Connect with us

Hi, what are you looking for?



Analysis of North Korea’s Internet Traffic Shows a Nation Run Like a Criminal Syndicate

Recorded Future has published a series of analyses on North Korea’s most senior leadership’s use of the internet. As the last report of the series, it demonstrates how adaptable this leadership has become in both using and monetizing its use of the internet.

Recorded Future has published a series of analyses on North Korea’s most senior leadership’s use of the internet. As the last report of the series, it demonstrates how adaptable this leadership has become in both using and monetizing its use of the internet.

The leadership’s pattern of global internet usage has shifted. A year ago, it peaked at the weekends, primarily for online gaming and video streaming. Over the last year, weekday usage has increased while weekend use has decreased (although weekend use is still primarily for gaming and streaming). Recorded Future does not know why this shift has occurred, but suggests that it is indicative of the global internet becoming a greater part of the leaders’ every day work.

Concurrent with this pattern change has been the construction of North Korea’s new Internet Communications Bureau headquarters in Pyongyang. The combination of changing usage patterns and the completion of this building could, suggests Recorded Future, “signify a professionalization of internet use across North Korea’s most senior leadership. This would mean that these leaders utilize the internet to a greater extent as part of their jobs, as opposed to for their own entertainment.”

North Korea Cybercrime ActivityNoticeably, an earlier spike in the use of secure browsing (use of Tor, VPNs, etcetera) has diminished. The report suggests the spike may have been caused by an internal policy requirement, “which then slowly waned over time as the costs in time, money, and accessibility began to outweigh the benefits.”

A move away from the use of Western social media in favor of Chinese equivalents such as Baidu, Alibaba, and Tencent was first detected in late 2017. This has persisted — except for LinkedIn, where usage has increased.

Cryptocurrencies are known to be used by North Korea as a form of foreign exchange. North Korean cybercriminals are thought to be behind numerous raids on cryptocurrency exchanges in recent years. Recorded Future now believes the country has also been involved in at least two cryptocurrency scams.

The first involved the altcoin HOLD. In early 2018 it went through the process of ‘staking’, where users mine an initial number of coins but are not allowed to trade them. The purpose is to build interest, value and a user base — but it’s a risky process since the developers control the staking timeframe and can limit the trades. 

“Over the course of 2018,” reports Recorded Future, “HOLD coin was listed and delisted on a series of exchanges, underwent a rebranding, changed its name to HUZU, and as of this publication, has left its investors high and dry. We assess with low confidence that North Korean users were involved in the Interstellar/Stellar/HOLD/HUZU altcoin.”

Advertisement. Scroll to continue reading.

The second scam that it assesses with high confidence was conducted on behalf of North Korea was a blockchain application called Marine Chain Platform. Recorded Future notes that in April and May 2018, the Marine Chain website was hosted on the same IP address that hosted Binary Tilt. Binary Tilt has been declared fraudulent by the government of Ontario, Canada. Dozens of users have posted testimonials of losses of tens to hundreds of thousands of dollars and scams on this site. 

Recorded Future has traced Marine Chain connections to North Korea. In particular, Marine Chain’s CEO, Captain Foong, has been connected to Singaporean companies that have assisted North Korean sanctions circumvention efforts since at least 2013. “Capt. Foong,” claims the report, “is part of a network of enablers throughout the world that assist North Korea in circumventing international sanctions. These connections to Marine Chain Platform mark the first time this vast and illicit network has utilized cryptocurrencies or blockchain technology to raise funds for the Kim regime.”

A heuristic developed by Recorded Future to analyze internet traffic between North Korea and other countries has, in the past, enabled the firm to identify eight nations where North Koreans were physically located or living, including India, China, Nepal, Kenya, Mozambique, Indonesia, Thailand, and Bangladesh. Improvements to the heuristic have enable the firm to gain deeper insight on data from China and India. 

In China, this has discovered high volumes of activity involving the Beijing, Shanghai, and Shenyang regions, and also Nanchang, Wuhan, and Guangzhou. It also enables the firm to state with moderate confidence that seven Chinese universities have currently or previously hosted North Korean students, teachers or partners.

In India, Recorded Future detected high volumes of activity involving Delhi, Bangalore, Kolkata, and Hyderabad. It observed suspicious traffic involving the Indian Meteorological Department and National Remote Sensing Centre, but was unable to determine maliciousness.

The heuristic found an overlap with known North Korean illicit financing or logistics networks — but not for Russia. Internet activity with Russia amounts to just 0.5% of that with China. Recorded Future turned to a report published in August by the non-profit organization C4ADS. This includes the comment, that as much as 80% of North Korea’s overseas workforce is located in China and Russia. The implication is that far more North Koreans live and work in Russia than is suggested by the comparison of internet traffic between the two countries.

The C4ADS report also notes, “some estimates suggest that North Korean laborers may generate as much as $1.2 to $2.3 billion USD per year for the Kim regime, which — if true — would be equivalent to as much as 93% of North Koreaís total exports in 2016.” It adds that most worksites exhibit features characteristic of forced labor. The laborers work 12- to 16-hour days and hand over between 70% and 90% to handlers to be sent back to North Korea.

Recorded Future suggests that the difference in North Korea/Russia and North Korea/China internet traffic is that the former work as laborers with no internet requirement, while the latter work in the information economy, buil
ding mobile games, apps, bots, and other IT products for a global customer base. “This type of information economy work,” writes Recorded Future, “creates a different internet fingerprint than exploitative manual labor and likely clarifies the discrepancy between physical presence and internet activity.”

Recorded Future concludes that its research “has demonstrated how adaptable and innovative North Korea’s most senior leadership are. They are quick to embrace new services or technologies when useful and cast them aside when not. The Kim regime has developed a model for using and exploiting the internet that is unique — it is a nation run like a criminal syndicate.”

Related: North Korea’s Elite More Connected Than Previously Thought 

Related: North Korea’s New Front: Cyberheists 

Related: New North Korea-linked Cyberattacks Target Financial Institutions 

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.