NORTH KOREA

By Andrés Ochoa

16:58 ET (20:58 GMT) August 26, 2023

(ANFELIA_INVESTMENTV) -- A team of South Korean spies and American private investigators met quietly at South Korea's intelligence service in January, just days after North Korea fired three ballistic missiles into the sea.

For months, they had been tracking US$100 million stolen from a Californian cryptocurrency company called Harmony, waiting for North Korean hackers to transfer the stolen cryptocurrencies to accounts that could be converted into dollars or Chinese yuan, hard currency that could finance the country's illegal missile program.

When the time came, the spies and detectives - working in a government office in Pangyo, a city known as South Korea's Silicon Valley - had only minutes to help seize the money before it could be laundered through a series of accounts and become untouchable.

Finally, in late January, the hackers moved a fraction of their loot to a cryptocurrency account pegged to the dollar, temporarily ceding their control. Spies and investigators pounced on the transaction and brought it to the attention of US security forces, who were about to freeze the money.

Pangyo's team helped confiscate just over a million dollars that day. Although analysts tell CNN that most of the stolen $100 million remains out of reach in cryptocurrency and other North Korean-controlled assets, it was the kind of seizure the United States and its allies will need to prevent Pyongyang from making big profits.

The sting operation, described to CNN by private investigators at Chainalysis, a New York-based blockchain tracking company, and confirmed by South Korea's National Intelligence Service, offers a rare window into the murky world of cryptocurrency espionage and the burgeoning effort to shut down what has become a multibillion-dollar business for North Korea's authoritarian regime.

In recent years, North Korean hackers have stolen billions of dollars from banks and cryptocurrency companies, according to reports from the United Nations (UN) and private companies. As researchers and regulators have realized, the North Korean regime has been testing increasingly elaborate ways to launder that stolen digital money and convert it into hard currency, US officials and private experts tell CNN.

Cutting off the flow of cryptocurrencies from North Korea has quickly become a national security imperative for the United States and South Korea. The regime's ability to use stolen digital money - or remittances from North Korean IT workers abroad - to fund its weapons programs is part of the usual suite of intelligence products presented to senior US officials, including, on occasion, President Joe Biden, according to a senior US official.

Kim Jong Un and his daughter attend a military parade to celebrate the anniversary of the founding of the North Korean army, in which the regime's latest weapons were displayed. (Credit: Rodong Sinmun)

The North Koreans "need money, so they are going to continue to be creative," the official told CNN. "I don't think they will stop looking for illicit ways to obtain funds because this is an authoritarian regime subject to strong sanctions."

North Korea's cryptocurrency hacking was one of the main topics at an April 7 meeting in Seoul, where U.S., Japanese and South Korean diplomats issued a joint statement lamenting that the Kim Jong Un regime continues "to pour his scarce resources into his WMD (weapons of mass destruction) and ballistic missile programs."

"We are also deeply concerned about how North Korea supports these programs by stealing and laundering funds, as well as collecting information through malicious cyber activities," the trilateral statement said, using the acronym DPRK for the North Korean government.

North Korea previously denied similar allegations. CNN emailed and called the North Korean embassy in London seeking comment.

"North Korea Inc" goes virtual

Since the late 2000s, U.S. officials and their allies have scoured international waters for signs that North Korea is evading sanctions by trafficking weapons, coal or other valuable cargo, a practice that continues. Now, hackers and money launderers from Pyongyang, on the one hand, and intelligence agencies and law enforcement from Washington to Seoul, on the other, offer a very modern spin on this contest.

The FBI and Secret Service have led that effort in the United States (both agencies declined to comment when asked by CNN how they track North Korean money laundering). The FBI said in January that it froze an unspecified portion of the $100 million stolen from Harmony.

The succession of members of the Kim family that has ruled North Korea for the past 70 years has used all state-owned companies to enrich the family and ensure the survival of the regime, according to experts.

It's a family business that academic John Park calls "North Korea Inc."

Kim Jong Un, North Korea's current dictator, "doubled down on cyber capabilities and cryptocurrency theft as a revenue generator for his family regime," said Park, who directs the Korea Project at the Harvard Kennedy School's Belfer Center. "North Korea Inc went virtual."

Compared to the coal trade that North Korea has relied on for revenue in the past, cryptocurrency theft is much less labor and capital intensive, Park said. And the benefits are astronomical.

Last year, a record $3.8 billion in stolen cryptocurrencies was reported worldwide, according to Chainalysis. Nearly half of that amount, $1.7 billion, was the work of hackers linked to North Korea, the company said.

