Case Sheds Light on Latest Methods to Evade Detection: “Peeling” Chains
On March 2, the U.S. government sanctioned and indicted two Chinese nationals for helping North Korea launder nearly $100 million in stolen cryptocurrency. The indictment, filed in the District of Columbia, charges the defendants with conspiring to commit money laundering transactions designed to both “promote” and “conceal” the underlying crimes of wire fraud (the theft of the cryptocurrency via hacking) and operating as an unlicensed money transmitter — the latter of which is also charged in the indictment as an additional count.
According to the related and detailed civil forfeiture complaint, these funds were only a portion of those stolen in 2018 by state-sponsored hackers for North Korea from a South Korean exchange. These actions, notable in several respects, provide a glimpse at the latest methods of laundering cryptocurrency.
Anyone attempting to launder illicit cryptocurrency faces at least two big challenges. First, due to rigid know-your-customer rules, one cannot simply deposit large amounts of funds at an exchange without raising red flags. Second, because all cryptocurrency transactions are recorded on a blockchain, they can be traced.
To clear these hurdles, the complaint alleges that North Korean hackers used “peeling chains.” In a peeling chain, a single address begins with a relatively large amount of cryptocurrency. A smaller amount is then “peeled” off this larger amount, creating a transaction in which a small amount is transferred to one address, and the remainder is transferred to a one-time change address. This process is repeated – potentially hundreds or thousands of times – until the larger amount is pared down, at which point the amount remaining in the address might be aggregated with other such addresses to again yield a large amount in a single address, and the peeling process goes on.
In this case, the government alleges that the two defendants peeled transfers through more than 5,000 transactions, including by using one-time use cryptocurrency wallets, through various exchanges before converting proceeds to fiat currency through nine separate Chinese banks. The peeling transactions had been automated by a computer script that rapidly transmitted the funds to and from addresses and exchanges (many of the transactions occurred during the same minute). But these efforts failed when, according to the complaint, the defendants failed to peel one bulk transfer worth about $1.6 million. That transfer was traced by U.S. investigators to a North Korean-linked source.
The civil complaint provides the below chart regarding a simple peel chain example; the complaint contains other charts regarding more elaborate examples:
Meanwhile, co-conspirators in North Korea evidently searched for information about the exchange. According to the complaint, these individuals researched “hacking,” “Gmail hacker extension,” “how to conduct phishing campaigns,” and “how to exchange large amounts of ETH to BTC.” In another effort to mask their activity, the co-conspirators allegedly opened exchange accounts with doctored photographs and other falsified identification, including the use of an email account from a South Korean engineering company. But the photographs had been shoddily edited: investigators located images of the same body, wearing a white t-shirt, but with different faces elsewhere on the internet.
The use of exchanges to launder stolen cryptocurrency appears to be a growing problem. According to Chainalysis, criminal entities moved $2.8 billion in Bitcoin to exchanges in 2019—up from around $1 billion the year before. Its report concludes that a small subset of “rogue” over-the-counter (“OTC”) brokers facilitated the bulk of this criminal activity (OTC brokers are typically associated with, but operate independently from, an exchange, and are used to facilitate trades between buyers and sellers who either cannot or wish not to transact on an open exchange).
The government’s latest actions against the two Chinese nationals reinforces Chainalysis’ conclusion about such “rogue” brokers, and serve as a reminder of the need to carry out more extensive due diligence on OTC brokers more generally.