When the moment came, the spies and sleuths — working out of a government office in a city, Pangyo, known as South Korea’s Silicon Valley — would have only a few minutes to help seize the money before it could be laundered to safety through a series of accounts and rendered untouchable.
Finally, in late January, the hackers moved a fraction of their loot to a cryptocurrency account pegged to the US dollar, temporarily relinquishing control of it. The spies and investigators pounced, flagging the transaction to US law enforcement officials standing by to freeze the money.
The team in Pangyo helped seize a little more than $US1 million ($1.5 million) that day. Though analysts tell CNN that most of the stolen $US100 million ($150 million) remains out of reach in cryptocurrency and other assets controlled by North Korea, it was the type of seizure that the US and its allies will need to prevent big paydays for Pyongyang.
The sting operation, described to CNN by private investigators at Chainalysis, a New York-based blockchain-tracking firm, and confirmed by the South Korean National Intelligence Service, offers a rare window into the murky world of cryptocurrency espionage — and the burgeoning effort to shut down what has become a multibillion-dollar business for North Korea’s authoritarian regime.
The North Koreans “need money, so they’re going to keep being creative”, the official told CNN.
“I don’t think [they] are ever going to stop looking for illicit ways to glean funds because it’s an authoritarian regime under heavy sanctions.”
“We are also deeply concerned about how the DPRK supports these programs by stealing and laundering funds as well as gathering information through malicious cyber activities,” the trilateral statement said, using an acronym for the North Korean government.
North Korea has previously denied similar allegations. CNN has emailed and called the North Korean Embassy in London seeking comment.
‘North Korea Inc’ goes virtual
Starting in the late 2000s, US officials and their allies scoured international waters for signs that North Korea was evading sanctions by trafficking in weapons, coal or other precious cargo, a practice that continues. Now, a very modern twist on that contest is unfolding between hackers and money launderers in Pyongyang, and intelligence agencies and law enforcement officials from Washington to Seoul.
The succession of Kim family members who have ruled North Korea for the last 70 years have all used state-owned companies to enrich the family and ensure the regime’s survival, according to experts.
It’s a family business that scholar John Park calls “North Korea Incorporated”.
Kim Jong Un, North Korea’s current dictator, has “doubled down on cyber capabilities and crypto theft as a revenue generator for his family regime,” said Park, who directs the Korea Project at the Harvard Kennedy School’s Belfer Centre.
“North Korea Incorporated has gone virtual.”
Compared to the coal trade North Korea has relied on for revenue in the past, stealing cryptocurrency is much less labour- and capital-intensive, Park said. And the profits are astronomical.
It’s unclear how much of its billions in stolen cryptocurrency North Korea has been able to convert to hard cash. In an interview, a US Treasury official focused on North Korea declined to give an estimate. The public record of blockchain transactions helps US officials track suspected North Korean operatives’ efforts to move cryptocurrency, the Treasury official said.
Pyongyang’s hackers have also combed the networks of various foreign governments and companies for key technical information that might be useful for its nuclear program, according to a private United Nations report in February reviewed by CNN.
A spokesperson for South Korea’s National Intelligence Service told CNN it has developed a “rapid intelligence sharing” scheme with allies and private companies to respond to the threat and is looking for new ways to stop stolen cryptocurrency from being smuggled into North Korea.
Recent efforts have focused on North Korea’s use of what are known as mixing services, publicly available tools used to obscure the source of cryptocurrency.
On March 15, the Justice Department and European law enforcement agencies announced the shutdown of a mixing service known as ChipMixer, which the North Koreans allegedly used to launder an unspecified amount of the roughly $US700 million stolen by hackers in three different crypto heists — including the $US100 million robbery of Harmony, the California cryptocurrency firm.
Private investigators use blockchain-tracking software — and their own eyes when the software alerts them — to pinpoint the moment when stolen funds leave the hands of the North Koreans and can be seized. But those investigators need trusted relationships with law enforcement and crypto firms to move quickly enough to snatch back the funds.
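The tracing step described above, as an added example that is not part of the article or of any firm's own software: a small proportional-taint tracker run over a constructed ledger of transfers. Funds leaving the theft origin are marked fully tainted; every later hop passes on the sender's tainted fraction ("haircut" tracing, one of several conventions investigators use), and an alert fires when a tainted amount lands on a watchlisted address, either a mixer pool (money is about to be obscured) or a custodial endpoint such as a stablecoin issuer or exchange deposit address (the brief window in which it can be frozen). All addresses, transfers and labels are made up for the example.

```python
from collections import defaultdict

# Constructed sample ledger, in chronological order: (tx_id, sender, receiver, amount).
# "hacker_wallet" is the theft origin; "clean_user" stands for unrelated funds that
# get co-mingled at "hop_c". Every address here is invented.
TRANSFERS = [
    ("tx1", "hacker_wallet", "hop_a", 60.0),
    ("tx2", "hacker_wallet", "hop_b", 40.0),
    ("tx3", "hop_a", "mixer_pool", 60.0),
    ("tx4", "clean_user", "hop_c", 25.0),
    ("tx5", "hop_b", "hop_c", 40.0),
    ("tx6", "hop_c", "stablecoin_issuer_deposit", 50.0),
    ("tx7", "hop_c", "hop_d", 15.0),
]

# Constructed watchlist: address -> (kind, human label). "freezable" marks a custodial
# endpoint whose operator can hold funds; "mixer" marks a known mixing-service pool.
WATCHLIST = {
    "mixer_pool": ("mixer", "known mixing-service pool"),
    "stablecoin_issuer_deposit": ("freezable", "USD-pegged stablecoin issuer"),
    "exchange_deposit": ("freezable", "custodial exchange"),
}


def trace_taint(transfers, theft_origin, watchlist, min_alert=1.0):
    """Proportional (haircut) taint propagation.

    Each outgoing transfer carries the sender's current tainted fraction. Returns
    (tainted_by_address, alerts); alerts are raised when at least `min_alert` units of
    tainted value reach a watchlisted address. Transfers must be chronological.
    """
    balance = defaultdict(float)   # tracked inflow-minus-outflow per address
    tainted = defaultdict(float)   # tainted units held per address
    alerts = []

    for tx_id, src, dst, amount in transfers:
        if src == theft_origin:
            fraction = 1.0                      # everything leaving the origin is stolen
        elif balance[src] > 0:
            fraction = min(1.0, tainted[src] / balance[src])
        else:
            fraction = 0.0                      # no tracked inflow: treat prior funds as clean

        tainted_out = amount * fraction

        if src != theft_origin:                 # origin's pre-theft balance is not tracked
            balance[src] = max(0.0, balance[src] - amount)
            tainted[src] = max(0.0, tainted[src] - tainted_out)
        balance[dst] += amount
        tainted[dst] += tainted_out

        if dst in watchlist and tainted_out >= min_alert:
            kind, label = watchlist[dst]
            alerts.append({
                "tx": tx_id,
                "address": dst,
                "kind": kind,
                "label": label,
                "tainted_amount": round(tainted_out, 2),
            })
    return tainted, alerts


def freeze_opportunities(alerts):
    """Only the alerts where an operator could actually hold the funds."""
    return [a for a in alerts if a["kind"] == "freezable"]


if __name__ == "__main__":
    _, found = trace_taint(TRANSFERS, "hacker_wallet", WATCHLIST)
    for a in found:
        print(f'{a["tx"]}: {a["tainted_amount"]} tainted units reached {a["address"]} ({a["label"]})')
    print("freeze opportunities:", [a["tx"] for a in freeze_opportunities(found)])
```

On the sample ledger the 40 stolen units mixed with 25 clean units at `hop_c`, so the 50-unit deposit to the stablecoin issuer carries about 30.77 tainted units: that deposit is the single freeze opportunity, and the earlier move into `mixer_pool` is the warning that the other 60 units are about to become hard to follow. In practice the ledger comes from a node or indexer and the watchlist from exchange and issuer tagging, but the alerting logic is the same.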
One of the biggest US counter moves to date came in August when the Treasury Department sanctioned a cryptocurrency “mixing” service known as Tornado Cash that allegedly laundered $US455 million for North Korean hackers.
Tornado Cash was particularly valuable because it had more liquidity than other services, allowing North Korean money to hide more easily among other sources of funds. Tornado Cash is now processing fewer transactions after the Treasury sanctions forced the North Koreans to look to other mixing services.
Suspected North Korean operatives sent $US24 million in December and January through a new mixing service, Sinbad, according to Chainalysis, but there are no signs yet that Sinbad will be as effective at moving money as Tornado Cash.
Private crypto-tracking firms like Chainalysis are increasingly staffed with former US and European law enforcement agents who are applying what they learned in the classified world to track Pyongyang’s money laundering.
Elliptic, a London-based firm with ex-law enforcement agents on staff, claims it helped seize $US1.4 million in North Korean money stolen in the Harmony hack. Elliptic analysts tell CNN they were able to follow the money in real time in February as it briefly moved to two popular cryptocurrency exchanges, Huobi and Binance. The analysts say they quickly notified the exchanges, which froze the money.
“It’s a bit like large-scale drug importations,” Tom Robinson, Elliptic’s co-founder, told CNN.
“[The North Koreans] are prepared to lose some of it, but a majority of it probably goes through just by virtue of volume and the speed at which they do it and they’re quite sophisticated at it.”
The North Koreans are not just trying to steal from cryptocurrency firms, but also directly from other crypto thieves.
After an unknown hacker stole $US200 million from British firm Euler Finance in March, suspected North Korean operatives tried to set a trap: They sent the hacker a message on the blockchain laced with a vulnerability that may have been an attempt to gain access to the funds, according to Elliptic. (The ruse didn’t work.)
Nick Carlsen, who was an FBI intelligence analyst focused on North Korea until 2021, estimates that North Korea may only have a couple hundred people focused on the task of exploiting cryptocurrency to evade sanctions.
With an international effort to sanction rogue cryptocurrency exchanges and seize stolen money, Carlsen worries that North Korea could turn to less conspicuous forms of fraud. Rather than steal half a billion dollars from a cryptocurrency exchange, he suggested, Pyongyang’s operatives could set up a Ponzi scheme that attracts much less attention.
Yet even at reduced profit margins, cryptocurrency theft is still “wildly profitable” said Carlsen, who now works at fraud-investigating firm TRM Labs.
“So, they have no reason to stop,” he said.