Episode Show Notes



JACK: Ocean’s Eleven was a cool movie, an elaborately-planned casino heist where the thieves were trying to steal millions of dollars in cash by bypassing all kinds of physical security and tricking the guards. It was a thrill to watch, but I wonder if the great heist films are coming to an end, because the largest robberies are all done over computers now, and it’s just not visually stimulating to watch someone sit at a computer pushing buttons, transferring money from one account to another. But even if it was, does it sound interesting if Fast and the Furious 27 was all about who could pull off the best NFT scam? Or what if Reservoir Dogs was remade and instead of stealing jewelry, they tried to steal the private key to someone’s Dogecoin wallet; Reservoir Doge? [INTRO MUSIC] Or what if there was a Lock, Stock, and Two Smoking ICO Scams? I don’t know, maybe this is the future of heist films because art imitates life, and cryptocurrency heists are where the biggest thieves are playing today. (INTRO): These are true stories from the dark side of the internet. I’m Jack Rhysider. This is Darknet Diaries. [INTRO MUSIC ENDS]

JACK: Alright, so, who are you and what do you do?

GEOFF: So, I’m Geoff White and I’m an author and investigative journalist.

JACK: Geoff is a fantastic investigative journalist doing a lot of work for the BBC, and he’s been tracking a particular story for a while now, and I’m fascinated with it. So, I wanted to bring him in here to talk about what he’s been looking into. The story starts with NiceHash.

GEOFF: [MUSIC] NiceHash is a cryptocurrency business.

JACK: I’ve actually used this service before; it’s a Bitcoin mining pool and it’s based out of Slovenia. Mining Bitcoin by yourself is hard to get any rewards, but if you pool your resources with other miners, you get a much bigger chance of making some money from it. So, with NiceHash, all these Bitcoin miners pool their resources together to make more money for mining. The service was one of the most popular Bitcoin mining pools in 2017, which means it made a lot of money. It would just keep a small fee and then issue the payouts to all the miners.

GEOFF: It’s December 4th, 2017. Employees at NiceHash start to get phishing e-mails sent to them, which is the classic way in, of course. Around this time, lots of phishing e-mails were targeting lots of people at lots of cryptocurrency businesses. Sooner or later, because it’s a numbers game, it seems somebody at NiceHash inadvertently clicked on the e-mail, opened the link, opened the attachment, and got themselves infected.

JACK: [MUSIC] The attackers used the malware to get into the employee’s computer, and from there they burrowed their way deeper into the NiceHash network, pivoting and escalating their privileges, and this particular attacker was looking for a very specific thing; NiceHash’s Bitcoin wallet private keys. If they could manage to get their hands on the private key, they could empty NiceHash’s wallet entirely and maybe some of the customers’ wallets too, because when NiceHash paid out the people in the mining pool, some people just kept their money at NiceHash, accumulating Bitcoin but not cashing it out. There were a lot of users who were not cashing out their Bitcoin that they earned; maybe they’d come in once a month and transfer their coins outta there. But this attacker got into NiceHash’s systems and found where the private keys were for the Bitcoin wallets and just drained everything they could out of it, stealing a lot of money from NiceHash. Do we know how much they took?

GEOFF: Yes and no, which sounds like a peculiar answer to give. We know the point it was hacked. This was in December 2017; they transferred out Bitcoins worth about $75 million. So, the reason I’m saying no, we don’t know how much it was worth, was because at this time you’ll remember Bitcoin’s value was swinging absolutely massively, so this was the era when it was peaking, I think, at about $20,000 per Bitcoin. So, at the time of the hack, it was about $75 million. Subsequently it might have been less, but in the intervening years, it will have been more. All we can do is a snapshot of time at the time; $75 million.

JACK: $75 million in Bitcoin stolen, gone just like that. That’s a lot of money. I mean, that’s bigger than any bank robbery ever in the US.

GEOFF: Largest theft in the history of Slovenia, according to somebody who worked for NiceHash at the time. So, certainly in Slovenian terms, an absolute mega-haul.

JACK: The thing about cryptocurrency is once it’s stolen, it’s gone. There’s no way to reverse the charge or call the bank and say hey, this was stolen; please freeze the account that stole it. No; Bitcoin is a type of currency that’s decentralized, meaning there’s no central controlling entity or place or person that you can call for help.

