The theft itself is not the hard part for Pyongyang's hackers. The harder question is how to turn it into real money afterwards.
For many years, North Korea's Kim dynasty raised money through illegal schemes such as drug trafficking and currency counterfeiting. Over the past decade, Pyongyang has increasingly turned to cybercrime, using an army of hackers to rob banks and cryptocurrency exchanges of billions of dollars. In 2018, for example, a single attack netted $250 million in one go. According to the UN, the regime receives significant sums this way, which it spends on developing the nuclear weapons it sees as the guarantee of its long-term survival.
However, there is a big difference between hacking a cryptocurrency exchange and getting your hands on real money. The cryptocurrency has to be moved, laundered so that nobody can trace it, and exchanged for dollars, euros or yuan, which can then buy weapons, luxury goods and basic necessities.
“I would say money laundering is more challenging than hacking,” says Christopher Janczewski, a lead Internal Revenue Service agent who specializes in cryptocurrency cases.
Janczewski is currently seeing increased activity in this area. He has led investigations into the recent hack involving verified Twitter accounts, as well as into the largest child pornography site on the darknet. He recently became the lead investigator in the tracing and seizure of $250 million in cryptocurrency stolen in an unprecedented string of hacks allegedly carried out by a North Korean hacker team known as the "Lazarus Group."
And, he says, Lazarus's tactics are constantly improving.
Laundering dirty money clean
Having hacked its target and gained control of the funds, Lazarus tries to cover its tracks to shake off investigators. The cryptocurrency is typically moved between wallets and swapped for other currencies, for example from Ether to Bitcoin.
However, the playbook of North Korea's hackers has evolved over the years. One newer tactic, the peel chain, quickly and automatically moves money from one bitcoin wallet to many other addresses, through hundreds or thousands of transactions. This obscures the source of the money and makes it less likely that an alarm is triggered. Another approach, chain hopping, moves the money across different cryptocurrencies and blockchains, steering it away from bitcoin, where every transaction is recorded in a ledger anyone can read, and into other, more private cryptocurrencies. The idea is to let the trail go cold and throw investigators off track.
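The peel-chain pattern described above is also what a tracing analyst looks for: a run of transactions, each with a single input and two outputs, where a small amount is "peeled" off to a fresh address and the bulk rolls forward to a new change address. The following is an added illustration written for this page, not code from the article or from Chainalysis; the ledger is constructed, and the rule that the larger output must keep at least 90% of the value for a hop to count as a peel is an assumed heuristic, not a published one.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Tx:
    """One transaction: which addresses it spends from and what it pays out."""
    txid: str
    inputs: List[str]                  # addresses whose coins are spent
    outputs: List[Tuple[str, float]]   # (address, amount in BTC)


def build_sample_ledger() -> List[Tx]:
    """Constructed ledger (not real chain data). 1000 BTC of stolen funds land on
    'seed', then 5 BTC is peeled off six times, each time sending the remainder
    to a fresh change address. A final three-way split ends the pattern."""
    txs = [Tx("tx0", ["exchange_hot_wallet"], [("seed", 1000.0)])]
    prev_addr, remaining = "seed", 1000.0
    for i in range(1, 7):
        remaining -= 5.0
        change = f"change{i}"
        txs.append(Tx(f"tx{i}", [prev_addr], [(f"peel{i}", 5.0), (change, remaining)]))
        prev_addr = change
    txs.append(Tx("tx7", [prev_addr], [("a", 300.0), ("b", 300.0), ("c", remaining - 600.0)]))
    return txs


def index_spends(txs: List[Tx]) -> Dict[str, List[Tx]]:
    """Map each address to the transactions that spend from it."""
    spends: Dict[str, List[Tx]] = {}
    for tx in txs:
        for addr in tx.inputs:
            spends.setdefault(addr, []).append(tx)
    return spends


def follow_peel_chain(txs: List[Tx], start: str, min_share: float = 0.9):
    """Walk forward from `start` as long as each hop looks like a peel:
    one input, exactly two outputs, and the larger output keeps at least
    `min_share` of the value (assumed heuristic, not a published rule).
    Returns (chain of txids, peeled outputs, address where the walk stopped)."""
    spends = index_spends(txs)
    chain: List[str] = []
    peeled: List[Tuple[str, float]] = []
    addr = start
    while True:
        candidates = spends.get(addr, [])
        if len(candidates) != 1:
            break                      # unspent, or split across several txs
        tx = candidates[0]
        if len(tx.inputs) != 1 or len(tx.outputs) != 2:
            break                      # consolidation or fan-out, not a peel
        (a1, v1), (a2, v2) = tx.outputs
        big, small = ((a1, v1), (a2, v2)) if v1 >= v2 else ((a2, v2), (a1, v1))
        if big[1] / (v1 + v2) < min_share:
            break                      # roughly even split: treat as a normal payment
        chain.append(tx.txid)
        peeled.append(small)
        addr = big[0]                  # keep following the change output
    return chain, peeled, addr


def peel_chain_report(txs: List[Tx], start: str, min_hops: int = 3) -> dict:
    """Summarise a walk so an analyst can decide whether to flag the start address."""
    chain, peeled, end = follow_peel_chain(txs, start)
    return {
        "hops": len(chain),
        "peeled_total": round(sum(v for _, v in peeled), 8),
        "peeled_addresses": [a for a, _ in peeled],
        "end_address": end,
        "flagged": len(chain) >= min_hops,
    }


if __name__ == "__main__":
    print(peel_chain_report(build_sample_ledger(), "seed"))
```

On the constructed ledger the walk from `seed` covers six hops, collects 30 BTC of peeled outputs and stops at `change6`, where the three-way split no longer matches the pattern. The peeled addresses are the ones an investigator would then watch for deposits at exchanges or over-the-counter traders, since each is a small, fresh-looking amount that was nonetheless cut from the same stolen balance.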
Lazarus, according to Janczewski, launders money by creating and maintaining hundreds of fake accounts and identities. This degree of sophistication and effort underscores how important the operation is to Pyongyang. Exact figures are very hard to come by, but experts estimate that 15% of North Korea's income comes from illegal activities, a significant part of it tied to cyberattacks.
A quiet arms race
Stealing cryptocurrency is not a perfect crime. Police and regulators once had little idea of what was going on, but today they have years of investigations in this area behind them. In addition, exchanges, which are under pressure from governments and want to legitimize their business, are increasingly cooperating with the authorities. Investigators are no longer lagging behind and are taking proactive measures. As a result, many exchanges have introduced rules and controls that simply did not exist before. Blockchain tracing tools can do a great deal, there are more of them every year, and cryptocurrencies are no longer as anonymous as is commonly believed. It turns out that the state has plenty of reach even in this cyberpunk world.
No matter how many layers or hops the stolen cryptocurrency travels through, the attempt inevitably runs into an immutable fact: anyone trying to exchange large amounts of cryptocurrency for US dollars will almost certainly have to convert it back into bitcoin. No other cryptocurrency is accepted so widely or exchanged so easily. Although new currencies and privacy technologies have been emerging for years, bitcoin and its public transaction ledger remain “the backbone of the cryptocurrency economy,” says Janczewski.
This means the currency's final destination will often be an individual trader, usually somewhere in China, who can turn cryptocurrency into cash, sometimes without a trace. Such traders often ignore legal requirements such as verifying the identity of their clients; it is precisely those requirements that make cashing out stolen billions at large exchanges dangerous.
“Previously, we only saw bitcoin transactions from the moment they were stolen to when they were transferred to traders. That process let Lazarus get rid of bitcoins. It was relatively simple,” says Jonathan Levin, founder of the cryptocurrency investigation company Chainalysis. “Today, many more currencies are involved in this process. They manage to send money through little-known currencies, but in the end it still comes down to the same thing: converting back to bitcoin and moving it through the traders' market.”
This is how Lazarus prefers to cash out millions of dollars in Bitcoin.
The volume of business is huge: the top 100 money-laundering traders receive hundreds of millions of dollars a month in bitcoin, roughly 1% of all transactions in the cryptocurrency.
Chainalysis says illegal transactions do not make up the majority of bitcoin activity, but their share remains significant and continues to grow. For example, the ransomware market that cryptocurrency made possible has grown to billions of dollars, and darknet markets turned over more than $600 million in 2019.
“The complexity of transactions has grown compared to the past,” says Levin. “Some of the transactions are going well, but as the US takes more action and exchanges respond to requests to freeze and confiscate funds, these technologies are no longer so effective.”