Two Chinese nationals have been charged with laundering over $100 million in stolen cryptocurrency hacked by North Koreans in 2018, the Justice Department disclosed.
The funds are part of an estimated $2 billion obtained annually by North Korea covertly through hacking Bitcoin and Ether exchanges.
The funds are used for North Korea’s military buildup, including its missile and nuclear programs, according to Justice Department prosecutors. The two Chinese nationals, Tian Yinyin and Li Jiadong, were charged in an indictment unsealed Monday.
“The hacking of virtual currency exchanges and related money laundering for the benefit of North Korean actors poses a grave threat to the security and integrity of the global financial system,” said U.S. Attorney Timothy J. Shea of the District of Columbia, who led the prosecution.
South Korean authorities assisted in the investigation, as did the Internal Revenue Service and FBI.
“North Korea continues to attack the growing worldwide ecosystem of virtual currency as a means to bypass the sanctions imposed on it by the United States and the UN Security Council,” said Don Fort, director of the IRS’s criminal investigations.
Details about the two Chinese men were not disclosed in court papers other than they had advertised their services. It could not be learned if they are in the United States or outside the country. The two allegedly used nine Chinese banks to launder the cryptocurrency and turn it into U.S. dollars or other currency.
The scheme involved using Bitcoin to purchase Apple iTunes gift cards, described in the two-count indictment as “a known method of money laundering.”
In addition to the indictment, the Justice Department also filed a civil forfeiture complaint to seize 113 virtual currency accounts linked to the case.
Investigators said they were able to electronically trace the funds used by Mr. Tian and Mr. Li and the North Koreans through a process called blockchain analysis.
Much of the information in the court papers was derived from one of the reports produced by a special United Nations panel of experts on North Korea, which have documented illicit North Korean activities under UN sanctions.
“Large-scale attacks against cryptocurrency exchanges allow [North Korea] to generate income in ways that are harder to trace and subject to less government oversight and regulation than the traditional banking sector,” the UN report published in August said.
North Korean “cyber actors … raise money for the country’s weapons of mass destruction programs, with total proceeds to date estimated at up to $2 billion.”
To avoid detection, one financial hack by North Korea in 2018 involved the use of 5,000 separate transactions routed through several countries before its conversion to government-backed currency.
Undisclosed operation
The case is focused on a previously undisclosed North Korean financial hacking operation in late 2018 that netted the North Koreans nearly $250 million in stolen virtual currencies from a cryptocurrency exchange. Four other exchanges in South Korea were also hacked by the North Koreans.
The group behind the financial hacking is known by the names the Lazarus Group, Bluenoroff, and Andariel. All are part of North Korean government operations aimed to generating funds to circumvent international sanctions. The Lazarus group and its two subgroups were sanctioned by the Treasury Department in September.
The Lazarus Group was blamed for the stunning 2014 cyberattack on Sony Pictures Entertainment and the release of internal corporate documents. The attack was a protest against the release of the comedy film The Interview that made fun of North Korean leader Kim Jong Un.
The indictment of Mr. Tian and Mr. Li states that the two used exchanges to conduct money-laundering transactions between July 2018 and April 2019 worth $100,812,842 that were traceable by investigators to the 2018 exchange hack.
Most of the laundered funds were sent to the China Guangfa Bank.
Other banks involved included the Agricultural Bank of China, China Everbright Bank, China CITIC Bank, China Minsheng Bank, Huaxia Bank, Industrial Bank, Pingan Bank, and Shanghai Pudong Development Bank.
Prosecutors stated that some of the laundered funds were used to pay for infrastructure used in North Korean hacking operations against financial institutions.
The Lazarus Group has targeted an array of institutions including government, military, financial, manufacturing, publishing, media, entertainment, and international shipping companies, and critical infrastructure. The group was set up by North Korean as early as 2007.
In addition to the Sony hack, the Lazarus Group also carried out the destructive WannaCry 2.0 ransomware attack that hit the United States, Australia, Canada, New Zealand and the United Kingdom and shut down some 300,000 computers in 150 countries, including Britain’s national health care system.
Bluenoroff is a subgroup used for many of the cyber heists “to generate revenue, in part, for [North Korea’s] growing nuclear weapons and ballistic missile programs,” the Treasury Department said in its statement Monday.
Bluenoroff and Lazarus Group were blamed for stealing $80 million from the Central Bank of Bangladesh’s New York Federal Reserve account.
Andariel is a Lazarus subgroup that conducts cyber operations against foreign businesses, government agencies, financial services infrastructure, private corporations and the defense industry. Andariel was also linked by investigators to attempted theft of bank card information through hacking automated teller machines to withdraw cash or steal customer information.
• Bill Gertz can be reached at bgertz@washingtontimes.com.
Please read our comment policy before commenting.