
Analysis: How Chinese Nationals Linked to North Korea Laundered Hundreds of Millions of Dollars’ Worth of Stolen Cryptocurrency Through Several Banks and Cryptocurrency Exchanges
CipherTrace has previously reported on North Korea using cybercrime to avert economic sanctions and raise hard cash to fund its weapons of mass destruction (WMD) development. For example, in August 2017, we revealed details of a then unreleased UN research report to the Security Council that showed how North Korean state actors had, over a period of several years, hacked US$2 billion from banks and crypto exchanges. Our CryptocurrencyA cryptocurrency (or crypto currency) is a digital asset des... More Anti-Money Laundering Report also detailed some ways in which Kim Jong Un’s rogue regime was laundering stolen or extorted crypto. Now there are new signs of individuals laundering these ill-gotten gains, involving approximately 100 million dollars’ worth of stolen tokens. This blog looks at those crimes and how the bad actors laundered the stolen funds.
OFAC sanctions two Chinese nationals linked to North Korean state-backed hackers
The U.S. Treasury’s Office of Foreign Assets Control (OFAC) administers and enforces economic sanctions programs against countries and groups of individuals. As part of that effort, it regularly publishes a list of sanctioned individuals, groups and entities involved in a range of illicit activities such as terrorism, narcotics trafficking, or WMD proliferation financing. Collectively, these individuals and companies are called Specially Designated Nationals (SDNs). Once placed on the SDN list, their assets are blocked and US persons are prohibited from transacting with them.
On March 2, two Chinese nationals, Tian Yinyin and Li Jiadong, were added to the list for their involvement in laundering stolen virtual currency from a 2018 crypto exchange hack perpetrated by a collection of cyber criminals known as the Lazarus Group. While not a great deal is known about the group, it is generally acknowledged to work under the direction of the intelligence unit of the Korean People’s Army. Lazarus was purportedly responsible for the 2014 Sony breach, 2017 Wannacry attacks, and the US$7 million Bithumb cryptocurrency exchangeA cryptocurrency exchange is a business that allows customer... More hack.
“The North Korean regime has continued its widespread campaign of extensive cyber-attacks on financial institutions to steal funds,” said Secretary Steven T. Mnuchin, referring to this action. “The United States will continue to protect the global financial system by holding accountable those who help North Korea engage in cyber-crime.”
According to the official Treasury department press release, Tian and Li received approximately US$100.5 million worth of stolen virtual assets from several North Korean controlled cryptocurrency addresses. Tian ultimately moved more than US$34 million worth of these illicit funds through a bank account linked to his account on a cryptocurrency exchange. Similarly, Li moved an additional US$33 million through nine different banks.
In parallel, the two were charged with money laundering conspiracy and operating an unlicensed money transmitting business by the US Department of Justice. In the DOJ press release, Assistant Attorney General Benczkowski of the Justice Department’s CriminalA Criminal is an individual or group who has been convicted ... More Division stated, “Today’s actions underscore that the Department will pierce the veil of anonymity provided by cryptocurrencies to hold criminals accountable, no matter where they are located.”
“Today’s actions underscore that the Department will pierce the veil of anonymity provided by cryptocurrencies to hold criminals accountable, no matter where they are located.”
Assistant Attorney General Benczkowski of the Justice Department’s Criminal Division
“This indictment shows what can be accomplished when international law enforcement agencies work together to uncover complex cross-border crimes,” explained Acting Executive Associate Director Alysa Erichs of U.S. Immigration and Customs Enforcement’s Homeland Security Investigations (HSI). “HSI is committed to upholding the rule of law and investigating those that would steal cryptocurrency for their illicit purposes.”
“This indictment shows what can be accomplished when international law enforcement agencies work together to uncover complex cross-border crimes. HSI is committed to upholding the rule of law and investigating those that would steal cryptocurrency for their illicit purposes.”
HSI Acting Executive Associate Director, Alysa Erichs
Phishers duped exchange employee
In late 2018, the IRS Criminal Investigation Division (IRS-CI) learned that an exchange had been hacked for nearly US$250 million worth of several virtual currencies. Without disclosing the name of the cryptocurrency exchange, IRS-CI revealed the investigation found that in mid-2018 an employee of the exchange communicated with a “potential client” via a phishing email, which fooled the employee into unwittingly downloading malware.
