Inside the worldwide sting operation to apprehend North Korean cryptocurrency hackers
In January, only a few days after North Korea launched three ballistic missiles into the sea, a team of South Korean spies and American private investigators assembled in secret at a South Korean intelligence office.
For several months they had been tracking the whereabouts of $100 million stolen from Harmony, a cryptocurrency company in California, waiting for North Korean hackers to move the stolen cryptocurrency into accounts from which it could eventually be converted into dollars or Chinese yuan, the hard currency that funds the country’s illegal missile programme.
When the time came, the spies and sleuths working out of a government office in Pangyo, a district known as South Korea’s Silicon Valley, would have only a few minutes to help grab the money before it could be washed through a succession of accounts and become untouchable.
Finally, towards the end of January, the cybercriminals briefly gave up control of the stolen cryptocurrency by moving a portion of the funds into an account pegged to the dollar. Seizing the opportunity, the spies and sleuths flagged the transaction to US law enforcement officers who were waiting in the wings to freeze the money.
That day, the group in Pangyo helped seize little more than $1 million. Experts told CNN that most of the stolen $100 million remained out of reach, held as cryptocurrency and other assets controlled by North Korea, but this was the sort of seizure that the United States and its allies will need in order to deny Pyongyang large paydays.
The sting operation, described to CNN by private investigators at Chainalysis, a blockchain-tracking firm based in New York, and confirmed by the South Korean National Intelligence Service, offers a rare window into the murky world of cryptocurrency espionage, and into the growing effort to shut down what has become a multibillion-dollar business for North Korea’s authoritarian regime.
According to estimates from the United Nations and private companies, North Korean hackers have stolen billions of dollars over the last few years from financial institutions and cryptocurrency companies. As investigators and regulators have grown more alert to its activities, the North Korean government has been exploring more elaborate methods of converting the stolen digital money into actual cash, according to US authorities and private experts who spoke with CNN.
Blocking North Korea’s access to cryptocurrency exchanges has become an urgent national security concern for both the United States and South Korea. The regime’s ability to use stolen digital money, or remittances from North Korean IT workers overseas, to finance its weapons programmes is part of the regular set of intelligence products delivered to top US officials, including, on occasion, President Joe Biden, according to a senior US official.
According to the official, the North Koreans “need money, so they are going to keep being creative.” Because it is an authoritarian state subject to heavy sanctions, “I don’t think there is any chance in hell that [they] are ever going to stop looking for illegal ways to glean funds.”
At a meeting on April 7 in Seoul, representatives from the United States, Japan, and South Korea released a joint statement lamenting that Kim Jong Un’s regime continues to “pour its scarce resources into its WMD [weapons of mass destruction] and ballistic missile programmes.” The North Korean government’s hacking of cryptocurrency exchanges was a primary topic of discussion at the meeting.
In the statement released by the three governments, they said: “We are also deeply concerned about how the DPRK supports these programmes by stealing and laundering funds as well as gathering information through malicious cyber activities.” DPRK is the abbreviation of North Korea’s formal name.
In the past, North Korea has rejected similar accusations. CNN has contacted the North Korean Embassy in London by email and phone seeking comment.
‘North Korea Inc’ goes virtual
Beginning in the late 2000s, authorities from the United States and its allies began scouring international waters for signs that North Korea was trying to evade sanctions by trading in weapons, coal or other valuable goods. That practice continues today. Now a very contemporary version of that contest is playing out between hackers and money launderers in Pyongyang on the one side, and intelligence agencies and law enforcement authorities from Washington to Seoul on the other.
In the United States, the FBI and the Secret Service have been at the forefront of that effort. (Both agencies declined to comment when CNN asked how they track North Korean money laundering.) In January, the FBI announced that it had frozen an unspecified amount of the $100 million stolen from Harmony.
According to several observers, every member of the Kim family who has taken a turn ruling North Korea over the last seventy years has used state-owned firms to enrich the family and ensure the regime’s survival.
Scholar John Park calls it “North Korea Incorporated”, though it is really a family-run business.
According to Park, who runs the Korea Project at the Belfer Center of the Harvard Kennedy School, the current ruler of North Korea, Kim Jong Un, has “doubled down on cyber capabilities and crypto theft as a revenue generator for his family regime.” “North Korea Incorporated has made the transition to the digital realm.”
According to Park, stealing bitcoin requires far less human labour and financial investment than the coal trade, which North Korea has traditionally depended on as a source of cash. Additionally, the earnings are through the roof.
According to Chainalysis, in 2017 a record $3.8 billion worth of cryptocurrency was stolen worldwide. The company says hackers linked to North Korea were responsible for nearly half of it, or $1.7 billion.
