For years, North Korea’s Kim dynasty has made money through criminal schemes like drug trafficking and counterfeiting cash. In the last decade, Pyongyang has increasingly turned to cybercrime—using armies of hackers to conduct billion-dollar heists against banks and cryptocurrency exchanges, such as an attack in 2018 that netted $250 million in one fell swoop. The United Nations says these actions bring in vast sums which the regime uses to develop nuclear weapons that can guarantee its long-term survival.
But there is a big difference between hacking a cryptocurrency exchange and actually getting your hands on all the cash. Doing that requires moving the stolen cryptocurrency, laundering it so no one can trace it, and then exchanging it for dollars, euros, or yuan that can buy the weapons, luxuries, and necessities even bitcoins cannot.
“I’d say the laundering is more sophisticated than the hacks themselves,” says Christopher Janczewski, a lead case agent at the IRS who specializes in cryptocurrency cases.
Janczewski sees a lot of action these days. He led investigations into the recent hack that affected verified Twitter users, and into the Bitcoin-funded activities of the darknet’s largest site for images of child sexual abuse. Janczewski was most recently the lead investigator in a case to trace and seize $250 million in cryptocurrency from an unprecedented streak of multimillion-dollar hacks allegedly carried out by the North Korean hacking team known as Lazarus Group.
And, he says, Lazarus’s tactics are continuously evolving.
Washing dirty money clean
Once Lazarus has successfully hacked a target and taken control of the money, the group attempts to cover up its trail to throw off investigators. These tactics typically involve moving coins to different wallets and currencies—for example, switching from ether to Bitcoin.
But the North Korean playbook has evolved in the last few years. One tactic, known as a “peel chain,” moves money in rapid and automated transactions from one Bitcoin wallet to new addresses through hundreds or thousands of transactions in a way that both hides the source of the money and lessens the risk of setting off red flags. Another approach, called “chain hopping,” moves the money through different cryptocurrencies and blockchains to get it away from Bitcoin—where every transaction is posted to a public ledger—and into other, more private currencies. The idea is to make the trail go cold or, better yet, raise false alarms for investigators.
The Lazarus laundering operation, says Janczewski, involves creating and maintaining hundreds of false accounts and identities, a consistent level of sophistication and effort that underlines just how important the operation is for Pyongyang. It’s extremely difficult to name a precise amount, but experts have estimated that North Korea relies on criminal activity for up to 15% of its income, with a significant portion of that driven by cyberattacks.
A quiet arms race
Stealing cryptocurrency is far from the perfect crime, however. Police and regulators were once almost clueless, but they now have years of cryptocurrency investigation experience under their belts. In addition, they are gaining increasing levels of cooperation from exchanges, which face government pressure and want greater legitimacy. Investigators have moved from being perpetually on the back foot to being more proactive, with the result that many exchanges have responded with new rules and controls that simply did not exist before. Blockchain surveillance tools are powerful and increasingly widespread, proving that cryptocurrency is not as anonymous as popular myth might have it. It turns out the state still has plenty of power even in this cypherpunk world.
No matter how many peels and hops a hacker might throw the stolen cryptocurrency through, the effort usually comes up against an undeniable fact: if you’re trying to exchange a huge amount of cryptocurrency for US dollars, you’ll almost inevitably have to bring it all back to Bitcoin. No other cryptocurrency is so widely accepted or so easily converted to cash. Though new coins and privacy technologies have been emerging for years, Bitcoin and its public ledger remain “the backbone of the cryptocurrency economy,” says Janczewski.
That means the ultimate destination of the coin is often an over-the-counter trader—a bespoke operation in a country like China that can turn coin into cash, sometimes with no strings attached. These traders often ignore legal requirements, like the know-your-customer laws that make many bigger cryptocurrency exchanges risky places to launder stolen billions.
“What we used to see was just Bitcoin transactions between a theft and the movement toward over-the-counter traders that enable Lazarus to get out of Bitcoin. That’s relatively straightforward,” says Jonathan Levin, the founder of the cryptocurrency investigation firm Chainalysis. “Now there are a lot more currencies involved. They are able to move through obscure currencies, but eventually they end in the same spot, which is moving it back to Bitcoin and through the over-the-counter market.”
Over-the-counter operations are the preferred way for Lazarus to move millions in Bitcoin into cash.
And the business is enormous: the top 100 over-the-counter traders engaging in money laundering receive hundreds of millions of dollars in Bitcoin every month, accounting for around 1% of all Bitcoin activity.
Bitcoin-fueled illegal activity does not account for most use of blockchains, but it does remain significant and continues to grow, according to Chainalysis. Ransomware, for example, is a billion-dollar business made possible by cryptocurrency, while anonymous darknet markets moved over $600 million in Bitcoin in 2019.
“There is a sophistication higher than we’ve seen in the past,” Levin says. “Some of that has been successful, but with the US increasingly taking action and exchanges responding to requests to freeze funds and seize assets, these techniques may not be that effective moving forward.”