How an Elaborate North Korean Crypto Heist Fell Apart

Credit to Author: Matt Burgess, WIRED UK | Date: Fri, 06 Mar 2020 15:00:00 +0000

At the end of 2018, North Korea carried out a heist. Hackers acting on behalf of the secretive state infiltrated and extracted more than $250 million (£195m) in cryptocurrency. Where the theft took place is a mystery, but the elaborate scheme the hackers used to move the funds back within North Korea has now started to unravel.

This story originally appeared on WIRED UK.

At the center of the heist were two Chinese citizens—Tian Yinyin and Li Jiadong. The pair have been indicted by the US government, following an investigation by the FBI, Homeland Security, and the Internal Revenue Service, for their alleged role in the criminal behavior. They’re unlikely to ever be brought before the courts—they won’t be extradited, freely visit a nation that could extradite them, or visit America—but the charges are the latest in efforts by law enforcement and intelligence agencies to publicly shame hostile nation states for their online behavior.

The pair are accused of running an elaborate money-laundering scheme involving more than $100 million in cryptocurrency between hundreds of accounts, leaving a trail of disruption in their wake. The scheme used North Korean infrastructure to purchase 8,823 Apple iTunes gift cards for $1,448,694, created false identities, and built a sophisticated network of transactions.

The US government charged the pair with conspiracy to launder money and for operating an unlicensed money transmitting business. It has also released details (PDF) of how the $250 million raid was conducted. The crypto exchange hack is one of four that have been blamed on North Korean actors, most recently by the United Nations. One of these, Youbit, filed for bankruptcy following the hack.

And it all started with malware. In mid-2018, a worker at the hacked cryptocurrency exchange was emailing a potential client. During this exchange they downloaded malware that attached itself to the exchange’s infrastructure, allowing remote access to the exchange and access to the private keys controlling crypto wallets. The result was chaos—around $250 million was siphoned from the exchange. US court documents state 10,777.94 bitcoins, known as BTC, were removed (an estimated $94m), 218,790 Ethereum, ETH, equaling $131 million, and various sums of five other cryptocurrencies. These included Dogecoin, Ripple, Litecoin, and Ethereum Classic.

Meanwhile, in North Korea, a co-conspirator searched for information about the hacked crypto exchange. According to court documents they researched “hacking,” “Gmail hacker extension,” “how to conduct phishing campaigns,” and, perhaps crucially, “how to exchange large amounts of ETH to BTC.” The documents state that “North Korean co-conspirators” who are believed to have been involved in the hacking of the crypto exchange also researched the relationship between the US and North Korean military, and Kim Jong Un.

While the movement of cryptocurrency is relatively anonymous—law enforcement agencies use third-party companies that analyze behavioral patterns in an effort to identify individuals—moving 10,000 bitcoin, or hundreds of thousands of other crypto leaves a record. The blockchain, crucially, remembers everything. In an effort to hide their activity, the US alleges, North Korean conspirators used peel chains.

The method is simple in theory, but complex theoretically. It involves one account with a large amount of cryptocurrency which transfers a small amount to another account. The process is repeated until the crypto has been moved through potentially hundreds of accounts and made harder to track. “To obfuscate the BTC trail and decrease scrutiny, the North Korean co-conspirators engaged in hundreds of automated transactions with new BTC addresses as “peel chains” to four different exchanges,” the US government says.

In another effort to mask their activity, it’s claimed North Korean conspirators also spent the stolen crypto on setting up a new company. They purchased 12 months of business email services for the domain and company Celas LLC, which offered a piece of downloadable crypto trading software. However, when cybersecurity companies inspected the files in 2018 they found a different story: it contained malware, which hoovered up personal information. They sent thousands of phishing emails trying to trick people into downloading the software.

“To aid in the phishing campaign, the North Korean co-conspirators used various email plugins,” the indictment says. These included a tool to see read receipts that included IP addresses and browser details; one that allowed professional looking signatures to be made; and finally an editing tool that promised it would turn writing into “perfect English.”

To give Celas LLC a veneer of authenticity, fake Instagram, Twitter, LinkedIn, and Facebook accounts were created for staff members who were allegedly working on the product. Waliy Darwish, one fictional employee, was even listed as having a degree from Rotterdam University.

It isn’t the first time that individuals tied to North Korea have created false crypto companies. Last year we reported details of Marin Chain, a startup that had links to the country. It claimed to offer an alternative cryptocurrency linked to the shipping industry. At the time, security sources said that APT 38, the country’s elite hacking group, had stolen more than $1 billion to help the country’s finances. North Korea is under strict economic and trade sanctions due to its continued development of nuclear weapons. “Security analysts are unanimous in assessing that the funds stolen by APT 38 – a significant percentage of North Korean GDP—are channelled into the DPRK’s missile and nuclear development programs,” a source said at the time.

However, mistakes were made with the hacking and money laundering surrounding the crypto exchanges. And this eventually led to the case unraveling. “In spite of using VPN services to mask their addresses, law enforcement was able to trace back logins to an IP address within North Korea,” officials say.

Of the original 10,777 bitcoin that were stolen, more than 10,500 of these were deposited into four virtual currency exchanges. Individuals with connections to North Korea also tried to circumvent identity checks involved during the sign-up processes for the virtual exchanges. Photos within legal documents show that verification images had been poorly photoshopped: the same body, wearing a white t-shirt (above) had different faces photoshopped onto it before being submitted to the exchanges.

Tian and Li both used aliases in an attempt to disguise their alleged roles in money laundering. The US government says they are both Chinese nationals with “government identification numbers and Chinese phone numbers”.

Two of the usernames adopted were “snowsjohn” and “khaleesi”. Between July 2018 and April 2019, they handled $100,812,842.54 in cryptocurrency transactions which were linked back to the $250m heist on the crypto exchange. “Tian Yinyin and Li Jiadong would convert such virtual currency into fiat currency and transfer it to customers, for a fee,” the US government said in its indictment. The pair would transfer the stolen cryptocurrencies into traditional fiat currency and also purchased iTunes giftcards as one way to disguise the movement of the money. The pair’s identities were revealed when the virtual currency accounts that they’d created were linked to banks in the real-world. They also transferred cryptocurrency between each other.

“The hacking of virtual currency exchanges and related money laundering for the benefit of North Korean actors poses a grave threat to the security and integrity of the global financial system,” US Attorney Timothy Shea said at the time of the indictments. “These charges should serve as a reminder that law enforcement, through its partnerships and collaboration, will uncover illegal activity here and abroad, and charge those responsible for unlawful acts and seize illicit funds even when in the form of virtual currency.”

This story originally appeared on WIRED UK.

https://www.wired.com/category/security/feed/