This employee was only one of many targeted by the North Korean linked phishing attacks aimed at thousands of email accounts at exchanges around the world. To provide credibility to their bogus online personas, the phishers created fake social media profiles and posts. These phishing emails would pose either as an advertisement for the fake company Celas LLC, as developers looking to work at the targeted exchange, or as prospective clients. The emails often contained a link to celasllc.com or an attachment containing malware that would allow Lazarus to infiltrate the exchange. These emails were often optimized by plugins that would enable human editors to write and respond to email for a client, ensuring “perfect English.”
The malware gave the Lazarus hackers remote access to the exchange and unauthorized access to the private keys controlling wallets holding multiple virtual currencies. Once they had control of the private keys, the hackers were able to steal the following virtual currencies:
Currency Estimated Amount Estimated Value
BTC 10,777.94 $94,145,839
ETH 218,790 $131,005,511
ZEC 3,783 $1,020,809
DOGE 99,999,000 $560,944
XRP 3,043,268 $2,660,100
LTC 11,000 $1,639,699
ETC 175,866 $3,304,763
Total $234,337,668
However, controlling the private keys was only the first step in stealing the funds. The attackers had to move the funds toward fiat offramps without raising suspicions. And this is where Tian and Li come into the picture.
A single deposit of over 10,000 BTC would generate multiple red flags for the exchange that received the deposit, which could result in the assets being frozen. Consequently, the criminals first had to hide their trail. The DOJ complaint explains this problem facing today’s bad cyber actors and money launderers to the court in basic terms:
“BitcoinThe term "Bitcoin" can either refer to Bitcoin the network, ... More (BTC) and Ether (ETH)Ether (ETH) is the native cryptocurrency of the Ethereum blo... More are pseudonymous virtual currencies. Although transactions are visible on a public ledger, each transaction is referenced by a complex series of numbers and letters (as opposed to identifiable individuals) involved in the transaction. The public ledger containing this series of numbers and letters is called a blockchainA blockchain is a shared digital ledger, or a continually up... More. This feature makes BTC and ETH pseudonymous; however, it is often possible to determine the identity of an individual involved in BTC and ETH transactions through several different tools. For this reason, many criminal actors who use BTC and ETH to facilitate illicit transactions online (e.g., to buy and sell drugs or other illegal items or servicesGeneral services, including non-profits, forums and news sit... More) look for ways to make their transactions even more anonymous.”
How criminals use peel chains to launder crypto
Tian and Li attempted to make their transactions anonymous by sending funds to several accounts at four different exchanges through hundreds of automated transactions by using a technique known as peel chains. The DOJ complaint explains this process to the court as well:
“A ‘peel chain’ occurs when a large amount of BTC sitting at one addressIn a cryptocurrency context, an address is a cryptographic k... More is sent through a series of transactions in which a slightly smaller amount of BTC is transferred to a new address each time. In each transaction, some quantity of BTC “peel off” the chain to another address – frequently to be deposited into a virtual currency exchange – and the remaining balance is transferred to the next address in the chain.”
The graphic below illustrates a simple peel chain in which a subject seeking to deposit 50 BTC into Exchange A uses a peel chain to make the transaction more difficult to track and less likely to set off red flags.
In the case of Tian and Li, they again moved the stolen cryptocurrency from the four exchanges through the use of multiple peel chains until they were reconstituted at two new exchanges. This allowed the North Korean co-conspirators to convert stolen alt-coins to BTC and further obfuscate their trail.
The example below demonstrates a sample of one of many large peel chains that IRS-CI analyzed in the course of the investigation.
With more complicated peel chains such as the one depicted in the graphic above, money launderers commonly automate the process using computer programs. Due to the complexity of addresses and the number of transactions that have to take place, human error could easily lead to the loss of funds. In this case, the Tian and Li used a computer script that rapidly laundered the BTC to and from addresses and exchanges.
