Public Key Podcast

The Response to North Korea’s Crypto Heists: Podcast Ep. 109

Episode 109 of the Public Key podcast is here and this is our “Live from Links” series, where we showcase our podcasts recorded live at the Chainalysis Links Conference in NYC! The Lazarus Group and North Korean hackers have plagued the crypto and DeFi world with some of the most profitable hacks in history. We speak to Jessica Peck (Senior Counsel, US Department of Justice) and Chris Wong (Supervisory Special Agent, FBI), who share juicy stories of the origins of these hacks and how law enforcement is attempting to stall these hackers’ efforts.

You can listen or subscribe now on Spotify, Apple, or Audible. Keep reading for a full preview of episode 109.

Public Key Episode 109: Unmasking the Lazarus Group: How North Korea is Using Crypto to Fund its Weapons Programs

“We need to think about more creative ways in order to get at the ultimate issue here, which is that they’re generating revenue for their weapons of mass destruction (WMD) and ballistic missile programs.” – Jessica Peck

In this episode, Ian Andrews (CMO, Chainalysis) is lucky enough to grab Jessica Peck (Senior Counsel, US Department of Justice) and Chris Wong (Supervisory Special Agent, FBI) right off the main stage to discuss their experiences investigating North Korea’s involvement in cryptocurrency and their efforts to track and seize stolen assets.

Chris shares his journey from working on interdicting assets to diving into the world of crypto, while Jessica discusses her transition from prosecuting weapons and narcotics cases to focusing on cybercrime and cryptocurrency-related investigations.

The trio explores the tactics used by North Korea to launder money and the effectiveness of sanctions in combating these activities. They also describe the new trend of North Koreans being unknowingly hired by blockchain companies around the world and the associated risks.

Quote of the episode

“We need to think about more creative ways in order to get at the ultimate issue here, which is that they’re generating revenue for their weapons of mass destruction (WMD) and ballistic missile programs.” – Jessica Peck (Senior Counsel, US Department of Justice)

Minute-by-minute episode breakdown

2 | FBI’s Involvement in intercepting North Korean mineral exports 

4 | Jessica and Chris’ background and their first crypto investigation cases 

7 | Thwarting North Korean crypto revenue and tracking and recovering stolen cryptocurrency 

11 | Tracing North Korea’s cryptocurrency laundering efficacy

17 | Evaluating the effectiveness of sanctions on cryptocurrency mixers

19 | Debating cybersecurity and risk management in crypto 

25 | North Koreans being employed by crypto firms to develop smart contracts

27 | Best practices for staying safe in crypto and avoiding costly hacks 

Related resources

Check out more resources provided by Chainalysis that perfectly complement this episode of the Public Key.

This website may contain links to third-party sites that are not under the control of Chainalysis, Inc. or its affiliates (collectively “Chainalysis”). Access to such information does not imply association with, endorsement of, approval of, or recommendation by Chainalysis of the site or its operators, and Chainalysis is not responsible for the products, services, or other content hosted therein.

Our podcasts are for informational purposes only, and are not intended to provide legal, tax, financial, or investment advice. Listeners should consult their own advisors before making these types of decisions. Chainalysis has no responsibility or liability for any decision made or any other acts or omissions in connection with your use of this material.

Chainalysis does not guarantee or warrant the accuracy, completeness, timeliness, suitability or validity of the information in any particular podcast and will not be responsible for any claim attributable to errors, omissions, or other inaccuracies of any part of such material. 

Unless stated otherwise, reference to any specific product or entity does not constitute an endorsement or recommendation by Chainalysis. The views expressed by guests are their own and their appearance on the program does not imply an endorsement of them or any entity they represent. Views and opinions expressed by Chainalysis employees are those of the employees and do not necessarily reflect the views of the company.

Transcript

Ian:

Hi everyone, back with another episode of Public Key, Live from Links. I’m your host, Ian Andrews. Today I’m joined by Christopher Wong, Supervisory Special Agent at the Federal Bureau of Investigation, and Jessica Peck, who’s a Senior Counsel with the U.S. Department of Justice. Chris, Jessica, welcome to the show.

