The United States Department of the Treasury took decisive action on September 13, 2019, sanctioning two Chinese nationals for their roles in laundering cryptocurrency stolen by North Korean state-sponsored hacking groups. The move marked a significant escalation in the US government’s efforts to combat the Democratic People’s Republic of Korea’s (DPRK) growing use of cybercrime to fund its regime.
TL;DR
- The US Treasury’s OFAC sanctioned Chinese nationals Tian Yinyin and Li Jiadong for laundering stolen cryptocurrency
- The pair received approximately $91 million from a devastating April 2018 crypto exchange hack
- Lazarus Group stole the equivalent of $250 million in the April 2018 attack alone
- Tian converted nearly $1.4 million in Bitcoin into Apple iTunes gift cards to obscure the funds
- The action identified Lazarus Group, Bluenoroff, and Andariel as North Korean government entities
Treasury Crackdown on North Korean Cybercrime Networks
The Office of Foreign Assets Control (OFAC) designated Tian Yinyin and Li Jiadong pursuant to Executive Orders 13694 and 13722, freezing any assets they held under US jurisdiction and prohibiting American citizens from engaging in transactions with them. Treasury Secretary Steven T. Mnuchin delivered a blunt message: “The United States will continue to protect the global financial system by holding accountable those who help North Korea engage in cyber-crime.”
The sanctions were the result of close coordination between OFAC, the US Attorney’s Office for the District of Columbia, and the Internal Revenue Service’s Criminal Investigation Division. Foreign financial institutions that knowingly facilitated significant transactions for the designated individuals could also face correspondent account sanctions under US law.
The $250 Million Exchange Heist
At the center of the enforcement action was a devastating April 2018 cyber intrusion. An employee of an unnamed cryptocurrency exchange unwittingly downloaded DPRK-attributed malware through a phishing email, granting malicious cyber actors remote access to the platform. The hackers exploited this access to steal private keys used to access virtual currency wallets stored on the exchange’s servers.
The result was staggering: the equivalent of $250 million in virtual currencies was stolen in a single attack. This one incident accounted for nearly half of the DPRK’s estimated virtual currency heists for the entire year of 2018, underscoring the scale and sophistication of North Korea’s cyber operations.
Gift Card Laundering Exposes Creative Tactics
Perhaps the most striking detail in the Treasury’s announcement was the laundering method employed by Tian Yinyin. After receiving approximately $91 million in stolen funds from the April 2018 hack and an additional $9.5 million from a separate exchange breach, Tian moved the equivalent of more than $34 million through a newly added bank account linked to his exchange account.
But Tian’s most creative maneuver involved converting nearly $1.4 million worth of Bitcoin into prepaid Apple iTunes gift cards. At certain exchanges, these gift cards could be used to purchase additional Bitcoin, creating a complex layering scheme designed to obscure the origin of the illicit funds. The tactic highlighted the evolving sophistication of money laundering methods in the cryptocurrency space and the challenges regulators faced in tracing stolen digital assets.
North Korean Hacking Groups Officially Identified as State Entities
In addition to the individual sanctions, the Treasury formally identified three North Korean hacking groups — Lazarus Group, Bluenoroff, and Andariel — as agencies, instrumentalities, or controlled entities of the Government of North Korea. This designation, made pursuant to Executive Order 13722, provided a clear legal framework for future enforcement actions against anyone providing material support to these groups.
The DPRK has long been accused of training cyber actors to target financial institutions and launder stolen funds. The September 2019 action was one of the most detailed public disclosures of North Korean cryptocurrency theft operations to date, revealing not just the scale of the thefts but the intricate methods used to move and disguise the proceeds.
Why This Matters
This Treasury action was a watershed moment in the intersection of cryptocurrency and national security. With Bitcoin trading around $10,360 at the time, the sheer scale of the stolen funds — hundreds of millions of dollars — demonstrated that cryptocurrency had become a primary target for state-sponsored cybercrime. The use of gift cards as a laundering vehicle showed that bad actors were developing increasingly creative methods to exploit the pseudo-anonymous nature of digital assets. For the crypto industry, the sanctions served as a stark reminder that regulatory scrutiny was intensifying, and exchanges would need to strengthen their security and compliance infrastructure or risk becoming vectors for state-sponsored financial crime.
Tian Yinyin and Li Jiadong converting $1.4M into iTunes gift cards out of $91M laundered. wonder how much they actually walked away with before Treasury caught on
probably not much, the laundering trail gets harder after the first hop. still wild that apple gift cards were the vehicle lol
Lazarus Group has been running these operations for years and exchanges still can't block them. $250M from one hack is insane
Lazarus has been running these ops since 2017 and the playbook barely changed. exchanges need real-time sanctions screening not just post-hoc compliance
$91M laundered and they used iTunes gift cards for $1.4M of it. the sophistication gap between the hack and the cashout is hilarious
treasury sanctions are reactive. lazarus had already moved the funds through mixers and bridges before tian and li were identified. the horse left the barn months earlier
treasury sanctions are always 6-12 months behind. by the time they identified Tian and Li the BTC was already through 3 mixers and 2 cross-chain bridges
converting btc to apple gift cards is such a low-tech laundering method. the fact it worked for $1.4M says more about gift card platforms than the hackers' sophistication
apple gift cards are the crypto laundering equivalent of using a paper plate as a shield. the fact it worked for $1.4M shows how little KYC gift card platforms actually do