Two Chinese nationals working for the North Korean Lazarus hackers have been charged with laundering $100 million obtained through hacks on two crypto exchanges in 2018. Tian Yinyin and Li Jiadong were indicted Monday by the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) on multiple counts, including assisting in and providing support for a cyber attack and supporting the notorious North Korean hacking group Lazarus.
Pair Withdrew Money to Their Own Accounts
According to the sanctions, US authorities believe that Tian and Li received funds stolen from two crypto exchanges in 2018 totaling around $100 million and laundered the proceeds on behalf of Lazarus. Tian and Li transferred the funds to their own accounts, which was how OFAC was able to identify them.
The biggest hack, which took place in April 2018, occurred when an employee of the unnamed exchange unwittingly downloaded malware originating from North Korea onto the company’s servers. This malware granted Lazarus hackers remote access to the system, which they exploited to access the private keys of all the wallets owned by the exchange.
These wallets were then emptied and liquidated by the likes of Tian and Li, with the cash eventually funneled back to Lazarus:
Image courtesy of the U.S. Department of the Treasury
Tian moved the equivalent of more than $34 million through a bank account linked to his exchange account and also bought almost $1.4 million worth of prepaid Apple iTunes gift cards, which can be used to buy Bitcoin at some locations.
Tian and Li May Provide Useful Information
North Korea is known to train and deploy cyber attackers as it seeks to overcome financial sanctions imposed by the likes of the US in response to its burgeoning nuclear weapons program. In September 2019 the US Treasury Department imposed sanctions specifically on three groups associated with these types of activities, including Lazarus, although the effect of these sanctions is debatable.
Officials may find extracting information from Tian and Li far more valuable as they try to deconstruct the operations and identities behind Lazarus and other North Korean hacking groups.