Christopher:

Thank you.

Jessica:

Thanks for having us.

Ian:

Now, you just got off stage prior to us recording this, talking Lazarus Group. We’re going to get into North Korea, stolen crypto, there’s a lot of good topics. There’s also things falling behind us. I don’t know if the mics picked that up, but it could have been worse.

But maybe let’s start, Chris, if you’re willing to go first, talk to us a little bit about, you’ve been involved in some pretty big cases in the history of the cryptocurrency world. Talk about a couple of the things that you’ve had the opportunity to work on over the years.

Christopher:

Been in the FBI almost nine years now I guess.

Ian:

Okay.

Christopher:

And really had been working North Korea the entire time.

Ian:

Yeah.

Christopher:

So I really didn’t start getting into crypto until 2018-ish.

Ian:

Okay.

Christopher:

Before that, it was a lot of interdicting assets going through US correspondent wire systems.

Jessica:

Oil and minerals.

Christopher:

Oil and minerals, North Korean coal, going through Chinese coal trading companies, a lot of that sort of thing.

Ian:

Sorry, why does the FBI get involved in North Korean minerals?

Christopher:

We’re going deep real fast.

Ian:

I couldn’t let that one hang.

Christopher:

So North Korea, let’s just leave crypto aside for now.

Ian:

Yeah, absolutely.

Christopher:

We’re going to spend a lot of time talking about it. But when you talk about the ways that North Korea generates revenue, one of its main or biggest sources of revenue is the export of minerals. So one of the things that the Korean Peninsula has, and North Korea specifically has, is coal, iron ore. So if you look at some of the actions that the U.S. Department of Justice and the FBI took back in the 2017-ish time frame, you’ll see a lot of actions against Chinese coal trading firms who were doing a lot of business with North Korea exporting their coal, and essentially using some of their bank accounts as offshore accounts for the North Koreans.

Ian:

Got it. Okay. I interrupted you to get that clarity.

Christopher:

So yes, I started getting involved in crypto, working with Chris Janczewski with the IRS, and working with Jessica Peck and Zia Farooqi back in 2018. That’s my learning curve, starting to get into it and seeing some of those earlier hacks from the 2018 timeframe, but also branching out beyond North Korea and starting to look at hacks like Bitfinex.

Ian:

Yeah, we’ll talk a little bit about Bitfinex, when that showed up on your radar, if you don’t mind.

Christopher:

I mean, honestly, that was kind of a collaboration with Chris Janczewski leading a lot of the way, Jessica Peck being involved.

Jessica:

For context, Chris Janczewski was a special agent with the IRS. He is now at TRM Labs.

Christopher:

Correct, sorry. Thanks for the definition.

Jessica:

Okay.

He’s the head of their global investigations team.

Christopher:

Right.

Jessica:

But he, in September of 2020, asked all of us if we wanted to work on the Bitfinex case together, and that’s how it started.

Christopher:

Yep.

Ian:

Well, Jessica, thank you for jumping in there. Maybe share a little bit of your background.

Jessica:

I started my legal career at the Manhattan DA’s office. I was originally doing guns, drugs, violent crime. And then in 2017 I transitioned over to cyber, had my first crypto case. And then in 2020 I came to the Department of Justice, in January of 2020, just six weeks before the pandemic.

Ian:

Good timing to make a job change.

Jessica:

I got to meet people in real life, which was lovely. But then six weeks later, we all went home and I didn’t see them again for a year and change. But I was working on some COVID-related issues, which was obviously very important at that time. Then I slowly transitioned into ransomware cases, and then my docket became mostly cryptocurrency-related investigations. Chris mentioned Zia Farooqi before. Zia was a US attorney in the DC US Attorney’s office. He has been working the North Korea threat for years and years, doing cases like Chris was describing before. And then he transitioned into crypto in the 2018-ish, 2019 time frame. And I got told that if you want to work on interesting crypto-related cases, you need to work with Zia Farooqi. And one of my colleagues in the cyber unit for DOJ, Alvin Palker, was already working on cases with him, so I got added to a bunch of really cool cases, and Bitfinex was one of the first ones that I got to take charge on with these people from there. It was really interesting.

