According to a civil forfeiture complaint filed by the U.S. Department of Justice (DoJ), North Korean hackers allegedly stole around $28.7 million worth of cryptocurrencies in two separate attacks, the first on July 1, 2019 and the second on September 25, 2019.
Using blockchain analysis tools, the DoJ traced the stolen funds to the Lazarus Group, a notorious cybercrime group linked to North Korea, and filed its civil forfeiture complaint against 280 cryptocurrency addresses tied to the two attacks.
In a blog post, blockchain analytics firm Chainalysis shared that it had equipped the U.S. government with blockchain analysis tools to help the authorities track down the funds of cybercriminals.
The Hackers Used Two Main Techniques
According to researchers at Chainalysis, the Lazarus Group hackers employed several new money laundering techniques, which neither Chainalysis nor the DoJ has described in depth. The hackers primarily relied, however, on two well-known methods: chain-hopping and over-the-counter (OTC) trading.
Chain-hopping means moving funds across several blockchains, typically through swap or exchange services, so that the trail of transactions no longer sits on a single ledger that can be followed end to end. As the Chainalysis Reactor graph shows, each hop forces investigators to re-establish the link between a deposit on one chain and a payout on another, which makes a hacker's funds significantly harder to track.
The Chainalysis Reactor graph tracing the hackers' funds. Source: Chainalysis
Referring to the same graph, Chainalysis explained that liquidating through OTC brokers is what let the hackers convert the stolen coins into cash. Unlike exchanges, which operate as centralized platforms that match orders, OTC brokers arrange trades off-exchange, directly between two parties.
Chainalysis described the hackers' use of the two methods as follows:
“However, while the Lazarus Group hackers did employ some new money laundering methods, they also relied on a key old one: Liquidating funds with OTC brokers. […] [H]ackers moved substantial portions of the stolen funds to OTC brokers nested at an exchange — labeled ‘Exchange 6’ — to be converted into cash.”
Despite the hackers’ attempts to move across multiple blockchains and use OTC brokers, the authorities successfully traced the transactions.
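To make concrete why a chain hop complicates tracing but does not defeat it, here is an added example that is not code from Chainalysis, the DoJ or the original article. It follows funds forward through a small constructed ledger on two chains, links a deposit into a swap service with a payout on another chain using a value-and-time heuristic (one common approach; the window and tolerance are assumptions), and stops at addresses labelled as OTC brokers. The prices, addresses and labels are all made up for the example.

```python
"""Toy forward taint tracing across a chain hop (constructed data, added example)."""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    chain: str
    txid: str
    src: str
    dst: str
    amount: float  # native units of `chain`
    ts: int        # unix time, seconds


# Constructed prices (not real quotes): lets value be compared across chains.
PRICE_USD = {"BTC": 10_000.0, "ETH": 200.0}

# Constructed attribution labels; a real investigation would draw these from an
# attribution dataset such as the one Chainalysis describes.
LABELS = {
    "swap_in_btc": "swap_service",   # deposit side of a cross-chain swap
    "swap_out_eth": "swap_service",  # payout side of the same swap
    "exch6_otc_a": "otc_broker",     # OTC desks nested at "Exchange 6" (hypothetical)
    "exch6_otc_b": "otc_broker",
}
CASHOUT_LABELS = {"otc_broker", "exchange"}

# Constructed ledger: one hack wallet, a split, one chain hop, two OTC cash-outs,
# plus decoy traffic that the value/time heuristic must not link.
LEDGER = [
    Transfer("BTC", "b1", "hack_wallet", "hop1", 100.0, 1000),
    Transfer("BTC", "b2", "hop1", "hop2", 60.0, 1100),
    Transfer("BTC", "b3", "hop1", "swap_in_btc", 39.9, 1150),
    Transfer("BTC", "b4", "hop2", "exch6_otc_a", 59.9, 1200),
    Transfer("BTC", "b5", "someone_else", "swap_in_btc", 40.0, 9000),    # unrelated user
    Transfer("ETH", "e1", "swap_out_eth", "hop3", 1990.0, 1500),         # ~$398k: matches b3
    Transfer("ETH", "e2", "swap_out_eth", "other_user", 50.0, 1520),     # $10k: value mismatch
    Transfer("ETH", "e3", "swap_out_eth", "other_user2", 1990.0, 90000), # value ok, too late
    Transfer("ETH", "e4", "hop3", "exch6_otc_b", 1989.0, 1600),
]


def usd(t: Transfer) -> float:
    return t.amount * PRICE_USD[t.chain]


def match_hop(deposit, ledger, labels, window=3600, tol=0.02):
    """Heuristically link a deposit into a swap service with payouts on other
    chains: paid out by the same service, shortly afterwards, for roughly the
    same USD value. Returns every candidate; more than one means ambiguity."""
    matches = []
    for t in ledger:
        if t.chain == deposit.chain or labels.get(t.src) != "swap_service":
            continue
        if not deposit.ts <= t.ts <= deposit.ts + window:
            continue
        if abs(usd(t) - usd(deposit)) / usd(deposit) <= tol:
            matches.append(t)
    return matches


def trace(start, ledger, labels):
    """Follow funds forward from `start` until they reach a labelled cash-out
    point, crossing swap services via match_hop. Each result records the txid
    path and how many heuristic (cross-chain) links that path relies on."""
    by_src = {}
    for t in ledger:
        by_src.setdefault((t.chain, t.src), []).append(t)
    queue = deque((t, (), 0) for chain in PRICE_USD for t in by_src.get((chain, start), []))
    visited, cashouts = set(), []
    while queue:
        t, path, hops = queue.popleft()
        if t.txid in visited:
            continue
        visited.add(t.txid)
        path = path + (t.txid,)
        label = labels.get(t.dst)
        if label in CASHOUT_LABELS:
            cashouts.append({"address": t.dst, "chain": t.chain, "amount": t.amount,
                             "path": path, "hops": hops})
        elif label == "swap_service":
            for payout in match_hop(t, ledger, labels):   # re-establish the trail on the other chain
                queue.append((payout, path, hops + 1))
        else:
            for nxt in by_src.get((t.chain, t.dst), []):
                queue.append((nxt, path, hops))
    return cashouts


if __name__ == "__main__":
    for c in trace("hack_wallet", LEDGER, LABELS):
        print(c)
```

The BTC leg reaches the first OTC desk with a path an investigator can prove from the ledger alone. The ETH leg reaches the second desk only through one inferred link, which is what the `hops` count records: the decoys `e2` (wrong value) and `e3` (right value, outside the window) show why the link is a probabilistic match rather than a fact read off the chain, and why evidence from the swap service or the receiving exchange is usually needed before such a path is used in a forfeiture filing.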
The Funds Are Traced, But Can They Be Seized?
Chainalysis builds tools that exploit the transparency of public blockchains such as Bitcoin's to trace transactions; according to the firm, those tools help law enforcement follow the funds of hackers. The firm wrote in its blog post:
“This case shows yet again that the cryptocurrency industry and government can work together to prevent bad actors from exploiting cryptocurrencies for their own gain, despite their constantly advancing techniques.”
Among many Bitcoin users, however, this traceability is considered a bug rather than a feature. At the Bitcoin 2019 conference in San Francisco, cybersecurity expert Edward Snowden called Bitcoin's lack of privacy an “existential threat to bitcoin.” Similarly, developer Matt Odell wrote on Twitter:
“I think Bitcoin becomes more valuable, becomes more resilient and robust long term if individual users practice financial privacy because that is the single biggest vulnerability that Bitcoin has today.”
Nonetheless, the U.S. government's success in tracing the hackers' funds does not yet guarantee their recovery. The complaint the DoJ filed is directed at 280 cryptocurrency addresses, not at named individuals or organizations, and funds traced to an address can only be recovered if the government gains control of them, in practice by having a custodian such as an exchange freeze and turn over the balances. The DoJ most recently announced, on August 13, the seizure of 300 cryptocurrency accounts allegedly linked to terrorist organizations.