North Korean hackers steal billions in cryptocurrency. How do they turn it into real cash?
But the North Korean playbook has evolved in the last few years. One tactic, known as a “peel chain,” moves money in rapid and automated transactions from one Bitcoin wallet to new addresses through hundreds or thousands of transactions in a way that both hides the source of the money and lessens the risk of setting off red flags. Another approach, called “chain hopping,” moves the money through different cryptocurrencies and blockchains to get it away from Bitcoin—where every transaction is posted to a public ledger—and into other, more private currencies. The idea is to make the trail go cold or, better yet, raise false alarms for investigators.
The Lazarus laundering operation, says Janczewski, involves creating and maintaining hundreds of false accounts and identities, a consistent level of sophistication and effort that underlines just how important the operation is for Pyongyang. It’s extremely difficult to name a precise amount, but experts have estimated that North Korea relies on criminal activity for up to 15% of its income, with a significant portion of that driven by cyberattacks.
A quiet arms race
Stealing cryptocurrency is far from the perfect crime, however. Police and regulators were once almost clueless, but they now have years of cryptocurrency investigation experience under their belts. In addition, they are gaining increasing levels of cooperation from exchanges, which face government pressure and want greater legitimacy. Investigators have moved from being perpetually on the back foot to being more proactive, with the result that many exchanges have responded with new rules and controls that simply did not exist before. Blockchain surveillance tools are powerful and increasingly widespread, proving that cryptocurrency is not as anonymous as popular myth might have it. It turns out the state still has plenty of power even in this cypherpunk world.
No matter how many peels and hops a hacker might throw the stolen cryptocurrency through, the effort usually comes up against an undeniable fact: if you’re trying to exchange a huge amount of cryptocurrency for US dollars, you’ll almost inevitably have to bring it all back to Bitcoin. No other cryptocurrency is so widely accepted or so easily converted to cash. Though new coins and privacy technologies have been emerging for years, Bitcoin and its public ledger remain “the backbone of the cryptocurrency economy,” says Janczewski.
That means the ultimate destination of the coin is often an over-the-counter trader—a bespoke operation in a country like China that can turn coin into cash, sometimes with no strings attached. These traders often ignore legal requirements, like the know-your-customer laws that make many bigger cryptocurrency exchanges risky places to launder stolen billions.
“What we used to see was just Bitcoin transactions between a theft and the movement toward over-the-counter traders that enable Lazarus to get out of Bitcoin. That’s relatively straightforward,” says Jonathan Levin, the founder of the cryptocurrency investigation firm Chainalysis. “Now there are a lot more currencies involved. They are able to move through obscure currencies, but eventually they end in the same spot, which is moving it back to Bitcoin and through the over-the-counter market.”
Over-the-counter operations are the preferred way for Lazarus to move millions in Bitcoin into cash.
And the business is enormous: the top 100 over-the-counter traders engaging in money laundering receive hundreds of millions of dollars in Bitcoin every month, accounting for around 1% of all Bitcoin activity.
Bitcoin-fueled illegal activity does not account for most use of blockchains, but it does remain significant and continues to grow, according to Chainalysis. Ransomware, for example, is a billion-dollar business made possible by cryptocurrency, while anonymous darknet markets moved over $600 million in Bitcoin in 2019.
“There is a sophistication higher than we’ve seen in the past,” Levin says. “Some of that has been successful, but with the US increasingly taking action and exchanges responding to requests to freeze funds and seize assets, these techniques may not be that effective moving forward.”