
US charges two Chinese nationals for laundering cryptocurrency for North Korean hackers

UPDATE: The Department of Justice has also indicted the two Chinese nationals on money laundering-related charges.
Written by Catalin Cimpanu, Contributor

The US Treasury Department and the Department of Justice have today imposed sanctions on and indicted two Chinese nationals on accusations of helping North Korean hackers launder cryptocurrency stolen during hacks of two cryptocurrency exchanges. The Department of Justice followed suit with

According to US officials, Tian Yinyin (田寅寅) and Li Jiadong (李家东) acted as intermediaries and money mules for Lazarus Group, a codename used by the cyber-security industry to describe hackers working on behalf of the North Korean government.

The Lazarus Group is one of the three North Korean hacking units that the US accused last year of helping the Pyongyang regime raise funds for its weapons and missile programs.

The Treasury and DOJ claimed the hackers were helping North Korea skirt international sanctions by raising money through cyber-thefts, such as the use of ransomware and hacks of banks, ATM networks, gambling sites, online casinos, and cryptocurrency exchanges.

Money stolen from these cyber-intrusions made its way back into North Korea with the help of cryptocurrency, money mules, and Chinese banks.

Tian and Li laundered funds from two Lazarus hacks

In press releases published earlier today, the US Treasury and DOJ said that Tian and Li were an important cog in this elaborate scheme.

The two would receive stolen funds and then work to launder the money either by converting it into Chinese fiat currency (yuan) or into Apple gift cards that could be used without being linked back to the stolen cryptocurrency.

According to the Treasury and DOJ, Tian and Li received funds from DPRK-controlled accounts on two separate occasions.

The largest sum of money they received was a batch of $91 million that was stolen in an April 2018 hack of an unnamed cryptocurrency exchange. They also received $9.5 million stolen from a second exchange.

US officials said Tian and Li helped convert more than $34 million of the $91 million they received back into Chinese yuan, which they deposited into a Chinese bank account.

They also converted $1.4 million worth of Bitcoin into Apple gift cards.

[Image: exchange hack flow of funds. Source: US Treasury]

Neither the DOJ nor the Treasury named either of the two hacked exchanges, but they said the first exchange (involved in the April 2018 hack) lost $250 million in the attack, making it one of the biggest cryptocurrency hacks of all time.

Hints in the US Treasury press release suggest the April 2018 hack is the same one described in a Kaspersky report published in August 2018. The report also mentioned a mysterious hack of a major cryptocurrency exchange that took place earlier in the year and involved the use of novel Mac malware named AppleJeus.

A warning shot

"As a result of today's action, all property and interests in property of these individuals that are in the United States or in the possession or control of U.S. persons must be blocked and reported to OFAC [Office of Foreign Assets Control]," the Treasury said.

The sanctions do not apply to Chinese banks, and it is very likely that North Korean hackers will continue to launder money via this route undisturbed.

However, today's Treasury press release might well serve as a warning shot fired by US authorities against the Chinese banking sector.

The Treasury imposed similar sanctions on a small Macao-based bank in 2005 for helping North Korea avoid international sanctions. While the bank was a minor player, the Treasury designation led many larger Chinese banks to cut ties with the Pyongyang regime.

The video below holds more background information on the events preceding and following the Banco Delta Asia designation as a money-laundering entity back in 2005.
