MIT Technology Review

This is how North Korea uses cutting-edge crypto money laundering to steal millions

Hackers working for Kim Jong-un have become experts at covering their tracks on the Bitcoin blockchain.

March 5, 2020
North Korean students use computers near portraits of the country's late leaders Kim Il Sung, left, and his son Kim Jong Il at the Kim Chaek University of Technology in Pyongyang, North Korea.
Associated Press

The US government has just come down hard on two Chinese nationals for allegedly conspiring with North Korean state-sponsored hackers to steal millions of dollars’ worth of digital money from cryptocurrency exchanges. In the process, it has provided a glimpse at the cutting edge of crypto money laundering.

The Department of Justice charged Tian Yinyin and Li Jiadong with laundering over $100 million worth of cryptocurrency to benefit co-conspirators in North Korea. The Department of the Treasury placed their names (and 20 of their Bitcoin accounts) on a list of foreign individuals and entities that are blocked from doing business in the US.

The government also unsealed a legal document explaining why it wants to seize 113 cryptocurrency accounts associated with North Korean money laundering. That document painted a detailed picture of Tian and Li’s alleged crimes. And it lifted the curtain on a high-tech cat-and-mouse-style conflict going on behind the scenes, in which launderers have turned to elaborate automated schemes to obfuscate their cryptocurrency transactions and flummox law enforcement.

Kim Jong-un’s regime is economically isolated by sanctions aimed at hampering its nuclear weapons program. In the past few years it has turned to the cryptocurrency world to generate revenue, mostly by stealing it. In August last year, sanctions experts told the United Nations not only that North Korea has used “widespread and increasingly sophisticated” cyberattacks to pilfer as much as $2 billion from crypto exchanges and other financial institutions, but also that it is using the money to fund its weapons program.

The North Koreans have also apparently become experts in the dark art of digital money laundering. It makes sense: very few businesses accept cryptocurrency, so the North Koreans need a way of converting their stolen crypto-cash into good old-fashioned dollars or some other fiat currency. 

This is where the freshly indicted Tian and Li come in: allegedly, they were cogs in an elaborate money-laundering machine that successfully cashed out $100 million worth of stolen cryptocurrency. The US says that in late 2018, hackers working for Kim Jong-un stole around $250 million worth of cryptocurrency from an unnamed South Korean exchange. Much of that money, mostly Bitcoin, apparently landed in accounts at different exchanges held by Tian and Li, who converted it into fiat currency. But it’s what happened before it got to them that is really eye-opening.

Anyone trying to launder illicit cryptocurrency funds faces at least two big challenges. First, you can’t just deposit huge sums of Bitcoin at different exchanges without raising red flags. Second, and perhaps more important, Bitcoin transactions can be traced; they are all recorded on its public blockchain. Users are pseudonymous, represented on the blockchain by strings of numbers and letters called addresses. But if investigators can tie an address to a real-world identity, they can track its every single transaction.

To clear these hurdles, the North Korean hackers sent the stolen Bitcoin through a long chain of transfers to new addresses, each of which peeled a small piece from the whole and sent it to yet another address, often associated with an account at an exchange.

According to the government, the North Koreans engaged in “hundreds of automated transactions” with new Bitcoin addresses to create so-called “peel chains” leading to four different exchanges, making them hard to track.

Peel chains can become very complicated when they get long, and particularly when money launderers generate new ones using money peeled from the original—“peel chains of peel chains,” says Philip Gradwell, chief economist at Chainalysis, a blockchain analytics firm. They make it difficult to determine when money is actually changing hands and when it is just being moved to another address the money launderer controls, he says.
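From an investigator's side, the peel-chain pattern described above can be recognised by following the large remainder output from hop to hop and totalling what was peeled off to each destination. The sketch below is an added example, not code from the article, the court filing or Chainalysis; the one-sender transaction model, the thresholds and every address and amount are constructed assumptions.

```python
from collections import namedtuple

# Simplified model (assumption): one sending address per transaction and
# outputs as (address, amount_btc) pairs. Real Bitcoin transactions are
# UTXO-based and can have many inputs.
Tx = namedtuple("Tx", "txid sender outputs")

def build_sample_chain(start="addr0", total=100.0, peel=2.0, hops=5):
    """Constructed sample data: each hop peels `peel` BTC to one of two
    deposit addresses and forwards the remainder to a fresh address."""
    txs, src, balance = [], start, total
    for i in range(hops):
        nxt = f"addr{i + 1}"
        balance -= peel
        txs.append(Tx(f"tx{i}", src, [(f"deposit{i % 2}", peel), (nxt, balance)]))
        src = nxt
    return txs

def trace_peel_chain(txs, start, max_peel_ratio=0.2, min_hops=3):
    """Follow the remainder output from `start`, hop by hop.

    A hop matches when the current address sent exactly one transaction
    with two outputs, the smaller output is at most `max_peel_ratio` of
    the total, and the larger goes to an address not yet seen in the chain.
    Returns (txids, peeled_by_destination), or None if the chain is
    shorter than `min_hops` (ordinary payment-plus-change looks like one hop).
    """
    by_sender = {}
    for tx in txs:
        by_sender.setdefault(tx.sender, []).append(tx)

    seen, current, hops, peeled = {start}, start, [], {}
    while True:
        sent = by_sender.get(current, [])
        if len(sent) != 1 or len(sent[0].outputs) != 2:
            break  # chain ends: unspent, fan-out, or a different shape
        (small_addr, small), (big_addr, big) = sorted(
            sent[0].outputs, key=lambda out: out[1])
        if small > max_peel_ratio * (small + big) or big_addr in seen:
            break  # not a small peel, or funds loop back to a known address
        hops.append(sent[0].txid)
        peeled[small_addr] = peeled.get(small_addr, 0.0) + small
        seen.add(big_addr)
        current = big_addr
    return (hops, peeled) if len(hops) >= min_hops else None
```

Grouping the peeled amounts by destination is what exposes the deposit addresses that repeatedly receive small slices, which is where the article says the chains led.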

Meanwhile, the use of exchanges to launder stolen cryptocurrency appears to be a growing problem. According to Chainalysis, in 2019 criminal entities moved $2.8 billion in Bitcoin to exchanges—up from around $1 billion the year before. How is this happening, given that most exchanges are required by anti-money-laundering rules to keep track of their customers’ identities? Chainalysis has concluded that money launderers have found a workaround: a small number of “rogue” brokers who use their legitimate-appearing accounts at exchanges to help them cash out. That sounds a lot like how the US government describes the work of Tian Yinyin and Li Jiadong.