Ian:

So let’s talk North Korea. Chris, when was the first time you remember North Korea and crypto coming up?

Christopher:

Again, working with the same crew and starting to look at instances of North Korean theft. And I would say maybe at the time we’re looking at hacks and wanting to get to attribution, identifying who did it. But crypto is a bit different of a landscape, and part of what you can do is actually follow the money. So part of what we do within the FBI and DOJ is not just try and identify who did it, but also, if we look from a higher perspective at what our objectives are, it’s really denying North Korea revenue. So at the time, with the skill sets that Chris had and me learning as I went along, it’s looking for those opportunities and identifying new ways that we can deny North Korea revenue as the North Koreans are identifying new ways to generate revenue.

Ian:

Yeah.

Jessica:

We were talking about this earlier, but North Korea is an interesting case, because we can’t usually bring North Koreans or their laundering co-conspirators to justice in the US because they’re mostly in North Korea. Or they’re in jurisdictions where we can’t extradite them. So we can’t do the usual, we’re going to indict, have a complaint against someone, and then bring them here so that they can be brought to trial. Instead, we need to think about more creative ways in order to get at the ultimate issue here, which is that they’re generating revenue for their WMD and ballistic missile programs. So I’m sorry, I’m going to keep talking about Zia Farooqi. He is the mastermind behind freezing, seizing, and forfeiting assets to try and make victims whole.

Christopher:

He is.

Jessica:

It is a lengthy process, but like Chris was saying, with blockchain it’s much easier to follow the money and try to do that as quickly as possible in each of these cases.

Ian:

Talk more about the process of freezing and seizing. What does that actually entail? North Korea steals some crypto from somebody, then what happens?

Jessica:

Do you want to talk about how the FBI, IRS, and others find out about these hacks first, and then we can go into freezing and seizing?

Christopher:

Sure, we can do that. Give you the question list.

Ian:

I think I have a co-host this episode.

Christopher:

Yeah, I was just going to say that. She does it to me all the time. I mean maybe it’s new for you.

Ian:

Yeah.

Chris, why don’t you take us through, so someone’s been hacked, they’ve lost tens, maybe hundreds of millions of dollars. How do they get in touch with you?

Christopher:

There’s a number of ways this could potentially happen. A lot of times we’ll have the victims themselves reach out. And at this stage I would say in our careers, we know a lot of people in the industry and a lot of people know other people. So sometimes we’ll just get that direct communication from the victim saying, “Hey, we have a problem. We lost assets.” Or they might be the client of Chainalysis and Chainalysis knows who we are, and they might contact us if they have or they suspect who did it.

In other instances, where the victim doesn’t come to anybody, but if the theft is large scale enough, the way crypto operates these days, there are companies out there that will notice that there’s tens of billions, hundreds of billions of dollars leaving some exchange’s hot wallet. Well, if that doesn’t look normal and it gets blasted out on crypto Twitter, sometimes that’s the source of your first realization that an event has occurred.

Ian:

Okay, so you got a call or a referral from a friend of a friend who says, “Unfortunately all my crypto has been stolen.”

Christopher:

Yeah.

Ian:

What’s the first thing you do when you get that call?

Christopher:

Generally speaking, one of the first things that we will do, and maybe it’s good to peel it back a little bit, there are probably two ways you can look at these cases as they come through. One is like we talked about attribution, who did it?

Ian:

Yeah.

Christopher:

And then two is follow the money.

Ian:

Right.

Christopher:

Historically with other cases you might say, “Well, I need to focus on forensic artifacts. I need to focus on getting this item, this data, that could be temporary, transitory in nature. I need to make sure I get that, and I have to talk to the victim.” But in the crypto case, because crypto can move so fast, cross-border transfers, swaps, all of these things that are going to make our life much, much more difficult the longer we let this go; a lot of the times it’s like follow the money and follow it immediately, and look for those opportunities to interdict. So we find that we’re most successful within the first 24 hours of learning of an event: putting those addresses in whatever tool we choose to use, identifying where there’s assets, where we can interdict, are there essentially managed stablecoins that are stolen and at issue that haven’t been swapped to something else? Are the assets going through a provider or a VASP, a virtual asset service provider, that we have a relationship with that is responsive?

