Inside The International Sting Operation To Catch North Korean Crypto Hackers

South Korean spies and US special investigators met secretly at South Korea's intelligence agency in January after North Korea fired three ballistic missiles into the sea.

For months, North Korean hackers tracked the theft of $100 million from California-based cryptocurrency firm Harmony, waiting for the stolen cryptocurrency to be converted into dollars or Chinese yuan, hard currencies that could support the country's illicit missile program.

When the time came, spies and detectives working in Pangyo, South Korea's Silicon Valley, had a few minutes to help before the money was safely held in a series of accounts and declared a fraud.

Finally, in late January, the hackers moved some of their mining operations to a dollar-denominated cryptocurrency account and temporarily released their mining operations. Spies and detectives intervened and alerted US law enforcement agencies that they were ready to freeze the money.

The Pangyo team helped raise over $1 million that day. Analysts told CNN that most of the $100 million stolen was not in cryptocurrencies and other assets controlled by North Korea, but the United States and its allies must launch such attacks to avoid paying a high price for Pyongyang.

Photo: Kim Jong-un and his daughter take part in a military parade featuring North Korea's armed forces and the North's newest weapons. - Rodong Sinmun

A leak revealed to CNN by private investigators at New York-based blockchain intelligence firm Chainalysis and confirmed by South Korea's National Intelligence Service offers a rare glimpse into the murky world of cryptocurrency espionage and hacking, a billion-dollar business for the North Korean dictatorship.

North Korean hackers have stolen billions of dollars from banks and cryptocurrency companies in the past few years, according to reports from the United Nations and private companies. U.S. officials and private experts told CNN that investigators and regulators have tried to convert digital currency stolen by the North Korean regime into hard currency.

Shutting down North Korea's cryptocurrency pipeline has quickly become a national security imperative for both the US and South Korea. The ability to use stolen digital currency to fund regime weapons programs or North Korean IT experts overseas is part of standard intelligence output. It is sometimes presented to high-ranking officials of the United States, including President Joe Biden, a senior US official said.

The official told CNN that the North Koreans need money, so they will continue to innovate. "I don't think they will stop looking for illegal ways to raise money, because it is a totalitarian regime with high sanctions."

The hack of North Korea's cryptocurrency came at a meeting in Seoul on April 7, where US, Japanese and South Korean diplomats issued a joint statement saying Kim Jong-un's regime was continuing to "pour its scarce resources into" weapons of mass destruction and ballistic missile programs.

"We are also deeply concerned about how the DPRK is supporting these programs through theft and money laundering and information gathering through malicious activities in cyberspace," the trilateral statement said, using an acronym for the North Korean government.

North Korea has previously denied such accusations. CNN has emailed and called the North Korean embassy in London for comment.

North Korea is becoming virtual.

Since the late 2000s, US officials and their allies have found signs in international waters that North Korea is evading sanctions by transporting weapons, coal or other valuable goods, and the practice continues. Today, this debate plays out in a very modern way between Pyongyang's hackers and moneylenders and intelligence and law enforcement agencies from Washington to Seoul.

The FBI and the Secret Service led the effort in the U.S. (both agencies declined to comment when asked by CNN how they monitor money laundering in North Korea). In January, the FBI announced it was freezing an unidentified $100 million stolen from Harmony.

Experts say all members of the Kim family, which has ruled North Korea for the past 70 years, have used state-owned companies to enrich the family and keep the regime alive.

It's a family business that scholar John Park calls "North Korea Incorporated."

Park, who directs the Korea Project at Harvard Kennedy School's Belfer Center, said North Korean dictator Kim Jong-un "doubled as a source of income for the family regime by stealing cyberpower and cryptocurrencies." "North Korea Incorporated has gone virtual."

Compared to coal trading, which North Korea previously relied on for revenue, cryptocurrency theft requires less labor and capital investment, Park said. And the incomes are astronomical.

According to Chainalysis, a record $3.8 billion worth of cryptocurrency was stolen globally last year. About half of that amount, or $1.7 billion, was the work of hackers linked to North Korea, the company said.

