Probe into the Laundering of Over $100 Million in Cryptocurrency From Exchange Hacks
On March 2, 2020, the U.S. Department of Justice charged two Chinese nationals with laundering over $100 million worth of cryptocurrency stolen in a hack of a cryptocurrency exchange. The funds were stolen by North Korean actors in 2018, as detailed in the civil forfeiture complaint unsealed the same day.
Establishing the source of the stolen cryptocurrency, the specific laundering path the hackers took, and the part the two Chinese nationals played is urgent, because the U.S. Department of Justice did not disclose the specific source of the stolen funds or the transaction path of the laundered cryptocurrency, and one of the accused, Li Jiadong, even claimed that he was a victim.
Blockchain security company PeckShield lost no time in tracking and analyzing the 20 addresses published by the U.S. Department of Justice in order to reconstruct the whole case visually.
Prosecution documents of the U.S. Department of Justice
As shown in the figure above, the Lazarus Group, a North Korean hacker organization, first attacked four crypto exchanges, using phishing to obtain the exchanges' private keys; the hackers then moved the stolen assets to four other exchanges using the Peel Chain technique, and finally moved the assets, again by Peel Chain, to the two exchanges used for the money laundering, completing the whole process.
Generally, after hackers succeed, the money laundering process is divided into three steps: “Placement”, “Layering” and “Integration”.
The PeckShield security team traced the 20 Bitcoin addresses related to the accused on chain. Based on the behavior characteristics on chain and the exchange database data obtained, the following four exchanges were finally identified:
Note: after the shutdown of the Bter exchange in 2017, its assets were taken over by another exchange. Here we still use the name Bter.
Having established the source of the stolen cryptocurrency, let's take a look at the laundering path and the flow of the stolen assets. Here are the three steps of the money laundering:
Within a few months after Bter, Bithumb, Upbit and Youbit were attacked, the attackers began to dispose of their illegal profits by various means, such as transferring the stolen assets into accounts under their control to prepare for the next stage of laundering.
During the layering stage, the attacker used the Peel Chain technique to continuously split the assets in hand into small amounts and deposit them into exchanges. In the figure below, we select a typical splitting process. The flow of the first 2000 BTC is detailed as follows:
Step 1: one of the attacker's addresses had previously received 1999 BTC; this large balance was first split into 1500 + 500 BTC;
Step 2: the 1500 BTC was further divided among three addresses of 500 BTC each. At this point the original 2000 BTC had been split across four new addresses, and the balance of the original address had been reduced to zero;
Step 3: the hackers then transferred the 500 BTC in pieces of 20-50 BTC, depositing each piece into the Yobit exchange and sending the remaining assets to a new address;
Step 4: step 3 was repeated from the new address until the original 500 BTC had been fully deposited into the exchange. During this process, the attackers also made deposits to other exchanges, such as Bittrex, Kucoin and HitBTC.
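The peel pattern in Steps 3 and 4 (a small deposit to an exchange plus a large change output that is spent again in the next hop) can be flagged automatically by walking the chain of change outputs. The following is an added example, not PeckShield's tooling or any data from the case: the transaction records, address labels, the 50 BTC "small output" threshold and the set of known exchange deposit addresses are all constructed assumptions, and fees are ignored.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

@dataclass
class Tx:
    """Minimal transaction record: addresses spent from and paid to (fees ignored)."""
    txid: str
    inputs: List[Tuple[str, float]]   # (address, amount in BTC)
    outputs: List[Tuple[str, float]]  # (address, amount in BTC)

# Constructed sample data, not real chain data: a 500 BTC balance is peeled into
# exchange deposits of 20-50 BTC while the change moves on to a fresh address.
EXCHANGE_DEPOSIT_ADDRS: Set[str] = {"yobit-dep-A", "bittrex-dep-B"}  # assumed labels
SAMPLE_TXS = [
    Tx("t1", [("atk-0", 500.0)], [("yobit-dep-A", 30.0), ("atk-1", 470.0)]),
    Tx("t2", [("atk-1", 470.0)], [("atk-2", 425.0), ("bittrex-dep-B", 45.0)]),
    Tx("t3", [("atk-2", 425.0)], [("yobit-dep-A", 20.0), ("atk-3", 405.0)]),
    Tx("t0", [("src", 600.0)], [("unrelated", 600.0)]),  # not a peel: one output
]

def classify_peel(tx: Tx, exchange_addrs: Set[str],
                  small_max: float) -> Optional[Tuple[float, str, float]]:
    """Return (peeled_amount, change_address, change_amount) if tx is one peel
    step: a small deposit to a known exchange address plus a larger change output."""
    if len(tx.outputs) != 2:
        return None
    for dep, chg in (tuple(tx.outputs), tuple(reversed(tx.outputs))):
        if dep[0] in exchange_addrs and dep[1] <= small_max and chg[1] > dep[1]:
            return dep[1], chg[0], chg[1]
    return None

def follow_peel_chain(txs: List[Tx], start_address: str, exchange_addrs: Set[str],
                      small_max: float = 50.0):
    """Walk the chain of change outputs from start_address and return
    (peeled amounts, last change address, last change amount or None)."""
    # Assumes each attacker address is spent from once, as in the pattern above.
    spent_by = {addr: tx for tx in txs for addr, _ in tx.inputs}
    peels: List[float] = []
    addr, balance = start_address, None
    while addr in spent_by:
        step = classify_peel(spent_by[addr], exchange_addrs, small_max)
        if step is None:
            break  # chain ends: not a peel step, e.g. a consolidation
        peeled, addr, balance = step
        peels.append(peeled)
    return peels, addr, balance

def is_peel_chain(peels: List[float], min_hops: int = 3) -> bool:
    """Alert heuristic: at least min_hops consecutive small exchange deposits."""
    return len(peels) >= min_hops
```

Calling `follow_peel_chain(SAMPLE_TXS, "atk-0", EXCHANGE_DEPOSIT_ADDRS)` returns the three peeled amounts (30, 45 and 20 BTC), the final change address `atk-3` and the 405 BTC still unpeeled there; a real deployment would replace the constructed transactions with parsed chain data and the label set with the tracker's exchange deposit tags.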
Further analysis showed that after the initial laundering operation, the crafty attacker did not transfer the funds directly into his own wallet, but again used the Peel Chain technique to move the original BTC into OTC exchanges in batches to be cashed out. Each time, the attacker separated only dozens of BTC from the primary account and deposited them into the OTC account for cash. After dozens or hundreds of such operations, thousands of BTC were successfully obfuscated and laundered.
After completing the laundering operations above, the attacker began selling OTC and cashing out the illegal proceeds.
In the process described above, the attacker deposited 3951 BTC into the accused Tian Yinyin's three OTC accounts on Huobi and Coincola for cash, in over 100 deposits between November 28 and December 20, 2018. The last 9.8 BTC is still held in the attacker's transit address.
The victim exchanges are Bter, Bithumb, Upbit and Youbit. According to incomplete statistics, the losses are worth at least 300 million dollars. After the attacks succeeded, the hackers carried out professional, thorough and complex money-laundering operations in three steps in order to partially cash out.
PeckShield believes that no matter how sophisticated the process is, hackers usually use exchanges as part of the cash-out channel when laundering stolen cryptocurrency. This undoubtedly raises the requirements for the KYC and KYT operations of major crypto exchanges, which should strengthen their AML and fund-compliance review.
Based on machine learning algorithms, threat intelligence and darknet information, the PeckShield security team has accumulated over 60 million address tags, mastered a large number of addresses and transactions related to hacker gangs and stolen funds, and provides a 7×24-hour on-chain fund-movement warning service. Typical security incidents PeckShield has handled include PlusToken and the stolen assets of Binance and Upbit.