GEOFF: So, NiceHash starts investigating. They’re obviously trying to trace down the money. Obviously, NiceHash is full of very clever people who do cryptocurrency all the time, so part of their effort is to try and trace where the cryptocurrency is going, to try and keep track of it, and as a lot of your listeners will be very familiar with, there’s now a game of cat-and-mouse. The hackers start to move the transactions through, move the money through to different cryptocurrency wallets, possibly into different types of cryptocurrency, so swapping it from Bitcoin into other cryptocurrencies, and the investigators at NiceHash initially are pursuing it and trying to keep track of it and trying to keep track of where this money goes, which gets increasingly more complicated the more efforts the hackers make to move it around. Sooner or later this crosses the radar, it seems, of US investigators, almost certainly the FBI, who get involved and start trying to do that tracing effort as well, because pretty soon the US government and the FBI have a sense of who’s behind this hack and how serious it might actually be.

JACK: You know, do you have any real – any understanding of why the FBI would be investigating a Slovenia company?

GEOFF: Yes. The FBI are constantly on the lookout for leads on investigations that they’re running, so the FBI have, for a long period of time, been tracking various cyber-crime gangs, and they’re quite canny. Across the world, whenever there’s a computer hack, particularly if it’s a cryptocurrency exchange attack and the FBI have been tracking a cryptocurrency exchange gang, they will start to look at that and think hang on, does this have any of the indicators, does it have any of the likely fingerprints connecting it to an investigation we’re already running? We’ve seen this before in the case of the attack on Sony Pictures Entertainment back in 2015. Subsequent to that, another attack by the same gang on Bangladesh Bank, the central bank of Bangladesh. The FBI start looking at that and thinking hang on, we’re seeing some commonalities. So, the FBI are constantly scanning around the world, aware that the hackers that they’re chasing can be operating in almost any country around the world, and trying to connect the dots between fresh attacks and fresh cyber-attacks and ones that the FBI’s already got on its radar to see if it can lump in that attack with another attack and potentially charge the same gang with both.

JACK: Mm-hm. So, with this in – now the FBI is investigating, did they ever discover who stole the $75 million?

GEOFF: [MUSIC] Well, according to the FBI, this was the work of the Lazarus Group, who – believed to be working on behalf of the North Korean government. These are North Korean state hackers who are going around the world and in a lot of cases, trying to get their hands on as much cash, as much foreign currency, certainly, as possible so they can transfer it back either to North Korea directly or for the use of North Korea in other foreign countries. So, these are the kind of jigsaw pieces that the FBI’s starting to put together.

JACK: Oh, whoa; this is somehow surprising and not surprising at the same time. It’s surprising that a nation state actor, a government organization, would be in the business of cyber crime. But it’s not surprising because the North Korean government is just weird. I mean, they’re really, really weird. But this is also surprising because this is the first time North Korea has ever stolen cryptocurrency before. Specifically, they broke in and stole Bitcoin from a company in Slovenia. Where the heck did they learn how to do this from?

GEOFF: They’d been experimenting with cryptocurrency, so you’ve got to think back slightly earlier than this attack, and this is December 2017. May 2017, of course, was the WannaCry cyber-attack, the ransomware attack that hit multiple countries around the world, hundreds of thousands of devices infected and so on. Classic ransomware attack, but spread through this incredible sort of auto-spreading and auto-detonating technology. What’s interesting about that from a cryptocurrency point of view, because the WannaCry attack was also attributed to the Lazarus Group, was that in the wake of the WannaCry attack, there was obviously this question around how the ransom payments – which were obviously in cryptocurrency, in Bitcoin, in this case – how those ransomware payments would be gathered together and distributed and laundered. They didn’t make huge money out of – a huge amount of money out of WannaCry; I think they barely – at the time, I think it barely topped a million dollars, which is sort of almost laughable among ransomware gangs’ profit margins.

