Inside the international sting operation to catch North Korean crypto hackers
By Sean Lyngaas, CNN
A team of South Korean spies and US private investigators gathered quietly at South Korea’s intelligence agency in January, just days after North Korea fired three ballistic missiles into the sea.
For months, they had been tracking $100 million stolen from a California cryptocurrency firm called Harmony, waiting for North Korean hackers to move the stolen crypto into accounts that could eventually be converted into dollars or Chinese yuan, hard currency that can finance the country’s illegal missile program.
When the moment came, the spies and investigators – working from a government office in Pangyo, a city known as South Korea’s Silicon Valley – would have only a few minutes to help seize the money before it could be laundered to safety through a series of accounts and made untouchable.
Finally, in late January, the hackers moved a fraction of the money to a cryptocurrency account tied to the dollar, temporarily relinquishing control over it. The spies and investigators pounced and reported the transaction to US law enforcement authorities, who were ready to freeze the money.
The team at Pangyo helped seize a little more than $1 million that day. Although analysts tell CNN that most of the stolen $100 million remains out of reach in cryptocurrency and other assets controlled by North Korea, it was the kind of seizure the US and its allies will need to prevent big payoffs for Pyongyang.
The sting operation, described to CNN by private investigators at Chainalysis, a New York-based blockchain tracking firm, and confirmed by South Korea’s National Intelligence Service, offers a rare window into the sinister world of cryptocurrency espionage — and the burgeoning effort to shut down what has become a multi-billion dollar enterprise for North Korea’s authoritarian regime.
Over the past few years, North Korean hackers have stolen billions of dollars from banks and cryptocurrency firms, according to reports from the United Nations and private firms. As investigators and regulators have grown wiser, the North Korean regime has tried increasingly sophisticated ways to launder the stolen digital money into hard currency, US officials and private experts tell CNN.
Cutting off North Korea’s cryptocurrency pipeline has quickly become a national security imperative for the US and South Korea. The regime’s ability to use the stolen digital money — or remittances from North Korean IT workers abroad — to fund its weapons programs is part of the usual set of intelligence products presented to senior US officials, sometimes including President Joe Biden, a senior US official said.
The North Koreans “need money, so they’re going to continue to be creative,” the official told CNN. “I do not think [they are] ever going to stop looking for illegal ways to raise money because it is an authoritarian regime under heavy sanctions.”
North Korea’s cryptocurrency hacking was top of mind at an April 7 meeting in Seoul, where US, Japanese and South Korean diplomats issued a joint statement lamenting that Kim Jong Un’s regime continues to “pour its scarce resources into WMD [weapons of mass destruction] and ballistic missile programs.”
“We are also deeply concerned about how the DPRK supports these programs by stealing and laundering funds as well as gathering information through malicious cyber activities,” the trilateral statement, using an acronym for the North Korean government, said.
North Korea has previously rejected similar claims. CNN has emailed and called the North Korean embassy in London for comment.
‘North Korea Inc’ goes virtual
Beginning in the late 2000s, US officials and their allies scoured international waters for signs that North Korea was evading sanctions by trading in weapons, coal or other valuable cargo, a practice that continues. Now a very modern twist on that contest is playing out between hackers and money launderers in Pyongyang on one side, and intelligence agencies and law enforcement from Washington to Seoul on the other.
The FBI and Secret Service have led this effort in the United States (both agencies declined to comment when CNN asked how they track North Korean money laundering). The FBI announced in January that it had frozen an unspecified portion of the $100 million stolen from Harmony.
The succession of Kim family members who have ruled North Korea for the past 70 years have all used state-owned companies to enrich the family and ensure the regime’s survival, according to experts.
It is a family business that scholar John Park calls “North Korea Incorporated.”
Kim Jong Un, North Korea’s current dictator, has “doubled down on cyber capabilities and crypto theft as a revenue generator for his family regime,” said Park, who directs the Korea Project at the Harvard Kennedy School’s Belfer Center. “North Korea Incorporated has gone virtual.”
Compared to the coal trade North Korea has depended on for revenue in the past, stealing cryptocurrency is much less labor- and capital-intensive, Park said. And the profits are astronomical.
Last year, a record $3.8 billion in cryptocurrency was stolen from around the world, according to Chainalysis. Almost half of that, or $1.7 billion, was the work of North Korean-linked hackers, the firm said.
It is unclear how much of its billions in stolen cryptocurrency North Korea has been able to convert into hard cash. In an interview, a US Treasury official focused on North Korea declined to give an estimate. The public record of blockchain transactions helps US officials track suspected North Korean operators’ attempts to move cryptocurrency, the Treasury official said.
But when North Korea gets help from other countries to launder the money it is “incredibly worrying”, the official said. (They declined to name a specific country, but the United States in 2020 indicted two Chinese men for allegedly laundering more than $100 million for North Korea.)
Pyongyang’s hackers have also combed the networks of various foreign governments and companies for key technical information that could be useful to the nuclear program, according to a private UN report in February reviewed by CNN.
The impact
A spokesperson for South Korea’s National Intelligence Service told CNN that it has developed a “rapid intelligence sharing” arrangement with allies and private companies to respond to the threat and is looking for new ways to stop stolen cryptocurrency from being smuggled into North Korea.
Recent efforts have focused on North Korea’s use of what are known as mixing services, publicly available tools used to hide the source of cryptocurrency.
On March 15, the Justice Department and European law enforcement agencies announced the shutdown of a mixing service known as ChipMixer, which the North Koreans allegedly used to launder an unspecified amount of the roughly $700 million stolen by hackers in three separate crypto heists — including the $100 million stolen from Harmony, the California-based cryptocurrency firm.
Private investigators use blockchain tracking software—and their own eyes when the software alerts them—to pinpoint the moment when stolen funds leave the hands of the North Koreans and can be seized. But these investigators need trusted relationships with law enforcement and crypto firms to move quickly enough to recover the money.
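As an added illustration (not part of CNN’s reporting and not any tracking firm’s software), the constructed Python sketch below shows the kind of pro-rata taint tracking that passage describes: stolen value is followed through intermediate hops, value that enters a mixer is written off as laundered, and an alert is raised at the moment tainted value lands at a custodial address where an exchange or stablecoin issuer can freeze it. Every address, amount and transfer is made up; the custodial and mixer address sets are assumptions.

```python
from collections import defaultdict

# Constructed sample ledger (not real chain data): (tx_id, sender, receiver, amount).
TRANSFERS = [
    ("t1", "hack_wallet", "hop_a", 60),
    ("t2", "hack_wallet", "hop_b", 40),
    ("t3", "clean_user", "hop_b", 40),          # clean funds commingled at hop_b
    ("t4", "hop_a", "mixer_in", 60),            # into a mixing service: trail lost
    ("t5", "hop_b", "exchange_deposit", 30),    # custodial account: freeze window
    ("t6", "hop_b", "hop_c", 20),
]
CUSTODIAL = {"exchange_deposit"}   # assumed: a custodian can freeze funds here
MIXERS = {"mixer_in"}              # assumed: deposit address of a mixing service


def trace(transfers, origin, stolen, custodial, mixers):
    """Follow stolen value pro rata through a transfer log.

    Each address holds a total balance and a tainted share. A transfer
    carries taint in proportion to the sender's tainted share at that time.
    Returns alerts for tainted value reaching a custodial address, the amount
    that vanished into mixers, and the tainted balance still held per address.
    """
    total = defaultdict(float)
    tainted = defaultdict(float)
    total[origin] = tainted[origin] = float(stolen)
    alerts, entered_mixer = [], 0.0
    for tx_id, src, dst, amount in transfers:
        # Senders never seen before (e.g. clean_user) are treated as untainted.
        share = tainted[src] / total[src] if total[src] > 0 else 0.0
        dirty = amount * share
        tainted[src] -= dirty
        total[src] = max(0.0, total[src] - amount)
        if dst in mixers:
            entered_mixer += dirty          # taint cannot be followed further
            continue
        tainted[dst] += dirty
        total[dst] += amount
        if dst in custodial and dirty > 0:
            alerts.append((tx_id, dst, dirty))   # the seizable moment
    return {"alerts": alerts, "entered_mixer": entered_mixer, "tainted": dict(tainted)}


if __name__ == "__main__":
    result = trace(TRANSFERS, "hack_wallet", 100, CUSTODIAL, MIXERS)
    for tx_id, dst, dirty in result["alerts"]:
        print(f"{tx_id}: {dirty:.1f} tainted units reached custodial address {dst}")
    print(f"{result['entered_mixer']:.1f} tainted units entered a mixer")
```

Because hop_b mixed 40 stolen units with 40 clean ones, only half of each later outflow from it counts as tainted, which is why the exchange alert reports 15 of the 30 units deposited.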
One of the biggest U.S. countermoves to date came in August when the Treasury Department sanctioned a cryptocurrency “mixing service” known as Tornado Cash that allegedly laundered $455 million for North Korean hackers.
Tornado Cash was particularly valuable because it had more liquidity than other services, making it easier for North Korean money to hide among other sources of money. Tornado Cash is now processing fewer transactions after Treasury Department sanctions forced the North Koreans to look to other mixing services.
Suspected North Korean operators sent $24 million in December and January through a new mixing service, Sinbad, according to Chainalysis, but there are no signs yet that Sinbad will be as effective at moving money as Tornado Cash.
The people behind mixing services, such as Tornado Cash developer Roman Semenov, often describe themselves as privacy advocates who argue that their cryptocurrency tools can be used for good or bad like any technology. But that hasn’t stopped law enforcement agencies from cracking down. In August, Dutch police arrested another suspected developer of Tornado Cash, whom they did not name, for alleged money laundering.
Private crypto-tracking firms like Chainalysis are increasingly staffed with former US and European law enforcement agents who use what they’ve learned in the classified world to track Pyongyang’s money laundering.
Elliptic, a London-based firm staffed by former law enforcement agents, claims it helped seize $1.4 million in North Korean money stolen in the Harmony hack. Elliptic analysts tell CNN they were able to follow the money in real time in February when the funds briefly moved to two popular cryptocurrency exchanges, Huobi and Binance. The analysts say they quickly alerted the exchanges, which froze the money.
“It’s kind of like large-scale drug importation,” Tom Robinson, Elliptic’s co-founder, told CNN. “[The North Koreans] are prepared to lose some of it, but a majority of it probably goes through just because of the volume and the speed at which they’re doing it, and they’re pretty sophisticated about it.”
The North Koreans are not only trying to steal from cryptocurrency companies, but also directly from other crypto thieves.
After an unknown hacker stole $200 million from the British firm Euler Finance in March, suspected North Korean operatives tried to set a trap: They sent the hacker a message on the blockchain containing a vulnerability that may have been an attempt to access the funds, according to Elliptic. (The lure didn’t work.)
Nick Carlsen, who was an FBI intelligence analyst focused on North Korea until 2021, estimates that North Korea may only have a few hundred people focused on the task of exploiting cryptocurrency to avoid sanctions.
With an international effort to sanction rogue cryptocurrency exchanges and seize stolen money, Carlsen worries that North Korea may turn to less conspicuous forms of fraud. Instead of stealing half a billion dollars from a cryptocurrency exchange, he suggested, Pyongyang’s operators could set up a Ponzi scheme that attracts much less attention.
Even with reduced profit margins, cryptocurrency theft is still “wildly profitable,” said Carlsen, who now works at fraud-investigating firm TRM Labs. “So, they have no reason to stop.”
The-CNN-Wire
™ & © 2023 Cable News Network, Inc., a Warner Bros. Discovery Company. All rights reserved.
CNN’s Gawon Bae in Seoul and Richard Roth in New York contributed to this report.