Breaking down DOJ's Complaint Charging Chinese Nationals for Laundering Bitcoin for North Korea
On March 23, 2020, the Department of Justice (DOJ) filed a Forfeiture Complaint targeting 113 digital currency accounts connected to Chinese nationals Tian Yinyin and Li Jiadong.
This in rem forfeiture action arises out of an investigation by the Internal Revenue Service – Criminal Investigation’s Cyber Crimes Unit (“IRS-CI”), Homeland Security Investigations (“HSI”), and the Federal Bureau of Investigation (“FBI”) into the laundering of monetary instruments, in violation of 18 U.S.C. § 1956, and operation of an unlicensed money service business in violation of 18 U.S.C. § 1960. (Case 1:20-cv-00606, Document 1, filed 03/02/20.)
Investigators determined that Chinese nationals Yinyin and Jiadong used tactics to defeat automated Know Your Customer (KYC) verification at multiple exchanges, which ultimately aided in laundering hundreds of millions in digital currency stolen from exchanges. Despite significant tech upgrades from the verification industry, the DOJ forfeiture complaint shows that it is still possible to submit altered documents in support of the verification process at certain exchanges.
TL;DR: Attackers used social engineering and successfully delivered malware through a large-scale phishing campaign. The campaign ultimately led to the successful theft of $234 million from at least one digital currency exchange.
“In spite of using Virtual Private Network (VPN) services to mask their addresses, law enforcement was able to trace logins to an IP address within North Korea.”
The Attack Vector?
One of the most crucial pieces of a successful payload delivery is identifying the method to gain access to your target. The initial preparation may involve setting up dummy social media accounts, VPNs, servers, and public-facing websites to “label” the story as legit. According to DOJ’s complaint, digital currency stolen from “The Exchange 1” was used to purchase infrastructure such as domain registration, bulletproof hosting and VPNs.
Sean Lyngaas, aka @snlyngaas, released an article just last week with @CyberScoopNews demonstrating that nation states are using LinkedIn to identify targets. To no surprise, the article links this activity to North Korea and to attackers feeling more comfortable moving to email campaigns.
Reviewing DOJ’s complaint, we see the attack cycle play out using fake LinkedIn accounts and email communications that eventually led to the successful delivery of malware. Consistent with previous North Korean attack campaigns, in mid-2018 an employee of the exchange identified as “The Exchange 1” communicated with a potential client via email.
The attackers used email plugins that enabled email tracking, task management, IP collection and the capability to write emails in almost “perfect English.”
For companies that deploy software to detect possible phishing campaigns, this tactic may have prevented the emails from initially being flagged. The employee at The Exchange 1 unwittingly downloaded malware, allowing the potential client to “open” the doors to The Exchange 1. As a result, The Exchange 1 suffered a significant loss of over $234 million in cryptocurrency.
Security researchers connected the malware to North Korea by one line of code and to software officially referred to as Fallchill. A joint technical alert was issued by the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) in late 2017 regarding the seriousness of Fallchill. The technical alert states that Fallchill uses fake Transport Layer Security (TLS) communications and collects basic information, which it sends to a Command and Control (C2) server. C2s are servers controlled by attackers and used to send commands to compromised infrastructure.
In addition to compromising The Exchange 1 with malware, the attackers successfully executed elaborate account takeover schemes and used the infrastructure of an engineering firm based in South Korea in furtherance of the crime. Using these stolen business email accounts, the attackers received 600 Ethereum (ETH), 99,998,987 DOGE, 1,500 Zcash (ZEC) and 3,043,200 Ripple (XRP) from The Exchange 1.
This successful email attack highlights the importance for businesses of implementing two-factor authentication and considering physical devices to authenticate email logins. You can read more about securing your online footprint here.
Peel Chains and Money Laundering
Jiadong and Yinyin used approximately nine Chinese banks to launder stolen digital currency proceeds from “The Exchange 1.” Seven of these banks have been publicly discussed for possible sanctions or are under investigation by the U.S. Government for nefarious connections to North Korea. The banks referenced in DOJ’s complaint enabled Jiadong and Yinyin to successfully launder hundreds of millions in stolen digital currency. Ultimately, these proceeds were the result of a successful phishing campaign that drained funds from The Exchange 1 on behalf of the North Korean government.
One of the many mistakes Jiadong and Yinyin made was in the handling of the stolen Litecoin (LTC). LTC is not one of the digital currency products that you hear much about when it comes to hacking and money laundering. Compared to Bitcoin (BTC), the options for LTC to enable some type of mixing or anonymity are very slim. For some reason, Jiadong and Yinyin sent all of the stolen 11,000 LTC to only one address, making it easier for investigators to identify the destination.
When a mixing-type service is not available, peel chains are typically the next tactic attackers will implement to launder stolen funds. Other methods not demonstrated in this complaint are certainly more effective and have higher success rates in laundering stolen digital currency. For obvious reasons, we will not discuss these more effective tactics in detail.
So what is a peel chain?
A peel chain is a method that involves breaking down transactions from an initial large amount to a smaller amount. The transactions, for instance, may “peel” off, literally counting down with each transaction (50, 49, 48, 46, etc.) until the amount reaches 1. This tactic makes tracking stolen digital currency more tedious for law enforcement, which is why peel chains are most often utilized to evade detection by law enforcement.
During the “peel” process, criminals may have pre-designated “cash out” points. These cash out points are planned by attackers to collect profit from the elaborate heists. In traditional money laundering cases, teams may be set up across the globe that have one job: cash out as much money as fast as possible. Once the money is cashed out, teams will take a cut and wire the remaining money back via a Western Union type service, or deposit the cash via Bitcoin ATMs and initiate the transfer eventually back to the attackers.
DOJ demonstrated in the complaint that attackers may have used at least two services that offer the capability to convert Bitcoin to iTunes gift cards. Open source research on the monikers provided in the complaint revealed two exchanges that may have been used by the attackers to execute quick cash outs. Interestingly enough, the monikers received good reviews and ratings.
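From the investigator's side, a peel chain can be followed mechanically, and the peeled outputs point at the cash out addresses. The sketch below is an added example, not taken from the complaint or from any tracing tool: the transaction ids, addresses, amounts, the 20% peel threshold and the one-spend-per-address simplification are all assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Tx:
    txid: str
    src: str          # funding address (simplification: one spend per address)
    outputs: tuple    # ((address, amount), ...)

# Constructed sample data: 50 coins enter at "A0" and shrink 50 -> 49 -> 48 -> 46.
SAMPLE_TXS = [
    Tx("t1", "A0", (("A1", 49), ("dep-1", 1))),
    Tx("t2", "A1", (("A2", 48), ("dep-2", 1))),
    Tx("t3", "A2", (("dep-1", 2), ("A3", 46))),
    Tx("t9", "Z9", (("Z8", 3), ("Z7", 3))),   # unrelated, not a peel
]

def trace_peel_chain(txs, start, peel_ratio=0.2):
    """Follow the large output hop by hop and record each small output.

    A hop counts as a peel when the transaction has exactly two outputs and
    the smaller one is at most peel_ratio of the total. Tracing stops when
    the pattern breaks, the funds are unspent, or an address repeats.
    Returns (txids followed, peeled outputs, address where the trail ends).
    """
    by_src = {t.src: t for t in txs}
    hops, peels, seen = [], [], set()
    addr = start
    while addr in by_src and addr not in seen:
        seen.add(addr)
        tx = by_src[addr]
        if len(tx.outputs) != 2:
            break
        (small_addr, small), (big_addr, big) = sorted(tx.outputs, key=lambda o: o[1])
        if small > peel_ratio * (small + big):
            break
        hops.append(tx.txid)
        peels.append((small_addr, small))
        addr = big_addr
    return hops, peels, addr

def cash_out_points(peels):
    """Total peeled value per destination; reused addresses stand out."""
    totals = defaultdict(int)
    for addr, amount in peels:
        totals[addr] += amount
    return dict(sorted(totals.items(), key=lambda kv: -kv[1]))

if __name__ == "__main__":
    hops, peels, end = trace_peel_chain(SAMPLE_TXS, "A0")
    print("hops:", hops, "| remainder sits at:", end)
    print("candidate cash out addresses:", cash_out_points(peels))
```

In the sample, the address `dep-1` is paid on two separate hops, which is the kind of reuse that lets an analyst tie individual peels to one pre-designated cash out point.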
Despite an elaborate money laundering scheme utilizing at least nine banks and infrastructure across the globe, investigators were able to collect enough data points from multiple sources to identify two suspects working on behalf of the North Korean regime. Furthermore, DOJ’s complaint sheds light on how phishing is still the most popular tactic for attacking infrastructure in furtherance of cybercrime. BTC to plastic is still used as an effective method in cashing out proceeds quickly.