Anti-Money Laundering (AML) , Blockchain & Cryptocurrency , Cybercrime

DOJ Seeks to Recover Stolen Cryptocurrency

Justice Department: North Korean Hackers Laundered Millions Through Chinese Traders
DOJ Seeks to Recover Stolen Cryptocurrency

The U.S. Justice Department has filed a civil forfeiture complaint in an effort to recover millions in cryptocurrency from 280 accounts that allegedly was stolen by North Korean hackers. Prosecutors believe much of the money was laundered through Chinese exchanges.

Prosecutors claim that hackers working on behalf of the North Korean government stole cryptocurrency from two exchanges in 2019 and then laundered the funds through several Chinese over-the-counter exchanges.

See Also: OnDemand | Understanding Human Behavior: Tackling Retail's ATO & Fraud Prevention Challenge

The cryptocurrency stolen from the two exchanges was later traded for other types of virtual currency, such as bitcoin and tether, to launder the funds and obscure its transaction path, the Justice Department says.

The civil lawsuit relates to a criminal case that the Justice Department brought against two Chinese nationals for their alleged role in laundering $100 million in cryptocurrency stolen from exchanges by North Korean hackers in 2018. The two suspects, Tian Yinyin, and Li Jiadong, are each charged with money laundering conspiracy and operating an unlicensed money transmitting business. The two also face sanctions from the U.S. Treasury Department (see: 2 Chinese Nationals Indicted for Laundering Cryptocurrency).

U.S. law enforcement officials and intelligence agencies, including the Cybersecurity and Infrastructure Security Agency, believe these types of crypto heists are carried out by the Lazarus Group, a hacking group collective also known as Hidden Cobra. Earlier this week, CISA, the FBI and the U.S. Cyber Command warned of an uptick in bank heists and cryptocurrency thefts since February by a subgroup of the Lazarus Group called BeagleBoyz (see: US Agencies Warn of Uptick in North Korean Bank Heists).

Exchange Hacking

In the first incident that the Justice Department describes in its complaint, hackers allegedly working on behalf of North Korea targeted an unnamed virtual currency exchange in July 2019.

During this incident, the hackers took about $272,000 worth of cryptocurrency as well as Proton tokens, PlayGame tokens and IHT Real Estate Protocol tokens. Over the next several months, the cryptocurrency was exchanged for other virtual currencies through a process called "chain hopping," which helps launder and obfuscate the origins of the funds, according to the Justice Department.

In the second case, hackers attacked a cryptocurrency exchange based in the U.S. and stole several virtual wallets as well as crypto funds held by the firm and its business partners. Altogether, about $2.5 million was stolen and then laundered through about 100 accounts, prosecutors say.

In many cases, the cryptocurrency was laundered and exchanged through Chinese exchanges because they do not collect “know your customer” data and do not ask questions about the source of the funds, according to the complaint.

"Many owners of illicit funds seek out these [over-the-counter] traders because they are otherwise unable to obtain accounts at law-abiding virtual currency exchanges or risk having their funds frozen," the complaint states.

Once the cryptocurrency is exchanged, it’s transferred to accounts controlled by the North Korean hackers, according to the Justice Department. Federal prosecutors used blockchain-tracing software to reconstruct the transaction path of the stolen virtual currency.

"Despite the highly sophisticated laundering techniques used, IRS-CI's Cybercrimes Unit was able to successfully trace stolen funds directly back to North Korean actors," said Don Fort, chief of IRS Criminal Investigation, or IRS-CI.

Other Legal Actions

Over the last year, a number of U.S. agencies have taken legal action against North Korean threat groups.

In September 2019, for example, the Treasury Department announced sanctions against three alleged North Korean state-sponsored hacking groups that have been blamed for the WannaCry ransomware outbreak, online bank heists and the destructive malware attack against Sony Pictures Entertainment (see: US Sanctions 3 North Korean Hacking Groups).

A 2019 United Nation's report estimated the Lazarus Group had stolen about $571 million in cryptocurrency between 2017 and 2018 by targeting five exchanges in Asia (see: UN Report: N. Korea Targets Cryptocurrency Exchanges, Banks).


About the Author

Prajeet Nair

Prajeet Nair

Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.