(CNN) A team of South Korean spies and American private investigators quietly gathered at a South Korean intelligence office in January, just days after North Korea fired three ballistic missiles into the sea.
For months, they had tracked $100 million stolen from a California cryptocurrency firm called Harmony, waiting for North Korean hackers to move the stolen crypto into accounts from which it could eventually be converted into dollars or Chinese yuan, hard currency that could fund the country's missile program.
When the moment came, the spies and sleuths, who worked out of a government office in Pangyo, a town known as South Korea's Silicon Valley, had only minutes to seize the money before it could be moved out of those accounts and put beyond reach.
Finally, in late January, the hackers moved a fraction of their loot into a dollar-pegged cryptocurrency, briefly giving up direct control of the funds. The spies and investigators pounced and reported the transaction to US law enforcement officials, who were standing by to freeze the money.
The Pangyo team helped confiscate just over $1 million that day. Most of the stolen $100 million, along with the other cryptocurrency assets North Korea controls, remains out of reach, analysts tell CNN, but it was the kind of seizure the US and its allies will need to repeat to deny Pyongyang big paydays.
The sting, described to CNN by private investigators from Chainalysis, a New York-based blockchain tracking firm, and corroborated by South Korea's National Intelligence Service, offers a rare glimpse into the murky world of cryptocurrency espionage, and into the burgeoning efforts to curtail what has become a multi-billion dollar business for North Korea's authoritarian regime.
In recent years, North Korean hackers have stolen billions of dollars from banks and cryptocurrency firms, according to reports from the United Nations and private firms. As investigators and regulators have caught on, the regime has turned to increasingly sophisticated ways of laundering the stolen digital money into hard currency, US officials and private experts tell CNN.
Cutting off North Korea's cryptocurrency pipeline has quickly become a national security imperative for the US and South Korea. The regime's ability to fund its weapons programs with stolen digital money, or with remittances from North Korean IT workers abroad, is part of the regular stream of intelligence reporting presented to senior US officials, at times including President Joe Biden, a senior US official said.
Kim Jong Un and his daughter at a military parade to mark the anniversary of the founding of the North Korean army, which showcased the regime’s latest weapons.
The North Koreans "need money, so they will keep being creative," the official told CNN. "I don't think [they] will ever stop looking for illegal ways to get money, because it is an authoritarian regime under heavy sanctions."
North Korean cryptocurrency hacking was the focus of an April 7 meeting in Seoul, where U.S., Japanese and South Korean diplomats released a joint statement lamenting that Kim Jong Un's regime continues to "expend its scarce resources on its WMD [weapons of mass destruction] and ballistic missile programs."
“We are also deeply concerned at how the DPRK supports these programs by stealing and laundering funds and gathering information through malicious cyber activities,” the trilateral statement said, using an acronym for the North Korean government.
North Korea has previously denied similar allegations. CNN has emailed and called the North Korean embassy in London for comment.
“North Korea Inc” goes virtual
Beginning in the late 2000s, US officials and their allies scoured international waters for signs that North Korea was evading sanctions by trading in arms, coal or other valuable cargo, a practice that continues to this day. Now a very modern twist on that contest is unfolding between hackers and money launderers in Pyongyang and intelligence and law enforcement officials from Washington to Seoul.
The FBI and the Secret Service have spearheaded this work in the US (both agencies declined to comment when CNN asked how they track North Korean money laundering). The FBI announced in January that it had frozen an unspecified portion of the $100 million stolen from Harmony.
Successive members of the Kim family, which has ruled North Korea for the past 70 years, have all used state-owned companies to enrich the family and ensure the regime's survival, experts say.
It’s a family business that scholar John Park calls “North Korea Incorporated.”
Kim Jong Un, North Korea’s current dictator, has “doubled down on cyber skills and crypto theft as a source of income for his family regime,” said Park, who directs the Korea Project at Harvard Kennedy School’s Belfer Center. “North Korea Incorporated has gone virtual.”
Compared to the coal trade, which North Korea has historically relied on for revenue, stealing cryptocurrency is far less labor- and capital-intensive, Park said. And the gains are astronomical.
According to Chainalysis, a record $3.8 billion in cryptocurrency was stolen from around the world last year. Almost half of that, or $1.7 billion, was the work of hackers linked to North Korea, the firm said.
The joint analysis room at the National Intelligence Service’s National CyberSecurity Cooperation Center in South Korea.
It's unclear how much of its billions in stolen cryptocurrency North Korea has been able to turn into hard cash. In an interview, a US Treasury Department official focused on North Korea declined to give an estimate. The public record of blockchain transactions helps US officials track efforts by suspected North Korean agents to move cryptocurrency, the official said.
But if North Korea gets help from other countries in laundering that money, that is "incredibly worrying," the official said. (The official declined to name a specific country, but the US indicted two Chinese men in 2020 for allegedly laundering over $100 million for North Korea.)
Pyongyang's hackers have also been scouring the networks of foreign governments and companies for technical information that could be useful to its nuclear program, according to a confidential February United Nations report reviewed by CNN.
The crackdown
A spokesman for South Korea's National Intelligence Service told CNN it has developed a "rapid intelligence sharing" program with allies and private companies to respond to the threat and is looking at new ways to prevent stolen cryptocurrency from being funneled to North Korea.
Recent efforts have focused on North Korea's use of so-called mixing services, publicly available tools that obscure the origin of cryptocurrency by pooling it with funds from many other users.
On March 15, the Justice Department and European law enforcement agencies announced the takedown of a mixing service called ChipMixer, which the North Koreans allegedly used to launder an unspecified amount of the roughly $700 million stolen in three separate crypto heists, including the $100 million theft from Harmony, the California cryptocurrency firm.
Private investigators use blockchain tracking software, and their own eyes once the software raises an alert, to pinpoint the moment when stolen funds pass out of North Korean hands and can be frozen. But those investigators need trusted relationships with law enforcement and crypto firms to move fast enough to recover the funds.
One of the biggest U.S. actions to date came in August, when the Treasury Department sanctioned a cryptocurrency mixing service called Tornado Cash for allegedly laundering $455 million for North Korean hackers.
Tornado Cash was particularly valuable because it had more liquidity than other services, making it easier for North Korean money to hide among funds from other sources. Tornado Cash now processes fewer transactions, and the Treasury sanctions have forced the North Koreans to look to other mixing services.
According to Chainalysis, suspected North Korean agents sent $24 million through a newer mixing service, Sinbad, in December and January, but there is no sign yet that Sinbad will be as effective at moving money as Tornado Cash.
The people behind mixing services, like Tornado Cash developer Roman Semenov, often describe themselves as privacy advocates, arguing that, like any technology, their tools can be used for good or ill. That hasn't stopped law enforcement from cracking down. Dutch police arrested another suspected Tornado Cash developer, whom they did not name, in August on suspicion of money laundering.
Private crypto-tracking firms like Chainalysis are increasingly staffed by former US and European law enforcement officials who apply what they learned in government service to tracking Pyongyang's money laundering.
Elliptic, a London-based firm that also employs former law enforcement officials, says it helped seize $1.4 million in North Korean proceeds from the Harmony hack. Elliptic analysts tell CNN they tracked the money in real time in February as it briefly passed through two popular cryptocurrency exchanges, Huobi and Binance. The analysts quickly notified the exchanges, which froze the money.
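The two technical points in this section, that investigators wait for stolen funds to land on a custodial counterparty that can honour a freeze request, and that a mixer with more clean liquidity makes the trail harder to follow, can be shown on a small constructed ledger. The following is an added example written for this page, not code from Chainalysis, Elliptic or any of the agencies named here. Every address name, the opening balances, the service labels and the transfers are invented, and the "haircut" (proportional) taint rule is a deliberate simplification of what commercial tracing tools do:

```python
from collections import defaultdict
from fractions import Fraction

# Constructed sample ledger, processed in chronological order:
# (tx_id, sender, receiver, amount). All address names are invented.
LEDGER = [
    ("t1", "theft_wallet", "hop_a", 60),
    ("t2", "theft_wallet", "hop_b", 40),
    ("t3", "hop_a", "mixer_deposit", 60),        # stolen funds enter a mixer
    ("t4", "clean_user", "mixer_deposit", 30),   # an unrelated user deposits too
    ("t5", "mixer_deposit", "hop_c", 50),        # mixer pays out co-mingled funds
    ("t6", "hop_b", "exchange_deposit_1", 40),   # custodial exchange: can freeze
    ("t7", "hop_c", "stablecoin_issuer", 20),    # issuer can blacklist/freeze
    ("t8", "hop_c", "hop_d", 30),
    ("t9", "hop_d", "hop_e", 30),                # self-custody: nothing to freeze
]

# Balances held before t1 (constructed) and the addresses known to hold
# proceeds of the theft when the trace starts.
OPENING_BALANCES = {"theft_wallet": 100, "clean_user": 30}
TAINT_SEEDS = {"theft_wallet"}

# Labels for known counterparties (hypothetical). Custodial services are the
# ones that can act on a freeze request; a mixer is not.
LABELS = {"mixer_deposit": "mixer",
          "exchange_deposit_1": "exchange",
          "stablecoin_issuer": "stablecoin"}
FREEZABLE = {"exchange", "stablecoin"}


def run_trace(ledger, opening, seeds, labels=LABELS, min_tainted=Fraction(1)):
    """Haircut (proportional) taint tracing over a ledger.

    Each address keeps (total, tainted). A transfer carries taint in the
    same proportion as the sender's balance, so funds leaving a mixer are
    only partly tainted once clean deposits have been pooled with them.
    Returns (state, alerts); an alert is raised whenever at least
    `min_tainted` units of tainted value land on a freezable counterparty.
    """
    total = defaultdict(Fraction)
    tainted = defaultdict(Fraction)
    route = defaultdict(set)   # labelled services the tainted value passed through
    for addr, amt in opening.items():
        total[addr] = Fraction(amt)
        if addr in seeds:
            tainted[addr] = Fraction(amt)

    alerts = []
    for tx_id, sender, receiver, amount in ledger:
        amount = Fraction(amount)
        if amount > total[sender]:
            raise ValueError(f"{tx_id}: {sender} sends more than it holds")
        # Share of the sender's balance that is tainted, computed before debiting.
        share = tainted[sender] / total[sender] if total[sender] else Fraction(0)
        moved = amount * share
        total[sender] -= amount
        tainted[sender] -= moved
        total[receiver] += amount
        tainted[receiver] += moved
        if moved > 0:
            route[receiver] |= route[sender]
            if sender in labels:
                route[receiver].add(labels[sender])
        label = labels.get(receiver)
        if label in FREEZABLE and moved >= min_tainted:
            alerts.append({"tx": tx_id, "to": receiver, "service": label,
                           "amount": amount, "tainted": moved,
                           "via": sorted(route[receiver])})
    return {"total": dict(total), "tainted": dict(tainted)}, alerts


if __name__ == "__main__":
    _, found = run_trace(LEDGER, OPENING_BALANCES, TAINT_SEEDS)
    for a in found:
        print(f"{a['tx']}: {a['tainted']} of {a['amount']} tainted landed at "
              f"{a['to']} ({a['service']}), via {a['via'] or 'direct'}")
```

Running it raises two alerts: the direct hop to the exchange in `t6` carries 40 fully tainted units, which is the "minutes to act" moment described above, while the stablecoin deposit in `t7` carries only 40/3 tainted units because the mixer pooled the stolen 60 with a clean 30 before paying out. With more clean liquidity in the mixer that fraction falls further, which is the attribution problem the Tornado Cash sanctions were aimed at; the final hop to `hop_e` never produces an alert because nobody there can freeze anything.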
“It’s a bit like large-scale drug importation,” Elliptic co-founder Tom Robinson told CNN. “[The North Koreans] are willing to give up some of it, but a lot of it probably just gets through because of the volume and the speed at which they do it, and they’re pretty sophisticated at it.”
The North Koreans not only try to steal from cryptocurrency firms, but also directly from other crypto thieves.
After an unknown hacker stole $200 million from the British firm Euler Finance in March, suspected North Korean agents tried to set a trap: they sent the hacker a message on the blockchain laced with a vulnerability, possibly in an attempt to gain access to the funds, according to Elliptic. (The trick didn't work.)
Nick Carlsen, an FBI intelligence analyst focused on North Korea until 2021, estimates that North Korea may have only a few hundred people working on exploiting cryptocurrency to circumvent sanctions.
Carlsen worries that North Korea may turn to less visible forms of fraud as international efforts to sanction rogue cryptocurrency exchanges and seize stolen funds intensify. Instead of stealing half a billion dollars from a cryptocurrency exchange, he suggested, Pyongyang's agents could run a Ponzi scheme that draws far less attention.
But even with reduced profit margins, cryptocurrency theft is still “wildly profitable,” said Carlsen, who now works at fraud investigation firm TRM Labs. “So you have no reason to stop.”
CNN’s Gawon Bae in Seoul and Richard Roth in New York contributed to this report.