
119: Hot Wallets

2022/6/14

Darknet Diaries



Ocean's Eleven was a cool movie. An elaborately planned casino heist where the thieves were trying to steal millions of dollars in cash by bypassing all kinds of physical security and tricking the guards. It was a thrill to watch.

But I wonder if the great heist films are coming to an end. Because the largest robberies are all done over computers now. And it's just not visually stimulating to watch someone sit at a computer pushing buttons, transferring money from one account to another.

But even if it was, does it sound interesting if Fast and the Furious 27 was all about who could pull off the best NFT scam? Or what if Reservoir Dogs was remade and instead of stealing jewelry, they tried to steal the private key to someone's Dogecoin wallet? Reservoir Doge. Or what if there was Lock, Stock and Two Smoking ICO Scams? I don't know. Maybe this is the future of heist films. Because art imitates life.

And cryptocurrency heists are where the biggest thieves are playing today. These are true stories from the dark side of the internet. I'm Jack Rhysider. This is Darknet Diaries.

This episode is sponsored by DeleteMe. I know a bit too much about how scam callers work. They'll use anything they can find about you online to try to get at your money. And our personal information is all over the place online. Phone numbers, addresses, family members, where you work, what kind of car you drive. It's endless. And it's not a fair fight. But I realize I don't need to be fighting this alone anymore. Now I use the help of DeleteMe. DeleteMe is a subscription service that finds and removes personal information from hundreds of data brokers' websites and continuously works to keep it off. Data brokers hate them because DeleteMe makes sure your personal profile is no longer theirs to sell. I tried it and they immediately got busy scouring the internet for my name and gave me reports on what they found. And then they got busy deleting things. It was great to have someone on my team when it comes to my privacy.

Take control of your data and keep your private life private by signing up for DeleteMe. Now at a special discount for Darknet Diaries listeners. Today, get 20% off your DeleteMe plan when you go to joindeleteme.com/darknetdiaries and use promo code darknet at checkout. The only way to get 20% off is to go to joindeleteme.com/darknetdiaries and enter code darknet at checkout. That's joindeleteme.com/darknetdiaries and use code darknet.

All right, so who are you and what do you do? So I'm Geoff White, and I'm an author and investigative journalist. Geoff is a fantastic investigative journalist doing a lot of work for the BBC, and he's been tracking a particular story for a while now, and I'm fascinated with it. So I wanted to bring him in here to talk about what he's been looking into. The story starts with NiceHash.

NiceHash is a cryptocurrency business. I've actually used this service before. It's a Bitcoin mining pool and it's based out of Slovenia. Mining Bitcoin by yourself is hard to get any rewards, but if you pool your resources with other miners, you get a much bigger chance of making some money from it. So with NiceHash, all these Bitcoin miners pool their resources together to make more money from mining.

And the service was one of the most popular Bitcoin mining pools in 2017, which means it made a lot of money. And it would just keep a small fee and then issue the payouts to all the miners. So it's December 4th, 2017. Employees at NiceHash start to get phishing emails sent to them, which is the classic way in, of course. And around this time, lots of phishing emails were targeting lots of people at lots of cryptocurrency businesses. And sooner or later, because it's a numbers game, it seems somebody at NiceHash inadvertently clicked on the email, opened the link, opened the attachment, and got themselves infected.

The attackers used the malware to get into the employee's computer. And from there, they burrowed their way deeper into the NiceHash network, pivoting and escalating their privileges. And this particular attacker was looking for a very specific thing. NiceHash's Bitcoin wallet private keys. If they could manage to get their hands on the private key, they could empty NiceHash's wallet entirely.

And maybe some of the customers' wallets too. Because when NiceHash paid out the people in the mining pool, some people just kept their money at NiceHash, accumulating Bitcoin, but not cashing it out. And there were a lot of users who were not cashing out their Bitcoin that they earned. Maybe they'd come in once a month and transfer their coins out of there.

But this attacker got into NiceHash's systems and found where the private keys were for the Bitcoin wallets and just drained everything they could out of it, stealing a lot of money from NiceHash.

Do we know how much they took? Yes and no, which sounds like a peculiar answer to give. We know that at the point it was hacked, this was in December 2017, they transferred out Bitcoins worth about $75 million.

So the reason I'm saying no, we don't know how much it was worth was because at this time, you'll remember Bitcoin's value was swinging absolutely massively. So this was the year when it was peaking, I think, at about $20,000 per Bitcoin. So at the time of the hack, it was about $75 million. Subsequently, it might have been less. But in the intervening years, it will have been more. All we can do is a snapshot of time at the time, $75 million. $75 million in Bitcoin stolen. Gone just like that.

That's a lot of money. I mean, that's bigger than any bank robbery ever in the US. Largest theft in the history of Slovenia, according to somebody who worked for NiceHash at the time. So certainly in Slovenian terms, an absolute mega haul. And the thing about cryptocurrency is once it's stolen, it's gone. There's no way to reverse the charge or call the bank and say, hey, this was stolen. Please freeze the account that stole it. No.

No, Bitcoin is a type of currency that's decentralized, meaning there's no central controlling entity or place or person that you can call for help. So NiceHash starts investigating. They're obviously trying to trace down the money. Obviously, NiceHash is full of very clever people who do cryptocurrency all the time. So part of their effort is to try and trace where the cryptocurrency is going to try and keep track of it.

And as a lot of your listeners will be very familiar with, there's now a game of cat and mouse. So the hackers start to move the transactions through, move the money through different cryptocurrency wallets, possibly into different types of cryptocurrencies, so swapping it from Bitcoin into other cryptocurrencies. And the investigators at NiceHash initially are pursuing it and trying to keep track of it and trying to keep track of where this money goes, which gets increasingly more complicated the more efforts the hackers make to move it around. Sooner or later, this crosses the radar, it seems, of US investigators, almost certainly the FBI, who get involved and start trying to do that tracing effort as well, because pretty soon the US government and the FBI have a sense of who's behind this hack and how serious it might actually be.

