
Crime Pays in Crypto

Categories : Cash does not require a technology infrastructure, Cash generates security, Cash protects privacy and anonymity
June 17, 2021
Tags : Cryptocurrency, Hacking, North Korea, Privacy and anonymity, United States
Some crypto exchanges are not diligent in safekeeping users’ funds. Hackers employ platforms to obscure the destination of their ransoms. North Korean hackers have targeted exchanges in Hong Kong and South Korea.
Manuel A. Bautista-González

Ph.D. in U.S. History, Columbia University in the City of New York

Post-Doctoral Researcher in Global Correspondent Banking, 1870-2000 – Mexico and South America, University of Oxford

This post is also available in: Spanish

Excess liquidity from the expansive monetary policies adopted to counteract the recessive effects of the Covid-19 pandemic, combined with markets' irrational exuberance, has produced a second bitcoin-cum-cryptocurrencies boom. As a result, the global market capitalization of cryptocurrencies has grown 1,153.41%, from US$142.89 billion on March 11, 2020 (the day President Trump announced the suspension of air travel between the United States and Europe because of the pandemic) to US$1.72 trillion on June 16, 2021 (see Graph 1).

Graph 1. Global Market Capitalization of Cryptocurrencies, March 1, 2020-June 16, 2021 (trillions of U.S. dollars)

Despite bullish media narratives and crypto fandoms, cryptocurrencies are far from being adopted in retail payments. Leaving aside the question of whether a “currency” with a highly volatile value can be used as means of payment for things other than digital assets such as non-fungible tokens (NFTs), retail investors often join crypto transfer platforms and trading exchanges with little to no knowledge about their security failures. Old and new reports detail misbehavior, fraud, and open criminality committed by and enabled by crypto platforms.

When the Custodian Doesn’t Custody: The Fall of Mt. Gox

One of the oldest examples of a crypto exchange going rogue is Mt. Gox, a Tokyo-based exchange that collapsed in 2014. Shortly after filing for bankruptcy, Mt. Gox announced that it had "lost" 750,000 bitcoins belonging to customers and more than 100,000 of its own, together worth more than US$450 million at the time.

Bitcoins started disappearing from Mt. Gox in 2011. Kim Nilsson, a researcher with WizSec, a computer security firm, said that the “unfortunate reality of Bitcoin is that it’s just so tempting to steal it digitally.” In 2015, Japanese authorities arrested Mark Karpeles, the French head of Mt. Gox, on suspicion of illicitly falsifying data on outstanding balances held by the exchange.

Turkish Crypto Platform Suspends Operations Amid Fraud Accusations

In mid-April 2021, Turkish authorities suspended the operations of Thodex, a cryptocurrency trading platform, amid fraud accusations. The Thodex platform had nearly 400,000 active users and holdings of almost US$2 billion.

Thodex's founder, Faruk Fatih Ozer, left Turkey for Albania. Ozer said Thodex had locked users out of their accounts because of a cyberattack. Many people in Turkey have resorted to holding their savings in cryptocurrencies, given the depreciation of the Turkish lira and accelerating inflation. Only on April 16, the central bank of Turkey had banned the use of crypto assets in payments.

The Digital Wallets of Ransomware Attackers

Cryptocurrencies such as bitcoin let anyone receive funds at a freshly generated address, with no bank account, identity check or intermediary able to block or reverse the transfer, which makes them the favoured payment instrument of cybercriminals. The transfers themselves are recorded on a public ledger and can be followed, as the Colonial Pipeline case below shows, but linking an address to a person still depends on where the coins are eventually cashed out. Cybersecurity experts say that the ease of collecting ransoms in cryptocurrencies has increased the frequency of ransomware attacks in recent years.

Two recent examples have occurred with the attacks against Colonial Pipeline (operator of one of the largest U.S. pipelines, carrying refined gasoline and jet fuel from Texas to New York) and Ireland’s Health Service Executive (HSE). A spokeswoman for the HSE confirmed that the HSE hackers sought a ransom in bitcoins and that it “won’t be paid in line with state policy.”

Colonial Pipeline paid its extortionists 75 bitcoins (roughly US$4.4 million at the time) to obtain the decryption tool for its locked systems. Tom Robinson, co-founder and chief scientist at the blockchain-analytics firm Elliptic, revealed that the firm followed Colonial Pipeline's payment to the criminal group DarkSide. Elliptic's analysis shows that the hackers' digital wallet had been active since March 2021, having "received 57 payments from 21 different wallets […] with a total value of US$17.5 million."

According to Robinson, DarkSide’s wallet shipped 18% of the bitcoins to other crypto exchanges and 4% to Hydra, “the world’s largest darknet marketplace, servicing customers in Russia and neighboring countries… [offering] cash-out services alongside narcotics, hacking tools, and fake IDs. These allow bitcoin to be converted into gift vouchers, prepaid debit cards, or cash rubles.”

The U.S. Department of Justice (DOJ) has since announced that it recovered US$2.3 million worth of bitcoin out of the US$4.4 million ransom that Colonial had paid to DarkSide. According to the DOJ, the Federal Bureau of Investigation (FBI) had obtained the private key controlling the bitcoin address to which part of the ransom had been forwarded, allowing it to seize the funds (63.7 bitcoins, worth less in dollars than at the time of the ransom because the price of bitcoin had fallen in the meantime).

North Korean Hackers Target Crypto Exchanges

In 2019, a panel of experts reporting to the U.N. Security Council estimated that North Korean hackers had raised almost US$2 billion in several cyber heists. In addition, a recent report by Ed Caesar in The New Yorker on North Korean cybercrime has highlighted the regime's reliance on cryptocurrency thefts to obtain hard currency despite U.N. and U.S. sanctions. According to Jesse Spiro, cryptocurrency-crime researcher and head of policy initiatives at Chainalysis, North Korean hackers have stolen at least US$1.75 billion in digital coins from trading exchanges. That amount could cover nearly 10% of the country's defense budget.

North Korean hackers usually target employees with admin-level credentials and access to the exchange's "hot wallets": the online wallets that pool customers' coins so that withdrawals can be processed immediately, as opposed to offline "cold" storage. Whoever controls a hot wallet's keys can move its entire balance in a single transaction. "Once the funds have moved out of the exchange, you can't reverse those transactions, like you can maybe with a traditional bank payment. Once they're gone, they're gone," said Tom Robinson, Elliptic's co-founder.

In 2018, North Korean hackers targeted employees at a crypto trading platform in Hong Kong. They stole 10,008 bitcoins, then valued at US$94 million and now worth more than half a billion U.S. dollars. The hackers split the bitcoins into dozens of small amounts and sent them to different crypto exchanges to hamper tracing. Using fake identities, two Chinese nationals cashed out the coins and deposited the funds in Chinese banks. By August 2019, Bithumb, a South Korean exchange and one of the largest in the world, had been hacked four times.
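The analyses quoted above, Elliptic's count of payments into DarkSide's wallet and the shares it forwarded to exchanges and to Hydra, and the splitting of the Hong Kong loot into many small amounts sent to different exchanges, rest on the same technique: reading the public ledger and following outputs hop by hop until they reach an address an analyst has already attributed. The block below is an added example (not code from CashEssentials, Elliptic or Chainalysis) of that tracing over a constructed transaction set; it summarises inbound payments, attributes outflows to labelled cash-out points, and flags the fan-out pattern. The addresses, amounts and labels are invented, each transaction is simplified to a single input address, and fees are ignored.

```python
"""Following ransom funds through constructed bitcoin transactions.

Added example (not code from CashEssentials, Elliptic or Chainalysis).  It
shows the analyses described in the text: summarising what a criminal wallet
received (payments, distinct payers, total), following the outflow hop by hop
until it lands at a labelled cash-out point such as an exchange or a darknet
market, and flagging the fan-out pattern used to split loot into many small
amounts.  The transactions, addresses and labels are constructed; each
transaction is simplified to one input address and fees are ignored.
"""
from collections import defaultdict
from typing import Dict, List

# Constructed transaction set: {"id", "inputs": [addr], "outputs": [(addr, btc)]}
SAMPLE_TXS = [
    {"id": "t0", "inputs": ["victim-1"], "outputs": [("ransom-addr", 75.0)]},
    {"id": "t1", "inputs": ["victim-2"], "outputs": [("ransom-addr", 10.0)]},
    {"id": "t2", "inputs": ["victim-1"], "outputs": [("ransom-addr", 5.0)]},
    # first hop: an intermediary, a darknet-market deposit and a large remainder
    {"id": "t3", "inputs": ["ransom-addr"],
     "outputs": [("mid-a", 18.0), ("market-deposit", 3.6), ("mid-c", 68.4)]},
    {"id": "t4", "inputs": ["mid-a"], "outputs": [("exch-x-deposit", 18.0)]},
    # fan-out: the remainder is sliced into six equal parts
    {"id": "t5", "inputs": ["mid-c"],
     "outputs": [(f"slice-{i}", 11.4) for i in range(6)]},
    {"id": "t6", "inputs": ["slice-0"], "outputs": [("exch-y-deposit", 11.4)]},
    {"id": "t7", "inputs": ["slice-1"], "outputs": [("exch-z-deposit", 11.4)]},
]

# Attribution labels an analyst maintains for known deposit addresses (constructed)
LABELS = {
    "market-deposit": "darknet",
    "exch-x-deposit": "exchange",
    "exch-y-deposit": "exchange",
    "exch-z-deposit": "exchange",
}


def inbound_summary(txs: List[dict], addr: str) -> Dict[str, float]:
    """Payments into addr: how many, from how many distinct addresses, and total."""
    paying = [tx for tx in txs if any(to == addr for to, _ in tx["outputs"])]
    total = sum(amt for tx in paying for to, amt in tx["outputs"] if to == addr)
    senders = {a for tx in paying for a in tx["inputs"]}
    return {"payments": len(paying), "senders": len(senders), "total_btc": total}


def follow_funds(txs: List[dict], start: str, labels: Dict[str, str],
                 max_hops: int = 8) -> Dict[str, float]:
    """Attribute the value leaving `start` to a label, 'unspent' or 'unresolved'.

    Depth-first over spending transactions.  A labelled address is terminal:
    value reaching it is counted under its label and not followed further.
    An address with no spending transaction counts as unspent; hitting the hop
    limit counts as unresolved.  Caveat: value arriving at a traced address
    from outside the flow is attributed too (simple "poison" tainting).
    """
    spends = defaultdict(list)
    for tx in txs:
        for a in tx["inputs"]:
            spends[a].append(tx)

    reached: Dict[str, float] = defaultdict(float)
    stack = [(start, inbound_summary(txs, start)["total_btc"], 0)]
    while stack:
        addr, amount, hop = stack.pop()
        if addr != start and addr in labels:
            reached[labels[addr]] += amount
            continue
        if hop >= max_hops:
            reached["unresolved"] += amount
            continue
        if not spends.get(addr):
            reached["unspent"] += amount
            continue
        for tx in spends[addr]:
            for to, amt in tx["outputs"]:
                stack.append((to, amt, hop + 1))
    return dict(reached)


def flag_fanout(txs: List[dict], min_outputs: int = 5,
                max_share: float = 0.25) -> List[str]:
    """Ids of transactions that split value into many comparably small outputs."""
    flagged = []
    for tx in txs:
        total = sum(amt for _, amt in tx["outputs"])
        if total > 0 and len(tx["outputs"]) >= min_outputs and \
                all(amt / total <= max_share for _, amt in tx["outputs"]):
            flagged.append(tx["id"])
    return flagged


def trace_report(txs: List[dict], start: str, labels: Dict[str, str]) -> Dict[str, object]:
    """Combine the analyses into the kind of summary an analyst publishes."""
    inbound = inbound_summary(txs, start)
    reached = follow_funds(txs, start, labels)
    total = inbound["total_btc"]
    return {
        **inbound,
        "shares": {k: round(v / total, 4) for k, v in reached.items()},
        "fanout_txs": flag_fanout(txs),
    }


if __name__ == "__main__":
    print(trace_report(SAMPLE_TXS, "ransom-addr", LABELS))
```

On the constructed data the report says the wallet received three payments from two payers, that 4% of the outflow reached a darknet-market deposit and about 45% reached exchange deposits, and that t5 is the fan-out transaction. The "unspent" share is what an analyst watches next: the four untouched slices are the funds that will move when the thieves try to cash out, and the exchange labels are the point where a subpoena or a freeze request can still land.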

House of Bits: Robbing Digital Wallets Becomes the New Bank Heist

In February 2021, the U.S. Justice Department unsealed charges against three North Korean hackers accused of conspiring to steal more than US$1.3 billion in cash and cryptocurrency. The hackers are alleged to have actually obtained at least US$190 million, mostly from exchanges.

"North Korea's operatives, using keyboards rather than guns, stealing digital wallets of cryptocurrency instead of sacks of cash, have become the world's leading bank robbers," said John C. Demers, assistant attorney general for national security. That same month, a preliminary U.N. inquiry suggested that North Korea was behind the US$281 million theft of cryptocurrencies from Seychelles-based KuCoin. So far in 2021, crypto exchanges around the world have been hacked 15 times, according to Spiro.

A draft report by a U.N. expert panel asserts that North Korea stole US$316 million from cryptocurrency exchanges in 2019 and 2020, per Nikkei Asia. In addition, the United Nations Office on Drugs and Crime report on “Darknet Cybercrime Threats to Southeast Asia” has recently detailed how cryptocurrencies have enabled cybercrime in darknet marketplaces (UNODC 2021: 3).