But the interesting thing about WannaCry was the efforts that the hackers made to launder the money. You could see – because the cryptocurrency transactions are transparent and available on the blockchain – you could see in the months after WannaCry the money being moved around, moved to different wallets, tumbled, as the terminology says, into different wallets, and eventually disappearing into one cryptocurrency exchange, never to be seen or at least never to be traced again. So, you’re right; North Korea hadn’t really done a huge amount of cryptocurrency theft, bare cryptocurrency theft. They definitely experimented with moving cryptocurrency around and laundering it, and in hindsight, maybe the WannaCry cyber-attack – part of the motivation was to get the hang of – if indeed it was North Korea behind it – getting the hang of laundering cryptocurrency so that they could then go on to do hacks like the one on NiceHash in December.

JACK: Oh boy, this does not bode well. If North Korea learned how to launder Bitcoin from WannaCry and they’re already equipped to carry out hacking campaigns and they use these offensive techniques to get in and steal $75 million from NiceHash, this win for them could mean North Korea is going to go full throttle and start attacking all cryptocurrency companies, looking for big licks. [MUSIC] Because, North Korea has been robbing banks for years at this point. In fact, Geoff came on the show before to tell us about the time when North Korea robbed the Bangladesh Bank. That’s Episode 72. But when you rob a bank, it’s a lot harder to launder the money versus when you steal some crypto. Crypto is private and anonymous by design. It’s much easier to move the crypto around and hide behind the wallets. Like for instance, if this money was stolen from a bank, there would be an immediate sense of urgency to get that money out. It might have been transferred to another bank, and then they’d have to deploy a whole network of money mules to try to quickly cash out all the money they stole. But when you steal Bitcoin, there’s no sense of urgency. You can just let it sit there until you’re ready to cash it out. Nobody can touch it or freeze it on you. The scary thing is that North Korea needs money badly and isn’t afraid to commit heists and robberies to just steal as much as they can. So, as they learned about crypto, this must have been seen as a great opportunity for them.

GEOFF: Absolutely, yes. The direct – the trajectory, really, of the North Korean Lazarus Group, according to both US investigators and the United Nations who keep an eye on North Korea and its activities, the direction of travel for its hackers I think really has been cryptocurrency. In the years following the NiceHash attack and the WannaCry ransomware attack, there was just this proliferation of loads and loads of different tactics of targeting people and loads and loads of different methodologies for doing it.

JACK: Many crypto companies reported they received phishing attacks since 2018 onward that seemed to be coming from the Lazarus Group. These are almost always e-mails that employees would receive to try to trick the employee to read the e-mail, download the attachment, and open it. These phishing e-mails weren’t some spray-and-pray kind of attack where they’re sending out millions of e-mails a day. No, these phishing e-mails were often very well-crafted to target a specific person at a specific company, and they were well-designed. One of these phishing e-mails targeted an employee who worked at a crypto company, and what the attackers did was they looked on LinkedIn to see who worked at that company, and found an employee that they think would have access to what they wanted [MUSIC] and would be susceptible to a phishing attack. So, they crafted an e-mail which was trying to recruit that person to come work at a different company.

GEOFF: It just looked like the dream job, just absolute dream job; all the things you want, loads of money. Unfortunately, of course, the dream job doesn’t exist. It’s been made up by the computer hackers to appeal to exactly this individual, because they’ve managed to research that person on LinkedIn and said oh, they work for this company, work for that company; they’d probably be interested in this job. So, the employee thinks well, I’ll open this job ad and see what happens and what it looks like.

JACK: He read the e-mail and was curious to learn more. It said there was more information in the attached document. He was interested and downloaded the attachment. It was a Word doc, and when he opened the Word doc, a pop-up showed up which said this document is protected by GDPR regulations. Please click to accept the GDPR terms. Well, as you can imagine, this button had nothing to do with GDPR, and when he clicked OK is when the Word doc executed a script which infected that employee’s machine. With that, the North Korean hackers were in his computer, hunting for the crypto wallets that that company controlled. I find this fascinating because time and time again, I’ve heard penetration testers do this exact same thing; they want to target a company, so they go to LinkedIn, find some people to target, and craft some phishing e-mails, and they get into the company that way. Social media just makes this kind of attack so much easier. The thing is, we don’t know how many crypto companies were robbed by North Korea. Companies feel embarrassed when they get hacked like this. They’d lose customers if they publicly announce they’ve been hacked. So, even when a company reports this to the authorities, those companies can still remain nameless. But what we do know is that North Korea has steadily and persistently attacked and stole cryptocurrency from companies for years.