Do you have any understanding of why the FBI would be investigating a Slovenian company? Yes, the FBI are constantly on the lookout for leads on investigations that they're running. So the FBI have, for a long period of time, been tracking various sort of cybercrime gangs. And they're quite canny across the world whenever there's a computer hack, particularly if it's a cryptocurrency exchange attack, and the FBI have been tracking a cryptocurrency exchange gang, they will start to look at that and think, hang on, does this have any of the indicators, any of the likely fingerprints connecting it to an investigation we're already running? And we've seen this before in the case of the attack on Sony Pictures Entertainment back in 2015. Subsequent to that, another attack by the same gang on Bangladesh Bank, the central bank of Bangladesh, the FBI start looking at that and thinking, hang on, we're seeing some commonality. So the FBI are constantly scanning around the world, aware that the hackers that they're chasing can be operating in almost any country around the world, and trying to connect the dots between fresh attacks, fresh cyber attacks, and ones that the FBI has already got on its radar to see if it can lump in that attack with another attack and potentially charge the same gang with both. Mm-hmm.

And so with this, and now the FBI is investigating, did they ever discover who stole this 75 million? Well, according to the FBI, this was the work of the Lazarus Group, who are believed to be working on behalf of the North Korean government. This is North Korean state hackers who are going around the world and in a lot of cases trying to get their hands on as much cash, as much foreign currency certainly as possible, so they can transfer it back, either to North Korea directly or for the use of North Korea in other foreign countries. So these are the kind of jigsaw pieces that the FBI is starting to put together. Oh, whoa. This is somehow surprising and not surprising at the same time. It's surprising that a nation state actor, a government organization would be in the business of cybercrime.

But it's not surprising because the North Korean government is just weird. I mean, they're really, really weird. But this is also surprising because this is the first time North Korea has ever stolen cryptocurrency before. And specifically, they broke in and stole Bitcoin from a company in Slovenia. Where the heck did they learn how to do this from?

They'd been experimenting with cryptocurrency. So you've got to think back slightly earlier than this attack. This is December 2017. May 2017, of course, was the WannaCry cyber attack, the ransomware attack that hit multiple countries around the world, hundreds of thousands of devices infected and so on. Classic ransomware attack, but spread through this, er, incredible sort of auto-spreading and auto-detonating technology. And what's interesting about that from a cryptocurrency point of view, because the WannaCry attack was also attributed to Lazarus Group, was that in the wake of the WannaCry attack, there was obviously this question around how the ransom payments, which were obviously in cryptocurrency and in Bitcoin in this case, how those ransomware payments would be sort of gathered together and distributed and laundered.

They didn't make a huge amount of money out of WannaCry. I think they barely, at the time, I think it barely topped a million dollars, which is sort of almost laughable compared to ransomware gangs' profit margins today. But the interesting thing about WannaCry was the efforts that the hackers made to launder the money. You could see, because obviously cryptocurrency transactions are transparent and available on the blockchain, you could see in the months after WannaCry, the money being moved around, moved through different wallets, tumbled, as the terminology says, into different wallets, and eventually disappearing into one cryptocurrency exchange, never to be seen, or at least never to be traced again.

So you're right, North Korea hadn't really done a huge amount of cryptocurrency theft, bare cryptocurrency theft, but they definitely experimented with moving cryptocurrency around and laundering it. And in hindsight, maybe the WannaCry cyber attack, part of the motivation was to get the hang of, if indeed it was North Korea behind it, getting the hang of laundering cryptocurrency so that they could then go on to do hacks like the one on NiceHash in December.

Oh boy, this does not bode well. If North Korea learned how to launder Bitcoin from WannaCry and they're already equipped to carry out hacking campaigns and they use these offensive techniques to get in and steal $75 million from NiceHash, this win for them could mean North Korea is going to go full throttle and start attacking all cryptocurrency companies looking for big licks.

Because North Korea has been robbing banks for years at this point. In fact, Jeff came on the show before to tell us about the time when North Korea robbed the Bangladesh Bank. That's episode 72. But when you rob a bank, it's a lot harder to launder the money versus when you steal some crypto.

Crypto is private and anonymous by design. It's much easier to move the crypto around and hide behind the wallets. Like for instance, if this money was stolen from a bank, there would be an immediate sense of urgency to get that money out. It might have been transferred to another bank and then they'd have to deploy a whole network of money mules to try to quickly cash out all the money they stole. But when you steal Bitcoin, there's no sense of urgency. You can just let it sit there until you're ready to cash it out. Nobody can touch it or freeze it on you.

And the scary thing is that North Korea needs money badly and isn't afraid to commit heists and robberies to just steal as much as they can. So as they learned about crypto, this must have been seen as a great opportunity for them. Absolutely. Yes. The trajectory, really, of the North Korean Lazarus Group, according to both US investigators and the United Nations who keep an eye on North Korea and its activities, the direction of travel for its hackers, I think, really has been cryptocurrency. In the years following the NiceHash attack and the WannaCry ransomware attack, there was just this sort of proliferation of loads and loads of different tactics of targeting people and loads and loads of different methodologies for doing it. Many crypto companies reported they received phishing attacks from 2018 onward that seemed to be coming from the Lazarus Group.

These are almost always emails that employees would receive to try to trick the employee to read the email, download the attachment, and open it. And these phishing emails weren't some spray-and-pray kind of attack where they're sending out millions of emails a day. No, these phishing emails were often very well-crafted to target a specific person at a specific company, and they were well-designed.

One of these phishing emails targeted an employee who worked at a crypto company. And what the attackers did was they looked on LinkedIn to see who worked at that company and found an employee that they think would have access to what they wanted and would be susceptible to a phishing attack.

So they crafted an email which was trying to recruit that person to come work at a different company. That just looked like the dream job, just absolute dream job. All the things you want, loads of money. Unfortunately, of course, the dream job doesn't exist. It's been made up by the computer hackers to appeal to exactly this individual because they've managed to research that person on LinkedIn and said, oh, they work for this company, work for that company. They'd probably be interested in this job.

