Inside the international sting operation to catch North Korean crypto hackers

SEOUL (CNN): A team of South Korean spies and American private investigators quietly gathered at the South Korean intelligence service in January, just days after North Korea fired three ballistic missiles into the sea.

For months, they’d been tracking $100 million stolen from a California cryptocurrency firm named Harmony, waiting for North Korean hackers to move the stolen crypto into accounts that could eventually be converted to dollars or Chinese yuan, hard currency that could fund the country’s illegal missile program.

When the moment came, the spies and sleuths — working out of a government office in a city, Pangyo, known as South Korea’s Silicon Valley — would have only a few minutes to help seize the money before it could be laundered to safety through a series of accounts and rendered untouchable.

Finally, in late January, the hackers moved a fraction of their loot to a cryptocurrency account pegged to the dollar, temporarily relinquishing control of it. The spies and investigators pounced, flagging the transaction to US law enforcement officials standing by to freeze the money.

The team in Pangyo helped seize a little more than $1 million that day. Though analysts tell CNN that most of the stolen $100 million remains out of reach in cryptocurrency and other assets controlled by North Korea, it was the type of seizure that the US and its allies will need to prevent big paydays for Pyongyang.

The sting operation, described to CNN by private investigators at Chainalysis, a New York-based blockchain-tracking firm, and confirmed by the South Korean National Intelligence Service, offers a rare window into the murky world of cryptocurrency espionage — and the burgeoning effort to shut down what has become a multibillion-dollar business for North Korea’s authoritarian regime.

Over the last several years, North Korean hackers have stolen billions of dollars from banks and cryptocurrency firms, according to reports from the United Nations and private firms. As investigators and regulators have wised up, the North Korean regime has been trying increasingly elaborate ways to launder that stolen digital money into hard currency, US officials and private experts tell CNN.

Cutting off North Korea’s cryptocurrency pipeline has quickly become a national security imperative for the US and South Korea. The regime’s ability to use the stolen digital money — or remittances from North Korean IT workers abroad — to fund its weapons programs is part of the regular set of intelligence products presented to senior US officials, including, sometimes, President Joe Biden, a senior US official said.

The North Koreans “need money, so they’re going to keep being creative,” the official told CNN. “I don’t think [they] are ever going to stop looking for illicit ways to glean funds because it’s an authoritarian regime under heavy sanctions.”

North Korea’s cryptocurrency hacking was top of mind at an April 7 meeting in Seoul, where US, Japanese and South Korean diplomats released a joint statement lamenting that Kim Jong Un’s regime continues to “pour its scarce resources into its WMD [weapons of mass destruction] and ballistic missile programs.”

“We are also deeply concerned about how the DPRK supports these programs by stealing and laundering funds as well as gathering information through malicious cyber activities,” the trilateral statement said, using an acronym for the North Korean government.

North Korea has previously denied similar allegations. CNN has emailed and called the North Korean Embassy in London seeking comment.

‘North Korea Inc’ goes virtual

Starting in the late 2000s, US officials and their allies scoured international waters for signs that North Korea was evading sanctions by trafficking in weapons, coal or other precious cargo, a practice that continues. Now, a very modern twist on that contest is unfolding between hackers and money launderers in Pyongyang, and intelligence agencies and law enforcement officials from Washington to Seoul.

The FBI and Secret Service have spearheaded that work in the US (both agencies declined to comment when CNN asked how they track North Korean money-laundering.) The FBI announced in January that it had frozen an unspecified portion of the $100 million stolen from Harmony.

The succession of Kim family members who have ruled North Korea for the last 70 years have all used state-owned companies to enrich the family and ensure the regime’s survival, according to experts.

It’s a family business that scholar John Park calls “North Korea Incorporated.”

Kim Jong Un, North Korea’s current dictator, has “doubled down on cyber capabilities and crypto theft as a revenue generator for his family regime,” said Park, who directs the Korea Project at the Harvard Kennedy School’s Belfer Center. “North Korea Incorporated has gone virtual.”

Compared to the coal trade North Korea has relied on for revenue in the past, stealing cryptocurrency is much less labor and capital-intensive, Park said. And the profits are astronomical.

Last year, a record $3.8 billion in cryptocurrency was stolen from around the world, according to Chainalysis. Nearly half of that, or $1.7 billion, was the work of North Korean-linked hackers, the firm said.