So those are some of the first things that we’re going to do; in essence triage. What can we do now?

Ian:

Yeah.

Jessica:

That’s Chris’ pitch for people reaching out as soon as possible, when they’re the victims.

Christopher:

That’s right.

Ian:

I mean, if there’s one takeaway for people listening, if you ever find yourself in this situation, don’t sleep on it. Immediately get in contact. The faster you do, the better the chance that there’s some recovery at the other side, right?

Christopher:

Sure. I think back to some of the thefts that I saw previously. If you think back to, I don’t know, 2018, a lot of the times the way the crypto exchanges were handling theft is that they didn’t really want to talk about it.

Ian:

Right.

Christopher:

They didn’t want to let out how much was lost, where it went, all these things. But at some point in time, I think those exchanges potentially started to realize that maybe it’s better if they were really, really public about this.

Ian:

Yeah.

Christopher:

Because now those assets are tainted in a sense. When people are looking in Reactor or whatever other tool, maybe their mark is stolen. But unless people are aware of it and it’s public, they don’t know. So if you look at, I think when the KuCoin theft happened in 2020, they had a whole webpage up, all the addresses were up there. And as an investigator, that’s great, because if KuCoin doesn’t talk to me, I can still plop all those addresses in whatever tool I’m using and follow the money.

Ian:

Yeah, absolutely.

Christopher:

It’s one of these weird things with blockchain, the public nature of it, it changes the game. If it was a bank robbery…

Ian:

Yeah.

Jessica:

Much harder to follow.

Christopher:

Yeah.

Ian:

Definitely.

So Jessica, back to you. So now Chris and the team, a victim has come to them, reported stolen funds. They’ve been able to trace some of the funds, potentially gotten in touch with an exchange where they’re holding the funds. Is that the point at which you get involved, in terms of the…

Jessica:

I’m usually involved from the very beginning.

Ian:

Well, even better.

Christopher:

I try to keep her involved and up to date.

Jessica:

It makes things easier in the long run.

Christopher:

Yeah.

Jessica:

So at that point, we’re making sure that we have probable cause to believe that the proceeds are proceeds of a crime, so they’re criminal proceeds. And at that point we make a voluntary request of the exchange in the U.S., or an exchange abroad potentially, that they please voluntarily get a freeze in place while we work toward getting a seizure warrant, which is a court-authorized document that will tell them you need to transfer these assets to government control.

Now there’s a lot of nuance there because, like Chris was saying, everything is so cross-border in nature. So if you had a case where a U.S.-based exchange is involved, it’s amazing for us. We send them a quick note, we get a warrant very quickly, we send it over and they have to comply. And they have top cover for having frozen and then transferred someone’s funds to us, because they have a warrant in their hand.

When we’re talking about exchanges and other platforms that are outside of the United States, it gets way more complicated. Some of these entities are in four different locations or they don’t say where they’re located. So we’re still asking for a voluntary freeze, maybe not knowing exactly where they’re located yet. We’re just trying to find them as quickly as possible. So there’s a lot of back and forth in this industry, and I feel like we’re still in these stages of figuring out how to get people all moving at the same speed, so that we can freeze and seize and stop criminal actors from using the space at all. I think that’s where we’re all trying to go.

But there are some jurisdictions where we need to go through the mutual legal assistance process, for example. So we might have initial outreach with an exchange based abroad; they’re willing to do a voluntary freeze, and then we get our seizure warrant transmitted to them via the mutual legal assistance process. That is a very time-consuming process in most instances. You’re going through the central authorities for both countries, and then eventually they’ll transfer the asset. That can take anywhere from three months to five years. So if that’s what we have, that’s what we have, and that’s the legal process we need to go through.

But there’s other circumstances where companies in the industry are willing to move money on a voluntary basis to get it back to victims and things like that. So we’re basically just trying to figure out how we can freeze quickly, and how we can seize it as quickly as possible, so we can eventually go through the forfeiture process.