GEOFF: So yeah, so you start off with $75 million or thereabouts at NiceHash, and this sort of develops and gets bigger and bigger. At one stage, the FBI are talking about the stealing of $230 million. This is from an unnamed cryptocurrency exchange. Absolutely astonishing amount of money.

JACK: $230 million stolen from one exchange? Unbelievable, and with little to no punishment? Of course North Korea’s gonna continue on this robbery spree. Who’s gonna stop them? [MUSIC] Well, the FBI investigated this $230 million heist and tried to figure out who cashed this money out.

GEOFF: Obviously one of the things you can do when someone steals cryptocurrency is you can trace it, because cryptocurrency transactions are recorded on the blockchain and you can – anybody can go to the blockchain and look at where they go. This is the game now; investigators, law enforcement, and private companies are constantly on the case when these hacks happen, trying to work out where the money goes. What they’re hoping is they can chase it to somewhere that’s legitimate, or at least they can chase the money into a cryptocurrency exchange that will answer the phone to law enforcement. So, law enforcement see these transactions through the blockchain, they go a-ha, they’re now putting it into this cryptocurrency exchange. We’ve got a number for them; let’s give them a bell and see if we can get them to stop the money. Now obviously, not all cryptocurrency exchanges are gonna do that, but some of them – quite a lot of them, actually – do want to answer the phone to law enforcement. They don’t want to be part of criminality, so you can call them up. They managed to trace the money to a particular cryptocurrency exchange, and what was good about this exchange was they’d implemented what are called Know Your Customer controls, so this is – you’ll have been through it; I’m sure lots of your listeners will have been through it. You try and set up a bank account, they want you to hand over ID.

Increasingly with cryptocurrency exchanges, the legitimate ones, they’re doing the same thing. If you set up an account at one of these places, you’ll probably have had to send your ID, your passport or whatever. So, one of the exchanges into which this $230 million of stolen cryptocurrency vanishes is one of these legitimate exchanges that asks for ID for customers. So, the FBI think right, we can phone these guys up, this cryptocurrency exchange, and we can ask for the ID for the customers that set up the accounts that the stolen money went into. That’s a pretty good – that’s gonna be a good lead. So sure enough, they do; they make contact with the exchange and say look, here’s the accounts. Please give us the IDs of the people who set up these accounts. The cryptocurrency exchange obliges and sends the FBI a screen-grab, an image of the ID of the person who set this thing up. What the cryptocurrency exchange has is a photo, a webcam photo, of someone sitting in a chair. He’s got coiffed hair, he’s holding up a South Korean driver’s license, I think it was. He’s wearing a little white t-shirt. The driver’s license has got this guy’s – his name and his address and his ID and everything on it. So, I imagine the FBI at this point are thinking great, [MUSIC] this seems to be the guy who’s helping launder the stolen $230 million. But there’s a bit of a snag because there’s two accounts that are being used, and the FBI’s asked for the IDs for both of the account holders.

So, the first ID comes and it’s this South Korean guy holding up a South Korean driver’s license. Badda-boom. Second picture arrives for the second account holder, and this time it’s a German guy and he’s holding up a different type of ID and he’s got a bald head and it was completely different. But then as you compare the two photographs, which the FBI must have done, things start to look a bit skewy because they’re both wearing the same t-shirt. That’s weird, that’s a coincidence. Then their fingers are in exactly the same positions around the ID, and they’re sort of sitting in exactly the same chair. As you look close, you realize their pictures have just been Photoshopped or at least manipulated somehow. They’ve basically taken the heads off the two different pictures and put them onto the IDs. Basically, a picture’s been ripped off the internet and they – the hackers have effectively faked the pictures on the ID, faked the pictures on the photograph, convinced the cryptocurrency exchange these are real people who want to set up an account, used that to set up the account, and washed the $230 million through it. So, the FBI’s dream of knocking down the door of these two chaps with their IDs on display vanished into thin air, unfortunately.