So the employee thinks, well, I'll open this job ad and see what happens and what it looks like. He read the email and was curious to learn more. It said there was more information in the attached document. He was interested and downloaded the attachment. It was a Word doc. And when he opened the Word doc, a pop-up showed up, which said, this document is protected by GDPR regulations. Please click to accept the GDPR terms.

Well, as you can imagine, this button had nothing to do with GDPR. And when he clicked OK is when the Word doc executed a script which infected that employee's machine. And with that, the North Korean hackers were in his computer hunting for the crypto wallets that that company controlled.

And I find this fascinating because time and time again, I've heard penetration testers do this exact same thing. They want to target a company, so they go to LinkedIn, find some people to target, and craft some phishing emails, and they get into the company that way. Social media just makes this kind of attack so much easier.

The thing is, we don't know how many crypto companies were robbed by North Korea. Companies feel embarrassed when they get hacked like this. They'd lose customers if they publicly announced they've been hacked. So even when a company reports this to the authorities, those companies can still remain nameless.

But what we do know is that North Korea has steadily and persistently attacked and stolen cryptocurrency from companies for years. So yes, you start off with, you know, 75 million or thereabouts at NiceHash. And this sort of develops and gets bigger and bigger. At one stage, the FBI are talking about the stealing of $230 million. This is from an unnamed cryptocurrency exchange.

Absolutely astonishing amount of money. $230 million stolen from one exchange? Unbelievable. And with little to no punishment, of course North Korea is going to continue on this robbery spree. Who's going to stop them? Well, the FBI investigated this $230 million heist and tried to figure out who cashed this money out. And obviously, one of the things you can do when somebody steals cryptocurrency is you can trace it because cryptocurrency transactions are recorded on the blockchain and anybody can go to the blockchain and look at where they go. And this is the game now. Investigators, law enforcement and private companies are constantly on the case when these hacks happen, trying to work out where the money goes. And what they're hoping is they can chase it to somewhere that's legitimate, or at least they can chase the money into a cryptocurrency exchange that will answer the phone to law enforcement. So law enforcement see these transactions through the blockchain, they go, aha, they're now putting it into this cryptocurrency exchange. We've got a number for them. Let's give them a bell and see if we can get them to stop the money.

Now, obviously, not all cryptocurrency exchanges are going to do that. But some of them, quite a lot of them actually, do want to answer the phone to law enforcement. They don't want to be part of criminality. So you can call them up. And they managed to trace the money to a particular cryptocurrency exchange. And what was good about this exchange was they'd implemented what are called know-your-customer controls. So this is, you'll have been through it. I'm sure lots of your listeners have been through it. You try and set up a bank account, they want you to hand over ID. Increasingly with cryptocurrency exchanges, the legitimate ones, they're doing the same thing. You know, if you set up an account at one of these places, you'll probably have had to send your ID, your passport or whatever. And so one of the exchanges into which this $230 million of stolen cryptocurrency vanishes is one of these legitimate exchanges that asks for ID for customers.

So the FBI think, right, we can phone these guys up, this cryptocurrency exchange, and we can ask for the ID for the customers that set up the accounts that the stolen money went into. That's a pretty good, you know, that's going to be a good lead. So sure enough, they do. They make contact with the exchange and say, look, here's the accounts. Please give us the IDs of the people who set up these accounts. And the cryptocurrency exchange obliges and sends the FBI a screen grab, an image of the ID of the person who set this thing up. And what the cryptocurrency exchange has is a photo, a webcam photo, someone sitting in a chair, you know, he's got coiffed hair. He's holding up a South Korean driver's license, I think it was. He's wearing a little white T-shirt.

And the driver's license has got this guy's name and his address and his ID and everything on it. So I imagine the FBI at this point are thinking, great, this seems to be the guy who's helping launder the stolen $230 million. But there's a bit of a snag because there's two accounts that are being used and the FBI has asked for the IDs for both of the account holders. So the first ID comes, it's this South Korean guy holding up a South Korean driver's license, badaboo.

Second picture arrives for the second account holder. And this time it's a German guy and he's holding up a different type of ID and he's bald head and looks completely different. But then as you compare the two photographs, which the FBI must have done, things start to look a bit skewy because they're both wearing the same T-shirt.

That's weird. That's a coincidence. And then their fingers are in exactly the same positions around the ID. And they're sort of sitting in exactly the same chair. And as you look closer, you realize the pictures have just been photoshopped or at least manipulated somehow. They've basically taken the heads off the two different pictures and put them onto the IDs. It's basically a picture that's been ripped off the Internet.

And the hackers have effectively faked the pictures on the ID, faked the pictures on the photograph, convinced the cryptocurrency exchange these are real people who want to set up an account, used that to set up the account, and washed the $230 million through it. So the FBI's dream of knocking down the door with these two chaps with their IDs on display vanished into thin air, unfortunately. Interesting. They've got fake IDs and have figured out how to cash out their stolen money without getting caught. Right.

And you might wonder, hey, there are banks in North Korea, right? Why isn't there a crypto exchange in North Korea where the Lazarus Group can just send their Bitcoin there and cash it out without having to use any fake IDs?

Well, for a few reasons. First, it would be obvious if you saw the stolen Bitcoin wallet go to an exchange in North Korea that it's going to be the North Koreans who did this. And North Korea doesn't want to take credit for any of this. They are already in trouble and getting sanctioned and just don't want to make things worse. So they always deny that they had anything to do with these heists. But second, we're talking $230 million cash outs here. It kind of breaks my brain to think this through, but...

Where would a North Korean crypto exchange get $230 million to give to someone who wants to cash that much out? They would have to have that kind of cash on hand to pay it out. And it's not like you can just start an exchange and only do payouts. The reason why exchanges work is because the exchange has enough people buying crypto with the cash and they can pay out what's needed.

