US Government Sanctions Two Chinese Nationals in Connection With Lazarus Group Hack

The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned two Chinese nationals accused of laundering cryptocurrency that was stolen in a 2018 crypto exchange hack. At the same time, the Department of Justice announced an indictment for money laundering against the same two individuals.

Their activity is linked to Lazarus Group, a hacking group allegedly connected to the North Korean government. OFAC accuses Yinyin Tian and Juiadong Li of assisting “a malicious cyber-enabled activity.” Secretary Steven Mnuchin gave the following statement:

“The North Korean regime has continued its widespread campaign of extensive cyber-attacks on financial institutions to steal funds. The United States will continue to protect the global financial system by holding accountable those who help North Korea engage in cyber-crime.”

Stole $250 million, Laundered $100 million

On the separate Department of Justice charges, Assistant Attorney General Brian A. Benczkowski of the Justice Department’s Criminal Division commented:

“These defendants allegedly laundered over a hundred million dollars worth of stolen cryptocurrency to obscure transactions for the benefit of actors based in North Korea. Today's actions underscore that the Department will pierce the veil of anonymity provided by cryptocurrencies to hold criminals accountable, no matter where they are located.”

The indictment alleges that “the North Korean co-conspirators,” in 2018, stole $250 million worth of cryptocurrency from an exchange (may refer to the Coincheck hack); and that Tian Yinyin and Li Juiadong managed to launder $100 million worth of cryptocurrency between December 2017 and April 2019 for their North Korean accomplices.

UpBit?

According to the documents, “the North Korean co-conspirators” are also responsible for the hacking of a South Korean exchange in November of 2019, stealing $48.5 million worth of cryptocurrency — likely, a reference to the UpBit hacking, which had roughly the same amount of Ether stolen at the same time.

According to the Department of Justice’s press release:

“The civil forfeiture complaint specifically names 113 virtual currency accounts and addresses that were used by the defendants and unnamed co-conspirators to launder funds. The forfeiture complaint seeks to recover the funds, a portion of which has already been seized.”

20 address vs. 113 addresses

The civil forfeiture complaint lists 113 cryptocurrencies “accounts and addresses that were used by the defendants and unnamed co-conspirators to launder funds. The forfeiture complaint seeks to recover the funds, a portion of which has already been seized.”

However, the OFAC has added only 20 bitcoin addresses to its Specially Designated Nationals list. Twelve are linked with Juiadong Li, while eight with Yinyin Tian.

Currently, none of those 20 addresses hold any bitcoins. However, all of these addresses seem to belong to just five wallets, that hold 139411.6022 BTC. One of those wallets is identified by two separate wallet explorers as being on the Huobi exchange — though it is of course possible that both resources have misattributed it.

It is unclear at this time why OFAC only added 20 addresses to the list if the Department of Justice knows of 113 crypto addresses and accounts connected with the accused.

US Treasury Sanctions North Korean Hacker Groups for Cyber Attacks   Sept. 13, 2019
Crypto's impact on sanctions: Are regulators' concerns justified?   Nov. 30, 2021
North Korea-obsessed Ethereum dev gets 5 years for breaking sanctions   April 13, 2022
US Treasury Dept sanctions 3 Ethereum addresses allegedly linked to North Korea   April 22, 2022
Proactive sanctions can help spare the ecosystem: Chainalysis exec   Dec. 7, 2022