It is unknown what share of the billions in stolen cryptocurrency North Korea has managed to convert into fiat money. A US Treasury official who focuses on North Korea declined to give an estimate when asked in an interview. The public record of blockchain transactions allows US agents to trace attempts by suspected North Korean operatives to move bitcoin, the Treasury official said.
The fact that North Korea receives help from other countries in laundering money is “extremely concerning,” the official said. (The official declined to name a specific country, but in 2020 the United States charged two Chinese individuals with allegedly laundering over one hundred million dollars for North Korea.)
According to a confidential United Nations study from February that was accessed by CNN, hackers working for the regime in Pyongyang have also reportedly scoured through the computer networks of a wide variety of international governments and businesses in search of vital pieces of technical knowledge that may be valuable for the country’s nuclear programme.
A representative of South Korea’s National Intelligence Service told CNN that the agency has drawn up a plan to respond to the threat by establishing a “rapid intelligence sharing” system with allies and private-sector organisations. The agency is also looking into new ways of preventing stolen cryptocurrency from being moved into North Korea.
Recent efforts have concentrated on North Korea’s use of publicly available tools known as mixing services, which are used to conceal the origin of cryptocurrency.
On March 15, the Justice Department and European law enforcement agencies announced that they had shut down a mixing service known as ChipMixer. This service was allegedly used by North Koreans to launder an unspecified amount of the approximately $700 million that had been stolen by hackers in three separate cryptocurrency heists, one of which was the $100 million theft from the California cryptocurrency company Harmony.
Private investigators use blockchain-tracking software, and their own eyes once the software alerts them, to identify the exact moment when stolen funds leave North Korean control and can be recovered. But those investigators need trusted relationships with law enforcement and crypto businesses in order to move quickly enough to recover the stolen assets.
One of the most significant actions taken by the United States so far was taken by the Treasury Department in August when they sanctioned a cryptocurrency “mixing” business known as Tornado Cash. This service is suspected of laundering $455 million for North Korean hackers.
Tornado Cash was especially significant because it offered greater liquidity than other services, which made it easier for North Korean money to be hidden among other funds. Since the Treasury sanctions, Tornado Cash has been processing a lower volume of transactions, and the North Koreans have been forced to seek out other mixing providers.
According to Chainalysis, individuals believed to be North Korean agents moved $24 million via a new mixing service known as Sinbad between the months of December and January. However, there is currently little evidence to suggest that Sinbad will be as successful at transferring money as Tornado Cash.
The people behind mixing services, such as Tornado Cash creator Roman Semenov, often describe themselves as privacy champions and argue that the cryptocurrency tools they provide can be used for good or ill, like any other technology. That has not stopped law enforcement authorities from cracking down. In August, Dutch law enforcement officials detained another individual suspected of involvement in the development of Tornado Cash on suspicion of money laundering.
Private crypto-tracking organisations such as Chainalysis are increasingly staffing themselves with former law enforcement officials from the United States and Europe. These individuals are using what they learnt working in the classified realm to track down Pyongyang’s money laundering operations.
Elliptic, a London-based company that also employs former law enforcement officials, says it helped recover $1.4 million in North Korean funds taken in the Harmony breach. Analysts at Elliptic told CNN that throughout February they were able to track the money in real time as it was briefly transferred to the major cryptocurrency exchanges Huobi and Binance. According to the analysts, they immediately contacted the exchanges, which froze the funds.
Tom Robinson, one of the co-founders of Elliptic, was quoted as saying to CNN, “It’s a bit like large-scale drug importations.” “[The North Koreans] are prepared to lose some of it, but a majority of it probably goes through just by virtue of the volume that they do, the speed at which they do it, and the level of sophistication that they have in doing so.”
The North Korean government is not only trying to steal from cryptocurrency companies, but also from individuals who steal cryptocurrency themselves.
According to Elliptic, when an unidentified hacker stole $200 million from the British company Euler Finance in March, suspected North Korean agents attempted to set a trap for the hacker. They sent the hacker a message on the blockchain laced with a vulnerability, possibly in an effort to gain access to the funds. (The ruse did not succeed.)
According to estimates from Nick Carlsen, who worked as an FBI intelligence analyst focused on North Korea until 2021, North Korea may have only a few hundred personnel working on using cryptocurrency to evade sanctions.
Carlsen worries that, in light of recent international efforts to penalise fraudulent cryptocurrency exchanges and recover stolen funds, North Korea may turn to less conspicuous kinds of fraud. Rather than stealing half a billion dollars from a cryptocurrency exchange, he said, Pyongyang’s agents could set up a Ponzi scheme that draws far less attention and would be much more efficient.
Even so, with lower profit margins, cryptocurrency theft remains “wildly profitable,” according to Carlsen, who now works for TRM Labs, a company that investigates fraud, so there is no reason for them to stop.