Global Cryptocurrency Exchanges Allegedly Interdicted North Korean Funds

By Valentina Pasquali

Multiple cryptocurrency exchanges in the past year rejected and restrained bitcoins, ethers and other digital tokens after linking them to cyberthefts and other illicit schemes directed by North Korea, according to U.S. prosecutors who now intend to permanently seize the funds.

The exchanges, whose efforts prosecutors described in a civil forfeiture complaint last week without identifying the firms by name, allegedly handled proceeds from nearly a dozen hacks by groups affiliated with Pyongyang. The complaint, filed by the U.S. Attorney’s Office for the District of Columbia, targets 280 wallets at the exchanges for forfeiture.

One platform, dubbed “Exchange 9” in the Aug. 27 complaint, refused to convert ethers into bitcoins in December 2019 after linking the funds to the cybertheft of $48.5 million worth of digital tokens the month prior from “Exchange 2” in South Korea, unnamed in court documents but identified in news reports as Upbit.

The individual who sought to launder the stolen cryptocurrency then asked a different wallet provider to intercede on his behalf, according to the 30-page complaint, but Exchange 9 notified the firm that the transaction was “currently frozen” and “would not be processed because it contained funds related to the hack of Exchange 2.”

Five months earlier, on July 1, 2019, the same person allegedly tried to withdraw $106,000 in bitcoins from “Exchange 4,” where he opened an account with a fake Russian passport and U.S. email address “hours” before depositing more than $130,000 in PlayGame, IHT Real Estate Protocol and Tether tokens that had reportedly just been stolen from Singapore-based CoinTiger.

The individual managed to withdraw 0.46 bitcoins, roughly $4,600, after converting them from other cryptocurrencies, but Exchange 4 blocked a fourth attempt to wire out the remaining 9.5 bitcoins.

Last week’s civil forfeiture follows a related, March 2 complaint targeting 146 cryptocurrency accounts for permanent seizure, and a criminal complaint accusing two Chinese “money transmitters,” Tian Yinyin and Li Jiadong, of laundering at least $100 million for North Korea.

The North Korean hackers who perpetrated the cyberthefts described by both complaints relied on those and other unlicensed brokers to funnel the stolen digital coins through multiple wallets, convert them into cryptocurrencies tied to different blockchains in a process known as “chain hopping,” and ultimately exchange them for hard cash, according to the Aug. 27 filing.

“These OTC [over-the-counter] traders fail to collect … KYC [know-your-customer] information about their clients and the source of the virtual currency being converted,” prosecutors wrote. “Many owners of illicit funds seek out these OTC traders because they are otherwise unable to obtain accounts at law-abiding virtual currency exchanges or risk having their funds frozen.”

On Sep. 30, a third cryptocurrency trading platform, “Exchange 11,” canceled the outgoing transfer of nearly 2 bitcoins, roughly $16,000, that the alleged hackers bought with ALGO tokens they had stolen earlier from an unnamed U.S. exchange, according to prosecutors.

Cryptocurrency firms’ compliance efforts have steadily improved under public and market pressure to outperform an ever-expanding number of competitors, as well as amid greater scrutiny from law enforcement, regulatory agencies and intergovernmental groups, said Yaya Fanusie, a former CIA analyst.

“But this activity shows how compliance is undermined if it is not paired with strong cybersecurity hygiene,” Fanusie wrote in an email. “It appears as if North Korean actors were having a field day in 2018 and 2019, penetrating exchanges which held not just Bitcoin and Ethereum, but more obscure tokens that most people never would have heard of.”

In June 2019, FATF issued guidance asking the group’s member states to require that cryptocurrency firms register with a national supervisor and vet clients, report suspicious activity and generally comply with “the full range” of anti-financial crime rules.

The actions targeting North Korea also come amid a broader push by the U.S. Attorney’s Office in Washington, D.C., to interdict and seize digital assets that sanctions evaders, terrorist groups and other criminals stash domestically and overseas.

On Aug. 13, prosecutors in D.C. sought to forfeit some 300 cryptocurrency wallets through which U.S.-blacklisted terrorist groups, like the Islamic State group, al-Qaida and al-Qassam Brigades, a Palestinian militia, allegedly raised funds from supporters around the world.

The regulated exchanges through which some of the illicit cryptocurrency transited cooperated with law enforcement and handed the funds over pursuant to their anti-money laundering obligations, a senior Justice Department official told ACAMS at the time.

Topics: Anti-money laundering, Sanctions, Info. Security/Cybercrime, Cryptocurrencies
Source: U.S.: Courts, U.S.: Department of Justice
Document Date: September 1, 2020