DOJ indicts 2 Chinese men for laundering stolen South Korean Bitcoin for North Korean hackers
Today, the U.S. Attorney’s Office for the District of Columbia unsealed an indictment of two Chinese nationals, Tian Yinyin and Li Jiadong, charging them with money laundering and running an unlicensed money transmitting business, for laundering $100 million in stolen Bitcoin and Ether for North Korean hackers between July 2018 and April 2019. The indictment alleges that the $100 million was part of a $250 million take the Lazarus Group stole from four cryptocurrency exchanges, three of them in South Korea, in 2018.
Lazarus, designated by OFAC last September, is suspected of hacking Sony Pictures, and robbing multiple cryptocurrency exchanges and several banks. It is controlled by the Reconnaissance General Bureau, which did the ROKS Cheonan and Yeonpyeong-do attacks, and multiple assassination attempts in China and South Korea.
In April 2018, an employee of the exchange unwittingly downloaded DPRK-attributed malware through an email, which gave malicious cyber actors remote access to the exchange and unauthorized access to customers’ personal information, such as private keys used to access virtual currency wallets stored on the exchange’s servers. [OFAC Press Release]
Who says inter-Korean economic engagement never works?
The funds were then laundered through hundreds of automated cryptocurrency transactions aimed at preventing law enforcement from tracing the funds. . . . A portion of the laundered funds was used to pay for infrastructure used in North Korean hacking campaigns against the financial industry. [DOJ Press Release]
Now here’s something that may shock the Twitter libertarians among you. Did you know that cryptocurrency exchanges also have to follow Know-Your-Customer rules, and that people who exchange crypto for real money have to register as money service businesses? To comply with these rules, Tian and Li made themselves some really bad fake ID photos that my low-life high school friends would have been ashamed to bring into a 7-11 to buy a keg of Old Style. But Tian and Li also designed a long, automated series of cryptocurrency transfers through 113 of those crypto accounts, siphoning off a small amount to a recipient dollar account each time, to obscure the ownership and origin of the money. It sounds vaguely like the plot of “Office Space,” but apparently this is called a “peel chain.” The defendants poured these small amounts into dollar accounts at nine different Chinese banks.
US v 113 virtual currency accounts
The Treasury Department also froze Tian and Li’s crypto accounts, as well as their other property in the United States.
Virtual asset service providers and traditional institutions should remain vigilant and alert to substantial changes in customers’ activities, as their business may be used to facilitate the transfer of stolen proceeds. The United States is particularly concerned about platforms that provide anonymous payment and storage functionality without transaction monitoring, suspicious activity reporting, or customer due diligence, among other obligations. [OFAC Press Release]
So, is this a big deal? Yes, for a few reasons it could be. The Justice Department says it recovered some of the money. It doesn’t specify how much, but if it was in the tens of millions of dollars, that’s more than the other forfeiture cases we’ve seen since the passage of the NKSPEA’s forfeiture provisions. As the UN Panel of Experts has informed us, cryptocurrency has been a growing source of illicit income for Pyongyang, and this is the first time Justice and Treasury have shown that they have ways of dealing with that. Great things have small beginnings.
Does this mean that Donald Trump’s sanctions pause–now nearing the two-year mark–is finally over? For that answer, see Trump’s Twitter feed, and let me know what you find out. Of course, the Justice Department never really paused at all. Three districts (the Southern District of New York, the Eastern District of New York, and especially the D.C. District) have used the NKSPEA’s civil forfeiture authorities just as I’d hoped they would from the time we first drafted them nearly seven years ago now. But DOJ is rightly protective of its independence from the White House, policy, and politics. Treasury’s participation in this case suggests a greater degree of administration buy-in than we’ve seen since May of 2018.
And is this finally maximum pressure? Still no. As I’ve said and said and said again, you’ll know it’s maximum pressure when you start to see nine-digit civil penalties against the Chinese banks that continue to launder North Korea’s money. The evidence that Chinese banks were turning a blind eye to North Korean money laundering was already considerable before today, and had already placed three major Chinese banks in serious legal peril. Now, to that evidence, we add this:
8. Tian Yinyin linked a bank account at China Guangfa Bank (‘CGB”) to his VCE-A account less than a week after the intrusion and theft at The Exchange. This CGB account received approximately 491 deposits from VCE-A for 233,889,970 CYN (approximately $34,504,173.43) and represents proceeds from Tian Yinyin’s money laundering activities.
. . . .
17 . Li Jiadong linked bank accounts at nine Chinese banks-Agricultural Bank of China, China Everbright Bank, China CITIC Bank, CGB, China Minsheng Bank, Huaxia Bank, Industrial Bank, Pingan Bank, and Shanghai Pudong Development Bank-to his VCE-A account. These bank accounts received approximately 2,000 deposits from VCE-A for 229,282,960.97 CYN (approximately $32,848,567.00) and represent proceeds from his money laundering activities.
The first rule of Anti-Money Laundering is that you’re supposed to know where your customer’s money is coming from and ask obvious questions about large, unexplained deposits. How can any responsible bank take in 491 deposits in less than a year, for a total amount of more than $34 million, without telling the Treasury Department that there’s some suspicious activity going on?
Of course, it’s possible that some of these banks did just that. Suspicious activity reporting for cryptocurrency transactions has skyrocketed in recent years, and if the banks had filed reports, they couldn’t say that publicly, even in defense of their own reputations. The unauthorized disclosure of a SAR is a very big deal ”“ people go to jail for it. On the other hand, it’s interesting that this indictment, contrary to typical DOJ practice, actually names the banks, despite the fact that the banks aren’t indicted. That’s not something you’d expect to see if the feds were going out of their way to protect the reputations of banks that were cooperating. Also missing from both press releases is any statement that the banks are not suspected of any wrongdoing, such as what we saw in the Dandong Hongxiang case in 2016.
That’s entirely speculative on my part, of course. I could be making something of nothing. But if these signals send a message through the financial industry to take “enhanced due diligence” seriously at last, two of the widest loopholes in financial sanctions enforcement will narrow. But if there’s no follow-up action against the banks, Tian and Li could easily be just two more expendable cut-outs, and Pyongyang can always find more where those two came from.
Still, we’ve learned today that cryptocurrency is not a magic carpet that glides smoothly over the sanctions minefield after all. The vulnerability of cryptocurrencies as a sanctions dodge is their lack of intrinsic value. As RUSI explained in this excellent strategy paper, to recoup their value, you have to exchange them for fiat currency. A criminal does this as his jurisdictional peril. None should applaud today’s action more than those who want cryptocurrencies to gain acceptance in the mainstream economy. Theft, fraud, and laundering the proceeds of theft and fraud don’t advance the cause of acceptance. Nor, for that matter, does helping the world’s worst government acquire and spread the world’s most destructive weapons.
~ ~ ~
Update: Some evidence that this may not be the last indictment we see this year for helping Pyongyang to launder cryptocurrency.
U.S. officials engaged in intense behind-the-scenes campaign with allies to cripple North Korea’s cyberhacking and fundraising capabilities, as consensus grows in Trump administration that nuclear talks with Pyongyang will remain stalled for coming year https://t.co/PtbFRYnFRV
– Dr. Mark P. Barry (@DrMarkPBarry) March 2, 2020