Despite North Korea's isolation from the rest of the world, the country's ruling elite use the internet to escape economic sanctions and to find and tackle new money-making opportunities, legal or not.
According to a report Recorded Future shared with BleepingComputer, the Kim regime is familiar with cryptocurrencies, interbank transfer systems, and online gaming, and is not shy about exploiting them for financial gain.
"We have discovered an asset-backed cryptocurrency scam called Marine Chain run by a network of North Korea-enablers in Singapore and at least one other scam coin, called Interstellar, Stellar, HOLD, or HUZU, also possibly tied to North Korea," the report informs.
The Marine Chain asset-backed cryptocurrency was supposed to enable tokenization of ships. However, the scammers made the mistake of using a near clone of another website, which redditors were quick to spot.
The scam works by deceiving potential users with the promise of a stable coin rooted in real-world assets. Once enough people have invested in the cryptocurrency, the scammers close shop and leave them high and dry.
Recorded Future's threat research team, Insikt Group, used the Marine Chain website as the starting point for tracking the people behind the scam. By checking domain registration records, they found it was hosted at the same IP address as the website of a fraudulent company that stole thousands of dollars from users.
After finding the name of the company behind the website, the researchers relied on open-source intelligence to learn the names of company advisors.
One clue led to another until the researchers discovered a connection between the alleged CEO of Marine Chain and various companies that have helped North Korea escape sanctions since at least 2013 by facilitating illicit activity on behalf of the DPRK.
"Capt. Foong is part of a network of enablers throughout the world that assist North Korea in circumventing international sanctions. These connections to Marine Chain Platform mark the first time this vast and illicit network has utilized cryptocurrencies or blockchain technology to raise funds for the Kim regime," the report explains.
This type of cryptocurrency fraud is characteristic of the low-level financial crime that North Korean defectors describe. More lucrative illegal activity has also been tied to the Kim regime in the past.
According to a recent report from cybersecurity company Group-IB, $882 million was stolen between 2017 and 2018 from 14 cryptocurrency exchanges. The company says that at least five attacks were carried out by North Korean hackers from the Lazarus group.
Access to the global internet is restricted in North Korea, and only the ruling elite has access to this perk. The less privileged individuals can access the Kwangmyong, which is the heavily restricted domestic intranet.
Since Recorded Future started to monitor the online activity of the leading class in North Korea, the researchers noticed increased activity over the weekend, when traffic consisted of online gaming and content streaming.
This behavior changed in 2018 when the activity intensified during the week, suggesting that the leaders started to access the global internet at work.
Beginning in April, the researchers noticed an increased use of traffic obfuscation technology, like Virtual Private Networks (VPNs), Virtual Private Servers (VPSs), the Transport Layer Security (TLS) protocol, and The Onion Router (Tor).
The outbound connections use three IP address ranges, one of them belonging to the country's address space, which is routed by operators China Unicom and Trans TeleCom in Russia.
Another IP range is allocated by China Netcom, and the third is a range operated by a Russian satellite company, the researchers say.