadow workforce of well-paid overseas IT professionals using fake identities, he said, giving Kim Jong-un a vital resource to fund his nuclear ambitions.
“We believe cyber heists and overseas IT workers are right now North Korea’s biggest revenue generator,” he said.
It was “worrisome” these “malicious cyber actors” were linked to the North’s munitions industry, defence ministry and General Reconnaissance Bureau – the intelligence agency behind the North’s clandestine activities – all of which are sanctioned for their weapons development, he added.
“We do assess that of the money they make out of these [cyber] activities, a substantial amount goes to their weapons programme.”
The UK, as a global financial hub, “could also be a very good target for North Korea,” Mr Lee warned.
Unprecedent surge in tests
It is impossible to pin an exact figure on precisely how lucrative cybercrime is for the authoritarian regime.
According to Elliptic, over 5,000 crypto accounts are believed to have been impacted by the Atomic Wallet attack, with at least ten users losing more than $1m, and more than 160 others losing more than $100,000.
South Korea’s National Intelligence Service estimates that the North has stolen $1.2bn in cryptocurrency since 2017, with some $626m being stolen in 2022 alone. American estimates are higher.
Digital heists over the past five years have netted more than $3 billion for North Korea, the Wall Street Journal reported this week, citing the blockchain analytics firm Chainanalysis.
That money is being used to fund about 50 per cent of North Korea’s ballistic missile programme, according to US officials, who previously believed it accounted for one third.
The rise coincides with a sharp and unprecedented surge in weapons tests, including intercontinental ballistic missiles, over the past year.
US officials say teams of covert North Korean IT workers, posing as East Asian, Eastern European or US-based teleworkers with fake IDs collectively earn more than $3 million a year for the regime.
The illegal workers are hard to spot, operating primarily out of Russia and China and obtaining freelance contracts for software and mobile application development. They are known to hire “front people” as actors to help them through job interviews, and when recruited they sometimes alter products to allow them to be hacked.
Collateral damage
Mr Lee and his team have compiled a list of red flags to help companies identify fraudulent North Korean cyber experts.
He warned that if North Korea reopens its borders post-pandemic, there may be an outflow of such cybercrime teams.
“Where there is a vulnerability, they exploit it. That’s why we have been doing outreach all over the world to raise awareness of the threats,” he said.
But as the North Koreans evolve their techniques, more innocent bystanders are becoming collateral damage.
Another victim of the Atomic Wallet heist, who did not want to be named, said she had used the account for her salary and, like Mr Anastasiou, had not been able to recover the funds.
“This was all the money I had leaving Russia to start a new life,” she said. “Now it’s going to be a thousand times harder.”
Mr Anastasiou suspects the hack could have been caused by a malicious code, but is sceptical towards the idea of a North Korean plot, but he and other victims believe the company has not done enough to help.
Atomic Wallet said it was “committed to helping as many victims of the recent exploit as possible” and had engaged a leading crypto incident investigator “to trace stolen funds and liaise with exchanges and authorities.” The Telegraph contacted Atomic Wallet for further comment.