Like I said, that kind of breaks my brain to fully understand that. But suffice to say, there's no crypto exchange in North Korea. So they have to use exchanges in other countries to get their money out. And they don't actually cash it all out at once. North Korea has this technique they use called peel chaining.

See, once money gets stolen, the wallet it went to actually gets flagged, so exchanges know not to do business with that wallet. So, like, if you stole $75 million and transferred it to your wallet, the FBI might flag your wallet and tell exchanges, hey, don't do business with this. And so if you then send your money to Coinbase, Coinbase might freeze your funds and turn it over to the FBI.

So what North Korea does, since they know their wallets are being watched, is they transfer all their money to a brand new wallet and quickly, before it can be flagged as a stolen wallet, they take a small chunk of money, maybe 5 grand or 50 grand, send that to an exchange to quickly get it cashed out using one of these phony IDs they have.

And then they continue doing this until they've cashed out all of what they want. Transfer all the money to a new wallet, peel off a little, send it to an exchange, and do it again. Transfer money to a new wallet, peel a little off, send it to an exchange, and just keep repeating. This is the peel chain laundering technique that they use.

And by the way, I learned all about this peel-chaining technique from Geoff's book that he just published called The Lazarus Heist, which goes into great detail about this and so much more.

Exactly. And this is the interesting thing about North Korea's efforts to steal money generally is, I think when I started out with season one of The Lazarus Heist, the podcast that we did that led to the book, my sort of assumption was, well, all this money sort of, you know, washes back to North Korea, all these allegations of stolen money, you know, if that's what's happening, it must end up back in North Korea. And I had this image, I think, I don't know, maybe Kim Jong-un, you know, writhing around in a pit of money. But that's not necessarily how it works, because as you say, once you get your stolen Bitcoin or whatever it is back to Pyongyang, if it is indeed then behind it, you've got to sort of take that cryptocurrency and swap it into something. And obviously in North Korea, that's just North Korean won. It's just a local currency. What often happens instead is this cryptocurrency is just left in wallets around the world, you know, in China, while it's connected to the internet, that can then be used for things North Korea would want to buy.

So if North Korea wants to purchase something in, I don't know, Kazakhstan or Russia or Brazil, they can use the money sort of locally, if you like. They don't keep the money back in North Korea. They have the money stashed out in other places so that they can buy things they need because they can't dispatch the money from North Korea to go and buy them. It's much better to have, you know, if you like, local credits that you can spend in different countries that you need. And that's why cryptocurrency is really useful is if you've got your money stashed in Russia and you want to buy something in Russia, fair enough. But if you want to buy something in Brazil, you've got to move the money from Russia to Brazil. Whereas with cryptocurrency, it's accessible sort of anywhere in the world. It's, you know, that's one of the joys of it. So for people like North Korea, who are seemingly stashing this money around the world, it's really useful because they can make purchases in different countries with it. Oh, that's very interesting. I never thought of that.

But okay, so still, can you give us any kind of idea on how they might be laundering it? Because like you said, it is becoming more regulated and it's more difficult to get it out because then it's tied to a real bank account somewhere in the world. And maybe there are just places in the world that are not regulated, like you can find some backstreet exchange in some third world country or something, I don't know. Yeah, yeah, exactly. It's a really interesting picture, this one, and there have been instances of hacks where, particularly recently, because the investigators, both law enforcement and also private industry investigators on cryptocurrency, are getting so quick and so fast and so thorough at chasing the stolen money, stolen cryptocurrency, that it's really difficult for those who've stolen it to launder it because all eyes are then on those hot wallets, if you like. I say hot wallets, I mean hot as in stolen money wallets.

And so there's instances in which the hackers are sort of caught out because they've got the money in a wallet. But as soon as they try and move it somewhere, as soon as they try and cash it out, the investigators are going to try and get one step ahead of them, contact the company that's doing the cashing out and say, hang on, that's stolen money. You can't transfer that. You can't transfer that into fiat currency, pounds, dollars, and so on. So the hackers face this really interesting challenge of trying to sort of find those, as you say, those back streets, if you like, in the cryptocurrency market. So the exchanges that aren't doing know your customer, the exchanges that don't care that they're handling stolen money. The other thing they're going to is tumblers, is Bitcoin mixers and cryptocurrency mixers, who will take your cryptocurrency, mix it with other people's. If you imagine a whole bunch of banknotes on the table, you stick your stolen banknotes in the middle, you wash them all around with the other notes, and then you get some notes back, but some people get some other notes back. Really difficult to work out which banknotes came from the drug deal.

And so these mixers are effectively a cryptocurrency version of that. You stick your money in, it gets washed with some other people's, you get your money back. But it's really hard for investigators then to say, look, the money that went into that hole there is the same as the money that came out of that hole over the other side of the mixer. So that's one other thing they're doing. And the other thing is the North Koreans are allegedly, along with other cyber criminals, relying on some networks of people, of individuals who offer to take bits of cryptocurrency and try and cash them out, try and convert them into different types of things. The US has charged a couple of Chinese chaps with offering exactly this kind of service, probably in exchange for a fee, using little bits of cryptocurrency and changing it into real world money. In some cases, using things like iTunes gift cards, anything they can do to eke out this money.

But the overall picture of this is if you've stolen, let's say, $230 million of cryptocurrency, it's just not possible in the situation in this world right now to suddenly swap that into $230 million of real money of actual US dollars banknotes. You can't do that. You've got to do it slowly. You've got to eke it out. So there's a handbrake being applied to all of this. It's really interesting.

All this takes a special kind of skill. You can't just Google how to launder $200 million in Bitcoin and follow some step-by-step guide. This is a dark art of sorts. Finding the cracks in the walls that should stop people from doing this and exploiting them. This means as years go on, the Lazarus Group is getting better and better at finding large piles of crypto, stealing it, and laundering it, which means they're starting to venture out into new crypto territories.

