The United States Department of the Treasury took decisive action on September 13, 2019, sanctioning two Chinese nationals for their roles in laundering cryptocurrency stolen by North Korean state-sponsored hacking groups. The move marked a significant escalation in the US government’s efforts to combat the Democratic People’s Republic of Korea’s (DPRK) growing use of cybercrime to fund its regime.
TL;DR
- The US Treasury’s OFAC sanctioned Chinese nationals Tian Yinyin and Li Jiadong for laundering stolen cryptocurrency
- The pair received approximately $91 million from a devastating April 2018 crypto exchange hack
- Lazarus Group stole the equivalent of $250 million in the April 2018 attack alone
- Tian converted nearly $1.4 million in Bitcoin into Apple iTunes gift cards to obscure the funds
- The action identified Lazarus Group, Bluenoroff, and Andariel as North Korean government entities
Treasury Crackdown on North Korean Cybercrime Networks
The Office of Foreign Assets Control (OFAC) designated Tian Yinyin and Li Jiadong pursuant to Executive Orders 13694 and 13722, freezing any assets they held under US jurisdiction and prohibiting American citizens from engaging in transactions with them. Treasury Secretary Steven T. Mnuchin delivered a blunt message: “The United States will continue to protect the global financial system by holding accountable those who help North Korea engage in cyber-crime.”
The sanctions were the result of close coordination between OFAC, the US Attorney’s Office for the District of Columbia, and the Internal Revenue Service’s Criminal Investigation Division. Foreign financial institutions that knowingly facilitated significant transactions for the designated individuals could also face correspondent account sanctions under US law.
The $250 Million Exchange Heist
At the center of the enforcement action was a devastating April 2018 cyber intrusion. An employee of an unnamed cryptocurrency exchange unwittingly downloaded DPRK-attributed malware through a phishing email, granting malicious cyber actors remote access to the platform. The hackers exploited this access to steal private keys used to access virtual currency wallets stored on the exchange’s servers.
The result was staggering: the equivalent of $250 million in virtual currencies was stolen in a single attack. This one incident accounted for nearly half of the DPRK’s estimated virtual currency heists for the entire year of 2018, underscoring the scale and sophistication of North Korea’s cyber operations.
Gift Card Laundering Exposes Creative Tactics
Perhaps the most striking detail in the Treasury’s announcement was the laundering method employed by Tian Yinyin. After receiving approximately $91 million in stolen funds from the April 2018 hack and an additional $9.5 million from a separate exchange breach, Tian moved the equivalent of more than $34 million through a newly added bank account linked to his exchange account.
But Tian’s most creative maneuver involved converting nearly $1.4 million worth of Bitcoin into prepaid Apple iTunes gift cards. At certain exchanges, these gift cards could be used to purchase additional Bitcoin, creating a complex layering scheme designed to obscure the origin of the illicit funds. The tactic highlighted the evolving sophistication of money laundering methods in the cryptocurrency space and the challenges regulators faced in tracing stolen digital assets.
North Korean Hacking Groups Officially Identified as State Entities
In addition to the individual sanctions, the Treasury formally identified three North Korean hacking groups — Lazarus Group, Bluenoroff, and Andariel — as agencies, instrumentalities, or controlled entities of the Government of North Korea. This designation, made pursuant to Executive Order 13722, provided a clear legal framework for future enforcement actions against anyone providing material support to these groups.
The DPRK has long been accused of training cyber actors to target financial institutions and launder stolen funds. The September 2019 action was one of the most detailed public disclosures of North Korean cryptocurrency theft operations to date, revealing not just the scale of the thefts but the intricate methods used to move and disguise the proceeds.
Why This Matters
This Treasury action was a watershed moment in the intersection of cryptocurrency and national security. With Bitcoin trading around $10,360 at the time, the sheer scale of the stolen funds — hundreds of millions of dollars — demonstrated that cryptocurrency had become a primary target for state-sponsored cybercrime. The use of gift cards as a laundering vehicle showed that bad actors were developing increasingly creative methods to exploit the pseudo-anonymous nature of digital assets. For the crypto industry, the sanctions served as a stark reminder that regulatory scrutiny was intensifying, and exchanges would need to strengthen their security and compliance infrastructure or risk becoming vectors for state-sponsored financial crime.