OFAC Charges Lift the Lid on North Korea Crypto Hacking Methods


North Korean hackers are using a technique known as “peel chains” to effectively launder money stolen from crypto exchanges, according to legal documents concerned with the recent indictment of two Chinese nationals. The document reveals the lengths that hacking groups are going to in order to cash out their stolen crypto and how hard it is for authorities to keep up.

Lazarus Using Peel Chains

Tian Yinyin and Li Jiadong were indicted last week by the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) after cryptocurrency accounts in their names were used to launder money stolen from unnamed South Korean cryptocurrency exchanges in 2017 and 2018.

The pair are accused of working for the notorious state-sponsored North Korean hacking group Lazarus, and a deeper look into the allegations made by OFAC reveals how Lazarus manages to conceal its hacking proceeds. This is done via the use of peel chains, which the document describes as follows:

A “peel chain” occurs when a large amount of BTC sitting at one address is sent through a series of transactions in which a slightly smaller amount of BTC is transferred to a new address each time. In each transaction, some quantity of BTC “peel off” the chain to another address – frequently to be deposited into a virtual currency exchange – and the remaining balance is transferred to the next address in the chain.

A visual included in the indictment document illustrates this in practice:

[Image: peel chain diagram reproduced from the indictment document]

Mountain of Work for Investigators

In theory it should be possible to track the stolen proceeds through the blockchain, and in practice it is, but the hackers have developed scripts that automate the entire process and allow the BTC to be ‘peeled off’ hundreds of times in quick succession.

This creates a mountain of work for investigators, who have to trace every single transaction, including the peeled-off ones, to its ultimate destination. Hackers know that every transaction leaves a permanent record, so they simply try their best to confuse investigators and throw them off the scent by creating hundreds if not thousands of them.
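The tracing work described above, both the peel chain pattern quoted from the document and the hop-by-hop reconstruction investigators have to do, can be shown in code. What follows is an added example written for this page, not code from the article, the indictment or any blockchain-analysis vendor. It uses a deliberately simplified, hand-built transaction graph (addresses are spent whole, no outpoints or scripts) and hypothetical exchange labels; the heuristic that the largest output of each transaction is the continuing chain and every smaller output is a peel is an assumption for illustration, not a rule real analysts rely on alone.

```python
"""Trace a Bitcoin-style 'peel chain' through a constructed transaction graph.

Added illustration for this article, not from the OFAC document. The data
below is a simplified, hand-built UTXO graph and the address-to-exchange
labels are hypothetical. The tracer follows the largest output of each
transaction as the continuing 'chain' and records every smaller output as a
'peel', then totals where the funds were deposited.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Tx:
    txid: str
    inputs: List[str]                  # addresses spent (simplified: whole-address spends)
    outputs: List[Tuple[str, float]]   # (receiving address, BTC amount)


# Constructed sample data: 100 BTC leaves 'hack_out' and is peeled three times,
# with the remainder finally deposited whole at a labelled address.
SAMPLE_TXS: List[Tx] = [
    Tx("tx1", ["hack_out"], [("chain1", 99.0), ("exchA_dep1", 1.0)]),
    Tx("tx2", ["chain1"], [("chain2", 97.5), ("exchB_dep1", 1.5)]),
    Tx("tx3", ["chain2"], [("chain3", 95.0), ("exchA_dep2", 2.5)]),
    Tx("tx4", ["chain3"], [("exchC_dep1", 95.0)]),  # chain ends: remainder deposited
]

# Hypothetical analyst attribution of deposit addresses to exchanges (constructed).
ADDRESS_LABELS: Dict[str, str] = {
    "exchA_dep1": "Exchange A",
    "exchA_dep2": "Exchange A",
    "exchB_dep1": "Exchange B",
    "exchC_dep1": "Exchange C",
}


def index_by_spending_address(txs: List[Tx]) -> Dict[str, Tx]:
    """Map address -> the transaction that spends it (one spend per address here)."""
    spends: Dict[str, Tx] = {}
    for tx in txs:
        for addr in tx.inputs:
            spends[addr] = tx
    return spends


@dataclass
class PeelReport:
    hops: int = 0
    # (txid, amount, destination label or raw address) for every peeled output
    peels: List[Tuple[str, float, str]] = field(default_factory=list)
    # (destination, amount) where the final remainder came to rest
    terminal: Optional[Tuple[str, float]] = None


def trace_peel_chain(start_address: str, txs: List[Tx], labels: Dict[str, str],
                     max_hops: int = 10_000) -> PeelReport:
    """Follow the chain from start_address hop by hop.

    Heuristic (an assumption for this example): the largest output continues the
    chain; all other outputs are peels. The walk stops when the chain reaches an
    unspent or labelled address, or when max_hops is hit (guards against loops
    and against the very long automated chains the article describes).
    """
    spends = index_by_spending_address(txs)
    report = PeelReport()
    current = start_address
    while report.hops < max_hops:
        tx = spends.get(current)
        if tx is None:
            break  # start address itself is unspent; nothing to follow
        report.hops += 1
        outputs = sorted(tx.outputs, key=lambda o: o[1], reverse=True)
        chain_addr, chain_amt = outputs[0]
        for addr, amt in outputs[1:]:
            report.peels.append((tx.txid, amt, labels.get(addr, addr)))
        if chain_addr in labels or chain_addr not in spends:
            report.terminal = (labels.get(chain_addr, chain_addr), chain_amt)
            break
        current = chain_addr
    return report


def totals_by_destination(report: PeelReport) -> Dict[str, float]:
    """Sum peeled amounts (plus the terminal remainder) per destination."""
    totals: Dict[str, float] = {}
    for _, amt, dest in report.peels:
        totals[dest] = totals.get(dest, 0.0) + amt
    if report.terminal is not None:
        dest, amt = report.terminal
        totals[dest] = totals.get(dest, 0.0) + amt
    return totals


if __name__ == "__main__":
    rep = trace_peel_chain("hack_out", SAMPLE_TXS, ADDRESS_LABELS)
    print(f"{rep.hops} hops, {len(rep.peels)} peels, remainder -> {rep.terminal}")
    for dest, amt in sorted(totals_by_destination(rep).items()):
        print(f"  {dest}: {amt:.1f} BTC")
```

On the constructed data the walk takes four hops, records three peels and attributes 3.5 BTC to Exchange A, 1.5 BTC to Exchange B and the 95 BTC remainder to Exchange C. The point the article makes is visible in the loop: each hop is cheap for the tracer, but every peel is a separate thread that has to be followed to a labelled endpoint, and a chain of hundreds of hops produces hundreds of such threads. Real analysis is harder than this model, since inputs are outpoints rather than addresses, change is not always the largest output, and funds often fan out into several chains at once.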

In the case of Tian and Li this didn’t work, as investigators were able to identify their personal accounts within the transactions, but given that North Korea has managed to pilfer some $2 billion in stolen crypto assets over the past three years, it’s clear that their methods are generally working very well indeed.