Yeah, this is where it gets really weird and interesting. There's this very peculiar story that emerges about a company set up called Marine Chain. Okay, so Marine Chain was this cryptocurrency startup, I think they were working on an ICO, where they wanted to raise money from investors to issue crypto coins for however much they bought in. And this company was based in Singapore, but then out of nowhere, this guy Tony Walker just decided to join the company. And Tony Walker's the brains behind Marine Chain. He says, look, we're going to set up this company. I know all the business side. He's got a sort of fancy slide deck that shows how much money they're going to make. They're going to be in for tens of millions of dollars off the back of this. Tony Walker starts helping this Singapore-based company launch. But he doesn't seem very focused on the business.

So your chap in Singapore, Jonathan Fung Kak-kyong, starts to get a bit suspicious about this, but keeps going with this guy, Tony Walker, because it looks like it's going okay. They are getting, you know, interest in this and potentially they're getting investment. But gets increasingly suspicious. And then Tony Walker starts asking your Singaporean chap, Jonathan Fung Kak-kyong, to have his name on the business. The business needs to be registered in his name.

And the Singaporean chap says, well, no, I'm not sure about that. That's going to cause problems. But Tony Walker's insistent on this. And then things get a bit weirder. Tony Walker's name appears on contracts, but he's not signing himself Tony Walker. He's signing himself Julian Kim. And by this point, a lot of alarm bells should be ringing because it's clear something's going wrong with this business. Something very peculiar about this Marine Chain business.

Well, Marine Chain starts getting talked about on forums and on Reddit, and someone made a comment about Marine Chain. And says just sort of out of the blue, no, I don't think you should. I think this is a bit of a scam. And by the way, I think it's a North Korean motivated scam.

And this just drops on these forums. And what's weird about this is the key comment comes on a Reddit forum from a user calling themselves Arsenal Fan 5000. Arsenal being a very famous football team in the UK, which probably needs no introduction. And so some football fan is popping up on Reddit and saying, no, you shouldn't invest in Marine Chain. I think it's a North Korean front operation. Now, what's weird about that is at that point in time,

I don't think anybody had actually clocked that. And yet this user, who's apparently some football fan on Reddit, pops up and says, you know, I think it's North Korean. What's weird about Arsenal fan as well is this user posts that comment and nothing else. No other discussion. It's the only comment they post on the whole forum and then they just vanish and disappear.

Turns out they're on the money. As other people start investigating, they uncover different links to North Korea from Marine Chain. And it does turn out to be a North Korean front operation. So a lot of people are pretty glad they didn't invest in this particular firm. Now, what's interesting about Marine Chain is partly thanks to being exposed by people like Arsenal Fan 5000, the company just folds significantly.

So it just vanishes and disappears. And Tony Walker, aka Julian Kim, just drops off the face of the earth, drops off the radar, at least for the moment under those particular pseudonyms, and is never heard of again. So Marine Chain is an interesting sort of facet to this. It's a sort of North Korean attempt at an initial coin offering, an ICO, that never really lands, never really takes off.

Whoa, this is a totally new type of tactic for North Korea to launch an ICO?

Here's the thing. In 2018, it was quite the year for ICOs. ICO stands for Initial Coin Offering. It's kind of like a company starting a business and to raise money to kickstart it, they sell this new type of crypto to early investors. And if the company does well, then the value of the coin goes up. And if the company does poorly, the value of the coin goes down. And 2018 was sort of a boom year for ICOs. There were lots of them springing up everywhere and people wanted to invest in these companies.

But not all these ICO projects were good. In 2018, there was a company called Guoyang Blockchain Financial Co., which launched its own ICO. And they raised $60 million and then disappeared, exit-scamming all their investors.

So I think North Korea may have taken notice of this and tried dabbling in their own exit scam by launching what looked like a real company, but then possibly they had the intention of pulling the rug out from investors? We don't know what the real intentions were for this Tony Walker guy, but this might have been an indicator that North Korea is trying to conduct their own exit scams now. Wild!

Is there any scenario where it's just maybe somebody from North Korea and not the North Korean government? Because, you know, I imagine anyone who's doing it from North Korea is the North Korean government. But maybe there is a scenario where I haven't considered. It's a good point. I think broadly speaking, you have to realize in North Korea, if you have an Internet connection and a laptop...

It's because you have either been given it or granted access to it by the North Korean government. It's a point maybe a lot of your listeners will know, but just to stress this, it is not the case in North Korea that you can go out and get a laptop and be connected to the open internet as you can in most other countries in the world. It's incredibly well-policed and restricted. So if you're talking about somebody like Tony Walker, aka Julian Kim, who sets up online, who's having Skype conversations with people, who's emailing people back and forth, who's setting up websites,

That's got to be somebody in North Korea who's got an internet connection laptop or possibly a North Korean who's outside the country and has got an internet connection laptop. Either way, that's government sanctioned. Okay, so to get out of North Korea...

The North Korean government needs to give you the say-so and the okay to do that. Or to be in North Korea with an internet connection, a laptop, the government's got to be okay with that. So, you know, really all roads lead back to the North Korean government. It's almost inconceivable that Marine Chain, if it is North Korean, could have been done without the say-so, the express say-so of the North Korean regime. I'm going to take a quick ad break here, but stay with us because when we come back, North Korea set some new records.

While I was making this episode, I was doom-scrolling on Twitter, and I came across this tweet, which was so remarkable that I just had to call the guy up who tweeted it to hear the story. I'm John Woo. I am head of growth at Aztec Network. Aztec is a crypto company which aims to make your cryptocurrency usage more private. And to do that, you can use their system to move your money around.

They sort of shield it so that you can move it around without anybody knowing that you're doing that. But because their tool is catching on, a lot of people are using it and moving their money around through Aztec's network, which means at any point they've got control over quite a bit of their users' money. Yes. So if you look at all the public dashboards, our smart contract holds about $15 million last I checked, although the market has come down a bit. And we've had, again, depending on ETH price, but as of a couple of weeks ago, $80 to $100 million of throughput. And so certainly a lot of value has moved through the system.