It’s unclear how much of its billions in stolen cryptocurrency North Korea has been able to convert to hard cash. In an interview, a US Treasury official focused on North Korea declined to give an estimate. The public record of blockchain transactions helps US officials track suspected North Korean operatives’ efforts to move cryptocurrency, the Treasury official said.

But when North Korea gets help from other countries in laundering that money it is “incredibly concerning,” the official said. (They declined to name a particular country, but the US in 2020 indicted two Chinese men for allegedly laundering over $100 million for North Korea.)

Pyongyang’s hackers have also combed the networks of various foreign governments and companies for key technical information that might be useful for its nuclear program, according to a private United Nations report in February reviewed by CNN.

The crackdown

A spokesperson for South Korea’s National Intelligence Service told CNN it has developed a “rapid intelligence sharing” scheme with allies and private companies to respond to the threat and is looking for new ways to stop stolen cryptocurrency from being smuggled into North Korea.

Recent efforts have focused on North Korea’s use of what are known as mixing services, publicly available tools used to obscure the source of cryptocurrency.

On March 15, the Justice Department and European law enforcement agencies announced the shutdown of a mixing service known as ChipMixer, which the North Koreans allegedly used to launder an unspecified amount of the roughly $700 million stolen by hackers in three different crypto heists — including the $100 million robbery of Harmony, the California cryptocurrency firm.

Private investigators use blockchain-tracking software — and their own eyes when the software alerts them — to pinpoint the moment when stolen funds leave the hands of the North Koreans and can be seized. But those investigators need trusted relationships with law enforcement and crypto firms to move quickly enough to snatch back the funds.

One of the biggest US counter moves to date came in August when the Treasury Department sanctioned a cryptocurrency “mixing” service known as Tornado Cash that allegedly laundered $455 million for North Korean hackers.

Tornado Cash was particularly valuable because it had more liquidity than other services, allowing North Korean money to hide more easily among other sources of funds. Tornado Cash is now processing fewer transactions after the Treasury sanctions forced the North Koreans to look to other mixing services.

Suspected North Korean operatives sent $24 million in December and January through a new mixing service, Sinbad, according to Chainalysis, but there are no signs yet that Sinbad will be as effective at moving money as Tornado Cash.

The people behind mixing services, like Tornado Cash developer Roman Semenov, often describe themselves as privacy advocates who argue that their cryptocurrency tools can be used for good or ill like any technology. But that hasn’t stopped law enforcement agencies from cracking down. Dutch police in August arrested another suspected developer of Tornado Cash, whom they did not name, for alleged money laundering.

Private crypto-tracking firms like Chainalysis are increasingly staffed with former US and European law enforcement agents who are applying what they learned in the classified world to track Pyongyang’s money laundering.

Elliptic, a London-based firm with ex-law enforcement agents on staff, claims it helped seize $1.4 million in North Korean money stolen in the Harmony hack. Elliptic analysts tell CNN they were able to follow the money in real-time in February as it briefly moved to two popular cryptocurrency exchanges, Huobi and Binance. The analysts say they quickly notified the exchanges, which froze the money.

“It’s a bit like large-scale drug importations,” Tom Robinson, Elliptic’s co-founder, told CNN. “[The North Koreans] are prepared to lose some of it, but a majority of it probably goes through just by virtue of volume and the speed at which they do it and they’re quite sophisticated at it.”

The North Koreans are not just trying to steal from cryptocurrency firms, but also directly from other crypto thieves.

After an unknown hacker stole $200 million from British firm Euler Finance in March, suspected North Korean operatives tried to set a trap: They sent the hacker a message on the blockchain laced with a vulnerability that may have been an attempt to gain access to the funds, according to Elliptic. (The ruse didn’t work.)

Nick Carlsen, who was an FBI intelligence analyst focused on North Korea until 2021, estimates that North Korea may only have a couple hundred people focused on the task of exploiting cryptocurrency to evade sanctions.

With an international effort to sanction rogue cryptocurrency exchanges and seize stolen money, Carlsen worries that North Korea could turn to less conspicuous forms of fraud. Rather than steal half a billion dollars from a cryptocurrency exchange, he suggested, Pyongyang’s operatives could set up a Ponzi scheme that attracts much less attention.

Yet even at reduced profit margins, cryptocurrency theft is still “wildly profitable,” said Carlsen, who now works at fraud-investigating firm TRM Labs. “So, they have no reason to stop.”