Ian:

Now, I would imagine in the case of North Korea, a sophisticated actor as far as criminals go, we heard on stage Erin Plante, in the panel that you all participated in, talk extensively about how the laundering techniques and tactics have increased in complexity; how they try and avoid detection, evade your tracing of them, and stay ahead of the seizure requests.

How did they ultimately get any of that money? Where do they go? I mean, I assume they’re not dumb enough to try and route through an American-based exchange, but it seems like more and more exchanges are compliant.

Christopher:

They’ll respond to your voluntary seizure requests, at least put a temporary hold on it.

Ian:

Where are the cash-out points where they’re actually able to profit from some of the attacks?

Christopher:

Like you said, they want to get cash. North Korea can’t buy ballistic missiles with bitcoin. It’s not happening yet, we’re not there. So we’re starting at point A, which is, you have stolen crypto and they need to get to point B, which is, “I have fiat currency, I have cash that I can use to buy stuff.” It’s not just ballistic missiles or WMD, but everything really.

Ian:

You’ve got to pay rent.

Christopher:

You’ve got to pay rent, got to feed the people sometimes.

Jessica:

You need flour.

Christopher:

Yeah.

Jessica:

Flour, sugar, rice.

Christopher:

Flour, sugar, rice, all those things. So generally speaking, what we’ve seen in a series of investigations is that one of the primary mechanisms for North Korea to convert their ill-gotten gains is to go through OTC traders. So if we look back to some indictments and concurrent OFAC designations in 2020 for Tian and Li, who were two over-the-counter traders in China who were working with North Korea, and then even as recent as April of ’23.

Jessica:

Sorry, I’m going to have to stop you.

Christopher:

Sorry.

Jessica:

We love our acronyms and initialisms in the government.

Christopher:

Sorry.

Jessica:

OTC traders are over-the-counter.

Christopher:

Yeah.

So let’s think about the currency arbitrageurs.

Ian:

Sure.

Christopher:

Buying and selling, trying to earn profit based upon the trade.

Ian:

Yep.

Christopher:

So in these cases, they might be buying crypto, they may or may not know it’s stolen from the North Koreans, and then taking a percentage. So if we rewind back to 2020 and earlier than that, they might be taking a 10% cut. But I would say that percentage has probably gone a lot lower than it used to be.

Ian:

Okay.

Christopher:

But going to April ’23, again, an indictment, concurrent designation of two additional over-the-counter traders, [inaudible 00:18:08] and Cheng Hung Man, who were working with a Foreign Trade Bank representative. And when they’re going through these OTC desks; because I think usually an OTC desk in the crypto world is supplying liquidity to exchanges, they’re often doing off-book transfers, maybe real-world exchange of cash for digital assets.

So it makes the on-chain tracing more difficult. It looks different, and what you’re trying to identify, and this is the same with just about any tracing in the crypto world, is where is the change of control? Where is the change of control? Because you’re not going to see the off-chain activity, which is, “I just sent you a half a million Chinese yuan,” or, “I just made a payment in US dollars for you out of my Hong Kong-based bank account.” What we do see is the on-chain transaction, so maybe it’s the transfer of Tether or some other stablecoin, or maybe it’s the transfer of Bitcoin. But whatever it is, it’s trying to identify that. And there are some indicators that might be there that that change has occurred, but it’s sometimes difficult to see where it actually happens.

Ian:

Yeah.

Roughly how successful has North Korea been at laundering? Because I think the Chainalysis research says last year, roughly a billion dollars, we’re pretty certain, was stolen by North Korea. The number could potentially be higher than that because we’re always learning more about what happened in the past. Of that billion do we have an estimate of how much they’ve actually been able to convert successfully to fiat?

Christopher:

Sure. So it’s difficult to tell what the actual success rate is in terms of the billion dollars that’s stolen. Because we start thinking about, in terms of billion, and at the same time, you have the value of cryptocurrency fluctuating.

Ian:

Absolutely.

