These are the largest cyber thefts of the past decade—and 80% of them involve Bitcoin

April 7, 2021, 12:30 AM UTC

In the 1970s, a reporter asked the legendary, and then retired, burglar Willie Sutton why he specialized in hitting banks. “That’s where the money is,” Sutton famously retorted. A recent report from the site Traders of Crypto illustrates that the world’s fattest Bitcoin wallets are today’s equivalents of the cash drawers and vaults that lured bandits in Sutton’s time.     

Traders of Crypto researchers assembled a list of the 80 largest cyber thefts from 2011 to 2020. The roster encompasses a wide variety of attacks, including multiple forays that pilfered cash from banks in such developing nations as Nigeria, Bangladesh, Tunisia, and Liberia. Thirty-nine, or just under half, of the robberies involved cryptocurrencies. Those were typically the biggest scores.

Of the total of almost $2.5 billion in attempted thefts, Bitcoin and other digital currencies accounted for a remarkable $2 billion or 80%. The criminals who grabbed cash instead of coins got hit-or-miss results: Of their 41 capers, 11 failed, and in another four cases, the money was returned or recovered. By comparison, it appears that the crypto criminals achieved a better batting average. A few of the hacked exchanges, notably KuCoin, recouped part or most of the stolen coins. But the overwhelming share of the $2 billion went to the looters, notably stuffing the pockets of Kim Jong-un’s Mao suit.

The thievery that started with the infamous Mt. Gox hack has abated but not stopped

In the years following Bitcoin’s creation in 2009, the Mt. Gox exchange in Tokyo dominated trading. From late 2011 to early 2013, 850,000 Bitcoin, accounting for 7% of the total in circulation, disappeared from customers’ wallets held by Mt. Gox, and from the coffers of the exchange itself. Although fraud and mismanagement accounted for some of the losses, the biggest source appears to be break-ins by hackers, and the search for the robbers is still ongoing.

When the scandal went public in November of 2014, the Mt. Gox losses stood at $450 million, forcing the exchange handling 70% of all global trades into bankruptcy. “The Mt. Gox attack marked the first time the press really talked about Bitcoin,” says Alex Pickard, a former miner now at investment firm Research Affiliates. “The negative publicity effectively ended Bitcoin’s first bull market.”

Mt. Gox stood as the biggest crypto scam ever until January of 2018, when North Korean hackers snatched $534 million from another leading Japanese exchange, Coincheck. The site returned all the investors’ lost money, and Coincheck is now thriving in the current frenzy over Bitcoin. The crypto pirates struck big again in September of last year, hacking $280 million from KuCoin of the Seychelles, chiefly in Ethereum. KuCoin acted fast to recover most of the money, but the thieves still managed to sell $13 million worth of coins, and launder the cash proceeds. The UN announced that its investigation “strongly suggests” the attack originated in North Korea.

Almost all raids target large exchanges, says Ondrej Krehel, chief of Lifars, a cybersecurity firm that helped unmask the crooks in one of Kim Jong-un’s most lucrative heists. “The North Koreans and other culprits will keep trying to find ways to break in,” Krehel tells Fortune. “These are military-trained hackers who execute their cryptocurrency swindles with military precision.” He explains that institutions move goods from “cold” to “hot” wallets where the coins are ready to be exchanged. It’s the equivalent of a bank’s moving cash from vaults to ATMs. The criminals, he says, hack to discover when the transfers will happen, then pounce.

North Korea is cybercriminal No. 1

“Almost all of the cryptocurrency thefts are coming from the DPRK [Democratic People’s Republic of Korea],” declares Krehel. “It requires a really skilled team to do the hacking, and the DPRK builds them.” According to the Traders of Crypto study, the DPRK is behind 12 of the 39 digital coin strikes since 2011 if we include their suspected role in the KuCoin raid. In those dozen cases, the North Koreans appear to have stolen around $1 billion in cryptocurrency, half the total swiped in the largest cases documented by Traders of Crypto.

In another 20-odd hacks that snared hundreds of millions of dollars more, the perpetrators are still unknown. It’s likely the DPRK engineered many of them, according to the UN and cybersecurity experts. North Korea also led assaults on banks that reaped an additional $200 million or so in cash.

The DOJ indicts three North Koreans for crypto theft in a landmark case

On Feb. 17, the U.S. Department of Justice announced the indictments of three North Korean computer programmers for targeting “hundreds of cryptocurrency companies” and stealing “tens of millions of dollars worth of cryptocurrency.” The DOJ accused the trio of helping mastermind the “unprecedented cyberattacks conducted by the North Korean regime”––acting as operatives for its notorious Lazarus ring.