Photo: Joint Analysis Unit of the National Cyber Security Cooperation Center of the National Intelligence Service of South Korea. - From South Korea's National Intelligence Service.

It is unclear how much of the billions of cryptocurrencies stolen by North Korea have been converted into cash. In an interview, a senior North Korean Treasury official declined to comment. A public record of blockchain transactions could help US authorities track efforts by suspected North Korean agents to transfer cryptocurrency, a Treasury official said.

But it is "incredibly worrying" that North Korea is receiving help from other countries to legalize its currency, the official said. (They declined to name the country, but in 2020 the United States indicted two Chinese men for defrauding North Korea of more than $100 million.)

According to a private U.N. report reviewed by CNN in February, Pyongyang's hackers probed the networks of various foreign governments and companies to find key technical information that could be critical to its nuclear program.

overpopulation

A spokesman for South Korea's National Intelligence Service told CNN that it has developed a "rapid information sharing" program with partners and private companies to respond to threats and is looking for new ways to prevent stolen cryptocurrencies from entering North Korea.

Recent efforts have focused on North Korea's use of public tools called mixing services, which are used to hide the source of cryptocurrency.

On March 15, the Department of Justice and European law enforcement agencies announced the shutdown of a mixing service known as ChipMixer, which was used by hackers to steal nearly $700 million from North Koreans, including $100 million from California-based cryptocurrency company Harmony.

Private investigators use blockchain tracking software and their own eyes when the software alerts them to determine when stolen funds may leave North Korean hands and be seized. But these investigators need trusted relationships with law enforcement and crypto companies to move quickly to recover the money.

In one of the most significant U.S. countermeasures to date, the Treasury Department in August sanctioned a cryptocurrency mixing service known as Tornado Cash that laundered $455 million for North Korean hackers.

Tornado Cash was particularly valuable because it was more liquid than other services, making it easier to hide North Korean money from other financial sources. Tornado Cash now processes fewer transactions after Treasury Department sanctions forced North Koreans to switch to other mixing services.

According to Chainalysis, North Korean agents sent $24 million through a new mixing service, Sinbad, in December and January, but there's no sign yet that Sinbad will be as good at transferring money as Tornado Cash.

The people behind mixing services, like Tornado Cash developer Roman Semyonov, often describe themselves as privacy advocates who argue that, like any technology, their cryptocurrency tools can be used for good or bad. However, this did not prevent the law enforcement agencies from taking strict measures. In August, Dutch police arrested another unnamed Tornado Cash developer on suspicion of money laundering.

Private cryptocurrency research firms such as Chainalysis have been set up by former law enforcement agencies in the US and Europe to track Pyongyang's money flows.

London-based Elliptic, a former law enforcement firm, says it has seized $1.4 million stolen by North Korea in the Harmony hack. Elliptic analysts told CNN in February that they were able to track funds in real time when they moved to two popular cryptocurrency exchanges, Huobi and Binance. Analysts said they rushed to inform exchanges that blocked the funds.

Elliptic co-founder Tom Robinson told CNN: "It's like importing drugs on a large scale. [The North Koreans] are willing to destroy some of them, but that's probably because of the scale and speed of what they're doing, and they're very good at it."

North Koreans are trying to rob not only cryptocurrency companies, but also crypto-thieves.

After an unknown hacker stole $200 million from the British financial firm Euler in March, suspected North Korean agents tried to set up a trap: the hacker was sent a blockchain message containing a vulnerability that could be an attempt to access the money, according to Elliptic. (This trick didn't work.)

Nick Carlson, who was an FBI intelligence analyst focused on North Korea in 2021, estimates that only a few hundred people in North Korea are focused on using cryptocurrency to evade sanctions.

Carlson worries that North Korea may resort to less visible means of fraud in an attempt to block fake cryptocurrency exchanges and confiscate looted funds. Instead of stealing half a billion dollars from a cryptocurrency exchange, he suggests Pyongyang's agents may be running a less obvious pyramid scheme.

But despite the low rate of return, cryptocurrency theft is still "extremely profitable," said Carlson, who now works at fraud investigation firm TRM Labs. So there is no reason to stop.

CNN's Gawon Bae in Seoul and Richard Roth in New York contributed to this report.
