North Korean hackers who last month carried out one of the largest cryptocurrency thefts ever are still laundering their haul more than a week after they were identified as the thieves.
The gang, which the Treasury Department identified as the Lazarus Group, also known for the 2014 hacking of Sony Pictures, so far has laundered nearly $100 million — about 17 percent — of the stolen crypto, according to blockchain analytics firm Elliptic. They moved their haul beyond the immediate reach of U.S. authorities by converting it into the cryptocurrency Ethereum, which unlike the cryptocurrency they stole cannot be hobbled remotely. Since then, the gang has worked to obscure the crypto’s origins primarily by sending installments of it through a program called Tornado Cash, a service known as a mixer that pools digital assets to hide their owners.
Authorities and major crypto industry players are scrambling to keep up. Treasury sanctioned three more addresses associated with the gang on Friday, as Binance, a large international crypto exchange, announced it had frozen $5.8 million worth of crypto the hackers had transferred onto its platform.
The cat-and-mouse game unfolding between law enforcement and the North Korean hackers is another example of how criminals have learned to target the growing crypto economy’s weak points. They exploit faulty code in decentralized crypto platforms, use tools that help them hide their tracks such as converting assets to privacy-enhancing cryptocurrencies like Monero, and take advantage of spotty law enforcement coordination across international borders.
The North Korean case also trains a spotlight on a crypto industry eager to demonstrate its trustworthiness to regulators, investors and customers, while retaining crypto’s freewheeling ethos. Some of the largest companies in the sector say they welcome government oversight and tout their investments in internal compliance programs.
Yet a review by The Washington Post of crypto accounts sanctioned by the Treasury Department over the last year-and-a-half found four wallets that remained free to transact months after being placed on the administration’s blacklist. The apparent lapses are owed to flawed or incomplete compliance programs by Tether and Centre Consortium, a pair of companies involved in issuing so-called stablecoins, a type of cryptocurrency whose value is pegged to an external asset, typically the dollar.
“We’re at a particularly important moment: Everyone is still learning what’s possible and how attacks might occur, and the borderless nature of crypto makes it difficult to enforce standards globally,” said Chris DePow, a compliance official at Elliptic. “These are people acting all over the world. Even if you enforce very well in one jurisdiction, if there are other jurisdictions with weaker enforcement, you're still going to end up with a problem.”
Digital thieves are on track for a record-breaking year. They stole $1.3 billion worth of cryptocurrency in the first three months of the year, after seizing $3.2 billion in 2021, according to blockchain data firm Chainalysis. Hackers pulled off another major heist last Sunday, stealing about $76 million worth of digital assets from a crypto project called Beanstalk, according to Etherscan data.
As cybercriminals’ successes mount, so does the urgency for U.S. authorities, who have come to view the attacks as threats to national security. The Lazarus Group, for one, is an important funding source for North Korea’s nuclear and ballistic missile programs, according to United Nations investigators. And Russian hackers last spring temporarily hobbled the operations of a critical American fuel pipeline and the world’s largest meat supplier, relenting only after collecting multimillion-dollar ransoms in cryptocurrency. (Much of the Colonial Pipeline ransom was later recovered.)
The Russian invasion of Ukraine has sharpened policymakers’ focus on the issue. Some lawmakers have worried that Russian government and oligarchs could use crypto to evade the international sanctions choking off their access to traditional financial channels.
So far, they haven’t. “It’s hard to imagine that occurring using crypto,” Treasury Secretary Janet Yellen said on Thursday. But the department is also signaling it is not taking chances. It leveled sanctions against Russian crypto mining firm Bitriver and 10 of its subsidiaries on Wednesday, explaining in a statement the Biden administration “is committed to ensuring that no asset, no matter how complex, becomes a mechanism for the Putin regime to offset the impact of sanctions.”
U.S. authorities are also continuing to target Russian cybercriminals and the crypto platforms they rely on to enable their attacks. Earlier this month, U.S. law enforcement announced the shutdown of Russia-based Hydra Market, a dark net marketplace allegedly selling hacked personal info, drugs and hacking services.
As part of the crackdown, Treasury also sanctioned Garantex, a Russian crypto exchange that the department said had processed more than $100 million in illegal transactions, including $2.6 million associated with Hydra. Treasury said the move built on sanctions it enacted last year against two other Russian crypto exchanges, Suex and Chatex, which all operated out of the same office tower in Moscow’s financial district.
The designations mean any crypto company interacting with the U.S. financial system should block transactions with the sanctioned entities, Elliptic’s DePow said. Yet The Post’s review found that neither Tether nor Centre Consortium have blocked all transactions involving sanctioned addresses.
Tether continues to allow transactions with crypto accounts that allegedly belong to Chatex, over half of whose business was tied to illicit or high-risk activities including ransomware attacks, according to Treasury. One Tether address received and then sent about $15,000 as recently as April 19, according to a Post review of blockchain data from Etherscan. Another received, then sent, nearly $42,000 in the past six months.
In a statement, Tether said that it “conducts constant market monitoring to ensure that there are no irregular movements or measures that might be in contravention of applicable international sanctions.” Chatex didn’t respond to requests for comment.
Not all transactions involving sanctioned addresses are nefarious: Sometimes mainstream exchanges consolidate funds held in sanctioned accounts that no longer benefit the accused hackers who formerly owned them. And sometimes Treasury approves individual transactions with sanctioned accounts
Separately, Centre Consortium — a joint venture between U.S. crypto companies Coinbase and Circle that issues USD Coin, the second-largest stablecoin — failed to freeze three wallets belonging to Russian hackers until months after Treasury sanctioned them. Two of the accounts, blacklisted in September 2020, belong to Artem Lifshits and Anton Andreyev, employees of the Russian hacking group that spearheaded the country’s interference in the 2016 U.S. presidential election. A third was associated with Yevgeniy Polyanin, whom Treasury sanctioned in November for conducting ransomware attacks as part of the REvil cybercriminal gang.
Centre did not freeze those wallets until March 29, when a spokesman said the company conducted a review of sanctioned accounts and discovered it “just hadn’t caught those addresses.” The wallets didn’t transact during that time.
“We’re constantly reviewing what we’re doing to ensure we’re state of the art in our compliance,” the Centre spokesperson said. “Through that review we identified three addresses that had been missed, and we acted immediately.”
Treasury requires U.S. companies to freeze sanctioned accounts as soon as it blacklists them and report they have done so within 10 days, said John Smith, a former director of the department’s Office of Foreign Assets Control and now a partner at Morrison & Foerster. The department can apply stiff penalties to violators even if they didn’t know they were out of compliance, he said, though it tends to focus on more egregious cases.
“They go after entities or individuals they think intentionally or recklessly violated sanctions,” Smith said.
A Treasury spokesperson did not respond to a request for comment.
Neither did Tornado, when approached through a founder. That mixer is how whoever stole $75 million from the Beanstalk project also laundered their proceeds. That has upset investor A.J. Pikul, who says he lost about $150,000 in the hack. “I’m not super happy about the ability to launder funds through crypto at all, to be honest,” he told The Post by email.
“I feel like we’re in a digital arms race between the good guys and the bad guys,” he said.