Christopher:

And at the same time they might be swapping from ETH to Bitcoin to BTCB or any other token five different times during this entire laundering process. And all of those transactions are costing money or costing crypto, so throughout this process there is friction. And then where we’re coming in freezing and seizing assets, we’re applying more friction to the process. Or if we are successful at steering them away from a bridge protocol or a virtual asset service provider that they relied on and that has a lot of flow, then they have to move through another process that’s not as fast, so we start stovepiping their ability to move crypto off. So a lot of times we don’t necessarily measure the metric of, here’s how much they got of the 1 billion. It’s more like, what is their throughput? What is their volume through at any point in time?

Ian:

Yeah.

Jessica:

And a lot of it is still on chain, which everyone can see.

Ian:

Yeah, right. They haven’t even gotten to the ultimate laundering step of converting back to fiat for much of what they’ve stolen. Which seems like that’s happening because you all have gotten very good at tracing it. So it’s sort of too hot to process. They know that if they move it to an exchange, it’s likely to be seized. Or do you think they’re just waiting?

Christopher:

It’s difficult to tell without being in the minds of the North Koreans. I think I want to…

Ian:

You need to be in the minds. Come on, Chris.

Christopher:

Well, what I can see is that the speed with which they’re able to go through that final step in the pipeline is reduced.

Ian:

Yeah.

Christopher:

So to us, that’s a win. So if we’re bottle-necking assets on chain and those aren’t assets that can be used to purchase goods by North Korea, that’s a win.

Ian:

That’s a win.

Jessica:

We do try to do that in a variety of ways. One of the first ways we try to do it, in addition to OFAC sanctions, was actually through the seizure and forfeiture process.

Christopher:

Yep.

Jessica:

Zia Farooqi, genius that he is, he said, “Why don’t we use the stolen art model?” So even if we can’t get the private keys for all of these addresses that we know are holding North Korean criminal proceeds, why don’t we tell the world these are criminal proceeds? So if they do business with these addresses, they’re effectively doing business with North Korea.

Ian:

Right.

Jessica:

So we unsealed court-authorized documents, and then went through the forfeiture process against these addresses that we didn’t have the keys for, but that we know are holding criminal proceeds. Effectively, making them worth less, or much, much, much less lucrative than they otherwise would’ve been trading for.

Christopher:

Yeah. And if people are aware of that, then they’ll probably charge a premium to take on board the risk.

Ian:

Yeah, it’s great. Let’s make it very expensive for the North Koreans to do anything.

Jessica:

Yes.

Ian:

You mentioned sanctions, Jessica. So sort of famously, I think Tornado Cash was sanctioned because it became a favorite mode of laundering, or attempting to at least obscure the source of funds, for DPRK last year. Should we expect more sanctions? Do you think that’s a tactic that was effective?

Jessica:

I think my friend from Office of Foreign Assets Control is here, if you want to grab him.

Christopher:

He might be out there.

Jessica:

Do you want to have a conversation?

Ian:

He could bring his book out and read to us for a minute.

Jessica:

Yeah.

Christopher:

Oh, I think that was [inaudible 00:23:31] though.

Ian:

Oh, you’re right, you’re right. Wrong part of treasury.

Christopher:

Yeah.

Jessica:

Oh, the binder.

Christopher:

The binder, yeah.

Jessica:

Goals.

I will say about sanctions and Tornado Cash in particular, I think they did a lot at the time to shine a light on mixing as a money laundering concern.

Ian:

Yeah.

Jessica:

Chris can talk ad nauseam about the difference between Bitcoin mixers and Ethereum mixers, and just how useful sanctions can be in either context is slightly different. Because in the Tornado Cash context, for example, you could just stand another Tornado Cash right up again, which is a little bit harder to do in the Bitcoin mixing context.

Christopher:

Yeah. I would say, and here’s the issue with smart contracts, they’re still out there and they’re still operating. So while it might be sanctioned, I think at its heyday it had a balance of something like over 200,000 ETH. And then immediately after the sanctions, you saw that balance, within the pool, dropped to 80,000 ETH. But if we look at what the trend is now, it’s trending back upwards.

Ian:

Yeah.