Now, Aztec is growing, which means they're hiring and have open positions. And John is the one who looks at resumes and does interviews to hire new people who work there. Yeah, that's right. And so, you know, we get lots of inbound resumes all the time for our full stack engineering roles and smart contract dev roles. And I'm on the hiring team at Aztec. So I got automatically assigned a resume that had already been internally reviewed and looked super legit. The person had a GitHub with a bunch of projects on it and had a resume with some things that I'd heard about like F2Pool.

The name was Bobby Sierra. He set up a time to do an interview with Bobby Sierra, a remote one, through video conferencing. John and Bobby both got on the video call. I immediately noticed that the person's camera was off and that there was a little bit of latency, but also that there was just a lot of background noise, so just a bunch of chatter in the background. Did you ask to turn the video on? I did, and he made some excuse about how he couldn't do so.

And I talk to folks, you know, not infrequently who are uncomfortable on video, but it is one of the best tools that we have for validating identity. And Bobby Sierra, again, not to be stereotypical, but it's obvious on the face that Bobby Sierra is a Western name and this person had a heavy Korean accent.

The way I was able to tell is I'm Asian too, I'm Taiwanese. I grew up in an immigrant community around New York. And some of my absolute best friends growing up were Korean. I spent a lot of time in Korean households. And I was like, this guy's obviously Korean. I've heard an accent like this and some of the mannerisms like a thousand times. And then I kind of flat out asked him, where are you based? And he said, I'm based in Hong Kong. And I'm like, that's not what your resume says.

Your resume says you're based in Canada. And then he did this multiple times through the call, but then he would just mute me. You know, he would just go on mute and then he would come back online and pretend like nothing happened. Did you ask any technical questions that he knew? Like, did he know his chops about what you wanted him to know? No, absolutely not. He didn't say almost anything coherent. Um,

He kind of just kept repeating stuff like, I'm an experienced blockchain developer. I've worked on many successful projects. I'll bring you a lot of success. And of course, the infamous line from his cover letter was, the world will see a great result from my hands, which was just so villainous sounding as to be comical.

And so, yeah, no, he really couldn't answer any technical questions, couldn't even answer the basic questions of where he had worked previously.

The whole thing was super bizarre. And he was just either unfazed or didn't understand when I was pointing out red flags and inconsistencies. He was clearly spoofing someone's legitimate resume and pretending to be them, like had just downloaded it from like an open resume site or a recruiting site. But it was when I was like, hey, man, it says here that you worked here at F2Pool. Tell me about F2Pool. And if I were to recreate what he said, he literally was like, yeah.

And then muted. And I was like, "Hey, are you there?" And I would say at least a minute or two minutes went by just silence on the other line. And I was like, "No one does this." It doesn't matter how incompetent you are, right? Like if you think about like, there's kind of two axes I'm judging on this interview. Are you competent or incompetent? That's like the standard interview framework. Like am I gonna move you on to the next step or not? But the other one that you don't consider usually when you talk to someone is like, "Is this person nefarious?"

And it wasn't until he kind of went dark for like two minutes after being asked a really simple question and then came back again with his renewed purpose, like pretending like that didn't happen. Like, I want to work with you. I'm an experienced blockchain developer. I'll make you successful. That I was like, dude, something's going on here. It's a scam. It's a behavioral hack. And that's when I hung up.

Honestly, right when I left the call room, I shut the door of the call room and I remember being in the office and I was like, guys, I think I just interviewed a North Korean hacker. That was my intuition. My intuition, and it was biased from weeks of having observed it and reported on it. And I had already been covering some of these security hacks of really famous DeFi individuals like Arthur0x and a lot of the coverage on Lazarus Group. So I was already primed to be thinking about this.

So between that, his undeniably Korean accent, and just how sketchy and scammy it was, that was kind of my intuition.

John was actually pretty spooked by this. I mean, if this was a North Korean, that's a pretty close encounter. To be on a video call with them? To have this whole email exchange? To be opening resumes and email attachments? He starts retracing his steps, trying to remember exactly how much he shared with this Bobby Sierra. Did he do any screen sharing? How much did he explain about the company and what tech they use?

John was on high alert and feeling pretty disturbed by this. So he tweeted the whole encounter. The tweet went super viral because, you know, frankly, it was entertaining. Even when I was in the room, I was kind of laughing at myself. I was like, who is this guy? Like, this is so crazy. You don't have interviews like that ever. You know, you don't ever have those. It's rare to have an experience in your life where that's just so surreal. You're like, is this happening? Like,

This person is just making stuff up and their resume is not consistent with their GitHub, is not consistent with their real name. And their quote-unquote real name is Bobby Sierra and his cover letter sign-off is...

the world will see a great result from my hands. And so it was just a funny thread and it just went super viral instantly. It got thousands of likes. Some people were saying, no, dude, this is typical. If you interview enough people for a while, there's some really weird ones that just show up. So John was starting to doubt that it was North Korea. But another crypto investor who had his digital assets stolen a little before this said it was definitely North Korea because he's seen this before. So John wasn't sure again. But then...

Yesterday, I think, you know, this week, the U.S. Treasury published a 16-page advisory on North Korean overseas IT workers. And that advisory explained almost to the word the tactics that this guy Bobby Sierra was using on me.

This advisory from the U.S. Treasury and the FBI says that North Korea has been trying to dispatch IT workers to work for companies all over the world remotely, posing as non-North Koreans. And some of these people, when they get hired, they don't even do the work. They just hire a subcontractor to actually do the job that they were supposed to do.

Once again, North Korea has flabbergasted me. I mean, what level of social engineering even is this? To try to get a job at the very place you want to rob, and it's done by the world's worst social engineer? It's bold and ridiculous at the same time. And one thing that seems clear from this is that the Lazarus Group is on a tenacious mission to steal crypto from people and places all over the world.

