How North Korea Conceals Billions in Stolen Cryptocurrency

Understanding North Korea’s Crypto Laundering Techniques

North Korea has established a notorious reputation for hacking and stealing cryptocurrencies. A notable incident occurred on February 21, when the regime siphoned off a staggering $1.5 billion from the crypto exchange Bybit. However, the real challenge lies not in the theft itself, but in the complex process of laundering these illicit assets and converting them into usable funds.

Challenges of Using Major Exchanges

Directly transferring stolen funds to well-known exchanges such as Binance or Coinbase is not an option for North Korea. These platforms enforce strict Know-Your-Customer (KYC) regulations and cooperate with law enforcement to freeze suspicious transactions almost immediately upon deposit. This creates a significant obstacle for North Korean operatives who aim to convert their digital loot into cash without attracting attention.

Ari Redbord, the global head of policy at blockchain analytics firm TRM Labs, highlights the regime’s reliance on an extensive network of over-the-counter (OTC) brokers to navigate around these hurdles. “They’ll look for global exchanges that lack compliance controls,” he explains, pointing out that North Korea has a long history of utilizing Chinese money laundering organizations, which are also favored by various cartels.

However, the network extends beyond China. Countries like Russia, known for a lack of stringent money laundering controls, and locations such as Macau, where casinos offer avenues for laundering fiat currency, have become integral to North Korea’s financial strategy.

The Off-Ramping Dilemma

Despite the regime’s extensive efforts, converting stolen cryptocurrencies into government-backed currencies like the Chinese renminbi or the U.S. dollar remains a daunting task. Since 2017, North Korea has reportedly pilfered over $5 billion in crypto assets, which translates to an average of approximately $51 million that needs to be off-ramped monthly. This substantial figure exceeds the capabilities of their current money laundering apparatus.

Redbord suggests that the considerable amounts stolen often languish in wallets for extended periods, not due to strategic financial planning but rather a lack of effective off-ramping mechanisms. He likens the situation to that of infamous drug lord Pablo Escobar, who faced challenges in storing vast quantities of cash. “North Korea is grappling with a similar problem regarding its crypto assets,” he notes.

In the aftermath of the Bybit hack, much of the stolen Ethereum (ETH) was converted to Bitcoin through THORswap, a platform facilitating swaps between different blockchain networks. The funds are then processed through mixers like Wasabi and CryptoMixer, which can only handle a limited volume of transactions, typically no more than $10 million daily. This creates a bottleneck, complicating North Korea’s ability to efficiently off-ramp its stolen assets.

After the Laundering: What Happens Next?

Once North Korea successfully off-ramps its assets through OTC brokers, the trail often becomes obscured for blockchain analysis firms like TRM Labs. However, government agencies such as the Federal Bureau of Investigation (FBI) and Homeland Security Investigations (HSI) are equipped with a range of intelligence-gathering tools to track illicit activities.

These agencies utilize both human intelligence—through interviews, interrogations, and espionage—and signals intelligence, which involves intercepting communications and gathering electronic data to enhance their investigations. Remarkably, they can sometimes recover stolen funds, as was the case with the Colonial Pipeline ransomware attack in 2021, where the Department of Justice successfully retrieved nearly 85% of the Bitcoin ransom paid to the Russian cybercriminal group Darkside.

The extensive network of Chinese shell companies leveraged by North Korea for laundering purposes is constantly under scrutiny from U.S. agencies, often in collaboration with their counterparts in Japan and South Korea. However, laundering funds through the Chinese banking system does not guarantee success for North Korea.

In 2019, U.S. federal prosecutors issued subpoenas to three Chinese banks involved in a money laundering case connected to North Korea. This maneuver is complicated by the jurisdictional limitations the U.S. faces over foreign banks. However, a provision in the USA PATRIOT Act allows for such actions under specific conditions, enabling the U.S. government to potentially sever a foreign bank’s access to the U.S. banking system.

While this strategy can yield results, it requires considerable political capital and is challenging to replicate, especially with major financial institutions. Redbord notes that any attempt to cut off correspondent banking for a significant Chinese bank could have severe repercussions on the global economy.

The current U.S. administration might be more willing to pursue such measures, particularly against smaller or mid-sized Chinese banks. “Issuing a subpoena in such cases sends a powerful message,” Redbord concludes, indicating the ongoing battle against North Korean financial malfeasance.