Circumventing KYC procedures to access exchanges
The IRS-CI investigation found that the North Korean co-conspirators used fake IDs and manipulated photos to circumvent the KYC procedures at several exchanges. They registered two accounts at one virtual currency exchange using fake ID photos (shown below). One photo, which is taken from the DOJ complaint, depicts a male sitting in a chair holding his South Korean government-issued photo ID in front of his face with both hands and a computer monitor visible behind him. The next photo (also taken from the complaint) shows different man, standing with no computer in the background, holding a German government-issued photo ID in front of his face with both hands. While looking at the photos side by side shows the clear use of the same body with different heads, metadata from both photos provided evidence that they had been altered.
IRS-CI noted that attempts to circumvent KYC practices at different exchanges failed after the co-conspirators submitted a photo of a Caucasian male holding a sheet of paper with the name of the exchange and the date written on it in one hand and an Australian passport open to the photo page in the other hand. According to the complaint, the face in the photo was noticeably altered, prompting the exchange to request a video conference with the account holder, which the account holder refused.
Fiat offramps—how the stolen crypto moved to banks
Ultimately, after being laundered through hundreds of peel chain transactions, most of the stolen BTC was deposited into four accounts belonging to Tin and Li at two virtual currency exchanges.
By linking a China Guangfa Bank (CGB) account to his VCE accounts, Tian was able to deposit 233,889,970 CYN (approximately US$34,504,173.43) of the proceeds from his money laundering activities. Tian also had an account at a US-based exchange where he exchanged BTC for prepaid Apple iTunes gift cards—a common money laundering method. Tian used this exchange multiple times to convert virtual currency to US dollars with customers in the United States, according to the DOJ. This exchange did not require ID to make trades.
Similarly, Li linked bank accounts at nine different banks to his VCE account. Together these banks received approximately 2,000 deposits from his money laundering activities, totaling US$32,848,567.
Millions laundered from two other exchange hacks
IRS-CI investigators also found that the pair had used their accounts to launder funds from two additional exchange hacks. This included the November 2019 hack of South Korea-based virtual currency exchange UpBit, in which North Korean state-backed cybercriminals stole approximately 342,000 ETH (US$48.5 million). The hackers again used multiple peel chains to obfuscate their trail before depositing the ETH into various virtual currency exchanges. A few months prior, in April 2019, North Korea held the Pyongyang Blockchain and Cryptocurrency Conference, which led to the arrest of Ethereum Foundation staffer Virgil Griffith, who has since been indicted for delivering a presentation and technical advice on using cryptocurrency and blockchain technology such as Ethereum to evade sanctions. (See the CipherTrace Q4 2019 Cryptocurrency Anti-Money Laundering Report.)
What to do if you have transacted with a sanctioned crypto address
As a result of this designation, all property belonging to these sanctioned entities that is in the US or in the possession or control of US persons or entities must be blocked and reported to OFAC. In addition, persons that transact with Tian and Li or their sanctioned addresses may themselves be exposed to designation or face sanctions violations. To ensure you avoid this risk, you can view a full list of the OFAC sanctioned addresses here: https://ciphertrace.com/sanctions-alert-new-crypto-related-designations/
Additionally, the US Attorney for the District of Columbia has brought a Verified Complaint for Forfeiture in Rem against 113 virtual currency accounts linked to these thefts and money laundering processes. Because the listed virtual assetThe term "virtual asset" refers to any digital representatio... More addresses and accounts were involved in a scheme to operate an unlicensed MSB with customers and financial accounts within the United States, and the property involved represented the proceeds of unlawful activity, the US has maintained jurisdiction to claim such property for forfeiture.
While the identities of virtual currency address owners are pseudo-anonymous, these sanctions demonstrate how law enforcement can identify the owner of a particular cryptocurrency address by analyzing the blockchain with tools such as CipherTrace. The use of accurate tools with high-quality attributionAttribution is the process of attributing otherwise unhelpfu... More can not only reveal additional addresses controlled by the same individual or entity, but can also ensure that you or your customers are not transacting with these entities.
Tian and Li’s use of bank accounts linked to their crypto exchange accounts also demonstrates the importance of banks being able to detect crypto-related transactions in their payment networks. As stealing cryptocurrency continues to provide a lucrative way for the North Korean regime to steal funds, banks will continue to face the threat of bad actors seeking out their institutions for use as a fiat offrampAllows you to withdraw fiat. This makes it easier for crimin... More in laundering the funds.