Ocweedly

During the global sting operation to apprehend North Korean cryptocurrency hackers

Only days after North Korea launched three ballistic missiles into the sea in January, a group of South Korean spies and US private investigators met in secret at the South Korean intelligence service.

They had been tracking $100 million stolen from Harmony, a cryptocurrency company in California, for months, hoping that North Korean hackers would transfer the stolen cryptocurrency into accounts where it could be later exchanged for dollars or Chinese yuan, hard currencies that could be used to finance the country’s nefarious missile program.

The spies and sleuths, operating out of a government office in Pangyo, South Korea’s Silicon Valley, would only have a short window of time to assist in the seizure of the funds before they could be laundered to safety through a network of accounts and made unreachable.

Finally, in late January, the hackers temporarily gave up control of their windfall by moving a portion of it to a cryptocurrency account tied to the dollar. The spies and detectives pounced, alerting American law enforcement personnel waiting to freeze the funds about the transaction.

That day, the team in Pangyo contributed to the seizure of just over $1 million. It is the kind of seizure that the US and its allies will need to prevent significant payouts for Pyongyang, analysts tell CNN, even though the majority of the $100 million that was stolen is still out of reach in cryptocurrency and other assets that North Korea controls.

The sting operation offers a rare window into the shadowy world of cryptocurrency espionage — and the growing effort to shut down what has developed into a multibillion-dollar industry for North Korea’s authoritarian regime. It was described to CNN by private investigators at Chainalysis, a New York-based blockchain-tracking firm, and confirmed by the South Korean National Intelligence Service.

According to estimates from the United Nations and private companies, North Korean hackers have stolen billions of dollars from banks and cryptocurrency companies over the past few years. According to US authorities and private analysts, the North Korean dictatorship has been seeking more complex methods to convert the stolen digital cash into actual currency as investigators and regulators have become more aware of the situation.

For the US and South Korea, cutting off North Korea’s bitcoin pipeline has swiftly become a matter of vital national security. According to a senior US official, the capacity of the regime to exploit the stolen digital currency—or remittances from North Korean IT employees abroad—to fund its weapons programs is the subject of a recurring set of intelligence products delivered to senior American officials, sometimes including President Joe Biden.

The newest weaponry of the dictatorship was on show at a military parade where Kim Jong Un and his daughter were present to commemorate the founding anniversary of the North Korean army.
The insider told CNN that the North Koreans “need money, so they’re going to keep being innovative.” Because of the totalitarian government and the severe restrictions imposed on it, “I don’t think [they] will ever stop seeking for criminal ways to harvest revenue.”

At a meeting on April 7 in Seoul, US, Japanese, and South Korean diplomats expressed concern about North Korea’s cryptocurrency hacking and expressed dismay that Kim Jong Un’s government continues to “pour its limited resources into its WMD [weapons of mass destruction] and ballistic missile programs.”

The trilateral statement used the abbreviation for the North Korean government to say, “We are also profoundly worried about how the DPRK supports these programs by stealing and laundering funds as well as acquiring information through hostile cyber activities.”

Similar accusations have already been refuted by North Korea. The North Korean Embassy in London has been contacted via phone and email by CNN for comment.

North Korea Inc. launches a website.

Beginning in the late 2000s, US officials and its partners searched international waterways for evidence that North Korea was continuing to violate sanctions by smuggling in weapons, coal, or other valuable cargo. A very contemporary version of that competition is currently taking place between hackers and money-launderers in Pyongyang and intelligence services and law enforcement authorities from Washington to Seoul.

That effort has been led by the FBI and Secret Service in the US. (Both agencies declined to comment when CNN asked how they track North Korean money-laundering.) The $100 million that was taken from Harmony was frozen, according to a January FBI announcement.

According to experts, the Kim family members who have ruled North Korea for the past 70 years have all exploited state-owned businesses to enrich the family and maintain the dictatorship.

Scholar John Park refers to it as a family company called “North Korea Incorporated.”

According to Park, the Korea Project’s director at the Harvard Kennedy School’s Belfer Center, Kim Jong Un, the current leader of North Korea, has “doubled down on cyber capabilities and crypto theft as a cash generator for his family rule.” North Korea Corp. now operates entirely online.

Stealing cryptocurrency is significantly less labor- and capital-intensive than the coal trade that North Korea has traditionally relied on for income, according to Park. And the earnings are enormous.

According to Chainalysis, a record $3.8 billion worth of cryptocurrencies were stolen globally last year. According to the company, hackers with ties to North Korea were responsible for over half of it, or $1.7 billion.

