Earlier this week, the U.S. Treasury’s Office of Foreign Assets Control (OFAC) sanctioned two Chinese nationals, Tian Yinyin and Li Jiadong, for their role in helping the North Korea-aligned Lazarus Group launder funds stolen in four separate cryptocurrency exchange hacks between 2017 and 2019. OFAC also added 20 cryptocurrency addresses controlled by the pair to its sanctions list as identifiers for Tian and Li, thereby placing prohibitions on transacting with those addresses. At the same time, the Department of Justice (DOJ) filed a civil forfeiture complaint charging Tian and Li with money laundering on Lazarus Group’s behalf, and seeking to seize funds from 93 additional cryptocurrency addresses and accounts.
UPDATE: On March 6, 2020, the DOJ updated its civil forfeiture filing to include another 33 Bitcoin and Ethereum addresses implicated in this money laundering scheme, bringing the total to 146. We have added the new addresses to the full list later in this article, and will update further if U.S. agencies continue to name new addresses or accounts.
We’ve written previously about Lazarus’ cryptocurrency exchange hacks, which experts believe are carried out to fund North Korea’s weapons of mass destruction programs. This week’s news represents an impressive breakthrough in the United States’ efforts against Lazarus Group. Using Chainalysis tools, the U.S. government was able to follow the path of funds Lazarus stole from various exchanges and, despite the complex obfuscation measures taken, uncover enough information to identify two of Lazarus’ China-based money laundering partners. Below, we’ll tell you more about how they cracked the case and the information they uncovered.
How the investigation unfolded
Multiple agencies participated in the investigation, using Chainalysis to trace funds stolen in four separate exchange hacks carried out by Lazarus Group between 2017 and 2019. Lazarus collaborated with Tian and Li to launder the stolen cryptocurrency, conducting hundreds of transactions and forming peel chains to obfuscate the path of funds. In a peel chain, a small amount is split off (“peeled”) at each hop, typically to an exchange deposit address, while the bulk of the balance moves on to a fresh address, so the stolen funds are cashed out in many small pieces over a long series of transactions. We see an example in the Reactor graph below, which shows how Lazarus Group moved funds during one of the 2018 exchange hacks cited in DOJ’s filing.
Funds move from left to right, starting at the victim exchange and then undergoing hundreds of transactions, presumably in an effort to throw law enforcement off the scent. Eventually, Li and Tian consolidated the funds at two exchanges and from there, converted them into Chinese yuan and deposited them into their bank accounts. Li and Tian seem to have circumvented the exchanges’ KYC measures using doctored photos, which you can see below.
Thanks to a combination of blockchain analysis and traditional information gathering, plus information provided by compliant exchanges, investigators were able to identify Tian and Li’s role in the operation despite their efforts to hide their activity.
The cryptocurrency addresses implicated
In total, 146 cryptocurrency addresses and accounts were implicated between the OFAC sanctions and the DOJ civil forfeiture action. Of the 146, 126 are standard cryptocurrency addresses; the remaining 20 are more difficult to categorize, but appear to be identification numbers and login information (e.g. usernames, email addresses) linked to exchange accounts. Forty of the addresses, including all 20 of those added to OFAC’s sanctions list, are deposit addresses at cryptocurrency exchanges. It’s important to keep in mind that the OFAC sanctions and the DOJ filing are two separate actions brought by separate agencies with different goals and evidentiary standards, which may be why DOJ’s filing named more addresses.
In total, Tian Yinyin and Li Jiadong laundered over $100 million worth of stolen cryptocurrency using the 146 addresses and accounts named by both OFAC and the DOJ. Below is the full list:
20 cryptocurrency addresses added to OFAC sanctions list:
73 cryptocurrency addresses named in original DOJ civil forfeiture filing:
33 Bitcoin and Ethereum addresses added to DOJ civil forfeiture filing on 3/6/2020:
20 non-standard cryptocurrency addresses or exchange account ID numbers named in DOJ civil forfeiture filing:
User ID 35802038 at VCE10
User ID 35977393 at VCE10
User ID 35978286 at VCE10
User ID 36020326 at VCE10
User ID 38785599 at VCE10
User ID 9fdbd2ca-3994-411b-9ddb-f5318b63049d at VCE3
VCE12 internal transaction ID Fnc4bjm7ehwhdk6h4d
VCE12 internal transaction ID pd7e8fxxkuy2gfge7f
Account 1000021204 at VCE6
Account 1000079600 at VCE6
User IDs 1473600 & 14736005 at VCE5
User IDs 458281 & 4582819 at VCE5
User k*****@****** at VCE1
User 881051 at VCE7
Account 14166934 at VCE 11
Account 14166961 at VCE 11
Account 14167009 at VCE 11
User DavidniColinDC3 at VCE4
User Ep4444 at VCE4
User Sma414 at VCE4
Next steps for Chainalysis
As soon as we received the news Monday, we tagged the specific addresses mentioned in the OFAC sanctions as sanctioned entities and those in the DOJ filing as stolen funds in all of our products. Within 24 hours, we also sent alerts to any of our Chainalysis KYT clients with historic exposure to these addresses. Any future transactions involving these addresses will, of course, also generate alerts to clients with exposure.
We’re currently working with clients who have either hosted or previously transacted with the relevant addresses. Our goal is to help them identify information relevant to this case and understand how they can improve their KYC procedures to prevent this kind of activity in the future. Chainalysis is working to identify any further addresses associated with this laundering activity, and we will continually update labels in our products to reflect the latest information and inform customers of any exposure they may have.
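As an added illustration (not Chainalysis code, data or product logic), the following Python models the two ideas this post describes: following a peel chain from a seed address, as in the “How the investigation unfolded” section, by treating the largest output of each hop as the change continuation and the smaller outputs as peels, and then screening a client’s deposit addresses for direct and indirect exposure to a flagged address set, as in the alerting described above. The ledger, the addresses (`hack0`, `chg1`, `dep1`, …) and the `FLAGGED` set are constructed for the example and stand in for real chain data and the OFAC/DOJ lists.

```python
"""Peel-chain tracing and exposure screening over a constructed toy ledger.

Added example, not Chainalysis code. Every address and transaction below is
made up for illustration; FLAGGED stands in for a sanctions/stolen-funds list.
"""
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: tuple[str, ...]                  # addresses spent by this transaction
    outputs: tuple[tuple[str, float], ...]   # (receiving address, amount)


# Constructed ledger: "hack0" holds the stolen balance. Each hop peels a small
# amount to an exchange deposit address ("depN") and sends the remainder to a
# fresh change address ("chgN"). "other_*" is unrelated traffic; t5 is the
# exchange sweeping a deposit into its hot wallet.
LEDGER = [
    Tx("t1", ("hack0",), (("dep1", 5.0), ("chg1", 95.0))),
    Tx("t2", ("chg1",), (("dep2", 4.0), ("chg2", 91.0))),
    Tx("t3", ("chg2",), (("dep3", 6.0), ("chg3", 85.0))),
    Tx("t4", ("other_a",), (("other_b", 1.0), ("other_c", 2.0))),
    Tx("t5", ("dep3",), (("hot_wallet", 6.0),)),
]

# Hypothetical flagged set (stands in for the OFAC/DOJ-named addresses).
FLAGGED = {"hack0"}


def spends_index(ledger):
    """Map each address to the transactions that spend from it."""
    idx = defaultdict(list)
    for tx in ledger:
        for addr in tx.inputs:
            idx[addr].append(tx)
    return idx


def follow_peel_chain(ledger, seed, max_hops=50):
    """Follow a peel chain starting at `seed`.

    Heuristic: at each hop the largest output is the continuation (change) and
    every smaller output is a peel. Returns (hops, peels): hops is a list of
    (txid, change_address, change_amount); peels is the set of addresses that
    received peeled-off funds. Stops at an unspent address, at an address spent
    by more than one transaction (not a clean chain), or at a single-output tx.
    """
    idx = spends_index(ledger)
    hops, peels = [], set()
    current = seed
    for _ in range(max_hops):
        spending = idx.get(current)
        if not spending or len(spending) != 1:
            break
        tx = spending[0]
        if len(tx.outputs) < 2:
            break
        ordered = sorted(tx.outputs, key=lambda o: o[1], reverse=True)
        change_addr, change_amt = ordered[0]
        peels.update(addr for addr, _ in ordered[1:])
        hops.append((tx.txid, change_addr, change_amt))
        current = change_addr
    return hops, peels


def screen_exposure(ledger, flagged, max_hops=5):
    """Forward-trace from flagged addresses; return {address: hop distance}.

    Distance 1 is direct exposure (funds received straight from a flagged
    address); larger distances are indirect exposure through intermediaries.
    Addresses further than `max_hops` away are not reported.
    """
    idx = spends_index(ledger)
    distance = {}
    seen = set(flagged)
    queue = deque((addr, 0) for addr in flagged)
    while queue:
        addr, d = queue.popleft()
        if d >= max_hops:
            continue
        for tx in idx.get(addr, ()):
            for out_addr, _ in tx.outputs:
                if out_addr not in seen:
                    seen.add(out_addr)
                    distance[out_addr] = d + 1
                    queue.append((out_addr, d + 1))
    return distance


def alerts_for(deposit_addresses, exposure):
    """Which of a client's deposit addresses have exposure, and at what distance."""
    return {a: exposure[a] for a in deposit_addresses if a in exposure}


if __name__ == "__main__":
    hops, peels = follow_peel_chain(LEDGER, "hack0")
    print("peel chain hops:", hops)
    print("peeled to:", sorted(peels))
    exposure = screen_exposure(LEDGER, FLAGGED)
    # A hypothetical exchange client hosting dep2, dep3 and other_c:
    print("alerts:", alerts_for(["dep2", "dep3", "other_c"], exposure))
```

The largest-output heuristic is deliberately simple: real peel chains are identified with additional signals (timing, address-type consistency, known exchange-deposit labels), and the exposure trace here counts hops rather than weighting by amount, which a production screening tool would do before deciding what merits an alert.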