And they're pretty creative at coming up with new ideas on how to do it. It's almost like the Lazarus Group has a whole R&D department that cooks up ways to steal money. And one of the amazing things was the sort of rash of cryptocurrency trading apps that they launched around the sort of 2018 kind of period.

First one we think was May 2018. This was a thing called Celas Trade Pro, which was basically a sort of cryptocurrency trading app. The idea was you'd plug in your cryptocurrency wallets and it would assist you through the process of this. And this was set up with a very glitzy looking website, you know, all looked very above the board to those who are giving it a casual glance. And the idea was download this app. It'll give you cryptocurrency trading advice and allow you to sort of do this if you connect your wallets to it. Unfortunately, behind this was a piece of malicious software. So when you downloaded it, you effectively gave the hackers backdoor access to your machine. And of course, as soon as you connected your cryptocurrency wallet, you'd potentially give them access to it and they could steal your money. So that was Celas Trade Pro, which was the initial iteration of this. It didn't take long for the tech security community to clock that this was malicious. So, you know, Celas gets reported on, lots of reports come out about the fact that there's actually malware within this.

But it doesn't really seem to matter to the hackers behind it, who are allegedly the North Korean Lazarus Group, because they just relaunch it under different names. You know, it's this bewildering variety of different cryptocurrency apps that come out in sort of 2018, 2019. And they're just the same malicious software, just rebadged and repackaged.

So Union Crypto Trader, Kupay Wallet, CoinGoTrade, CryptoNeuro Trader, Ants2Whale was one of my favorite ones. They're just the same piece of malware, just dressed up in different iterations. And it seems that, you know, they think so long as we can just keep rebadging this, we'll keep finding suckers.

So they set up these crypto apps that would be viruses, malware of some kind. Do you think they ever actually hit anybody with this and stole some money from people? Yeah, yeah, it did actually work. I mean, the recorded case according to the US investigators is August 2020. It's a financial services company in New York who downloaded a thing called CryptoNeuro Trader. And the Lazarus Group apparently got away with $11.8 million. Wow.

In 2018, another crypto exchange was robbed. This time it was Coincheck, based out of Japan. And this was an exchange that handled different cryptocurrencies, Bitcoin, Ethereum, and NEM tokens, N-E-M.

Well, someone hacked into this exchange, looked for the crypto wallets, and found the NEM hot wallet. They emptied the whole thing. About 500 million NEM were in that hot wallet. And at the time, one NEM was worth $1. So this resulted in a theft of $500 million worth of crypto.

Which was the largest heist ever, larger than any bank heist or crypto heist ever reported at the time. The thing about Coincheck is the attribution. It is not clear to me, and I don't think it's clear to investigators, whether this was North Korean. One of the issues with that is the malware that apparently was used to break into Coincheck was commodity malware. So it's quite difficult from that perspective to attribute it. You can't say, well,

This was particular malware that we've only seen used in these particular attacks by these particular groups. I think that was one of the issues around it. There was some talk in the media about this being the work of North Korea. Certainly, it's a cryptocurrency attack. It's in the Asian area. You know, that sort of maybe points to Lazarus Group. But beyond that, for me anyway, you need a few extra bits of evidence. As I say, the malware didn't really point to it.

And then there was the whole laundering procedure and the cashing out procedure for this. So some of those NEM coins that were stolen from Coincheck eventually ended up being sold as cryptocurrency assets on dark websites where they were sort of offered at a discount, which didn't quite look like some of the other laundering cash out operations that have been attributed to Lazarus Group. So for lots of different reasons, there's a bit of a question mark over Coincheck. Look, that attack is still being investigated. Japanese police are still all across it. Coincheck is still, I believe, working with law enforcement to check into it. So there may be news on that. There may be movement on that.

The Lazarus Group story just keeps developing and developing. So keep a watching brief on that. But for the moment, I'm not sure whether I'd add Coincheck's $530 million to my tally of suspected Lazarus Group cryptocurrency wins. Okay, so we'll put a question mark on whether or not North Korea robbed Coincheck. But then in September 2020, there was another big robbery at another crypto exchange. This is the attack on KuCoin, another cryptocurrency exchange, based I believe in Singapore, this one.

And this was various different types of cryptocurrency assets. So some of it was in Bitcoin, some in some really obscure types of cryptocurrency, crypto asset. Some ERC-20 tokens were taken, some stable coins. So it's a mix, a mixed bag of stuff once the hackers got in. Because once they get in, it's not just one wallet they have access to. If they've got this kind of blanket backdoor access...

You know, they've got access to the entire safe and whatever's in there. So they start pulling out this money. If you toss it all up, certainly at the time, this would be worth about 275 million dollars. 275 million dollars.

And this one is firmly attributed to being North Korea. It has all the signs of what previous North Korean crypto heists looked like, as well as the laundering techniques they used after. Now, as if that wasn't enough, March 2022, we saw a new record for the largest cyber heist ever. This time it was on the Ronin Network. The Ronin Network is...

Well, it's hard to describe. There's this NFT game called Axie Infinity, which is like one of the first NFT games out there. And it's also one of the most popular. And to play it, you need to deposit your money into this Ronin network. So there's a lot of money tied up in this bridge network.

The Ronin Bridge in the middle is the conduit. And like any conduit for money, particularly these new types of money, these new crypto assets, it's a target for the hackers. They seem to have discovered some vulnerability here. They were able to take over different nodes in the Ronin Bridge and steal money.

What was valued at the time was $625 million, which I just think we need to take a step back. And I mean, that is, I think, I'm going to go out on a limb here, and I've been trying to get people to call me out on this, but I think it's, from what I can remember, that is the largest single amount of money stolen in a single hack of all time, I think. He's right. $600 million is the largest heist ever.

Ever. It beats the biggest bank robberies, the biggest exit scams, even the biggest crypto heists. And yeah, many security researchers have attributed this attack to be the work of the Lazarus Group. Once again. And if we add all this up, it brings the crypto heists alone to somewhere around $2 billion. And that's not even adding up all the bank robberies they've done. $2 billion stolen by North Korea.