The joint analytical area of the National Intelligence Service of South Korea’s National Cyber Security Coordination Center.
Unknown amounts of North Korea’s billions in stolen cryptocurrencies have apparently been converted into actual currency. A US Treasury representative with expertise on North Korea declined to provide an estimate in an interview. According to the Treasury official, the public record of blockchain transactions aids US agents in following the movements of cryptocurrencies by alleged North Korean operatives.

Yet, it is “extremely disturbing” when North Korea receives assistance from other nations in the money-laundering process, the official added. They chose not to specify which nation, but the US charged two Chinese individuals in 2020 for allegedly laundering more than $100 million for North Korea.

According to a February confidential United Nations study examined by CNN, Pyongyang’s hackers have also searched the networks of numerous international governments and corporations for crucial technical data that would be beneficial for its nuclear program.

The purging

According to a spokesperson for South Korea’s National Intelligence Service, the agency is searching for innovative ways to prevent stolen bitcoin from being transported into North Korea and has devised a “quick intelligence sharing” plan with allies and private businesses to address the danger.

Current efforts have concentrated on North Korea’s use of mixing services, which are readily accessible instruments used to conceal the origins of bitcoin.

On March 15, the Justice Department and European law enforcement organizations announced the closure of a mixing service called ChipMixer, which the North Koreans are alleged to have used to conceal a sum of money from the approximately $700 million in cryptocurrency that hackers have stolen in three separate hacks, including the $100 million theft from the California cryptocurrency company Harmony.

To determine when stolen money leaves North Korean hands and may be recovered, private detectives employ blockchain tracking software and, when the program notifies them, their own eyes. Nevertheless, in order to act quickly enough to seize the assets, those investigators need to have solid ties with law enforcement and cryptocurrency companies.

In August, the Treasury Department sanctioned Tornado Cash, a cryptocurrency “mixing” business that was reportedly used to launder $455 million for North Korean hackers. This was one of the greatest US countermoves yet.

Because Tornado Cash had more liquidity than other services, North Korean money could be hidden among other sources of funding more easily, making it particularly desirable. As a result of the Treasury sanctions forcing the North Koreans to seek out alternative mixing providers, Tornado Cash is currently completing fewer transactions.

According to Chainalysis, suspected North Korean agents sent $24 million in December and January using the new mixing service Sinbad, although there are currently no indications that Sinbad will be as successful at moving money as Tornado Cash.

Roman Semenov, the creator of Tornado Cash, and other mixing service creators frequently identify as privacy advocates and maintain that the tools they create for cryptocurrencies can be used for good or bad just like any other technology. Yet, that hasn’t stopped law enforcement organizations from taking harsh action. The unnamed Tornado Cash creator was detained by Dutch authorities in August on suspicion of money laundering.

Former US and European law enforcement officers are increasingly working for private crypto-tracking companies like Chainalysis, using the skills they developed in the secret sector to follow Pyongyang’s money laundering.

Elliptic, a London-based company with ex-police officers on staff, claims to have assisted in the seizure of $1.4 million in North Korean currency taken in the Harmony hack. CNN has learned that Elliptic experts were able to track the money in real time in February as it was briefly transferred to Huobi and Binance, two well-known cryptocurrency exchanges. The exchanges, according to the analysts, immediately froze the money after being told.

Tom Robinson, a co-founder of Elliptic, told CNN that it “resembles large-scale drug importations.” “[The North Koreans] are prepared to lose part of it, but a majority of it probably passes through just by virtue of the volume, speed, and sophistication of what they do.”

The North Koreans are attempting to steal directly from other bitcoin thieves as well as cryptocurrency companies.

Elliptic reports that after an unidentified hacker stole $200 million from the British company Euler Finance in March, suspected North Korean agents attempted to set a trap by sending the hacker a message on the blockchain that was laced with a vulnerability and may have been an attempt to access the money. (The ruse was unsuccessful.)

According to Nicholas Carlsen, a former FBI intelligence analyst who worked on North Korea until 2021, the country may only have a few hundred people dedicated to using cryptocurrencies to get around sanctions.

Carlsen worries that North Korea will resort to less obvious forms of fraud in the face of an international drive to penalize rogue cryptocurrency exchanges and retrieve stolen money. He suggested that Pyongyang’s agents could set up a Ponzi scam instead of robbing a cryptocurrency exchange of $500 million, as it would draw less attention.

According to Carlsen, who currently works for the fraud-investigating company TRM Labs, bitcoin theft is still “wildly profitable” even with smaller profit margins. Thus, they are powerless to halt.
