Cybercrime , Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime

2 Chinese Nationals Indicted for Laundering Cryptocurrency

Prosecutors: Stolen Virtual Currency Tied to North Korean Hacking Group
2 Chinese Nationals Indicted for Laundering Cryptocurrency

Two Chinese nationals have been indicted by the U.S. Justice Department for allegedly laundering $100 million in cryptocurrency stolen from exchanges by North Korean hackers in 2018, according to a federal indictment unsealed Monday.

See Also: Webinar | Everything You Can Do to Fight Social Engineering and Phishing

The two suspects, Tian Yinyin, and Li Jiadong, are each charged with money laundering conspiracy and operating an unlicensed money transmitting business. In addition, the U.S. Treasury Department Monday issued sanctions against Tian and Li, adding that they have connections to a North Korean-linked hacking group known as Lazarus.

Tian and Li are not in U.S. custody, and it’s unlikely they’ll ever face the charges in the U.S.

Over the last five years, U.S. government officials have linked the Lazarus Group to cyber incidents around world, including the malware attack against Sony Pictures in 2014 and the WannaCry ransomware attacks of 2017. The North Korean-linked group also apparently has been involved in numerous banking thefts, including the 2016 Bangladesh Bank heist, and it has recently begun targeting cryptocurrency exchanges to help illegally fund the government, U.S. authorities say (see: UN Report: N. Korea Targets Cryptocurrency Exchanges, Banks).

In September 2019, the Treasury Department issued sanctions against the Lazarus Group and two subgroups, Bluenoroff and Andariel, for their alleged roles in cyber incidents (see: US Sanctions 3 North Korean Hacking Groups).

"The North Korean regime has continued its widespread campaign of extensive cyberattacks on financial institutions to steal funds," Treasury Secretary Steven T. Mnuchin noted Monday. "The United States will continue to protect the global financial system by holding accountable those who help North Korea engage in cybercrime."

Hacking Exchanges

The charges and sanctions against Tian and Li stem mainly from a large-scale attack that targeted an unnamed cryptocurrency exchange in 2018, U.S. officials say. The Lazarus Group allegedly targeted this exchange with malware hidden within a phishing email, according to the Treasury Department.

When an employee of the exchange opened the phishing email, the malware downloaded and gave the North Korean hackers access to the company's network, according to the Treasury Department. This allowed the hackers to map the network and then allegedly steal the private keys to access the virtual wallets stored in the exchange's servers, U.S. officials say.

The Lazarus Group hackers allegedly stole approximately $250 million in cryptocurrency from the exchange in 2018, according to the Treasury Department. This represented about half of all virtual currency thefts tied to North Korea hacking groups in 2018.

Tian and Li, working with the North Korean hackers, allegedly laundered about $100 million worth of virtual currency from the 2018 theft as well as other hacking incidents, the Justice Department says. Of that total, about $91 million in virtual currency came from the 2018 cryptocurrency exchange attack, and another $9 million came from a second attack that targeted another exchange, according to the Treasury Department.

"The defendants operated through independent as well as linked accounts and provided virtual currency transmission services for a fee for customers," the Justice Department states. "The defendants conducted business in the United States but at no time registered with the Financial Crimes Enforcement Network (FinCEN)."

Virtual Money Laundering

The Justice Department alleges that Tian and Li, along with some of the North Korean hackers, used over 100 virtual currency accounts to help launder the money. Tian and Li also deployed false IDs, documents and photographs to help conceal their identities as well as their alleged money laundering schemes, according to the federal prosecutors.

(Source: U.S. Treasury Department)

Using a series of bank accounts, automated withdrawals and by circumventing multiple virtual currency exchanges' know-your-customer controls, Tian and Li were able to convert about $34 million in the virtual currency into Chinse yuan, which was then delivered back to the North Korean hackers, according to the Treasury Department. "Tian also transferred nearly $1.4 million dollars' worth of bitcoin into prepaid Apple iTunes gift cards, which at certain exchanges can be used for the purchase of additional bitcoin," Treasury officials say.


As a result of the sanctions imposed, Tian and Li have been blocked from accessing any property within the United States, and U.S. citizens are banned from doing any type of business with the two Chinese nationals.

In addition, any U.S. person or company conducting business with Tian and Li must be reported to the Treasury Department's Office of Foreign Assets Control.

Monday's announcement is the second time within the last month that the Justice Department has called out Chinese nationals involved in hacking activities. In February, U.S. Attorney General William Barr announced an indictment charging three members of China's People's Liberation Army with allegedly carrying out the attack against Equifax in 2017, which resulted in the theft of data related to 145 million American citizens (see: 4 in Chinese Army Charged With Breaching Equifax).

Managing Editor Scott Ferguson contributed to this report.

About the Author

Apurva Venkat

Apurva Venkat

Special Correspondent

Venkat is special correspondent for Information Security Media Group's global news desk. She has previously worked at companies such as IDG and Business Standard where she reported on developments in technology, businesses, startups, fintech, e-commerce, cybersecurity, civic news and education.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.