Jessica:

Yeah. I think we looked the other day. Wasn’t it similar, like 135?

Christopher:

Yeah, 135,000.

So it’s not like people can’t use it. They are using it. It maybe requires a little bit more technical sophistication to be able to access it, because you have to have your own RPC node to be able to do it, or at least one that’s willing to interface.

Ian:

But what we saw there, in the analysis that we did, was prior to the sanctions designation, you definitely had a lot of criminal activity transiting Tornado Cash, but you also had a lot of people that weren’t obviously criminal. So people who said, “Oh, I’m using it for privacy reasons. I don’t want this transaction to be associated with me personally and I have a known address.” Vitalik I think famously said, “Oh, I was donating money to Ukraine and I didn’t really want to be tied to that publicly, so I ran it through Tornado Cash.”

So we saw all that non-illicit, or at least not obviously illicit, activity drop off fully when the sanctions happened. And all the transfers that were going to legitimate exchanges with compliance programs, the activity where they were receiving funds from Tornado or transiting to it, that all went away. But the criminal activity largely maintained itself. And this is why I was sort of asking the question about, well, is the sanctioning of a mixer like that necessarily helpful when you can’t do a technical takedown?

Jessica:

I think it can be, and I think it’s a tool in the toolbox of both the US government but also the private sector; just like all of us, whole of nation, working together is important in this space to get anything done. So I don’t think sanctions are going to go away. I think we will see a lot of them in parallel with other types of actions. But again, we can grab my OFAC friend and bring him in here to talk more about that.

Christopher:

But that’s a good point though. I think you all actually put out a report on sanctions, and I think there were three use cases within the report: Garantex, Hydra and Tornado Cash. And each of them had a different impact depending on maybe the overall effort against it and the circumstances. With the smart contract being able to keep operating, there’s a different outcome than potentially with Hydra, where you have a combined law enforcement action and OFAC designation and you have a complete drop-off.

Ian:

That’s right. It went to zero.

Christopher:

It went to zero. So there’s definitely use cases for sanctions and there’s different impacts depending on the circumstances of the target.

Ian:

Garantex is still, they’re…

Jessica:

A lack of will.

Ian:

Yeah, absolutely. It hasn’t slowed them down a bit. If anything, maybe it encouraged the Arrhenians to start doing business with. We’ve seen some growth in their business over the last year, actually. That’s pretty substantial.

It was an interesting debate that we had and I’m curious on your perspective on this. When we were publishing this year’s Crypto Crime Report, the number of DeFi hacks was roughly similar year to year, but the dollar value was down quite a bit. A little bit of that was just the asset price volatility, I think. But the debate was, are we getting better at security as an industry, meaning the criminals were working as hard as ever, but they just were less successful? Or was it something else? They took a vacation and therefore there weren’t as many hacks.

Christopher:

But there were though, right?

Ian:

Yeah, yeah, exactly.

So anyway, we were debating, are we getting better at security or is this just a fluke in the numbers for last year? I’m curious of the perspective.

Christopher:

Do you want to go first?

Jessica:

No, go ahead.

Christopher:

No, you want me [inaudible 00:28:39]. All right.

Jessica:

You want to talk about liquidity?

Christopher:

Liquidity, so much liquidity.

Yeah, so the data suggests that, according to y’all’s paper, the data suggests that half of the value of assets were stolen compared to the previous year. But I think it said that there were slightly more hacks that had occurred in the same timeframe. So with that, basically what we know is that each theft is less lucrative. Now without talking to all the victims and talking to the ecosystem writ large to see what controls you’re putting in place and what security practices are you using, but just looking at the data, it would suggest that maybe cybersecurity, the security part isn’t getting better, but potentially, and we are not sure, but potentially maybe risk management is getting better. So with risk management, maybe what we’re having is like, do we need 600 million in the liquidity pool or can we leave it at 40? What is our throughput? Really, what is our exposure to loss? You are taking on board risk anytime you have these things connected to the internet. And look, North Korea is persistent. They’re out there, they’re targeting people constantly. And so the question becomes…

Jessica:

For years sometimes.

