on
North Korean Hacker Profit Margins
“As laid out in today’s indictment, North Korea’s operatives, using keyboards rather than guns, stealing digital wallets of cryptocurrency instead of sacks of cash, are the world’s leading bank robbers,” — Assistant Attorney General John C. Demers of the Justice Department’s National Security Division
A few months back, a series of federal indictments served on North Korean hackers was released by the Department of Justice. In these documents, they go through a long laundry list of details about North Korean hackers that sheds an intriguing light on what it is like to be a top hacker in North Korea. In this post, I’m going to calculate up an estimate of how much North Korean hackers make and draw a few interesting parallels between how these gangs operate and startup culture.
First off, as a preliminary, it should be noted that nation state hackers operate differently from normal hackers in that they have a much easier time of operating since they know that in a given worst case scenario they can’t actually be arrested by anyone. Nation state hackers are often actually worse than traditional hackers because they have fewer constraints, they can be as sloppy as they want while still not getting caught so often they are free to do more things and attempt a larger volume of hacks than someone fearing capture would be able to pull off.
This increased workload because of their relative safety leads to an extremely high rate of hacks overall. They seem to operate according to lean principles much like a startup and pivot rapidly between different new ideas. The time between an idea forming, initial production of a viral product or hack, and execution of that idea seems to be around 1-2 month timescale.
Implying that these hackers can create an idea for a project, develop that project, and then actualize it in the wild for some payout in under a month. If the numbers presented by the indictment are to be believed this is an incredible feat besting some of the best developers in Silicon Valley.
The freedom they seem to have in what they are doing seems to have the same atmosphere as a research and development center like Xerox Parc, but if it were oriented toward rapidly pumping out products similar to early stage startups. If we do a little creative reading of the indictment it seems obvious that no managers are telling them what to do or what attacks to cultivate.
The sheer variety and creativity of the hacks and the targets indicate an extremely scattershot approach toward what they are doing and who they are attacking. Many of the hacks sprawl into weird and divergent territory spontaneously from month to month.
“The scope of the criminal conduct by the North Korean hackers was extensive and long-running, and the range of crimes they have committed is staggering,” — Acting U.S. Attorney Tracy L. Wilkison for the Central District of California.
I speculate that their management structure is probably more based on monetary quotas to be met each month as a stipulation with how they achieve that monetary quota being completely up to the developers and hackers. Imagine you are a manager over a team that is bringing in roughly 5-20 million on average each month.
On certain months the team is able to bring in an order of magnitude more. Would you rather restrain these people with explicit directions or would you rather just let them go wild with the only directive being to maximize our profits whatever way you can possibly creatively come up with?
The next question to ask is, how much are they actually taking in?
From the indictment, we can get a pretty reasonable estimate, though what they can be charged with is probably an underestimate of their actual earnings. The time period of the actions within the indictment is “September 28, 2009, and continuing through at least December 8, 2020”. The period that the hackers seemed to be most successful at actually obtaining money regularly was 2016-2020 so that is what I’ll use for my estimate.
| Date | Description | Amount |
|---|---|---|
| November 24, 2014 | Sony Hack | $0 |
| December 2, 2014 | Movie Theatre Phishing | $0 |
| November 2015 | Philippine Bank Hack | $0 |
| December 9, 2015 | Vietnamese Bank Hack | $7.7M |
| February 4, 2016 | Bangladesh Bank Hack | $1.05B |
| July 20, 2016 | African Bank Hack | $104.1M |
| October 2016 | Polish Bank Hack | $0 |
| June 29, 2017 | South Korean Cryptocurrency Company | $16M |
| August 24, 2017 | Individual Extortion | $100k |
| October 3, 2017 | Eastern Europe Bank Hack | $60.1M |
| October 13, 2017 | Central American Casino #1 | $2.3M |
| November 2, 2017 | Central American Casino #2 | $361.5k |
| December 15, 2017 | Slovenian Cryptocurrency Company | $75M |
| January 9, 2018 | Bancomext | $110M |
| September 27, 2018 | Indonesian Cryptocurrency Company | $ 24.0M |
| October 27, 2018 | Bank Islami ATM cashouts | $6.1M |
| February 12, 2019 | Maltese Bank | $15M |
| August 7, 2020 | NY Financial Service Company | $11.8M |
| Total: $1.48B |
Here I’ve listed off most of the highest paying things mentioned in the indictment, there is hardly a month without something listed in the indictment but most of the items either do not have dollar amounts or were failed attempts. I should note that my total here is a little higher than the one presented at the beginning of the indictment because the exchange rates between different currencies have changed and I converted everything into USD for my estimate. In the actual indictment, the value of the stolen goods is estimated at closer to $1.3B.
If we then take this number and divide it over the 4 years of the indictment that gives us an estimate of $371M per year with an average of approximately $31M per month. If we then assume that this is a crew of 20 individuals as an example that means that each of them is bringing in $18.5M per person per year of profit to North Korea.
We can then compare this to the average profit that an employee of Apple, Facebook, Google, and Microsoft provide for each company, and can see that the North Korean hacker in an idealized setting with 20 employees probably brings in more. If we assume that there are many more hackers in this group than 20 this number would probably match that of Apple approximately. We can also assume that this crack team of hackers is providing a significant income stream to the country.
One factor that I am not noting in this analysis is that the amount of money stolen is not necessarily the same amount that was actually cashed out through a money laundering process. The process itself we can assume skims a massive amount of the profit, and we can also assume that much of this money is lost at some stage in the process. It is impossible to tell what the actual profit is after these losses.
Most state based threat actors in Russia, China, or the US have some clear rules and levels of management and restraint in what they do. They often are posed with a general mission or task set that forces them to do assignments as they are ordered, with some level of secrecy. Some of these threat actors will pretend to be another countries hackers in order to shift the blame away from themselves and create plausible deniability.
Here instead we see a set of hackers that appear to be totally unrestrained in terms of what they are actually doing and how they go about doing it. They are not afraid of being caught and have only one directive to make more money as much as humanly possible as fast as possible with no restrictions in terms of the law or their material resources. They exist in a limbo that really doesn’t exist within any other country or place on earth.