
Countering North Korean Cybercrime and Its Enablers

Alex O'Neill
Thursday, May 2, 2024, 8:00 AM

The crackdown on digital platforms that help North Korea launder billions in stolen cryptocurrency has so far achieved only mixed results.

Democratic People’s Republic of Korea flags in Pyongyang (Roman Harak, https://www.flickr.com/photos/roman-harak/5015877798; CC BY-SA 2.0 DEED, https://creativecommons.org/licenses/by-sa/2.0/)

Published by The Lawfare Institute in cooperation with Brookings

North Korean threat actors have stolen billions of dollars in cryptocurrency over the past decade, generating funds that help the Kim regime finance its nuclear weapons and ballistic missile programs and undermine international sanctions, among other malign ends. Pyongyang’s cybercriminals have come to rely heavily on anonymity-enhancing blockchain protocols called mixing services, known as mixers, to obfuscate the trails of virtual assets they obtain illicitly. Since early 2022, a burgeoning U.S.-led coalition has taken aggressive action against mixers in the hope of degrading North Korea’s digital illicit finance capacity, but as I conclude in a new report for the Royal United Services Institute, so far the strategy has met with limited success. While authorities have managed to take down or severely compromise individual platforms, such as Blender and Tornado Cash, in each case replacements have emerged quickly, often with stronger privacy features, and North Korean fund flows have merely shifted rather than dissipated. In light of these shortcomings, authorities should consider experimenting with new approaches to countering mixer-enabled digital asset crime, particularly efforts that target mixing transactions as a class and that nurture the development of compliant anonymity-enhancing technologies.

The Democratic People’s Republic of Korea’s (DPRK) foray into digital illicit finance represents the latest evolution of the cybercriminal statecraft strategy it has pioneered. Having refined its capacity for physical-world crime and sanctions evasion in the decades prior—DPRK outfits became some of the 20th century’s preeminent traffickers of arms, narcotics, and counterfeit bills—Pyongyang in the mid-2010s launched a campaign of financially motivated computer intrusions, becoming the first state to generate revenue via offensive cyber operations. In February 2016, North Korean threat actors defrauded the Bank of Bangladesh to the tune of $80 million, narrowly missing out on hundreds of millions more because of a typo in their phony wire instructions. The WannaCry ransomware, deployed in May 2017, affected machines in more than 150 countries, though it was not especially remunerative. Various other operations, such as the global string of ATM compromises U.S. authorities call FASTCash, have raised tens of millions of dollars. As then-Assistant Attorney General for National Security John Demers remarked in February 2021, “North Korea’s operatives, using keyboards rather than guns, stealing digital wallets of cryptocurrency instead of sacks of cash, are the world’s leading bank robbers.” That it has managed to develop a novel cybercrime program in the face of resource constraints and international isolation reflects North Korea’s deftness at overlaying new technologies onto its established criminal enterprises.

Over the past few years, DPRK actors have pivoted toward virtual assets, capitalizing on the enormous influx of cash, the move-fast-and-break-things ethos prioritizing growth over security, and the ambient skepticism or outright antagonism toward government that have characterized the space. That combination has proved appealing to the Kim regime’s highly motivated thieves, who have stolen more than $3 billion in cryptocurrency since 2019. For perspective, North Korea’s annual foreign trade volume—long its chief source of hard currency—has not surpassed that figure since 2019. North Korea’s greatest cryptocurrency heist came in spring 2022, when threat actors deceived an employee of the blockchain gaming company Sky Mavis with a fake job offer, broke into internal systems, and extracted $625 million from its popular Axie Infinity game and the Ronin Network on which it operates. The September 2020 KuCoin exchange hack and the June 2023 Atomic Wallet hack cost victims roughly $275 million and $100 million, respectively. According to the blockchain analytics firm Chainalysis, DPRK-attributed compromises in 2022 accounted for roughly one-third of the funds stolen from decentralized finance platforms and nearly half of all the virtual assets pilfered that year.

Mixers play a key role in North Korean actors’ virtual asset laundering process, helping disguise their funds’ criminal provenance and throw off investigators. In exchange for a small fee, the services enable users to blend in with a much larger crowd, generally by pooling many deposits together or whisking them through a flood of transactions manipulated to appear unremarkable. Sophisticated cybercriminals tend to utilize a complex process that may involve multiple mixers, bridging across blockchains (a practice known as “chain-hopping”), and various other techniques deployed in combination. North Korean actors are some of the world’s most prolific mixer users, having tumbled more than 65 percent of the cryptocurrency they stole in 2021. In 2022, DPRK threat clusters accounted for 30 percent of the funds sanctioned entities passed through mixers, behind only the leading darknet marketplace. TRM Labs, another blockchain analytics firm, reports that North Korean actors laundered more than $1 billion gleaned across at least 10 cyber operations through Tornado Cash before the platform was designated in August 2022.

Authorities have prioritized enforcement against the mixing services that facilitate North Korean cybercrime. In May 2022, the Treasury Department designated Blender, a custodial bitcoin mixer, marking the first sanctions action of its kind. U.S. and German law enforcement coordinated the takedown of ChipMixer in March 2023, in the process seizing the platform’s back-end servers, seven terabytes of data, and more than $46 million in cryptocurrency. The United States imposed sanctions in November 2023 on mixer Sinbad, which had processed substantial portions of the proceeds from the Atomic Wallet, Axie Infinity, and Horizon Bridge heists. The highest-profile mixer action to date remains the August 2022 designation of Tornado Cash, a noncustodial ethereum mixing protocol alleged to have laundered more than $7 billion in less than four years of operation, including nearly $500 million for North Korean actors. The Justice Department brought charges against two of Tornado Cash’s three founding developers, one of whom is in U.S. custody, alleging that they knowingly created “a haven for criminals to engage in large-scale money laundering and sanctions evasion.” Dutch authorities separately arrested the third principal co-founder. Beyond designations, takedowns, and arrests, the toolkit for countering mixers has comprised fines, asset seizures, and regulation-making, often deployed simultaneously and alongside parallel efforts by international partners.

Viewed through a narrow lens, each platform takedown has been successful. The actions against Blender, ChipMixer, and Sinbad abruptly shuttered three of North Korea’s preferred mixing services. The recent seizure of Samourai Wallet, another privacy-enhancing service alleged to have laundered millions in illicit funds, resulted in its immediate shutdown. Authorities have been unable to take Tornado Cash offline because of its decentralized structure, which relies on smart contracts rather than a primary operator and thus is less susceptible to disruption than centralized tumblers. That Tornado Cash never actually takes possession of user funds, unlike custodial mixers such as ChipMixer, makes seizing funds routed through the platform similarly challenging. Nevertheless, sanctions, key personnel arrests, and the takedown of its front-end interface have imposed a serious toll: As of late 2023, Tornado Cash was processing 80 percent less volume than it had handled prior to the designation, which has made it easier for investigators to trace the funds it mixes and marks new deposits with an even brighter red flag.
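The two mechanics described above, pooling many deposits so that a withdrawal blends into a crowd and the shrinking of that crowd when volume falls, can be made concrete with a small model. The following Python is an added illustration written for this page; it is not code from Tornado Cash, any other mixer, or the author of the article. It assumes a fixed-denomination pool (one pool per deposit size, as the text's noncustodial example uses) and counts, for each withdrawal, how many earlier same-denomination deposits it could plausibly correspond to. All deposits and withdrawals are constructed, and the 100-versus-20 comparison is simply an 80 percent volume drop chosen to mirror the figure quoted above.

```python
"""Toy model of a fixed-denomination mixing pool (added illustration,
not any real mixer's code). It shows why pooling deposits hides the
depositor-to-withdrawer link and why lower pool volume shrinks the
crowd a withdrawal can hide in. Every event below is constructed."""

from dataclasses import dataclass, field


@dataclass
class Event:
    kind: str          # "deposit" or "withdraw"
    denomination: int  # pool size, e.g. 10 units; pools never mix sizes
    time: int          # constructed block height


@dataclass
class Pool:
    """Ledger of deposits and withdrawals across all denominations."""
    events: list = field(default_factory=list)

    def deposit(self, denomination, time):
        self.events.append(Event("deposit", denomination, time))

    def withdraw(self, denomination, time):
        self.events.append(Event("withdraw", denomination, time))

    def anonymity_set(self, withdrawal_index):
        """Size of the crowd a withdrawal hides in: every earlier deposit
        of the same denomination, minus the earlier withdrawals of that
        denomination (each of which consumed one deposit). This is the
        bound an investigator starts from before applying timing or
        address-reuse heuristics; a different denomination never counts."""
        w = self.events[withdrawal_index]
        if w.kind != "withdraw":
            raise ValueError("index does not point at a withdrawal")
        earlier = self.events[:withdrawal_index]
        deposits = sum(1 for e in earlier
                       if e.kind == "deposit" and e.denomination == w.denomination)
        spent = sum(1 for e in earlier
                    if e.kind == "withdraw" and e.denomination == w.denomination)
        return max(deposits - spent, 0)


def anonymity_set_after(n_other_deposits, denomination=10):
    """Build a pool in which `n_other_deposits` unrelated users deposit the
    same denomination before a target deposit, then the target withdraws.
    Returns the size of the crowd that target withdrawal hides in."""
    pool = Pool()
    t = 0
    for _ in range(n_other_deposits):
        pool.deposit(denomination, t)
        t += 1
    pool.deposit(denomination, t)   # the deposit an investigator is tracking
    t += 1
    pool.withdraw(denomination, t)  # its later withdrawal
    return pool.anonymity_set(len(pool.events) - 1)


if __name__ == "__main__":
    busy = anonymity_set_after(100)   # pre-designation style volume
    quiet = anonymity_set_after(20)   # 80 percent less volume
    print(f"busy pool crowd: {busy}, quiet pool crowd: {quiet}")
```

The model deliberately ignores timing: in a real pool, a withdrawal that follows its deposit by minutes, or that lands at an address already tied to the depositor, shrinks the effective crowd well below the count computed here, which is why thin pools are both easier to trace and a louder risk signal for new deposits.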

Enforcement against mixers has also produced favorable knock-on effects, impacting not just North Korean threat actors but Russian-speaking e-crime gangs, purveyors of narcotics and exploitative sexual content, and countless others who have turned to virtual currencies to hide illegal behavior. According to the criminal complaint against the operator of ChipMixer, the platform “was one of the most popular mixing services used by ransomware operators” and a key tool for darknet markets. Even the Russian Main Intelligence Directorate (GRU) paid with ChipMixer-tumbled bitcoin for malware-hosting infrastructure. To be sure, these successes have not been unmitigated: Evidence suggests the team behind Blender regrouped after the designation to launch Sinbad only a few months later, having absconded with tens of millions of dollars from the original platform. This March, North Korean actors processed through Tornado Cash more than $100 million from their November compromise of the HECO bridge and HTX exchange, formerly known as Huobi. Even so, virtual asset criminals have been forced to replace key components of their laundering processes or rely on compromised versions of them. Credit is due to U.S. and international authorities for their responsiveness and policy innovation in the face of rapidly evolving criminal behavior in cyberspace.

Despite these achievements, North Korea’s overall capacity for digital illicit finance remains largely intact. Each platform disruption has spurred competition among market actors eager to attract the lucrative unfulfilled demand to their own products. As a result, anonymity-enhancing services continue to be readily accessible. TRM Labs’ analysis of a German law enforcement operation against an illicit marketplace in 2022 captures this phenomenon, noting, “[t]he vacuum left by Hydra’s takedown resulted in a veritable ‘Cambrian explosion’ in darknet markets, with at least a dozen projects having surfaced in its place to meet user demand.” An Elliptic briefing on “Tornado Cash Alternatives” in the aftermath of that action highlighted six smaller platforms that were well positioned to pick up the market share Tornado Cash had relinquished, one of which, Railgun, subsequently processed more than $60 million of ether for North Korean actors just a few months later. Pyongyang’s virtual asset crime spree proceeds apace, having reportedly generated more than a billion dollars of cryptocurrency in 2023 across at least 20 compromises. Perhaps unsurprisingly, responsible authorities are stuck playing catch-up to the market actors driving digital financial innovation and the criminals exploiting it. While disruptive actions have degraded important pieces of the DPRK laundering machine, substitutes have enabled it to continue operating with limited interruption.

Moreover, the disruption strategy has triggered a range of unintended consequences, some of which have yet to unfold completely. Interventions can reveal sensitive information, such as investigators’ ability to de-mix funds that pass through certain protocols or to obtain cooperation from governments regarded as hospitable to criminals, and may close valuable windows into North Korean actors’ behaviors and fund movements. They are likely to prompt criminals to improve their operational security, either by refining their tactics, techniques, and procedures or by switching from compromised platforms or jurisdictions to others that are ostensibly more secure. Consider that by the time of ChipMixer’s takedown, investigators could trace funds through it with minimal effort, rendering the purported black box functionally transparent. Many of the services to which its former users fled are far more opaque, among them privacy wallets like Wasabi and Samourai, which employ anonymity protocols known as CoinJoins. While few would probably argue ChipMixer deserved to stay open, it is fair to wonder whether the net effect of taking it down was simply to push cybercriminals deeper into the shadows without seriously diminishing their activity.

Aggressive enforcement against virtual asset service providers also risks further alienating the private sector, whose buy-in on matters of security and compliance is crucial to rooting out crypto-crime. The perception that U.S. authorities are hostile to digital financial innovation or capricious in enforcing occasionally nebulous rules may spook developers into offshoring in more permissive jurisdictions without the will or capacity to perform serious monitoring, where illicit financial activity would surely flourish. There can be no doubt that interventions against mixers have harmed legitimate users, among them investors, tech enthusiasts, and citizens of authoritarian countries seeking financial privacy. Aside from the unfortunate collateral damage, some members of these groups have allied with deep-pocketed firms to bring legal challenges against the mixer crackdown. For instance, six Tornado Cash users bankrolled by Coinbase sued the Office of Foreign Assets Control after the service’s designation, arguing that a decentralized blockchain protocol did not meet the legal definition of sanctionable personhood and that the action amounted to an unconstitutional infringement on expression in the form of software code. While a judge rejected those claims, questions linger about the scope of authorities’ powers with respect to virtual asset protocols, some of which have been debated on this platform. More broadly, it is evident that misalignment between the public and private sectors severely hinders the campaign against cybercrime.

Governments should be mindful of these problems and seek to mitigate them as is practicable, but by no means is the answer to stop going after noncompliant mixers. North Korea would assuredly realize far more profit from virtual asset crime if not for ongoing international pressure. As a former senior Justice Department official asserted in a private conversation last summer, DPRK cybercriminals’ adaptiveness and the fact that North Korea is alone in practicing cybercriminal statecraft prove the sanctions regime is causing the intended bite. Nevertheless, North Korean actors continue to steal, launder, and cash out cryptocurrency with relative ease, directly exacerbating the unacceptable threats the Kim regime’s nuclear and ballistic missile programs pose. Authorities’ limited success in countering mixer-enabled DPRK financial crime, along with the second- and third-order effects their interventions have brought about, raises the question: What additional or alternative approaches could be more effective?

Rather than just chasing individual platforms, the U.S. government is beginning to explore ways to contain risks presented by the mixer ecosystem as a whole. Last October, the Financial Crimes Enforcement Network (FinCEN) issued a Notice of Proposed Rulemaking (NPRM) that would designate mixing as a transaction class of primary money laundering concern under Section 311 of the USA PATRIOT Act and impose new recordkeeping and reporting requirements on domestic financial institutions. Respected industry players such as Chainalysis and the Crypto Council for Innovation have identified elements of the NPRM that deserve refinement, particularly the perhaps overbroad definition of mixers and the likelihood it will force institutions to perform somewhat duplicative, burdensome work. Yet the idea of applying heightened scrutiny to all anonymity-enhanced transactions is promising. While some mixer users are pursuing a legitimate privacy interest, a disproportionate number likely have more nefarious goals in mind. The disparity between the speed with which malign platforms take off and the pace at which governments can respond makes picking them off one-by-one impractical. In addition, targeting the transaction class rather than individual mixers would mitigate the substitution problem, where alternative services quickly absorb shuttered predecessors’ illicit flows.

In tandem, governments should devote more effort to nurturing compliant virtual asset platforms, especially privacy-enhancing technologies. Co-opting the industry gatekeepers of the virtual asset ecosystem is essential in the fight against DPRK financial crime. The emergence of compliant platforms would reduce the number of users on dirty ones—thereby decreasing their effectiveness—while underscoring the use of noncompliant mixers as a clear indicator of risk. As intriguing new protocols that rely on zero-knowledge proofs and demonstrations of non-association with undesirable elements advance through the development process, authorities should do more not only to encourage upstanding market actors but also to promote wider recognition that emphasizing security and compliance is in a business’s long-term profit interest. Meeting with more entrepreneurs and issuing clearer guidance on what is or is not acceptable would provide reassurance to those who otherwise might not risk their time and capital on initiatives they fear will not be approved or, worse, could lead to their arrest or designation.
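The preceding two paragraphs argue for treating mixing as a transaction class deserving heightened scrutiny and for treating contact with a noncompliant mixer as a risk indicator. The following Python shows what that looks like as a screening check a virtual asset service provider might run on incoming deposits. It is an added example written for this page, not the code of FinCEN, any exchange, or any analytics firm; the mixer and bridge addresses, the transfer log and the hop limit are constructed placeholders. It walks the funding graph backwards from a deposit, records the distance to the nearest known mixer, notes whether a cross-chain bridge was crossed (the "chain-hopping" pattern mentioned earlier), and assigns a risk tier that a compliance team could use to trigger the recordkeeping or reporting the proposed rule contemplates.

```python
"""Mixer-exposure screening for incoming deposits (added illustration,
not any regulator's, exchange's or vendor's code). Addresses, the mixer
list, the bridge list and the transfer log are constructed placeholders;
a real deployment would load designated addresses from sanctions lists
and vendor data."""

from collections import deque

KNOWN_MIXERS = {"mixer_A", "mixer_B"}   # constructed placeholders
KNOWN_BRIDGES = {"bridge_X"}            # constructed cross-chain bridge

# Constructed transfer log: (sender, receiver, amount).
TRANSFERS = [
    ("victim_hot_wallet", "mixer_A", 100.0),
    ("mixer_A", "hop1", 99.0),
    ("hop1", "bridge_X", 99.0),
    ("bridge_X", "hop2", 98.5),
    ("hop2", "exchange_deposit_1", 98.0),
    ("payroll", "exchange_deposit_2", 50.0),
    ("shop", "hop3", 12.0),
    ("hop3", "exchange_deposit_3", 12.0),
]


def build_incoming_index(transfers):
    """Map each receiver to the (sender, amount) pairs that funded it."""
    incoming = {}
    for sender, receiver, amount in transfers:
        incoming.setdefault(receiver, []).append((sender, amount))
    return incoming


def screen_deposit(address, transfers, max_hops=4,
                   mixers=KNOWN_MIXERS, bridges=KNOWN_BRIDGES):
    """Breadth-first walk backwards from `address` through at most
    `max_hops` funding transfers. Returns the risk tier, the hop count to
    the nearest known mixer (None if none within range) and whether a
    bridge contract was crossed on the way."""
    incoming = build_incoming_index(transfers)
    queue = deque([(address, 0)])
    seen = {address}
    nearest = None
    crossed_bridge = False
    while queue:
        node, depth = queue.popleft()
        if depth >= max_hops:
            continue
        for sender, _amount in incoming.get(node, []):
            if sender in bridges:
                crossed_bridge = True
            if sender in mixers:
                # The trail ends at the mixer; record the distance, do not
                # walk behind it, since its inputs are exactly what it hides.
                if nearest is None or depth + 1 < nearest:
                    nearest = depth + 1
                continue
            if sender not in seen:
                seen.add(sender)
                queue.append((sender, depth + 1))
    if nearest == 1:
        tier = "high"          # funded directly by a known mixer
    elif nearest is not None:
        tier = "elevated"      # mixer exposure within the hop window
    else:
        tier = "normal"        # no known mixer within `max_hops`
    return {"address": address, "tier": tier,
            "mixer_hops": nearest, "crossed_bridge": crossed_bridge}


def flagged_deposits(addresses, transfers, max_hops=4):
    """Return the screening results for every deposit not rated normal,
    i.e. the set a compliance team would review or report."""
    results = [screen_deposit(a, transfers, max_hops) for a in addresses]
    return [r for r in results if r["tier"] != "normal"]


if __name__ == "__main__":
    deposits = ["exchange_deposit_1", "exchange_deposit_2", "exchange_deposit_3"]
    for r in flagged_deposits(deposits, TRANSFERS):
        print(r)
```

The hop limit is the important tuning knob: with `max_hops=2` the same deposit is rated normal even though it crossed a bridge, because the mixer sits four transfers upstream. That is the substitution and chain-hopping problem in miniature, and it is why screening by exposure to a transaction class is more robust than matching a handful of individual platform addresses at one hop.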

In the same spirit, efforts to degrade North Korean actors’ capabilities must be accompanied by an energetic push to raise global anti-money laundering and cybersecurity standards. According to the Financial Action Task Force (FATF), “[f]our years after the FATF’s adoption of standards on [virtual assets] and [virtual asset service providers], some jurisdictions have introduced regulations, but global implementation is relatively poor and compliance remains behind most other financial sectors.” Three-quarters of the jurisdictions FATF assessed for its mid-2023 report are only partially or not at all compliant with the standards, and actual enforcement is presumably even less common. In the private sector, far too many virtual asset projects prioritize growth at the expense of due attention to compliance and cybersecurity. Governments should more widely promulgate security guidance for virtual asset enterprises, encouraging measures like smart contract audits and bug bounties, and should consider establishing mandatory standards through regulation or legislation. Achieving wider implementation of current best practices, to say nothing of augmenting them in the face of evolving risks, would go a long way toward improving defenses against cybercrime.

Governments should do more to cultivate a better understanding of the virtual asset ecosystem. Maintaining closer familiarity with trends, new practices and technologies, and shifting stakeholder interests would enable practitioners both to police the virtual asset space and to communicate with industry more effectively. As FinCEN’s successful Innovation Hours Program demonstrates, private-sector engagement positions authorities to be better attuned to new developments. Building on the valuable April 2023 Illicit Finance Risk Assessment of Decentralized Finance, the Treasury Department should consider launching a standing Virtual Asset Risk Board modeled on the Emerging Technology Board the Justice Department envisioned in its 2022 Comprehensive Cyber Review. Members of Congress should accelerate consideration of draft legislative proposals that would commission related studies on decentralized finance, known as “DeFi,” and privacy-preserving technologies, several of which were highlighted during a productive House Financial Services Committee hearing in February.

Finally, authorities should seek to facilitate smoother and more robust cooperation among practitioners working to counter different categories of malign cyber activities. The lines between state and criminal actors and between various types of internet crime have increasingly blurred in recent years, such that institutional silos designed to concentrate expertise may actually delay efforts to investigate and disrupt. For example, Russia’s security services maintain extensive operational ties to Eastern European cybercriminal networks; interlocking North Korean threat clusters may spy on a defense contractor or energy utility one day and rob a bank the next, or an espionage-focused subgroup may transfer network accesses to another specializing in fraud. A remarkable diagram in the 2018 complaint against North Korea’s best-known hacker, Park Jin Hyok, illustrates the extent to which distinct DPRK-attributed intrusions—some financially motivated, some destructive, like the 2014 Sony Pictures Entertainment attack—relied on overlapping malware and computer infrastructure. Cross-cutting threats such as these demand nimble, flexible responses and unimpeded cooperation with interagency and private partners. The Justice Department has taken laudable steps in this direction by merging the National Cryptocurrency Enforcement Team into the Computer Crime and Intellectual Property Section and establishing the National Security Cyber Section, which is designed to promote effective collaboration across the department and the wider government. The assistant attorney general for national security expects these moves will “increase the scale and speed of disruption campaigns and prosecutions of nation-state threat actors, state-sponsored cybercriminals, associated money launderers, and other cyber-enabled threats to national security.” The State Department is exploring its own measures to promote agility and collaboration, and other institutions should follow suit.

While the U.S.-led coalition’s impressive victories against individual noncompliant platforms such as Blender and Sinbad are heartening, cybercriminals’ adaptiveness leaves reason for concern as to whether the disruption strategy will achieve enduring positive results. As authorities work to counter the pernicious economic and national security threats North Korean virtual asset crime presents, it will be useful to continually take stock of the current strategy, explore new partnerships and creative approaches, and seek to mitigate the unintended consequences that inevitably arise.
Alex O’Neill is a national security researcher who studies emerging technology, cyber threats, and illicit finance. He previously worked at the Harvard Kennedy School’s Belfer Center for Science and International Affairs, where he co-founded and led for three years the North Korea Cyber Working Group. Alex is the author of “Upholding North Korea Sanctions in the Age of Decentralised Finance” (Royal United Services Institute) and “Cybercriminal Statecraft: North Korean Hackers’ Ties to the Global Underground” (Belfer Center for Science and International Affairs). He regularly presents his research to academic, industry, and government audiences and has delivered briefings on North Korean cyber activities to the State Department, the Treasury Department, and intelligence agencies. Alex received an MSc in Russian and East European Studies from the University of Oxford and a BA with distinction in History from Yale University.
