The World’s Underground Bankers
Chinese money laundering organizations have become key facilitators of global illicit finance, threatening U.S. national security.

Published by The Lawfare Institute
in Cooperation With
On Feb. 21, North Korean hackers perpetrated the largest crypto heist in history, stealing nearly $1.5 billion (roughly 5 percent of the Hermit Kingdom’s annual gross domestic product) within seconds from Bybit, one of the world’s largest exchanges. The hack presents a massive U.S. national security problem—and not just for the obvious reasons.
North Korean cyber thieves have stolen billions of dollars’ worth of assets in recent years to support Kim Jong Un’s nuclear weapons program; and there’s little doubt the Kim regime will seek to leverage the most recent hack to bolster its proliferation efforts. But digital assets can be traced in ways cash cannot, and the astonishingly complex paths the stolen crypto has taken in the past few weeks confirm a deeper reality: At this very moment, hundreds of millions of dollars’ worth of illicit funds are actively being liquidated through the assistance of underground Chinese money laundering organizations (CMLOs).
This incoming tsunami of dirty money represents a huge problem for U.S. national security. Informal Chinese banking channels, sometimes dubbed “fei qian” (or “flying money”), are increasingly facilitating criminal activities on a global scale—not just North Korean cyber theft, but also fentanyl distribution, Mexican drug cartel money laundering, and Southeast Asia-based investment (or “pig butchering”) scams.
In fact, CMLOs have emerged as a central node in the various illicit financial ecosystems—which previously were largely unconnected—that now serve as a force multiplier for those who wish to inflict harm on the United States. North Korea’s ability to steal an unprecedented amount of money, and then begin laundering that haul at a rapid rate of roughly $100 million a day, speaks to the capacity of illicit networks to efficiently move and clean money at a speed and scale no one has witnessed before.
Despite the severity of the problem, no single U.S. government strategy prioritizes disrupting Chinese underground banking networks. That needs to change. Moreover, the same novel, internet-based technologies that these networks have been leveraging also render them uniquely vulnerable. Disrupting these channels will require implementing a strategy that combines new types of intelligence collection with a more robust deployment of offensive cyber capabilities—including, potentially, those in the hands of credentialed private actors.
How It Works
Chinese underground banking networks serve as a financial lifeline for criminals worldwide, effectively operating a parallel banking system that skirts official scrutiny. These networks typically involve brokers who can seamlessly swap funds across jurisdictions without leaving a trace in regulated bank accounts. Increasingly, they have turned to cryptocurrency to facilitate rapid, pseudonymous cross-border transactions. As a result, Chinese underground bankers and their criminal clients (including North Korean hackers, Mexican cartels, Russian crime syndicates, and Triad gangs) have built a sprawling illicit finance ecosystem that exploits crypto assets and underground financial systems to launder dirty money on a global scale.
U.S. drug dollars, for example, are increasingly exchanged for Chinese renminbi through an informal value transfer: A broker located in the U.S. collects cartel cash and mirrors the transaction by providing equivalent value to a counterpart in China, often via crypto or other off-record methods.
The advantage of this “mirror exchange” is that no cross-border wire ever occurs—dollars stay in the U.S. and renminbi remain in China—thereby minimizing red flags for regulators and private-sector compliance professionals. Instead, brokers settle accounts through creative means like trade-based money laundering: They use the renminbi to purchase goods in China, export those goods to cartel affiliates in Latin America, and then sell them for local currency to recoup the broker’s funds. This intricate web of currency swaps and trade deals, increasingly facilitated by cryptocurrency, is highly effective at moving criminal profits under the radar.
Research reveals that Chinese underground banks have a symbiotic relationship with organized crime groups worldwide, including Mexican cartels. The banks provide a service that both circumvents China’s strict capital controls (helping wealthy Chinese citizens move money abroad in violation of domestic law) and bolsters foreign criminals’ efforts to repatriate or reposition their illicit earnings.
U.S. authorities have uncovered concrete instances in which these networks laundered drug proceeds for cartels. In one case, a Los Angeles-based ring led by Sinaloa cartel operatives laundered over $50 million in narcotics revenue via Chinese underground bankers, using trade-based schemes and crypto transactions to conceal the money’s origins. Large seizures of cash and drugs in that investigation underscored the extensive collaboration between cartel operatives and Chinese underground banks in concealing and transferring illicit drug proceeds.
Such networks effectively bridge the gap between the cash-intensive criminal underworld and the formal economy, offering criminals a reliable way to convert dirty cash into usable assets. This same Chinese money laundering infrastructure has also been repurposed to assist cybercriminals and sanctioned regimes, proving its versatility as a global crime enabler.
The North Korean Connection
North Korea’s state-sponsored hackers have stolen billions of dollars in cryptocurrency through exchange hacks and cyber heists. But stealing crypto is only half the challenge. Converting those digital assets into money that Pyongyang can use (e.g., to fund its weapons programs) requires a laundering pipeline that circumvents global sanctions.
Chinese underground banking networks and loosely regulated crypto brokers have provided exactly that service. U.S. authorities and blockchain intelligence firms have uncovered how North Korean operatives rely on Chinese over-the-counter (OTC) crypto brokers and financial facilitators to wash stolen coins into fiat currency or hard commodities.
The Middlemen: Chinese OTC Brokers
A 2023 federal indictment, for example, leveled charges against North Korean banker Sim Hyon-Sop and three Chinese OTC brokers for conspiring to launder cryptocurrency pilfered by Pyongyang’s hackers.
According to court documents, Sim, a representative of North Korea’s Foreign Trade Bank, worked with these China- and Hong Kong-based brokers to convert stolen crypto into U.S. dollars by funneling it through exchanges and shell companies (that is, companies existing only “on paper,” with no significant operations) and then using the funds to purchase goods via Hong Kong front firms for North Korea’s benefit. This scheme effectively turned hacked crypto into sanctioned commodities, illustrating the marriage of cybercrime proceeds with underground trade channels.
Blockchain analysis shows that Chinese OTC brokers act as critical middlemen in North Korea’s laundering playbook, using their access to major crypto exchanges and bank accounts to swap illicit crypto for fiat under the cover of legitimate high-volume trading. Once funds enter traditional banks (often via accounts of offshore companies in lax jurisdictions), they are layered through a maze of transfers to obscure their North Korean origin.
China—North Korea’s largest trading partner—often serves as the geographic hub for these operations, with key facilitators based in Chinese territory. Notably, Sim Hyon-Sop himself relocated to Dandong, China, a border city long known as a nexus for North Korean illicit commerce. His physical movements—and those by others like him—highlight how Pyongyang’s financial emissaries embed within China to exploit the gray areas in that nation’s financial system.
North Korea’s Expanding Laundering Infrastructure
North Korea’s crypto laundering methods have evolved to maximize speed and anonymity. After major cyber thefts, Pyongyang’s hackers and the Chinese launderers who work with them rapidly move stolen virtual assets through complex chains of transactions using decentralized exchanges, cross-chain “bridges” between blockchains, and online mixers (that is, services that mix “potentially identifiable cryptocurrency funds with vast sums of other funds” in an effort to “anonymize fund transfers between services”), before handing off to OTC brokers for the final cash-out.
The Feb. 21 hack targeting Bybit highlights the complexity of these tactics. It also confirms these networks’ capacity to refine those tactics in real time in order to launder increasingly large amounts of funds.
Blockchain analysis reveals, for example, that within two days of the nearly $1.5 billion theft of Ether (the native cryptocurrency of the Ethereum blockchain) held by Bybit, at least $160 million had been funneled through illicit channels. By Feb. 26, over $400 million had been moved. Less than a week later, the hackers finished the initial phase of the laundering, having transferred nearly all the stolen Ether to new crypto addresses, with the vast majority bridged to Bitcoin via decentralized protocols. This rapid layering represented an unprecedented level of operational efficiency; it also revealed a significant expansion of North Korea’s laundering infrastructure.
Over the past several weeks, hundreds of millions of dollars in proceeds from the Bybit hack have been transferred to probable CMLO brokers operating on the Tron blockchain. Many of these brokers have close transactional links to services like Huione/Haowang Guarantee (the notorious money laundering bazaar at the heart of Chinese money laundering in Southeast Asia that, on May 1, received the extraordinary designation of being a “primary money laundering concern” by the U.S. Department of the Treasury). While law enforcement and industry investigators have blocked some of these transactions, the vast majority have been successfully completed, and likely converted to fiat.
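The tracing that the figures above (and the crowdsourced recoveries discussed later in the article) depend on rests on one property of public ledgers: every hop is recorded, so the share of a receiving address's funds that derives from a known theft stays computable even after splitting, commingling with clean funds, and a cross-chain bridge hop. The following is an added example, not code from the article, from Lawfare, or from TRM Labs. It replays a constructed set of transfers with proportional ("haircut") taint propagation and reports which labelled receivers (hypothetical OTC broker and exchange deposit labels) hold tainted value. The chain-prefixed address strings, the label table, the single unit of account, and the modelling of a bridge as a transfer between two chain-prefixed addresses are all assumptions made for the example.

```python
"""Proportional taint tracing over a constructed transfer graph.

Added example (not from the article or from TRM Labs). Stolen funds are split
across new addresses, commingled with clean funds, bridged to another chain,
and land with labelled receivers; the tainted share of each receiver is then
reported as a freeze/report candidate list for investigators.
"""
from collections import defaultdict
from dataclasses import dataclass
import math


@dataclass(frozen=True)
class Transfer:
    seq: int       # processing order (block height / log index); constructed
    src: str       # "<chain>:<label>" pseudo-addresses; constructed, not real
    dst: str
    amount: float  # single unit of account for simplicity (assumption)


# Constructed sample data. The theft address is the tracing seed.
THEFT_ADDRESS = "eth:theft_sink"
SEED_AMOUNT = 1000.0

# Hypothetical attribution labels, as an analytics team would maintain them.
LABELS = {
    "btc:otc_broker_A": "OTC broker cluster",
    "btc:exchange_X": "Centralized exchange deposit address",
}

TRANSFERS = [
    Transfer(1, THEFT_ADDRESS, "eth:hop1", 600.0),        # split stolen funds
    Transfer(2, THEFT_ADDRESS, "eth:hop2", 400.0),
    Transfer(3, "eth:clean_funder", "eth:hop1", 400.0),   # commingle with untracked (clean) funds
    Transfer(4, "eth:hop1", "eth:bridge_in", 1000.0),
    Transfer(5, "eth:bridge_in", "btc:bridge_out", 1000.0),  # modelled cross-chain bridge hop
    Transfer(6, "btc:bridge_out", "btc:otc_broker_A", 700.0),
    Transfer(7, "btc:bridge_out", "btc:exchange_X", 300.0),
    Transfer(8, "eth:hop2", "btc:otc_broker_A", 400.0),      # second path to the same broker
]


def trace_taint(transfers, seed_address, seed_amount):
    """Return {address: (balance, tainted)} after replaying transfers in order.

    Proportional taint: an outgoing transfer carries the same tainted fraction
    as the sender's current tracked balance. A sender with no tracked balance
    is treated as an external, untracked source and contributes clean funds.
    """
    balance = defaultdict(float)
    tainted = defaultdict(float)
    balance[seed_address] = seed_amount
    tainted[seed_address] = seed_amount

    for t in sorted(transfers, key=lambda x: x.seq):
        if balance[t.src] > 0:
            share = tainted[t.src] / balance[t.src]
            spend = min(t.amount, balance[t.src])  # excess over tracked balance counts as clean
            moved = spend * share
            balance[t.src] -= spend
            tainted[t.src] -= moved
        else:
            moved = 0.0  # untracked source: clean inflow
        balance[t.dst] += t.amount
        tainted[t.dst] += moved
    return {a: (balance[a], tainted[a]) for a in set(balance) | set(tainted)}


def exposure_report(state, labels, min_tainted=0.0):
    """List labelled receivers holding tainted value, largest exposure first."""
    rows = []
    for addr, (bal, taint) in state.items():
        if addr in labels and taint > min_tainted:
            rows.append({"address": addr, "label": labels[addr],
                         "tainted": round(taint, 8), "balance": round(bal, 8)})
    return sorted(rows, key=lambda r: r["tainted"], reverse=True)


def taint_is_conserved(state, seed_amount):
    """Sanity check: taint is only moved, never created or destroyed."""
    return math.isclose(sum(t for _, t in state.values()), seed_amount, rel_tol=1e-9)


if __name__ == "__main__":
    state = trace_taint(TRANSFERS, THEFT_ADDRESS, SEED_AMOUNT)
    for row in exposure_report(state, LABELS):
        print(f"{row['address']:<20} {row['label']:<36} "
              f"tainted={row['tainted']:.2f} of {row['balance']:.2f}")
    print("taint conserved:", taint_is_conserved(state, SEED_AMOUNT))
```

Two design choices matter in practice. First, the commingling step (transfer 3) shows why the per-address tainted share, not just "touched by a flagged address," is what a freeze decision should rest on: the exchange deposit receives 300 units of which only 180 derive from the theft. Second, the conservation check is the regression test that catches modelling errors (a mis-ordered transfer or an untracked sender handled as tainted) before a report goes to a counterparty.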
The Expanding Web
In her March 25 written testimony to Congress providing the U.S. intelligence community’s annual global threat assessment, Director of National Intelligence Tulsi Gabbard highlighted both “the threats presented by ... non-state actors [including] [c]artels, gangs, and other transnational criminal organizations” and the threats posed by “key state-actors” including “China, Russia, Iran, and North Korea,” which, as she observed, are “in some cases[ ] working together in different areas to target U.S. interests and protect themselves from U.S. sanctions.”
CMLOs serve as a critical mediating link that brings these two sets of threats together.
Their role in supporting non-state threat actors (including through “mirror exchanges”) is described above; equally alarming is how Chinese underground bankers have affiliated not only with North Korean hackers but also with elements of Russian organized crime to form an interconnected web that for the first time joins together various threads of the global illicit financial system. Each actor brings different capabilities to the table:
- North Korea contributes elite cybercriminals (like the Lazarus Group and others) who steal vast sums of crypto.
- Chinese underground networks provide the laundering channels and financial infrastructure.
- Russian actors (whether state-linked or organized crime) offer additional safe havens and tools like rogue crypto exchanges and ransomware ecosystems.
The coordination may not always be explicit, but these actors’ activities often complement each other on the blockchain. For instance, North Korean hackers and their confederates have been known to funnel stolen cryptocurrency into services popular with Russian cybercriminals—an illicit fintech collaboration that mirrors the deepening strategic relationship between those two nations. (To be sure, the two nations have established secret “real world” banking relationships in order to evade sanctions, too.) Notably, U.S. authorities have formally alleged that the Russia-based crypto exchange Garantex, which they sanctioned and later shut down, had identified “but nonetheless allowed” transactions and accounts linked to North Korean hackers.
On the flip side, Chinese networks have helped Russian entities evade sanctions and move funds seamlessly across borders. To support the Russian war machine, for example, Chinese companies that manufacture military equipment (such as drones and optical tech) have been selling to Russia, which in many cases uses cryptocurrency to pay for these sanctioned transactions. Research confirms that, since 2021, at least $85 million has been sent to crypto wallets linked to Russian and Chinese entities involved in the trade of military and dual-use equipment—all despite China’s official “position of neutrality” on the Ukraine conflict.
Under this scheme, Russian intermediaries likely obtained crypto (including from sources like ransomware proceeds or illicit virtual assets exchanges) and transferred it to Chinese suppliers, who could then cash out in China, thereby skirting Western financial sanctions.
Such activity underlines how Chinese underground financing isn’t limited to profiteering criminals; it can also facilitate state-level sanction busting. (As such, this activity can conceptually be categorized with broader state-sponsored efforts to create trade and economic frameworks that operate independently of the U.S. dollar.) North Korea has engaged in similar tactics by using stolen crypto to acquire sanctioned goods via China, as seen with the Hong Kong front companies used to buy luxury items and raw materials for Pyongyang.
Notably, these actors learn from each other. North Korean hackers, for example, have emulated Russian cybercriminal techniques—from using ransomware as a fundraising tool to employing Russian-developed malware—and then laundered the proceeds through Chinese brokers. (Despite these growing ties, Pyongyang’s hackers are still believed to target Russian government agencies for intelligence purposes.) Likewise, Russian darknet drug markets have flourished with Chinese precursor chemicals keeping their supplies flowing. Those Chinese chemical suppliers, in turn, readily accept payments via digital assets, feeding the cycle of crypto-fueled crime. In this way, North Korea, China, and Russia are strengthening a de facto illicit finance alliance that reflects, in Gabbard’s words, these nations’ “high levels of [broader] cooperation” on the world stage.
Each one benefits: North Korea gets cash for its regime, Russian actors get partners in crime and access to Chinese markets, and corrupt Chinese brokers and businesses—which sit at the center of it all—earn hefty fees. This nexus poses a multifaceted threat that spans cybercrime, narcotics, and sanctions evasion, all stitched together through blockchain networks and other internet-based technologies that transcend national boundaries.
What Is to Be Done?
Chinese underground banking is deeply connected to U.S. national security threats, especially given that these networks have been sharpening their ability to rapidly process massive sums of illicit funds. Yet, despite the growing severity of this problem, there is no coordinated U.S. national strategy for systematically investigating and disrupting these networks.
The problem is attackable. Though CMLOs are “insular and often decentralized,” at every point in the chain there nonetheless exist key players who can be identified and investigated, with their assets and accounts targeted for disruptive action.
The North Korean government, for example, has long held its financial reserves outside of its borders in ledgers and countless shell company accounts, and as described above, Pyongyang has come increasingly to depend on key proxies like CMLOs to handle its money, launder stolen funds, and buy the foreign goods and components upon which the regime depends. Those proxies are vulnerable, but not enough is being done to identify and dismantle their networks. The same holds true for members of CMLOs who assist the cartels, the fentanyl distributors, and the pig butcherers.
Disrupting these sophisticated laundering networks requires a multifaceted approach that combines financial intelligence, targeted law enforcement efforts, international cooperation, and the implementation of effective private-sector anti-money laundering compliance programs (including by cryptocurrency businesses, fintech companies, and banks). Here, we focus on one important additional lever: offensive cyber operations.
The Promise of Offensive Cyber
Chinese money launderers often operate in jurisdictions where U.S. law enforcement has limited reach. While agencies like the FBI, Drug Enforcement Administration, and Homeland Security Investigations excel at their work—and law enforcement agencies clearly have an important role to play in disrupting CMLOs’ activities—these agencies’ tools alone are insufficient against actors who operate beyond the reach of extradition treaties and conventional judicial processes. This leaves hundreds of millions, if not billions, of illicit dollars flowing unimpeded into these groups’ coffers, per the status quo.
Ironically, the same technology that helps facilitate these crimes—cryptocurrency—also creates an opening for novel, methodical, and targeted intervention. Unlike cash, digital assets are inherently traceable, which offers a key to unlock and disrupt the spider-webbed financial networks of America’s adversaries. Indeed, the same inherent qualities that “make digital assets a force for good” also render these networks uniquely vulnerable to remote interdiction.
But crypto transfers also occur at the speed of the internet, at America’s adversaries’ time and choosing. In the first Trump administration, the White House adopted a “more proactive cyber strategy” relative to the Obama administration’s policy, implementing internal procedures regarding offensive cyber operations that were “better aligned to the hyper-dynamic and time-sensitive nature of the threat.” Reporting suggests that the Biden administration revised these procedures in ways that could negatively impact these operations’ agility. While the current administration’s policy remains unclear, there is no doubt that combating the CMLO threat will require speed and innovation to match the criminals’ own.
In line with the need for novel, Web3-era solutions, there may also be a significant role for private parties in addressing the continued growth of CMLOs. Due to blockchains’ open, transparent, and traceable nature, crowdsourcing already makes a unique and outsized contribution to crypto investigations. Working outside of formal law enforcement or corporate compliance, independent on-chain detectives use blockchain analytics and social media savvy to track stolen funds, expose scams, and assist authorities—often outpacing those authorities in speed, and working with them to effect recoveries amounting to hundreds of millions of dollars. (These independent crypto sleuths also often provide original, insightful analysis, including on North Korean laundering activities.) Bybit itself is attempting to leverage this dynamic to aid in recovery efforts, creating a bounty program that incentivizes ordinary internet users to “track, trace, and freeze” the stolen funds. To date, nearly $53 million has been frozen through the program—and the astonishing sum of nearly $1.25 billion is actively being “tracked.”
Such private-sector initiatives can have real impact: A recently formed collaboration between Tron (the decentralized autonomous organization behind the namesake blockchain), Tether (issuer of the USDT stablecoin), and TRM Labs (a leading blockchain intelligence firm and the authors’ employer) called the T3 Financial Crime Unit is designed to curb illicit activity tied to USDT on the Tron blockchain, in light of data showing that USDT “accounted for the largest amount of illicit volume among stablecoins, reaching $19.3 billion in 2023,” and that “45% of all illicit crypto transactions [in 2023] occurred on Tron.” In six months, the T3 initiative has frozen over $150 million in criminal assets across five continents—including a $26.4 million seizure effected in coordination with Spain’s national law enforcement agency and, recently, a $9 million freeze in connection with the Bybit hack.
Considering the vastness of the surface area, the real-time nature of the threat, and the increasingly sophisticated capabilities in private-sector hands, it may not be surprising that calls have emerged—including specifically in the context of crypto hacks and the associated money laundering—for Congress and the president to authorize “neo-privateering” (namely, the lawful act of hacking crypto wallets and retrieving funds controlled by specified malign actors, in return for a share of the proceeds from the sale of the recovered assets) under modern letters of marque and reprisal.
Neo-privateering comes with its own risks, and the details would need to be carefully worked out. But this is a policy discussion worth having. America’s adversaries operate in the shadows and have never played by the rules, deputizing their own private citizens to target the U.S. To deny those actors the profits that fuel their operations, the U.S. must be willing to act. Empowering trusted (and credentialed) private entities to target the finances of transnational threats—in a structured and transparent way, with appropriate guardrails and oversight—could send a clear message: No one profits from undermining American security.
* * *
Chinese underground banking networks and their crypto-laundering schemes represent a complex, global challenge at the nexus of cybercrime, drug trafficking, and sanctions evasion. More needs to be done to bring them to light and disrupt their operations. Through diligent blockchain analysis, interagency collaboration, and bold strategies—including by going on the offense in cyberspace—these shadowy networks can be illuminated, and illicit assets can be tracked and frozen in ways never before possible.