How North Korea Launders Billions in Stolen Crypto

The Hermit Kingdom, which intelligence agencies say was behind the $1.5 billion Bybit hack, faces “offramping” challenges due to the size of its hauls.

Mar 8, 2025 - 16:31

How does North Korea launder its crypto loot?

Each time the Hermit Kingdom successfully hacks a company or protocol — like when it pillaged $1.5 billion from crypto exchange Bybit on Feb. 21 — it faces the significant challenge of offramping its assets.

It cannot simply send the funds to a major exchange like Binance or Coinbase, because such firms implement Know-Your-Customer (KYC) checks and work in conjunction with law enforcement agencies to freeze illegally obtained funds as soon as they’re deposited on their platforms.

Instead, North Korea uses a well-developed network of over-the-counter (OTC) brokers to launder the stolen funds, according to Ari Redbord, global head of policy at blockchain analytics firm TRM Labs.

“They'll look to exchanges globally that don't have compliance controls in place,” Redbord, a former senior advisor to the Deputy Secretary and the Undersecretary for Terrorism and Financial Intelligence at the U.S. Treasury, told CoinDesk in an interview. “Everyone uses Chinese money laundering organizations. The cartels use them to move funds. There’s a network there that North Koreans have used for years.”

“But it’s not just China. Look around the world at places where you have no regulation or a lack of money laundering controls. Russia has been like a money laundering state for a very long time. There's tons of dark net market activity and ransomware actors that are related to Russia. North Korea has also used casinos in Macau to launder fiat.”

Off-ramping billions

To the best of our knowledge, North Korea has never used crypto to pay for things on the international scene. Instead, it tries to convert the tokens into government-issued currencies like the Chinese renminbi or the U.S. dollar, Redbord said.

But off-ramping billions in value isn’t easy. North Korea has stolen more than $5 billion since 2017, according to TRM. Broken down on a per-month basis, that means North Korea has needed to off-ramp at least $51 million per month on average — far more than its money laundering network can handle.

“You're inevitably seeing these funds sit in wallets over long periods of time. I don't think that's them setting up a strategic reserve of some kind; they’re just not being able to off-ramp the funds,” Redbord said. “In every world, North Korea wants to get those funds off-chain as fast as they can.”

“It’s so much money. Think about Pablo Escobar — he had this huge problem with storing cash. He didn’t know where to put it all,” Redbord added. “That's what North Korea has with crypto right now.”

In the Bybit hack’s case, the vast majority of the stolen ETH has already been bridged to Bitcoin via THORswap, a protocol that enables permissionless swaps between the Ethereum and Bitcoin networks.

The haul is now being fed through mixers (protocols that allow users to obfuscate their transactions on the blockchain) like Wasabi and CryptoMixer. These platforms typically process no more than $10 million a day, meaning that North Korea faces potential bottlenecks even before trying to offramp its stolen funds through OTC brokers. “Whether these mixers can continue to absorb the amount of money at play is an open question,” TRM said in a recent report.

What happens afterwards?

Once funds are offramped through OTC brokers, the trail goes cold for blockchain analysis firms like TRM, but not necessarily for governmental agencies like the Federal Bureau of Investigation (FBI), Homeland Security Investigations (HSI) or IRS Criminal Investigation (IRS-CI), which each have a broad panoply of intelligence-gathering tools at their disposal.
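To make the tracing described above concrete (following the bridged and mixed funds hop by hop until they land at a KYC exchange, where they can be frozen, or at an OTC broker, where on-chain visibility ends), here is an added example that is not code from the CoinDesk article or from TRM Labs. It runs a toy proportional-taint ("haircut") tracer over a constructed ledger and includes the throughput arithmetic behind the mixer bottleneck mentioned earlier. Every address, label, amount and threshold in it is constructed for illustration; real analytics pipelines use far richer heuristics than this.

```python
"""Added example (not from the CoinDesk article or TRM Labs): a toy
proportional-taint ("haircut") tracer over a constructed ledger, plus the
throughput arithmetic behind a daily-capacity bottleneck. Every address,
label and amount below is constructed for illustration."""
from collections import defaultdict
from math import ceil

# Constructed ledger in chronological order: (sender, receiver, amount).
LEDGER = [
    ("thief_wallet", "hop_a", 100.0),
    ("thief_wallet", "hop_b", 50.0),
    ("hop_a", "bridge_out", 100.0),        # e.g. a cross-chain bridge output
    ("clean_source", "hop_b", 50.0),       # unrelated funds commingled at hop_b
    ("hop_b", "hop_c", 100.0),
    ("bridge_out", "exchange_deposit", 60.0),
    ("hop_c", "otc_broker", 100.0),
]

# Address labels a compliance team might hold (constructed, hypothetical).
LABELS = {"exchange_deposit": "exchange", "otc_broker": "otc"}


def run_taint(ledger, origins):
    """Proportional ("haircut") taint: each address's outflows carry the same
    tainted fraction as its inflows. Returns {addr: (total_in, tainted_in)}."""
    total_in = defaultdict(float)
    tainted_in = defaultdict(float)
    for sender, receiver, amount in ledger:
        if sender in origins:
            fraction = 1.0                  # funds leaving the theft wallet are fully tainted
        elif total_in[sender] > 0:
            fraction = tainted_in[sender] / total_in[sender]
        else:
            fraction = 0.0                  # no known inflows: treated as clean
        total_in[receiver] += amount
        tainted_in[receiver] += amount * fraction
    return {addr: (total_in[addr], tainted_in[addr]) for addr in total_in}


def taint_fraction(state, addr):
    """Share of an address's inflows that trace back to the origin wallet."""
    total, tainted = state.get(addr, (0.0, 0.0))
    return tainted / total if total > 0 else 0.0


def flag_labeled(state, labels, threshold):
    """Return labelled addresses whose tainted share meets the threshold.
    An 'exchange' hit is where a KYC venue can freeze; an 'otc' hit is where
    on-chain visibility stops and the case passes to law enforcement."""
    return {
        addr: (kind, taint_fraction(state, addr))
        for addr, kind in labels.items()
        if taint_fraction(state, addr) >= threshold
    }


def days_to_launder(total_usd, daily_cap_usd):
    """Whole days needed to push total_usd through a channel that absorbs at
    most daily_cap_usd per day, i.e. the capacity bottleneck described above."""
    return ceil(total_usd / daily_cap_usd)


if __name__ == "__main__":
    state = run_taint(LEDGER, {"thief_wallet"})
    for addr, (kind, frac) in flag_labeled(state, LABELS, 0.1).items():
        print(f"{addr:17s} {kind:9s} tainted share {frac:.0%}")
    print("days at $10M/day for $1.5B:", days_to_launder(1.5e9, 1e7))
```

In the constructed ledger the exchange deposit is 100% tainted (a clear freeze candidate), while the OTC broker address is only 50% tainted because clean funds were commingled at `hop_b`; the haircut rule is deliberately simple, and real investigations layer clustering and timing heuristics on top of it. The capacity helper only formalises the arithmetic behind the bottleneck: at a $10 million daily ceiling, $1.5 billion cannot clear in under 150 days.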

Such agencies may use human intelligence (interviews, interrogations and espionage) and signals intelligence (intercepting communications or gathering information from electronic devices) to boost their investigations.

These agencies are sometimes able to retrieve stolen funds. In the case of the Colonial Pipeline ransomware attack in 2021, the Department of Justice (DOJ) was eventually able to recover almost 85% of the bitcoin (BTC) ransom paid to Russian cybercriminal group Darkside. It’s unclear how investigators obtained the hacking group’s private keys.

The network of Chinese shell companies that North Korea uses to launder funds — whether from crypto or other sources — is constantly being monitored by U.S. agencies in collaboration with Japanese and South Korean authorities, Redbord said. And getting funds laundered through the Chinese banking system doesn’t necessarily mean the game is won for North Korea.

Back in 2019, U.S. federal prosecutors served subpoenas to three Chinese banks in a North Korea money-laundering case. That would ordinarily be impossible because the U.S. government doesn’t have jurisdiction over the Chinese banking system, Redbord, who worked on the case, explained.

But a provision under the USA PATRIOT Act enables the practice under specific circumstances. If the foreign bank does not respond, the U.S. government is allowed to cut off the bank’s correspondent banking — essentially disconnecting the foreign bank from the U.S. banking system.

In that particular case, the Chinese banks eventually complied with the subpoena, Redbord said. But the strategy is hard to replicate because it requires serious political capital. “We’re talking about some of the biggest banks in the world. If you were to actually cut off correspondent banking from one of the major Chinese banks, it would not be good for the economy,” Redbord said. That’s why the Treasury Secretary and Attorney General need to sign off on this kind of strategy.

“If any administration would be willing to lean in a little bit, it would probably be this one,” Redbord said. “Issuing a subpoena to a small or mid-sized Chinese bank is probably something that would be worth doing. It does send a really strong message.”