The joint analysis room of the National Cybersecurity Cooperation Center of the National Intelligence Service of South Korea. (Credit: National Intelligence Service of South Korea)

It is unknown how much of the billions in stolen cryptocurrency North Korea has been able to convert into cash. In an interview, a U.S. Treasury Department official focused on North Korea declined to give an estimate. The public record of blockchain transactions helps US officials track the efforts of suspected North Korean operatives to move cryptocurrency, the Treasury official said.

But when North Korea receives help from other countries to launder that money it is "incredibly worrying," the official said. (They declined to name a particular country, but the United States in 2020 charged two Chinese men for allegedly laundering more than $100 million for North Korea.)

Pyongyang hackers have also raided the networks of several foreign governments and companies in search of key technical information that could be useful for its nuclear program, according to a private February UN report reviewed by CNN.

Strong measures

A spokesperson for South Korea's National Intelligence Service told CNN that the agency has developed a "rapid intelligence sharing" system with allies and private companies to respond to the threat, and is looking for new ways to prevent the smuggling of stolen cryptocurrency to North Korea.

Recent efforts have focused on North Korea's use of what are known as mixing services, publicly available tools used to conceal the origin of cryptocurrencies.

On March 15, the Justice Department and European law enforcement announced the closure of a mixing service known as ChipMixer, which the North Koreans allegedly used to launder an unspecified amount of the approximately $700 million stolen by hackers in three different cryptocurrency thefts, including the theft of $100 million from Harmony, the California cryptocurrency company.

Private investigators use blockchain tracking software – and their own eyes when the software alerts them – to determine precisely when stolen funds leave the hands of the North Koreans and can be seized. But those investigators need trusted relationships with law enforcement and cryptocurrency companies to act quickly enough to recover funds.

One of the biggest U.S. counterattacks to date came in August, when the Treasury Department sanctioned a cryptocurrency "mixing" service known as Tornado Cash, which allegedly laundered $455 million for North Korean hackers.

Tornado Cash was especially valuable because it was more liquid than other services, allowing North Korean money to be hidden more easily among other sources of funds. Tornado Cash now processes fewer transactions after Treasury sanctions forced North Koreans to seek other mixing services.

According to Chainalysis, suspected North Korean operatives sent $24 million in December and January through a new mixing service, Sinbad, but there is no indication yet that Sinbad is as effective at moving money as Tornado Cash.

The people behind mixing services, like Roman Semenov, developer of Tornado Cash, often describe themselves as privacy advocates who argue that their cryptocurrency tools can be used for good or evil, like any technology. But that hasn't stopped security forces from cracking down. In August, Dutch police arrested another alleged creator of Tornado Cash, whose name was not released, for alleged money laundering.

Private cryptocurrency tracking companies like Chainalysis increasingly rely on former American and European law enforcement officials who apply what they learn in the secret world to track Pyongyang money laundering.

Elliptic, a London-based company that employs former law enforcement officers, says it helped seize $1.4 million in North Korean money stolen in the Harmony hack. Elliptic analysts tell CNN they were able to follow the money in real time in February when it briefly moved to two popular cryptocurrency exchanges, Huobi and Binance. Analysts say they quickly notified the markets, which froze the money.

"It's a bit like large-scale drug imports," Tom Robinson, co-founder of Elliptic, told CNN. "The North Koreans are willing to lose some of the money, but most of it is probably lost because of the volume and speed at which they do it, and they are quite sophisticated."

The North Koreans are not only trying to steal from cryptocurrency companies, but also directly from other cryptocurrency thieves.

After an unknown hacker stole $200 million from British company Euler Finance in March, suspected North Korean operatives attempted to set a trap: They sent the hacker a message on the blockchain laced with a vulnerability that could have been an attempt to access the funds, according to Elliptic. (The ruse didn't work.)

Nick Carlsen, who was an FBI intelligence analyst focused on North Korea until 2021, estimates that the country may have only a couple hundred people focused on the task of exploiting cryptocurrency to evade sanctions.

With an international effort to sanction dishonest cryptocurrency exchanges and seize stolen money, Carlsen worries that North Korea may resort to less conspicuous forms of fraud. Instead of stealing $500 million from a cryptocurrency exchange, he suggested, Pyongyang's agents could set up a Ponzi scheme that would attract much less attention.

However, even with slim profit margins, cryptocurrency theft is still "tremendously profitable," said Carlsen, who now works at fraud investigation firm TRM Labs. "So they have no reason to stop."
