Published by The Lawfare Institute
in Cooperation With
On March 2, the U.S. Department of Justice indicted two Chinese nationals for allegedly laundering cryptocurrency on behalf of North Korea. The laundering scheme moved part of almost $250 million worth of virtual currencies stolen from a cryptocurrency exchange in 2018 by the North Korean-affiliated Lazarus Group. With the help of elaborate custom software, the two Chinese nationals, Tian Yinyin and Li Jiadong, converted much of the stolen cryptocurrency into regular currency at Chinese banks, according to a U.S. Treasury announcement sanctioning them both.
The case exemplifies how cryptocurrency obfuscation tools and techniques are likely to play a growing role in financing threats to U.S. national security. As U.S. adversaries get more acquainted with blockchain technology, their hostile cyber operations are likely to rely increasingly on cryptocurrency activity. And rogue states are likely to become more innovative in using cryptocurrencies as they try to dampen the impact of U.S. economic sanctions.
A postmortem of the North Korean laundering scheme, outlined in the Justice Department’s asset forfeiture claim against Tian and Li’s virtual currency accounts, reveals a three-step formula for illicit finance: steal from exchanges, launder the digital currency and convert the tokens into real cash—hack, launder and cash-out.
The first step involved tactics familiar to anyone who has attended a basic cybersecurity awareness orientation. The Lazarus Group hackers tricked an employee of an unnamed exchange into opening a phishing email that installed malware on the employee's computer. That malware gave the hackers remote access to the computer, allowing them to steal the private keys that controlled the exchange's cryptocurrency wallets. They then withdrew $234 million worth of cryptocurrencies and sent them to digital wallets controlled by the Lazarus Group.
Next, the hackers sought to launder the funds by moving the crypto into wallets that would appear unrelated to the hacking. Most cryptocurrency transactions are visible for anyone to follow by browsing the blockchain, the online public ledger of transactions. Because the stolen tokens could be traced directly back to the theft, the Lazarus Group could not sell them for cash at most cryptocurrency exchanges. Instead, operatives in North Korea set up accounts at a variety of exchanges, using doctored photos and fake, non-North Korean identity documents. The hackers then transferred the stolen crypto using a script that moved the funds automatically through hundreds of newly created digital wallet addresses and eventually into North Korean-controlled accounts at the exchanges. Some of these funds were delivered to cryptocurrency exchange accounts held by Tian and Li, who spent the next several months doing additional laundering before finally converting crypto to cash.
The cash-out step was also multilayered. Tian and Li ran an unregistered cryptocurrency trading operation, converting stolen cryptocurrency into fiat currency and transferring it to customers in exchange for a fee. From July 2018 through April 2019, they traded with customers on various peer-to-peer exchange websites and opened up accounts at multiple Chinese banks to deposit their earnings from these trades. At one U.S.-based exchange, Tian transacted over 8,000 times, trading bitcoin for $1.4 million in iTunes gift cards. Overall, the pair made thousands of deposits into their Chinese bank accounts and laundered more than $100 million worth of ill-gotten crypto traceable to the Lazarus hack.
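The laundering step above is exactly what an investigator following "ill-gotten crypto traceable to the Lazarus hack" has to unwind: start from the addresses that received the theft proceeds, follow each spend forward through the intermediary addresses, and see which exchange deposit addresses ended up holding tainted value. The script below is an added example, not code from the article or from the Justice Department filings. Its ledger, addresses (hack1, new_a, dep_X and so on) and amounts are constructed; it uses proportional ("haircut") taint, one common tracing convention, and the complaint does not say which convention the government's analysts applied.

```python
"""Forward taint trace over a toy public ledger.

Added example (not from the Lawfare article or the DOJ filings): the ledger,
addresses and amounts below are constructed to show how an analyst follows
stolen funds through a chain of freshly created addresses to the exchange
deposit addresses where they are cashed out. Proportional ("haircut") taint
is one common tracing convention; others exist, and the DOJ complaint does
not say which one its investigators applied.
"""
from collections import defaultdict

# Constructed addresses: the theft destination and the exchange deposit
# addresses an investigator would already have on file.
HACK_ADDRESSES = {"hack1"}
DEPOSIT_ADDRESSES = {"dep_X", "dep_Y", "dep_Z"}

# Constructed UTXO-style ledger in chronological order. Inputs reference an
# earlier output by (txid, index); outputs are (address, amount). Fees are
# ignored so the arithmetic stays exact.
LEDGER = [
    # t0: unrelated clean funds that must stay untainted
    {"txid": "t0", "inputs": [], "outputs": [("clean1", 40.0), ("clean2", 10.0)]},
    # t1: the theft, paying the exchange's coins to an attacker address
    {"txid": "t1", "inputs": [], "outputs": [("hack1", 100.0)]},
    # t2-t4: a peel chain; each hop peels a slice to a deposit address and
    # forwards the remainder to a brand-new address
    {"txid": "t2", "inputs": [("t1", 0)], "outputs": [("new_a", 95.0), ("dep_X", 5.0)]},
    {"txid": "t3", "inputs": [("t2", 0)], "outputs": [("new_b", 90.0), ("dep_X", 5.0)]},
    {"txid": "t4", "inputs": [("t3", 0)], "outputs": [("new_c", 60.0), ("dep_Y", 30.0)]},
    # t5: tainted and clean inputs merged into one deposit (partial taint)
    {"txid": "t5", "inputs": [("t4", 0), ("t0", 0)], "outputs": [("dep_Z", 100.0)]},
    # t6: clean activity into an exchange address that also saw tainted funds
    {"txid": "t6", "inputs": [("t0", 1)], "outputs": [("dep_Y", 10.0)]},
]


def trace_taint(ledger, seed_addresses):
    """Return (received, hops).

    received: address -> tainted value it was paid, summed over all outputs.
    hops: address -> fewest transactions between the theft and that address.
    Each output's taint is its amount scaled by the tainted share of the
    spending transaction's inputs (proportional taint).
    """
    outputs = {}                    # (txid, idx) -> (address, amount)
    taint = {}                      # (txid, idx) -> tainted amount
    out_hops = {}                   # (txid, idx) -> hop count
    received = defaultdict(float)
    addr_hops = {}
    for tx in ledger:
        total_in = sum(outputs[ref][1] for ref in tx["inputs"])
        tainted_in = sum(taint.get(ref, 0.0) for ref in tx["inputs"])
        in_hops = [out_hops[ref] for ref in tx["inputs"] if ref in out_hops]
        hop = min(in_hops) + 1 if in_hops else 0
        for idx, (addr, amount) in enumerate(tx["outputs"]):
            key = (tx["txid"], idx)
            outputs[key] = (addr, amount)
            if addr in seed_addresses:
                tainted, hop_here = amount, 0      # direct theft proceeds
            elif tainted_in > 0:
                tainted, hop_here = amount * tainted_in / total_in, hop
            else:
                continue                            # clean output, not tracked
            taint[key] = tainted
            out_hops[key] = hop_here
            received[addr] += tainted
            addr_hops[addr] = min(addr_hops.get(addr, hop_here), hop_here)
    return dict(received), addr_hops


def exchange_exposure(received, hops, deposit_addresses):
    """Known deposit addresses that took tainted value, largest first."""
    rows = [(a, received[a], hops[a]) for a in received if a in deposit_addresses]
    return sorted(rows, key=lambda r: -r[1])


def intermediary_addresses(received, seed_addresses, deposit_addresses):
    """Pass-through addresses created only to move the funds along."""
    return {a for a in received if a not in seed_addresses and a not in deposit_addresses}


if __name__ == "__main__":
    received, hops = trace_taint(LEDGER, HACK_ADDRESSES)
    for addr, value, hop in exchange_exposure(received, hops, DEPOSIT_ADDRESSES):
        print(f"{addr}: {value:.1f} tainted, {hop} hop(s) from the theft")
    print("intermediaries:", sorted(intermediary_addresses(received, HACK_ADDRESSES, DEPOSIT_ADDRESSES)))
```

Two things the toy ledger makes visible that the prose does not: merging tainted coins with clean ones (t5) dilutes rather than removes the taint, so dep_Z still shows 60 of its 100 as stolen; and an exchange address can legitimately receive clean funds (t6 into dep_Y) after tainted ones, which is why exposure is reported per address rather than as a simple yes or no. On a real chain the ledger would be pulled from a node or block explorer, fees would reduce each hop's value, and the hop count gives compliance staff a way to rank which deposits to freeze first.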
This laundering scheme probably posed no technical challenge for North Korea. The open-source software programs the hackers used to create thousands of digital wallet addresses in minutes are freely available online, complete with tutorials, and are popular in the blockchain developer community. These wallets are called "unhosted" or "non-custodial" wallets because the user, not an exchange, holds the private keys, so no third party can block or shut them down. Unlike accounts at exchanges, they require no identity verification to set up. They are truly pseudonymous instruments: the transactions stay visible on the public ledger, but nothing on the ledger ties an address to a person.
And the scheme was likely cost efficient. The Department of Justice explained that the Lazarus Group funded part of their broader cyber operations with the hacked cryptocurrencies. Using funds sent to their unhosted wallets, the operatives paid in bitcoin for website hosting, domain names and virtual private networks. Those services supported additional phishing campaigns, allowing the hackers to create fake websites that delivered malicious code to other exchanges—a vicious cycle of laundering and hacking.
As the North Korean case highlights, two things enable cryptocurrency laundering: easy access to unhosted wallets and the existence of cryptocurrency exchanges around the world with lax anti-money laundering (AML) measures. Although the U.S. began regulating cryptocurrency exchanges in 2013, most other nations have lagged behind in applying AML rules to cryptocurrency activity. The intergovernmental Financial Action Task Force, which sets global AML standards, provided formal guidance in 2019 for how all countries should regulate their virtual asset sectors. But illicit actors will likely continue exploiting differences in national regulatory regimes to find noncompliant exchanges where they can trade crypto anonymously. Even this month, a Seychelles-based exchange announced it would cease U.S. operations so that it could onboard clients without verifying their identity.
Unhosted wallets pose an even thornier challenge. The ability for parties to transact digitally without a financial intermediary is the primary breakthrough of cryptocurrency technology. And blockchain enthusiasts often argue that unhosted wallets lower the barrier to financial services, bringing financial inclusion to unbanked and underbanked populations—though there is little data to support this assertion. Ultimately, financial authorities cannot realistically ban open-source software, so the current regulatory framework targets the on- and off-ramps where people cash out: cryptocurrency exchanges. Regulators tolerate the loophole of unhosted wallets because—for the time being—crypto has minimal purchasing value unless converted to fiat currency.
Legal and regulatory activity surrounding crypto and illicit finance will likely grow in the coming years as U.S. adversaries rely increasingly on cryptocurrency operations to fund threats. The U.S. Treasury now designates cryptocurrency addresses just as it designates bank accounts and other property, and the Justice Department is seeking civil forfeiture of funds held in 113 cryptocurrency accounts involved in the North Korean laundering transactions. With such enforcement actions likely to continue, intelligence analysts, sanctions compliance officers and financial crime investigators will need to become much more conversant with the world of crypto.
This nexus among cryptocurrencies, state-sponsored cyber operations and U.S. national security has also surfaced with other adversaries. Russian military intelligence officers laundered and spent $90,000 worth of crypto to support their cyber operations and information warfare during the 2016 U.S. presidential election, according to a separate Department of Justice indictment. And Iran’s growing tensions with the United States raise the possibility of the Iranian regime using cryptocurrency to fund information warfare.
National security officials must get smarter on cryptocurrency for the U.S. to combat the money laundering typologies emerging on blockchains rather than in banks. This means training analysts on blockchain technology and getting them acquainted with developments in the crypto space. And financial regulators will have to continually assess whether exchanges are effectively managing the risks from unhosted wallets. If exchanges do not manage those risks, new regulatory frameworks may be needed to plug crypto's regulatory gaps. This could involve developing guidelines for how much exchanges can interact with unhosted wallets. But any new rules need not be conceived by regulators in isolation. Blockchain proponents should also innovate to create products that advance the promises of this technology while mitigating the risks from bad actors. As the recent indictments show, U.S. adversaries are working creatively to exploit the loopholes. The U.S. needs to bring its A-game to meet this emerging threat.
Disclosure: In his private consulting work, the author provides consulting services to technology firms, some of which provide blockchain analysis software.