North Korea isn’t much of an early adopter of technology. Compared to its neighbors, the Hermit Kingdom is the tech laggard of Asia. China, Japan, South Korea, and Taiwan have all been technology powerhouses for decades, while nighttime satellite images of North Korea still show the country as a virtual black hole.

And while its neighbors—including Russia—jumped on the cryptocurrency bandwagon quite some time ago, North Korea has kept its distance from the emerging financial technology.

Until recently, that is.

Perhaps owing to the abrupt spike in the trading price of bitcoin over the course of the last year, or maybe as a response to the new multilateral sanctions imposed on the country, North Korea appears to have come around to the potential of bitcoin and cryptocurrencies generally.

Not that North Koreans are using them much. Coinmap, a geographical depiction of where bitcoin is accepted as payment, shows only a few places in the country that purportedly accept it. Another unconfirmed report suggests that the first bitcoin transaction from within the country was made in 2014 by a tourist who had come to see Dennis Rodman play an exhibition basketball game.

At least for the moment, North Koreans seem less interested in spending the currency than finding ways to obtain more of it. One way they’re doing that is by mining, the computationally laborious process of solving complex mathematical problems in exchange for “blocks” of virtual currency. As early as May of this year, Western researchers discovered mining activity attributed to IP addresses inside North Korea.

But only a very few politically connected North Koreans have access to a computer, much less one with internet connectivity and the processor power necessary to mine bitcoin at anything even remotely resembling scale. And while there have been rumors that the DPRK might start mining cryptocurrencies as a state-level project, like nearly everything else about the country, this is also difficult to verify.

But it’s becoming clear that, like the infamous bank robber Willie Sutton, North Korea has decided to go where the money is, and steal it. The former head of GCHQ (Britain’s NSA) estimates that the totality of Pyongyang’s illicit cyber activity may bring the country as much as $1 billion a year. But it hadn’t been interested in bitcoin until fairly recently.

Initially, DPRK hackers went after the low-hanging fruit: bitcoin wallets in South Korea. As far back as 2013, North Korean hackers had compromised accounts in the South, netting them up to $90,000 per month. The group doing the cryptocurrency hacking was also associated with other hacking efforts attributed to the government in Pyongyang; this wasn’t the work of a merry band of freelancers.

But they had a problem: one-off attacks on bitcoin wallets were onerous and time-consuming. They needed a more programmatic solution that could be deployed globally.

That insight may have driven Pyongyang’s interest in another approach: ransomware.

On May 12, 2017, more than 200,000 Windows-based computers in over 150 countries were attacked by a cryptoworm that would come to be known as “WannaCry.” Affected organizations included Britain’s National Health Service, Federal Express, PetroChina, Saudi Telecom, Hitachi, and even the Russian Foreign Ministry.

Machines infected with the worm displayed a simple page of text that began with the alarming sentence, “Oops, your files have been encrypted!” Countdown clocks on the left side of the page gave users two deadlines: one counting down to the moment the price for decryption went up, and a second showing when the computer’s files would be lost forever. Victims were instructed to send $300 to $600 worth of bitcoin to a specified address.

The attack quickly garnered worldwide attention for its ferocity and scale, but it rapidly faded as antivirus and cybersecurity researchers discovered and publicized the attack vector, a weakness in the Windows operating system called “EternalBlue.” Less than a week after it started, the contagion had trailed off.

(Interestingly, although WannaCry has now for the most part fizzled out, it’s still paying dividends. Someone created a Twitter bot called “Actual Ransom” that tracks payments to the bitcoin wallet associated with the WannaCry worm, and the money is still trickling in. Within the last 10 days, it had received bitcoins, presumably for an unlock code.)

Cybersecurity companies quickly noticed similarities between the worm’s code and the hack on Sony Pictures, which had been attributed to a collective called the “Lazarus Group.” The group had also been responsible for earlier attacks on banks in Bangladesh, Ecuador, and Vietnam, as well as a Distributed Denial of Service (DDoS) attack on the South Korean government.

While Pyongyang still denies any connection with the Lazarus Group, there is broad consensus that the North Korean government is behind it and is the originator of the WannaCry attacks. Microsoft’s president, Brad Smith, said “all observers in the know” agree North Korea unleashed the worm on the world. Britain’s Minister for Security, Ben Wallace, concurred, saying, “North Korea was the state we believe was involved in this worldwide attack on our systems.” The Washington Post reported that the NSA assesses with “moderate confidence” that the attack originated in North Korea’s Reconnaissance General Bureau. And the Trump administration has just publicly blamed Pyongyang for the attack for the first time.

The worldwide law enforcement and corporate cybersecurity response to WannaCry apparently taught the North that high-profile cyber attacks result in forceful and rapid cyber responses. It’s doubtful that WannaCry’s authors brought in more than a few hundred thousand dollars’ worth of bitcoin despite the scale of the attack.

Unbeknown to security researchers, though, Kim Jong-un’s hackers had already pivoted again.

Cybersecurity company Recorded Future reported in October that it had observed a spike in the use of malware designed to control botnets covertly mining cryptocurrencies. Again using the EternalBlue vulnerability, victims were tricked into allowing the malware to install the cryptocurrency miner on their machine.

Rather than locking users out of their computers as in the WannaCry attack, however, the malware stayed under the radar. Victims’ computers appeared to function more or less normally. What they didn’t know was that their computer had become part of a botnet, a distributed network of computers working together. The mining malware coordinated the botnet to pool CPU resources in order to mine cryptocurrencies.

One type of mining malware (there are perhaps a dozen different packages advertised on the Dark Web) was called “Adylkuzz.” While it might slow down the host computer, it also sometimes shut itself down if the processor was being used for other computationally challenging tasks, such as playing games. It was likely designed to do this in order to escape detection by the user.

Working together, 100 or even 1,000 machines could mine any of a variety of cryptocurrencies at scale. Because bitcoin requires a great deal of processor power (miners typically use purpose-built machines to do the math), Adylkuzz and similar trojans have been mining other cryptocurrencies, such as Monero and Zcash. Monero in particular is highly regarded among privacy enthusiasts (and criminals) and is less taxing on processor resources. And Adylkuzz is much more prolific than WannaCry.

Recorded Future stopped short of definitively attributing the botnet cryptocurrency mining operations to North Korea (certainly there are other bad actors doing it as well). But it also noted, in essence, that Pyongyang has the means, motive, and opportunity to use the technique for illicitly obtaining cryptocurrencies.

And the circumstantial evidence linking North Korea to the botnet mining is certainly thought-provoking. It used the same attack vector (EternalBlue) and began around the same time as WannaCry. And while the dollar price of Monero had been fairly flat, hovering around $30, following the release of Adylkuzz in late April, its price has skyrocketed recently, to over $350 as of 19 December (Zcash, the other reported cryptocurrency of choice, has gone up ten times over the same period).

As sanctions pressure mounts on Pyongyang, it’s clear that the regime is seeking alternative ways to finance itself, and has proved to be “creative” in finding new approaches, both legal and illicit. The recent cryptocurrency gold rush may be just the break Kim Jong-un needed.

Marc C. Johnson is a global security consultant and former CIA Operations Officer. Follow him on Twitter at @blogguero.