A Letter in Response to Senators Warren and Reed
- DeFi Education Fund
- May 29
On May 19th, Senators Elizabeth Warren and Jack Reed wrote a letter to Secretary of the Treasury Scott Bessent and Attorney General Pamela Bondi concerning North Korea’s hack of ByBit. The Senators express concern over North Korea’s theft and money laundering efforts, which are valid concerns generally, but paint a false narrative that cryptocurrency is “keeping the regime afloat” and demonstrate a fundamental misunderstanding of the ByBit hack that ignores traditional cybersecurity risks.
While there is no doubt North Korea – and specifically the Lazarus Group – has significant hacking capabilities, North Korea frequently relies on social engineering and supply-chain attacks to compromise its targets. That is: manipulating people to provide access or sensitive information and compromising trusted third parties to reach their actual targets. The Senators initially acknowledge these as common approaches by North Korea but seem to stray from that in their reference to the ByBit hack as reflecting “a further escalation in North Korea’s ability to execute complex crypto theft schemes.” However, the ByBit hack falls under the latter: a supply-chain attack.
In ByBit’s case, hackers manipulated the user interface (UI) of Safe{Wallet} – a blockchain application requiring multiple private-key holders to sign a transaction – by compromising a Safe{Wallet} developer’s computer and then injecting malicious code into the Safe{Wallet} UI. The ByBit signers, relying on the manipulated interface, were presented with what appeared to be a routine internal transfer of funds, which led them to approve a transaction that subsequently drained their depository.
While sophisticated and deeply unfortunate, nothing about this attack suggests that the North Korean hackers were able to compromise ByBit’s cold storage wallet – the device used to sign transactions via Safe{Wallet} – as the Senators seem to suggest. This was entirely at the interface level, as North Korea was only able to acquire the cryptocurrency upon ByBit’s approval of a manipulated transaction – an innately human error and not related to the cold storage wallet.
And North Korea does not discriminate between traditional finance and crypto in their cyber attacks. For example, in 2016, North Korea attempted to steal $1 billion from the Bangladesh Bank by compromising the bank’s computer system with employee credentials. In the end, the hackers were able to steal $101 million, with $81 million remaining unrecovered. Furthermore, North Korea is able to raise funds in various ways that have nothing to do with cryptocurrency, including through illegal gambling sites and online scams. In fact, illicit activity in general is not primarily conducted with cryptocurrency, and remains rampant in the traditional financial system with $2 trillion in illegal transactions globally each year. All while anti-money laundering (AML) efforts like the Bank Secrecy Act (BSA), a program designed to detect and counter the laundering of illicit funds among other things, have proven ineffective.
Evidently, the issue is broader, and arguably different, than what Senators Warren and Reed seem to suggest. Cyberattacks and money laundering certainly remain a concern, but Senators Warren and Reed’s assertion that North Korea “relies on cryptocurrency” to undermine U.S. national security efforts conflates technology with what is inherently a cybersecurity risk and the primary means for North Korea’s money laundering. If anything, their “Anti-Crypto Army” rhetoric is merely an attempt to turn neutral technology into a partisan issue.
Instead, to address the Senators’ questions to Secretary Bessent and Attorney General Bondi, the United States should focus on promoting sound cybersecurity across all industries and focus on improving existing AML efforts where money laundering is most prevalent: traditional finance.
With regard to crypto specifically, the United States should continue to encourage and work with industry participants on bolstering existing crypto cybersecurity efforts – the Security Alliance (SEAL) is a good place to start. (SEAL formed in 2024 to remedy security risks, provide legal protection for white hat hacking in crypto, and help with incident response, among other initiatives.)
We would also encourage the Senators to dig into how the crypto industry has been responding organically to mitigate risk of supply chain attacks. For example, since the ByBit hack, Safe{Wallet} has added verification mechanisms for users to confirm the validity of transactions on their UI and provided separate tools for independent verification. Software developers within the industry have also shared code to detect and prevent UI spoofing attacks – i.e., when a hacker manipulates the appearance of the UI like in ByBit.
But, more importantly, the United States should recognize and protect the inherent security in cryptocurrency’s cryptographic software and decentralized base layer networks. Blockchain infrastructure makes it nearly impossible for bad actors to hack or manipulate the ledger of financial transactions itself, and would, if managed properly, strengthen the United States’ national security efforts.
In shifting our collective focus to the actual cybersecurity risks bad actors hope to exploit, while also promoting the development of novel technologies that can help keep us safe, the United States can make significant strides in preventing North Korea’s ability to fund its military development and economic initiatives. Blaming the crypto industry for all illicit activity is short-sighted, dangerous, and will not make America safer from North Korea.
If Senators Warren and Reed are interested in learning about the realities of the technology they criticize, we at the DeFi Education Fund would welcome the opportunity to engage with them.
This blog post was written by Lizandro Pieper, Research Director at the DeFi Education Fund.