At the end of 2018, North Korea carried out a heist. Hackers acting on behalf of the secretive state infiltrated and extracted more than $250 million (£195m) in cryptocurrency. Where the theft took place is a mystery, but the elaborate scheme the hackers used to move the funds back within North Korea has now started to unravel.
Wired UK
This story originally appeared on WIRED UK.
At the center of the heist were two Chinese citizens—Tian Yinyin and Li Jiadong. The pair have been indicted by the US government, following an investigation by the FBI, Homeland Security and the Internal Revenue Service, for their alleged role in the criminal behavior. They’re unlikely to ever be brought before the courts—they won’t be extradited, freely visit a nation that could extradite them, or visit America—but the charges are the latest in efforts by law enforcement and intelligence agencies to publicly shame hostile nation states for their online behavior.
The pair are accused of running an elaborate money laundering scheme involving more than $100m in cryptocurrency between hundreds of accounts, leaving a trail of disruption in their wake. The scheme used North Korean infrastructure to purchase 8,823 Apple iTunes gift cards for $1,448,694, created false identities, and built a sophisticated network of transactions.
The US government charged the pair with conspiracy to launder money and for operating an unlicensed money transmitting business. It has also released details (PDF) of how the $250m raid was conducted. The crypto exchange hack is one of four that have been blamed on North Korean actors, most recently by the United Nations. One of these, Youbit, filed for bankruptcy following the hack.
And it all started with malware. In mid-2018, a worker at the hacked cryptocurrency exchange was emailing a potential client. During this exchange they downloaded malware that attached itself to the exchange’s infrastructure, allowing remote access to the exchange and access to the private keys controlling crypto wallets. The result was chaos—around $250m was siphoned from the exchange. US court documents state 10,777.94 Bitcoins, known as BTC, were removed (an estimated $94m), 218,790 Ethereum, ETH, equalling $131m, and various sums of five other cryptocurrencies. These included Dogecoin, Ripple, Litecoin and Ethereum Classic.
Meanwhile, in North Korea, a co-conspirator searched for information about the hacked crypto exchange. According to court documents they researched “hacking”, “Gmail hacker extension”, “how to conduct phishing campaigns” and