Christopher:

For years, sometimes yes. And so the question becomes, are we better at cyber security if the number of thefts continues? And granted, maybe if there’s more targets out there and they’d have the same number of thefts, then they’re not getting any better. But let’s just try and make it equal, that the targets are still there, still being compromised, but they’re just less lucrative.

Ian:

Yep. Yep.

Christopher:

And to me that’s more risk management versus cyber security.

Ian:

That’s a good point.

I’m also interested in tactics. So if we rewind back two years ago, three years ago, a lot of these big hacks were technical compromise. Private keys were stolen, node validators were compromised, CloudFlare accounts were hacked, and front-end websites were redirected. You were authorizing contracts that were different than what you thought you were authorizing.

Christopher:

Mm-hmm.

Ian:

More recently, it seems like there’s a lot of social engineering. Some of these cases involve individuals impersonating a legitimate job applicant, who then are gaining access to systems and opening up back doors.

Jessica:

Aaron was talking on the panel earlier about, they’ve always been phishing and they also spear-phished. So I think that’s always been going on in the background. But the $600 million hacks and the $100 million hacks really took the media attention away from the smaller hacks that we are now all talking about this year, because there are fewer of the large-scale hacks.

Christopher:

But one of the things is North Korea, at least in the crypto space, [inaudible 00:31:54] revenue in a few different ways: large-scale or hacks and thefts, IT workers, and ransomware. So in some contexts, one of the indictments against Shim was that he was receiving assets from North Korean IT workers who had gained employment with crypto firms. And that employment was them writing with smart contracts that these different DeFi platforms are running. So now you have a North Korean and potentially it’s not like, and depending on how secure their deployment of the contract process is, all they have to do is change the address. And it’s not like they had to compromise the private keys or anything, you’ve already given them access.

Ian:

Yep.

Jessica:

And to be clear, these companies were unwitting, they don’t know they’re hiring North Koreans. And so not only are they being victimized because they’ve now given someone legal employment, but then potentially these IT workers are going to exploit the fact of their employment and steal money from them.

Ian:

Nobody’s going for ultra cheap labor by recruiting in North Korea.

Jessica:

Right.

Ian:

This has been a fantastic conversation. Maybe to wrap up here, we’ve got a diverse listener base, many who are in law enforcement or work in prosecutors’ offices, but also a lot of people that are in crypto. What advice would you give to maybe not have to make that call to say, “Chris, help. I’ve been relieved of a large amount of digital assets.”

Christopher:

Oof. Good cybersecurity practices in the first place. And it’s always very, very hard to fortify the human when you have contract developers who are also looking for their other job, and so kind of prime targets maybe for people who are offering a job or, “Hey, look at this code,” what have you. Being aware of those things, limiting access to what is absolutely needed, protecting your keys, separating those out, having multi-sigs or some other mechanism that’ll require multiple signatures to actually send any transactions out. All of those things, all the normal practices that we would do to mitigate risk and harden the environment.

Ian:

Yeah.

Jessica:

This is coming from a lawyer, but I would say hire lawyers early.

Ian:

[inaudible 00:34:25].

Jessica:

Get a risk mitigation workflow in place, be in contact with the FBI and IRS early. You know that you have a point of contact at each of these agencies in case you need it in the future, to steel yourself against potentially being the victim of a hack, so just getting your ducks in a row. We talked to a lot of people who never thought that their platform would be used by North Koreans or criminal actors. It just did not even cross their minds. And so thinking, and fortunately, this is a bummer, but just thinking through all of the terrible things that can happen, which is what we in law enforcement are constantly doing.

Christopher:

I mean, yes, the barrier to entry in the space is relatively low, and a lot of the people who enter are developers and innovators, and they’re not necessarily thinking about AML or risk mitigation plans or any of those things. 600 lines of code. You’ve got a working smart contract. It’s pretty easy to get started.

Ian:

Fantastic advice. Thank you so much both for attending the conference, speaking on the panel, and joining us here on the podcast. It’s been great.

Jessica:

Thanks for having us.

Christopher:

Thank you very much.

Ian:

Thank you, Jessica. Thank you.