US Treasury and DoJ go on the Offensive

For hackers, whether the financially motivated or state-sponsored kind, the question of how to clean and safely use stolen funds is a major hurdle to jump. When banks and other financial institutions adopted know your client (KYC) rules as specified in numerous countries adopting similar pieces of legislation which determined the rules, ways in which hackers could launder their money were once again hamstrung. With the rise of cryptocurrency exchanges, another avenue opened when unscrupulous owners didn’t care too much where the Bitcoin was coming from. Authorities were not blind to this development and several high profile arrests and platform closures were made which helped prevent further laundering.

The problem has not been eradicated, however, and a popular method employed by more organized groups is to hire mules. The mule is often an integral part to ATM jackpotting attacks, where malware is used to turn an ATM into a free cash dispenser, the mule will be the one to collect the cash and in turn, often be the party to face the full extent of the law if caught. Another method is using a mule to convert cryptocurrency to a currency that can be used or to buy products with said cryptocurrency. Both the US Treasury Department and the US Department of Justice (DoJ) have gone on the offensive to stop mules from helping prop up the infamous North Korean state-sponsored group Lazarus from converting their ill-gotten gains into hard cash.

us treasury and doj go on the offensive

In press releases published by both the Treasury Department and the DoJ sanctions and indictments have been placed on two Chinese nationals accused of helping North Korean hackers launder cryptocurrency stolen during hacks of two cryptocurrency exchanges. The two nationals have been named, Tian Yinyin and Li Jiadong, and have been implicated as acting as intermediaries and mules for Lazarus Group. Last year the state-sponsored group was named as one of the three groups helping fund the North Korean missile program that has garnered the hermit state a long list of sanctions which prevent the nation from funding the program via conventional means.

Both of the US departments claim that the two Chinese nationals are important cogs in a scheme North Korea has implemented which helps North Korea skirt international sanctions by raising money through cyber-thefts, such as the use of ransomware and hacks of banks, ATM networks, gambling sites, online casinos, and cryptocurrency exchanges. This could not be done without the assistance of mules as well as Chinese banks willing to turn a blind eye.

According to US officials, the two accused would receive stolen funds and then work to launder the money either by converting it into Chinese fiat currency (yuan) or into Apple gift cards that could be used without being linked back to the stolen cryptocurrency. In return, the two received payments from known accounts linked to North Korea on at least two occasions. The largest sum received was 91 million USD which is believed to have been stolen in April 2018 from an unnamed cryptocurrency exchange. The accused managed to convert 34 million USD of the original 91 million USD into fiat currency which was deposited back into the sender's account. Further, 1.4 million USD was converted in Apple gift cards.

Record-Breaking Hack

In the US Treasury press release it was hinted that the April 2018 hack is the same one described in a Kaspersky report published in August 2018. If this is indeed the case the unnamed cryptocurrency exchange lost approximately 250 million USD as a result of the hack. This was a record-breaking hack at the time and still ranks as one of the largest financial loss hacks experienced by an exchange. The subsequent report published by Kaspersky also detailed another attack that made use of the Mac malware AppleJeus which has been distributed via fake trading apps. At the time researchers concluded,

“First of all, Lazarus group has entered a new platform: macOS. There is steadily growing interest in macOS from ordinary users, especially in IT companies. Many developers and engineers are switching to using macOS. Apparently, in the chase after advanced users, software developers from supply chains and some high profile targets, threat actors are forced to have macOS malware tools. We believe that in the future Lazarus is going to support all platforms that software developers are using as a base platform, because compromising developers opens many doors at once.”

The above quote from 2018 is still relevant today as many myths still abound when it comes to the perceived invulnerability of macOS products. While security researchers warn the public and enterprises of the dangers they face, the US authorities mentioned above have sent out a stern warning to those assisting cybercriminals launder funds. It was not only two Chinese nationals who were sanctioned by treasury but two Russian entities with the Treasury Department stating,

“In addition to today’s designation, OFAC is delisting two Russian entities, Independent Petroleum Company (IPC) and its subsidiary AO NNK-Primornefteproduct (NNK-P). IPC was originally designated on June 1, 2017 pursuant to E.O. 13722 for operating in the transportation sector in North Korea. IPC shipped over $1 million worth of petroleum products to North Korea. Following this designation, IPC’s parent company, Alliance Oil Company (AOC), ceased all export activities and instituted a global compliance program. Treasury recognizes the actions that IPC, NNK-P, and parent company AOC have taken to ensure they do not engage in activity that may benefit North Korea.”

It is hoped that the sanctions and indictments serve as a warning to Chinese banks known to help assist North Korean goals covered by sanctions. As no banks were listed it can be assumed that Lazarus Group will still launder money with the suspected banks' help but increased pressure may bring a change to the banking sector which prevents further laundering operations.

Click to post a comment

Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal