The U.S. is charging two Chinese nationals with laundering more than $100 million in cryptocurrencies on behalf of North Korean hackers who looted them from South Korean exchanges. The two tried to cover the traces of Bitcoin, Ether, Ripple, Zcash and Dogecoin – but in the end failed because of the banks.
The United States Department of Justice is charging two citizens of China with laundering more than $100 million worth of cryptocurrencies for North Korean hackers. The two Chinese nationals, Tian Yinyin and Li Jiadong, moved bitcoins and other cryptocurrencies stolen from South Korean exchanges to other exchanges through a variety of blockchain transactions. They had registered at those exchanges using manipulated selfie photos with ID documents, including a German one. Via iTunes gift cards and transfers to accounts at Chinese and U.S. banks, they eventually sought to exchange the cryptocurrencies for fiat money – and gave away their identities in the process.
The investigative success owes much to a thorough analysis of the blockchain by a team from the U.S. Internal Revenue Service, the FBI, Customs, and the South Korean National Police. Prosecutors, who are now taking the case to a U.S. court, charge the two with conspiracy to launder money and with operating an unlicensed financial services business in the United States. Investigators have also identified 113 cryptocurrency accounts and addresses belonging to the two defendants. Some of the assets held there have already been seized, and the rest are to follow.
U.S. investigators are celebrating the indictment as another success for law enforcement in the cryptocurrency space. “The action today underscores that the Department of Justice is piercing the cloak of anonymity that cryptocurrencies provide and holding criminals accountable no matter where they are located,” said Assistant Attorney General Brian Benczkowski of the Justice Department. His counterpart at the tax authority’s criminal investigation unit, Don Fort, also presents himself as a defender of cryptocurrencies: “North Korea continues to attack the growing global virtual currency ecosystem by abusing it to evade sanctions imposed by the United States and the United Nations Security Council.”
The exact story behind this indictment is intriguing.
First, there is North Korea, the quintessential rogue state. The country has long been known for launching hacking attacks against foreign countries, preferably South Korea. Cyberattacks from North Korea have been on the rise since around 2008, and since 2016 the country has discovered in them a way of obtaining foreign currency. Because of financial sanctions, it is extremely difficult for North Korea to export goods in exchange for foreign currency with which it could import goods from abroad. Cryptocurrencies are useful in this situation because they ignore financial sanctions and can be exchanged for fiat currencies – real foreign currency – on many exchanges.
North Korea is therefore apparently often behind ransomware attacks, such as the WannaCry pandemic that also infected German railway display boards in spring 2017. Since 2019, however, North Korea’s cyber warriors seem to have focused on a different target: crypto exchanges. A group of U.S. security consultants has identified 35 cases in which hackers from North Korea attacked exchanges, miners and other financial institutions to obtain cryptocurrencies. Once again, the attacks are primarily directed at South Korea.
For example, a major South Korean exchange was hacked in late 2018. The loot amounted to 10,777.94 Bitcoin, 218,790 Ether as well as striking sums of other cryptocurrencies such as Dogecoin, Ripple, Litecoin or Ethereum Classic. The attack was cleverly crafted: a hacker had posed as a potential customer of the exchange, communicated with an employee via email, and eventually tricked him into downloading malware. The malware spread through the system, opened a security hole, and the hacking team emptied the exchange’s wallets. It was a jackpot, one of the biggest hacks of a crypto exchange ever.
Of course, the exchange informed the police, and of course, the police began to follow the tracks of the coins on the blockchain. As the court indictment explains, the transactions formed what is known as a “peel chain.” This is created “when large amounts of bitcoins associated with an address go through a series of transactions in which a slightly smaller amount is transferred to a new address. With each transaction, a chunk of bitcoin peels off to another address – often by being transferred to an exchange – and the remaining balance moves to the next address.” The North Korean hackers – or perhaps already the Chinese money launderers – built peel chains of hundreds of transactions to disguise where they were sending the coins.
This method may confuse lay observers, but it is a rather primitive way of obscuring the trail of cryptocurrencies. Investigators were therefore able to establish that the coins ended up on four exchanges, which are not named in the indictment. These exchanges, naturally, gave investigators further information about the accounts. One of the accounts was created using the email address of an employee of a South Korean construction company whose server had previously been attacked. This account received just over 5,600 Bitcoin, 600 Ether, 100 million Dogecoin, 3 million XRP and 1,500 ZEC. The account holder exchanged the altcoins for bitcoin, only to transfer them elsewhere again.
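The following is an added illustration, not code from the article or from the investigators, of why a peel chain is easy to follow: each hop has one dominant "remainder" output and one or more small peeled-off outputs, so a simple forward walk that always follows the largest output reconstructs the chain and lists every peel, including those that land on addresses already attributed to an exchange. The transactions, addresses, amounts and the exchange-attribution table are all constructed for this example; the 80 % remainder threshold is an assumed heuristic, not a figure from the indictment.

```python
"""Constructed example: following a Bitcoin "peel chain" of the shape described
in the indictment. Every transaction, address and label below is made up."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: tuple          # addresses whose coins this transaction spends
    outputs: tuple         # (address, amount_in_satoshi) pairs


# Constructed ledger: A0 holds the stolen coins; each hop peels a small slice
# to an X* address and passes the remainder on to the next A* address. The
# last transaction is an even split, which is not peel-shaped and ends the walk.
SAMPLE_TXS = (
    Tx("t1", ("A0",), (("A1", 97_500_000), ("X1", 2_500_000))),
    Tx("t2", ("A1",), (("X2", 2_300_000), ("A2", 95_200_000))),
    Tx("t3", ("A2",), (("A3", 93_000_000), ("X3", 2_200_000))),
    Tx("t4", ("A3",), (("X4", 2_900_000), ("A4", 90_100_000))),
    Tx("t5", ("A4",), (("B1", 45_000_000), ("B2", 45_100_000))),
)

# Constructed attribution data, standing in for what an investigator obtains
# from exchanges: deposit addresses already tied to a known platform.
KNOWN_EXCHANGE_DEPOSITS = {"X1": "exchange-1", "X3": "exchange-2"}


def follow_peel_chain(start_addr, txs, remainder_share=0.8, max_hops=10_000):
    """Walk forward from start_addr while each spend looks like a peel: one
    dominant 'remainder' output holding at least remainder_share of the total
    plus one or more small 'peel' outputs. Returns one record per hop."""
    spent_by = {}                        # address -> transaction that spends it
    for tx in txs:
        for addr in tx.inputs:
            spent_by[addr] = tx
    hops, seen, addr = [], set(), start_addr
    while addr in spent_by and addr not in seen and len(hops) < max_hops:
        seen.add(addr)                   # guards against loops in the graph
        tx = spent_by[addr]
        if len(tx.outputs) < 2:
            break                        # single output: a plain transfer, not a peel
        ranked = sorted(tx.outputs, key=lambda o: o[1], reverse=True)
        remainder_addr, remainder_amt = ranked[0]
        total = sum(amount for _, amount in tx.outputs)
        if remainder_amt < remainder_share * total:
            break                        # outputs too even: a split, not a peel
        hops.append({
            "txid": tx.txid,
            "from": addr,
            "remainder_addr": remainder_addr,
            "remainder_amt": remainder_amt,
            "peels": tuple(ranked[1:]),
        })
        addr = remainder_addr            # the bulk moves on; keep following it
    return hops


def total_peeled(hops):
    """Satoshis that left the chain through peel outputs."""
    return sum(amount for hop in hops for _, amount in hop["peels"])


def exchange_touchpoints(hops, known_deposits):
    """Peel outputs that landed on addresses attributed to an exchange: the
    points where account records can attach a real identity to the chain."""
    return [(hop["txid"], addr, known_deposits[addr])
            for hop in hops
            for addr, _ in hop["peels"] if addr in known_deposits]


if __name__ == "__main__":
    chain = follow_peel_chain("A0", SAMPLE_TXS)
    print(f"{len(chain)} peel hops, {total_peeled(chain)} sat peeled off")
    for txid, addr, platform in exchange_touchpoints(chain, KNOWN_EXCHANGE_DEPOSITS):
        print(f"  {txid}: {addr} -> {platform}")
```

On the constructed ledger the walk reconstructs four hops from A0 to A4, stops at the even split in t5, and reports the two peels that reached attributed exchange deposit addresses. Real chain analysis uses richer heuristics (change-address detection, clustering of co-spent inputs), but the core observation is the same: as long as the remainder is always the largest output, the chain reveals itself.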
It is now standard for major exchanges to run a know-your-customer (KYC) program to verify the identity of customers, especially when such large amounts are involved. It should be impossible today to exchange sums of this size anywhere without going through a KYC process. Usually this is done through a video call with a service provider or by sending in selfies with ID as well as other documents that are supposed to somehow prove that you are who you say you are. Anyone who trades on several crypto exchanges knows these procedures well enough, and they often raise concerns: exchanges and other platforms store the IDs on their servers, and when these fall victim to a hack, it is not uncommon for the IDs to end up on darknet marketplaces.
The hackers or money launderers verified themselves in a very common way: they sent a selfie with ID to the exchange. Besides a South Korean ID, a German one was also involved. The photos looked genuine enough to convince an exchange’s KYC team. Only a check of the metadata showed that the images had been manipulated.
Still, the exchanges gave the hackers away. For one thing, a clear trail leads from them to North Korea. Payouts from the exchanges were used, for instance, to buy web domains involved in fraudulent schemes. One example was a company, Celas LLC, whose employees also had LinkedIn profiles and posted on Twitter. The site claimed to be an exchange under construction that was still looking for employees. Applicants were asked to download a form, which contained malware. At the same time, Celas’ Twitter accounts tried to position themselves as crypto-influencers, spreading links that also led to malware.
U.S. authorities had previously identified Celas as originating from North Korea. For instance, the Celas website was hosted on the same server IP as the Fallchill malware, which the FBI found to be linked to the North Korean government. In addition, certain commands in the Celas app are consistent with hacking campaigns from 2016 attributed to North Korea.
Finally, pointing in the other direction, the exchanges also led to the two Chinese nationals. The latter used exchanges and other payment methods – such as Apple iTunes gift cards – to try to exchange cryptocurrencies for fiat money. For this, they held accounts at banks in China and in the United States. Through this connection, U.S. investigators were eventually able to link the pseudonymous activity on the blockchain to the real identities of the two.