JACK: Huh, interesting. They’ve got fake IDs and have figured out how to cash out their stolen money without getting caught. You might wonder hey, there are banks in North Korea, right? Why isn’t there a crypto exchange in North Korea where the Lazarus Group can just send their Bitcoin there and cash it out without having to use any fake IDs? Well, for a few reasons. First, it would be obvious if you saw the stolen Bitcoin wallet go to an exchange in North Korea that it’s gonna be the North Koreans who did this, and North Korea doesn’t want to take credit for any of this. They are already in trouble and getting sanctioned and just don’t want to make things worse, so they always deny that they had anything to do with these heists. But second, we’re talking $230 million cash-outs here. It kind of breaks my brain to think this through, but where would a North Korean crypto exchange get $230 million to give to someone who wants to cash that much out? They would have to have that kinda cash on hand to pay it out, and it’s not like you can just start an exchange and only do payouts. The reason why exchanges work is because the exchange has enough people buying crypto with the cash, and they can pay out what’s needed.

Like I said, that kinda breaks my brain to fully understand that, but suffice to say, there’s no crypto exchange in North Korea, so they have to use exchanges in other countries to get their money out. [MUSIC] They don’t actually cash it all out at once; North Korea has this technique they use called peel-chaining. See, once money gets stolen, the wallet it went to actually gets flagged so exchanges know not to do business with that wallet. So, like if you stole $75 million and transferred it to your wallet, the FBI might flag your wallet and tell exchanges hey, don’t do business with this. So, if you then send your money to Coinbase, Coinbase might freeze your funds and turn it over to the FBI. So, what North Korea does since they know their wallets are being watched is they transfer all their money to a brand-new wallet, and quickly, before it can be flagged as a stolen wallet, they take a small chunk of money, maybe five grand or fifty grand, send that to an exchange to quickly get it cashed out using one of these phony IDs they have, and then they continue doing this until they’ve cashed out all of what they want, transfer all the money to a new wallet, peel off a little, send it to an exchange, and do it again, transfer money to a new wallet, peel a little off, send it to an exchange, and just keep repeating. This is the peel chain laundering technique that they use. By the way, I learned all about this peel-chaining technique from Geoff’s book that he just published called The Lazarus Heist which goes into great detail about this and so much more.

GEOFF: Exactly, and this is the interesting thing about North Korea’s efforts to steal money generally, is – I think when I started out with Season 1 of The Lazarus Heist, the podcast that we did that led to the book, my assumption was well, all this money sort of washes back to North Korea, all these allegations of stolen money. If that’s what’s happening, then it must end up back in North Korea. I had this image, I think – I don’t know, maybe Kim Jong-un writhing around in a pit of money. But that’s not necessarily how it works, because as you say, once you get your stolen Bitcoin or whatever it is back to Pyongyang, if it is indeed them behind it, you’ve gotta sort of take that cryptocurrency and swap it into something. Obviously in North Korea, that’s just [MUSIC] Korean – North Korean won; it’s just the local currency. What often happens instead is this cryptocurrency is just left in wallets around the world, wallets connected to the internet, that can then be used for things North Korea would want to buy.

So, if North Korea wants to purchase something in, I don’t know, Kazakhstan or Russia or Brazil, they can use the money locally, if you like. They don’t keep the money back in North Korea; they have the money stashed out in other places so that they can buy things they need, because they can’t dispatch the money from North Korea to go and buy them. It’s much better to have, if you like, local credits that you can spend in different countries that you need. That’s why cryptocurrency’s really useful, is if you’ve got your money stashed in Russia and you want to buy something in Russia, fair enough. But if you want to buy something in Brazil, you’ve got to move the money from Russia to Brazil. Whereas with cryptocurrency, it’s accessible anywhere in the world. That’s one of the joys of it. So, for people like North Korea who are seemingly stashing this money around the world, it’s really useful ‘cause they can make purchases in different countries with it.

JACK: Oh, that’s very interesting. I never thought of that. But okay, so still, can you give us any kind of idea on how they might be laundering it? Because it – like you said, it is becoming more regulated and it’s more difficult to get it out, because then it’s tied to a real bank account somewhere in the world.

GEOFF: Yeah.

JACK: Maybe there are just places in the world that are not regulated, like you can find some back street exchange in some third world country or something. I don’t know.