All this is happening. It's confidently being blamed on North Korea. Has North Korea taken credit for any of this and said, yeah, we did do that? Or what's their stance here? No, North Korea has denied any connections to any of these hacks at all. The sort of official publication in North Korea, which is sort of as close as you get really to a government spokesman, certainly that I know of,

has said that these are effectively smears by the US government and its allies trying to besmirch the good name of North Korea. So no, they've denied all of it.

There is one point I'd raise, though, which is sort of speculative and a bit off my patch. But I sort of think of this from a kind of geopolitical diplomacy point of view. If it is the case that North Korea has got this sort of $2 billion that they've stolen, if the investigators are right in their accusations, and if North Korea are having this immense trouble laundering it, which from what we talked about, you know, over this podcast, I think that's fair to say, then there's money sort of sitting out there that if North Korea one day confessed to it, if it is indeed them, they could sort of maybe offer to repatriate it. And at this stage, it'd be worth even more potentially than when they stole it. Could that become part of a sort of diplomatic negotiation in the future, sort of an amnesty, like when criminals sort of, you know,

use returning their assets to try and bargain for a lower sentence? Could it somehow form some part of the diplomatic negotiations? As I say, this is outside my remit as a tech journalist, but I do wonder whether someday this could form part of it. And there is precedent for that. I mean, North Korea had, according to the US government, money in a bank deposit, $25 million worth of money in a bank in Macau. And that money was frozen when the US government took action against that bank. And that frozen money in that bank in Macau became a sort of bargaining chip around the negotiations around nuclear weapons and so on. North Korea said, look, we want that money back and maybe our nuclear negotiations will, you know,

will be affected by whether you give us that money back. In the end, by the way, they got the 25 million back and kept testing nukes and testing missiles. So I guess North Korea won that poker game in the end. But could this stolen cryptocurrency money, this $2 billion, form part of some negotiation or diplomatic solution in the future? I don't know. I'm going out on a limb there, but I think it's an interesting question to consider.

Now, if you recall, the U.S. has indicted a North Korean named Park Jin-hyuk for the attacks on Sony and the Bangladesh Bank. But since then, the U.S. has indicted more people involved with these cyber heists. Yes, there have been multiple indictments around the crypto heists. So there were the two Chinese individuals I talked about earlier who were accused of helping North Korea launder stolen cryptocurrency through bank accounts in China,

and also through iTunes gift cards, bizarrely. Also, in addition to Park Jin-hyuk, the individual who was indicted in September 2018 for Sony, WannaCry and the Bangladesh bank heist, the US have now added accusations against two other people, and they are Jon Chang-hyuk and Kim Il, who, callback to earlier in the episode, the US says is the real name of Tony Walker and Julian Kim, the man who was responsible for setting up Marine Chain. So, according to the US government...

Tony Walker and Julian Kim, this chap who was going on Skype and asking people to kind of help invest in this weird boat coin, marine shipping, cryptocurrency thing, was actually Kim Il, an operative of the North Korean government. So again, you can go on the FBI's Cyber Most Wanted list and take a look at all the pictures of Kim, Park and Jon and take a look at them. I wonder, will it ever stop?

This seems to be working very well for North Korea, so I don't see any reason why they would stop. Are they just going to keep on stealing from people forever? North Korea is trapped in this loop, right? They desperately want to stay at the international table. They want to negotiate with the United States. How does a country of 25 million people that's desperately poor, you know, like Burkina Faso saying they want a meeting with Joe Biden, why on earth would he meet with Burkina Faso?

Well, if Burkina Faso had a nuclear weapon, well, then you'd meet with Burkina Faso. That's the argument. So North Korea are like, we are, our only way in to power is nukes. And that's the decision they've made. Nukes means they get hit with sanctions, means they have no money, but they need money to keep the nukes going. So how do you get the money? Well, then you steal it.

And then you get hit with more sanctions, so you're still short of money, so you steal it. You're just in this loop, this awful, chronic, grinding loop. And what's at the heart of it all is nukes, because nukes is their way to stay at the international table. That's what's motivating North Korean society. It's what's motivating, you know, according to the investigators, all the computer hacks and so on. It's...

It's grinding. And the people, of course, in the wheels of that grinding are North Korea's 25 million citizens who, of course, live in absolute poverty because when the government gets any money, they just spend it on nukes and missiles and propping up the leadership and the cadre of people.

Cryptocurrency is a wild place to be a player in right now. You should expect to be attacked. If it isn't by teenagers trying to break into your email or SIM swap you, then it might be by scammers or people phishing you to try to get into your crypto wallet. And if you're a company with large crypto holdings, then you are probably on North Korea's radar. And when you're being targeted by a nation-state actor, that's a serious amount of defenses that you should be putting in place.

It's a hard game to play in right now. But listen, all the stories Jeff shared with us today, they're all in this book, which he just published, called The Lazarus Heist. And it's great. It's wonderfully written and researched and goes into great detail about all of what the Lazarus Group has been up to. But what we talked about in this episode is just one chapter in that whole book. So if you want to hear more about all the craziness that North Korea is doing, go check out this book, The Lazarus Heist.

A big thank you to Jeff White for coming on the show and telling us about the stories he's been investigating. And I recommend his book, The Lazarus Heist. I have an affiliate link for it in the show notes. This is also the second time I've had Jeff on the show. So if you want to hear another episode with him, go back to episode 72 called The Bangladesh Bank Heist. Or even go back to episode 71 where I interview a North Korean refugee to talk about the information monopoly that the government has on North Korea.

This show is made by me, the brave little CPU, Jack Rhysider. Sound design was created by the memory intensive, Andrew Merriweather. Editing help this episode by the defragged, Damien. And our theme music is by the smoking Breakmaster Cylinder. Oh, I have this great joke I'm working on about documentation, but it's not done yet. This is Darknet Diaries.