U.S. Charges Chinese Nationals Linked to North Korean Cryptocurrency Hack

The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) has announced it sanctioned two Chinese nationals involved in laundering funds allegedly stolen by North Korean hackers from cryptocurrency exchanges.

According to The Washington Post the Chinese nationals, Tian Yinyin (田寅寅) and Li Jiadong (李家东), were charged with laundering over $100 million in cryptocurrency stolen from cyberattacks linked to Pyongyang’s nuclear missile and weapons development program.

The indictment is accompanied by a civil forfeiture complaint seizing 113 cryptocurrency addresses and sanctions. Both Chinese nationals reportedly “materially assisted, sponsored, or provided financial, material, or technological support for, or goods or services to or in support of, a malicious cyber-enabled activity” associated with the infamous Lazarus Group, according to the OFAC.

The Lazarus Group is a hacking group believed to be controlled by North Korea’s primary intelligence agency, the Reconnaissance General Bureau. Timothy J. Shea, a U.S. attorney for Washington, was quoted as saying:

The hacking of virtual currency exchanges and related money laundering for the benefit of North Korean actors poses a grave threat to the security and integrity of the global financial system.

Authorities explained that the group used malware from a now-defunct fake cryptocurrency trading application called Celas Trade Pro to trick cryptocurrency exchange employees into downloading malware. Once downloaded, it gave them access to the platform’s servers where the private keys to their wallets were, leading to the theft of millions worth of cryptocurrency.

As CrypotGlobe reported, the Lazarus Group is believed to also be behind the hack of DragonEx. To breach the exchange’s security they reportedly set up a fake company, with fake employees who even had fake social media profiles, to pull off a phishing attack.

While the filings don’t specifically mention cryptocurrency exchanges, they do mention the incidents occurred between December 2017 and November 2019. These were connected to known security incidents, including the December 2017 hack of Youbit, which took 17% of its assets, and the $49 million hack of Upbit in November 2019.

Bithumb, South Korea’s leading cryptocurrency exchange, was reportedly hacked twice by North Korean hackers. In one incident $31.5 million worth of cryptocurrency were stolen, while in the other 3 million EOS were transferred out of the exchange’s hot wallet.

Most of the laundered funds came from a previously undisclosed $250 million hack of an unnamed Asian exchange. Tian and Li allegedly helped launder these funds, sending roughly 2,500 deposits with $67.3 million in stolen funds to nine Chinese banks. In total, both Chinese nationals are said to have received nearly $100 million from addresses associated with Lazarus.

"The funds were then laundered through hundreds of automated cryptocurrency transactions aimed at preventing law enforcement from tracing the funds. The North Korean co-conspirators circumvented multiple virtual currency exchanges’ know-your-customer controls by submitting doctored photographs and falsified identification documentation."

Authorities have reportedly managed to seize some of the stolen funds it’s looking to recover, with seized addresses reportedly having $15 million worth of cryptocurrency in them. Tian and Li are not in U.S. custody and are assumed to be in China.

Featured image via Pixabay.