By The Washington Post · Spencer S. Hsu, Ellen Nakashima · NATIONAL, WORLD, COURTSLAW, ASIA-PACIFIC
The new indictment, accompanied by sanctions and a civil forfeiture complaint seizing 113 cryptocurrency accounts filed in federal court in Washington, marks the first and largest enforcement action of its kind by the United States to deter North Korea's cryptocurrency financing.
"The hacking of virtual currency exchanges and related money laundering for the benefit of North Korean actors poses a grave threat to the security and integrity of the global financial system," said Timothy Shea, U.S. attorney for Washington.
The charges come after a U.N. sanctions monitoring panel reported last summer that North Korea has raised up to $2 billion for its weapons development program through cyberattacks, including "increasingly sophisticated" raids against financial institutions and cryptocurrency exchanges to steal, launder and generate funds.
Large-scale attacks by North Korea on cryptocurrency exchanges that deal in virtual money such as bitcoin and Ethereum and rely on blockchain technology "generate income in ways that are harder to trace and subject to less government oversight and regulation than the traditional banking sector," the U.N. expert panel reported in August.
"The United States will continue to protect the global financial system by holding accountable those who help North Korea engage in cybercrime," Treasury Secretary Steven Mnuchin said.
The charges and enforcement actions Monday are linked to an estimated $250 million in stolen funds. About $68 million of the funds laundered by the two defendants flowed to nine named Chinese banks, the government said. The case underscores the role played by China's banking system that has agitated relations between Beijing and Washington, people familiar with the case said.
The U.S. Treasury Department's Office of Foreign Assets Control alleged that Tian Yinyin and Li Jiadong provided material support for "a malicious, cyber-enabled activity" and assisted an attack by Lazarus Group, a North Korean government cyber group that has carried out the bulk of North Korea's malicious hacks against U.S. and foreign banks, corporations and other targets.
The Trump administration in September sanctioned the group, whose accused exploits include an attempted ransomware attack on hundreds of thousands of WannaCry users in 2017, and the 2014 hack of Sony Pictures after it backed a satirical movie depicting the assassination of North Korean leader Kim Jong Un.
The Treasury Department at that time sanctioned the Lazarus Group and two subgroups dubbed Bluenoroff and Andariel, saying all three are controlled by North Korea's primary intelligence agency, the Reconnaissance General Bureau.
North Korea has resorted to hacks against financial institutions to obtain income in the face of global sanctions imposed over its nuclear program that have starved its access to foreign currency and the world banking system, experts say.
The U.S. indictment, handed up Thursday and unsealed Monday, comes amid a renewed rise in tensions over North Korea's missile threat. North Korea on Monday launched two short-range projectiles off its east coast in its first weapons test in three months. The test came a year after Kim's failed summit meeting with President Donald Trump and amid allegations that nuclear talks have broken down.
Pyongyang has pledged never to give up its nuclear weapons, which the United States and its allies say must be the goal of any negotiations. North Korea has separately denied allegations of orchestrating cyberattacks and cyberheists.
The U.S. actions will be seen by North Korea as part of the administration's "hostile policy," said Jung Pak, a senior fellow at the Brookings Institution and a former CIA analyst. "It highlights that the two countries are on parallel tracks. . . . They're going to lob missiles. We're going to do what we're doing, which is designate, investigate," Pak said.
The U.S. charges appear to bolster the U.N. panel's accusations on Pyongyang's "deceptive practices" and exploitation of weak enforcement by cryptocurrency exchanges and foreign banks.
U.S. criminal filings allege that Tian and Li received funds from North Korean co-conspirators who had attacked four cryptocurrency exchanges since 2017. Court documents do not name the exchanges, but the details link them to publicly reported hacks that the U.N. panel tied to North Korea's revenue generation efforts. They include a December 2017 hack on Youbit that took 17% of its assets and sent it into bankruptcy, a $49 million hack on Upbit in November 2019, and $30 million stolen in June 2018 from Bithumb — all three of South Korea.
Much of the laundered money came from a nearly $250 million, previously undisclosed hack in 2018 of another Asian exchange, court documents said. The intrusion came after an employee unwittingly downloaded malware while communicating with a potential client, the documents said.
U.S. court documents allege that Tian and Li sent roughly 2,500 deposits with $67.3 million in stolen funds to nine Chinese banks: China Guangfa Bank, Agricultural Bank of China, China Everbright Bank, China CITIC Bank, China Minsheng Bank, Huaxia Bank, Industrial Bank, Pingan Bank and Shanghai Pudong Development Bank.
Tian and Li are not in U.S. custody and are assumed by U.S. authorities to be in China.
U.S. court filings did not accuse the banks of any wrongdoing. Regulators said banks are typically required under "know your customer" regulations to question clients and identify the source of such large deposits, and to report suspicious transactions, several people familiar with the process said.
Commercial blockchain analysis firms helped U.S. investigators trace hacked funds, knowing that although cryptocurrencies are known to attract criminals seeking anonymity, all transactions to individual accounts are recorded in public ledgers that can be amassed into large data sets.
One such firm, Chainalysis, profiled Lazarus in a January report on the state of crypto-crime that said the North Korean-linked entity had conducted one of the "most elaborate phishing schemes" the industry has ever seen.
Monday's actions are likely to be "just the first" of U.S. government actions to follow the money from its Lazarus revelations, Chainalysis spokeswoman Maddie Kennedy said. The firm estimated that seized cryptocurrency accounts still hold about $15 million, and it is advising clients of any exposure to accounts named by the U.S. government.
"A not insubstantial part of North Korea's gross domestic product is based on stealing cryptocurrency funds," Kennedy said. U.S. authorities are "showing that . . . anyone who helps facilitate those who are stealing illicit funds are going to be held responsible."
The investigation was a massive and complex undertaking. After identifying accounts that received tens of thousands of related transactions, U.S. investigators followed up with requests for associated customer financial account and communications records under domestic and foreign legal authorities from more than 100 private entities.
"These are not the only two individuals we're aware of that are involved in this type of activities," IRS Criminal Investigation Special Agent Christopher Janczewski said.
The case was cracked when unidentified North Korean co-conspirators made a key error covering their tracks, according to court documents.
Court filings said attackers layered — or "peeled" — transfers through more than 5,000 transactions, including by using one-time use cryptocurrency wallets, through multiple countries before converting proceeds to government-backed currencies.
But they failed to "peel" one bulk transfer worth about $1.6 million, which investigators traced to a North Korean-linked source, the charges said. Separately investigators traced North Korean co-conspirators logging in from Pyongyang and using North Korean cellphone infrastructure, according to court documents.
The same North Korean co-conspirators involved, the U.S. alleged, were also engaged at that time in a massive phishing campaign posing as advertisers for a Los Angeles firm or prospective clients or developers for cryptocurrency exchanges. The co-conspirators, court documents said, had a fake Twitter and LinkedIn page created with the name "Waliy Darwish" and Celas LLC, which produced a malicious software code that gave direct access to the downloader's system.
Celas shared a server and IP address with known malware named Fallchill that the FBI and Homeland Security Department have associated with the government of North Korea, and the Celas application used a language code associated with North Korea, court documents said.
The phishing campaign targeted thousands of work and personal email accounts at exchanges around the world, including of prominent executives in the industry, court documents said.
Ken Gause, a North Korean expert and director of the adversary analytics program at C.N.A., a think tank, cautioned against assuming that all hacked funds go to North Korea's nuclear program saying the Kim family, a wider elite, and civilian economy all likely benefit.
Gause warned that enforcement actions may not disrupt evolving attacks, which he called "an unending game of whack-a-mole."