The indictment encompasses additional charges, from extorting companies using ransomware to plundering cash from banks. It accuses the crew of leading the notorious 2014 hack on Sony Pictures that plastered confidential emails, top executives’ compensation, and plans for future films all over social media. The crime was reportedly payback for the studio’s 2014 comedy portraying a zany plot to assassinate Kim Jong-un.

In perhaps the most jaw-dropping disclosure, the indictment detailed the trio’s plot for a fraudulent initial coin offering. As presented by the fraudsters, the ICO would sell investors newly minted “Marine Chain” tokens, giving them fractional ownership in cargo ships. The con: Instead of buying the vessels, they would abscond with the tens of millions in cash raised by the bogus offering. In unveiling the charges, the assistant attorney general branded the crew as the cyber-hacker heirs to Bonnie and Clyde (although Captain Kidd might have been more appropriate): “North Korea’s operatives, using keyboards rather than guns, stealing digital wallets instead of sacks of cash, are the world’s biggest bank robbers.”

Krehel’s Lifars cybersecurity firm led the forensic investigation into a major crypto theft, in partnership with the FBI and Secret Service. In 2017, the North Koreans robbed about $75 million in Bitcoin from NiceHash, an enterprise in Slovenia that supplied processing power to miners from other miners who had power to spare. “We pinpointed the theft to Lazarus and the North Koreans,” says Krehel. “As soon as they stole the Bitcoin, they divided it into small amounts and transferred those amounts from country to country so they couldn’t be traced.” The scammers then sold the well-disguised blocks on exchanges for cash. NiceHash repaid its customers; it is now riding the Bitcoin boom and bills itself as the “leading cryptocurrency platform for mining and trading.”

According to Krehel, that cash flowed straight to North Korea’s cyber-warfare operation. “It’s funding their payrolls, their hardware, and software,” he says. “Everything they’re using to wreck computer systems with malware, steal identities, and rob cryptocurrencies.” The UN recently accused North Korea of stealing coins to finance its nuclear program.

Don’t fret, Bitcoin fans. Your wallets should be safe

You’d think that the surge in Bitcoin’s price over the past six months would embolden the thieves, leading to a lot more theft in the months ahead. But so far, that’s not happening. During the current takeoff, raids have been subdued versus earlier years. The only big score since mid-2019 was the KuCoin scam last September––and KuCoin recovered most of the boodle.

Anthony Portno, CEO of Traders of Crypto, believes that “for sure the [high Bitcoin price] will lead to more hacking,” but he goes on to note that the crypto industry has greatly sharpened its defenses. “It’s getting more savvy and experienced, too,” he observes. “The exchanges are multibillion-dollar corporations with better resources than many banks, and much better technology. The trend in recent months is to go after less-savvy customers with fake phishing to capture private keys.”

Pickard, the former miner, notes that many investors today keep their wallets at the exchanges, where they are well protected. “Keeping them there was a big no-no after the Mt. Gox disaster,” he says. “But now you have brighter, smarter people at the exchanges who’ve found out how to safeguard their wallets.” Krehel agrees that exchanges are a safe place for customers’ wallets. Still, he fears that the highly sophisticated North Koreans can still nab tokens held in the exchanges’ own accounts. “If you have a personal wallet at an exchange, you’re hard to get to,” he says. “But if an exchange itself is moving tokens around from cold to hot storage, it could be vulnerable.”

But Evan Kohlmann, chief innovation officer at global risk intelligence firm Flashpoint, finds that if exchanges or individuals who get robbed move fast, they can recover their coins. “If the theft is reported to the exchanges where the thieves may be selling the stolen coins, those exchanges can freeze the coins and return them,” he says. “But in smaller cases, individuals and exchanges need to act on their own. The DOJ does not have the resources to pursue those cases.” What’s different, he says, is the U.S. attorney general’s newfound zeal in pursuing the big crooks like North Korea.

Many Bitcoin users operate in the shadows, and don’t even report to the authorities when they get robbed. “A lot of people holding Bitcoin accounts aren’t paying taxes on that money, and don’t want the government to know about it,” says Kohlmann. “It’s like drug dealers robbed by other drug dealers. They don’t go to the police.”

Far more cryptocurrency has gone to crooks in the cybercrime era than cash or anything else. Those scams are part of Bitcoin’s myth. One hopes its sudden explosion won’t rally the nation that’s arguably our greatest military threat to find ways to keep pilfering, and to use the ill-gotten coins to do what they crave: keep raising the fear factor for the U.S. and other adversaries.
