Authorities are tracking the theft and laundering of cryptocurrencies linked to North Korea. The analytics firm OXT has analyzed the transactions involved and describes the laundering methods used.

A new report delves into the methods that hackers affiliated with North Korea use to launder cryptocurrencies stolen from their victims, mainly exchanges.

Starting from civil lawsuit number 20-606, filed with US court authorities on March 2nd, OXT analyzed the fund movements and transactions on the Bitcoin network and other networks, uncovering the methods the cybercriminals use to obfuscate their illegitimate cryptocurrency transactions.

In this US legal process, two Chinese citizens (Tian Yinyin and Li Jiadong) are accused of laundering money stemming from the hacking of South Korean exchanges and other cyberattacks.

According to the OXT report, the criminals managed to cash out a total of USD 67.3 million by depositing it in Chinese bank accounts, in addition to USD 1.5 million worth of iTunes gift cards acquired through the Paxful p2p exchange service.

Even though the complaint does not link these two hackers to the Lazarus group, the infamous cybercriminal organization tied to the North Korean government, a recent designation by OFAC (Office of Foreign Assets Control) adds the addresses from the case to its list of sanctioned entities.

Although the court document does not name the exchanges, OXT identifies them: by contrasting publicly known information with the data included in the lawsuit, it arrives at the victims' probable names.

The two subjects are accused of laundering thousands of BTC and ETH in three phases. In the first, they used a peeling structure, a money-laundering method that, combined with CoinJoin, makes it difficult to trace the perpetrators. However, the launderer must take certain precautions for it to succeed.

Peeling is a method of concealing transactions that starts from a main address. Each transaction in the cycle has two outputs: a small one sent to a third address (also owned by the original sender) and a large one (almost the entire amount) returned as change to the sender of the transaction, OXT explains, noting that this transaction pattern has been observed since the Mt. Gox case.
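The two-output pattern just described is exactly what chain-analysis tooling looks for when flagging a peel chain. The following detector, written for this article as an added example and not part of OXT's report or tooling, walks a constructed set of transactions from a seed transaction, accepts a hop only when the transaction has two outputs and the larger one carries at least a configurable share of the value (the 80% threshold is an assumption, not a figure from the report), records the small "peel" output at each hop, and follows the change output to the transaction that spends it. The sample transactions, addresses and amounts are constructed for illustration.

```python
"""Peel-chain detector over a constructed set of UTXO-style transactions.

A peel chain is a sequence of transactions, each with exactly two outputs:
a small "peel" to a fresh address and a large change output (almost all of
the value) that funds the next transaction in the chain.
"""
from dataclasses import dataclass


@dataclass
class Tx:
    txid: str
    inputs: list    # (txid, vout) outpoints being spent
    outputs: list   # (address, amount_btc), in vout order


# Constructed sample data (not real chain data): a three-hop peel chain
# a0 -> a1 -> a2, then a3 splits the value evenly and breaks the pattern.
# b0 is an unrelated transaction that should never be visited.
TXS = [
    Tx("a0", [("funding", 0)], [("peel1", 0.5), ("chg1", 99.5)]),
    Tx("a1", [("a0", 1)],      [("peel2", 1.5), ("chg2", 98.0)]),
    Tx("a2", [("a1", 1)],      [("chg3", 96.0), ("peel3", 2.0)]),   # change first
    Tx("a3", [("a2", 0)],      [("x", 48.0), ("y", 48.0)]),         # 50/50 split
    Tx("b0", [("other", 0)],   [("z", 10.0), ("w", 0.1)]),
]


def find_peel_chain(txs, start_txid, change_ratio=0.8, max_hops=1000):
    """Follow a peel chain from start_txid.

    Returns a list of (txid, peel_address, peel_amount), one entry per hop
    that matches the pattern. The walk stops at the first transaction that
    does not have exactly two outputs, whose larger output is below
    change_ratio of the total, or whose change output is unspent.
    """
    by_id = {t.txid: t for t in txs}
    # Index: which transaction spends a given (txid, vout) outpoint.
    spender = {}
    for t in txs:
        for outpoint in t.inputs:
            spender[outpoint] = t.txid

    chain = []
    txid = start_txid
    for _ in range(max_hops):          # hop limit guards against cycles
        tx = by_id.get(txid)
        if tx is None or len(tx.outputs) != 2:
            break
        (a_addr, a_amt), (b_addr, b_amt) = tx.outputs
        total = a_amt + b_amt
        if total <= 0:
            break
        # The larger output is treated as change, the smaller as the peel.
        if a_amt >= b_amt:
            change_idx, change_amt, peel = 0, a_amt, (b_addr, b_amt)
        else:
            change_idx, change_amt, peel = 1, b_amt, (a_addr, a_amt)
        if change_amt / total < change_ratio:
            break                      # too even a split to be a peel
        chain.append((tx.txid, peel[0], peel[1]))
        txid = spender.get((tx.txid, change_idx))
        if txid is None:
            break                      # change output still unspent
    return chain


def peeled_total(chain):
    """Sum of the amounts peeled off along a detected chain."""
    return round(sum(amount for _, _, amount in chain), 8)


if __name__ == "__main__":
    hops = find_peel_chain(TXS, "a0")
    for txid, addr, amt in hops:
        print(f"{txid}: peeled {amt} BTC to {addr}")
    print("total peeled:", peeled_total(hops))
```

In practice the same walk is run over indexed chain data rather than an in-memory list, and the peel addresses it collects are the leads an investigator clusters and checks against exchange deposit addresses; a chain that ends at an even split or a multi-output transaction, as with `a3` above, is where the simple heuristic loses the trail and other techniques have to take over.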

In the second phase, the cybercriminals deposited their funds at exchanges that do not enforce KYC (Know-Your-Customer) policies. Holding the funds for a time in the custody of these exchanges mixes them with those of other users, making them harder to trace.

In 2018, the criminals who hacked the Bithumb exchange deposited nearly 2,000 BTC of the stolen funds at YoBit, a Russia-based exchange that is also named in the OXT report.

In the third phase, they withdrew the funds through services that exchange cryptocurrencies for national fiat currencies. Most of these require user identity verification, but by this point the funds would appear clean enough to withdraw for good, since the second phase had already broken the traceable link to the stolen coins.

In mid-2019, the UN stated that hackers affiliated with North Korea have obtained up to USD 2 billion in cyberattacks against financial institutions and cryptocurrency exchanges, in a report that at the time accounted for 35 cases worldwide.

In 2019, up to USD 282 million worth of cryptocurrencies was lost to cyberattacks. The firm Chainalysis also notes that hackers have refined their methods for defeating transaction tracing. Tracing is not impossible, however, given significant computational power.

By Willmen Blanco