GEOFF: Yeah, yeah. Exactly. It’s a really interesting picture, this one, and there have been instances of hacks where – particularly recently because the investigators, both law enforcement and also private industry investigators of cryptocurrency, are getting so quick and so fast and so thorough at chasing the stolen money, stolen cryptocurrency, that it’s really difficult for those who’ve stolen it to launder it because all eyes are then on those hot wallets, if you’d like, those – I say hot wallets; I mean hot as in stolen money wallets. So, there’s instances in which the hackers are sort of caught out because they’ve got the money in a wallet, but as soon as they try and move it somewhere, as soon as they try and cash it out, the investigators are gonna try and get one step ahead of them, contact the company that’s doing the cashing out and say hang on, that’s stolen money; you can’t transfer that. You can’t transfer that into fiat currency; pounds, dollars, and so on.

So, the hackers face this really interesting challenge of trying to sort of [MUSIC] find those – as you say, those back streets, if you like, in the cryptocurrency market, so the exchanges aren’t doing Know Your Customer, the exchanges that don’t care that they’re handling stolen money. The other thing they’re going to is tumblers, is Bitcoin mixers and cryptocurrency mixers who will take your cryptocurrency, mix it with other people’s. If you imagine a whole bunch of bank notes on the table, you stick your stolen bank notes in the middle, you wash them all around with the other notes, and then you get some notes back, but some people get some other notes back. Really difficult to work out which bank notes came from the drug deal. So, these mixers are effectively a cryptocurrency version of that. You stick your money in, it gets washed with some other people’s, you get your money back, but it’s really hard for investigators then to say look, the money that went into that hole there is the same as the money that came out of that hole over the other side of the mixer.

So, that’s one other thing they’re doing. The other thing is North Koreans are allegedly, along with other cyber-criminals, relying on some networks of people, of individuals who offer to take bits of cryptocurrency and try and cash them out, try and convert them into different types of things. The US has charged a couple of Chinese chaps with offering exactly this kind of service, probably in exchange for a fee, using little bits of cryptocurrency and changing it into real-world money, in some cases using things like iTunes gift cards, anything they can do to eke out this money. But the overall picture with this is if you’ve stolen let’s say $230 million of cryptocurrency, it’s just not possible in this situation, this world right now, to suddenly swap that into $230 million of real money, of actual US dollars, bank notes. You can’t do that. You’ve got to do it slowly. You’ve got to eke it out. So, there’s a handbrake being applied to all of this which is really interesting.

JACK: All this takes a special kind of skill. You can’t just Google how to launder $200 million in Bitcoin and follow some step-by-step guide. This is a dark art of sorts, finding the cracks in the walls that should stop people from doing this and exploiting them. This means as years go on, the Lazarus Group is getting better and better at finding large piles of crypto, stealing it, and laundering it, which means they’re starting to venture out into new crypto territories.

GEOFF: Yeah, this is where it gets really weird and interesting. There’s this very peculiar story that emerges about a company setup called Marine Chain.

JACK: Okay, so Marine Chain was this cryptocurrency startup. I think they were working on an ICO where they wanted to raise money from investors to issue crypto coins for however much they bought in. This company was based in Singapore, but then out of nowhere, this guy [MUSIC] Tony Walker just decided to join the company.

GEOFF: Tony Walker’s the brains behind Marine Chain. He says look, you’re gonna set up this company. I know all the business side. He’s got a sort of fancy slide deck that shows how much money they’re gonna make. They’re gonna be in for tens of millions of dollars off the back of this.

JACK: Tony Walker starts helping this Singapore-based company launch, but he doesn’t seem very focused on the business.

GEOFF: So, your chap in Singapore, Jonathan Foong Kah Keon, starts to get a bit suspicious about this but keeps going with this guy Tony Walker ‘cause it looks like it’s going okay. They are getting interested in this and potentially they’re getting investment. But gets increasingly suspicious, and then Tony Walker starts asking your Singaporean chap, Jonathan Foong Kah Keon, to have his name on the business; the business needs to be registered in his name. The Singaporean chap says well no, I’m not sure about that. That’s gonna cause problems. But Tony Walker’s insistent on this. Then things get a bit weirder. Tony Walker’s name appears on contracts, but he’s not signing himself Tony Walker; he’s signing himself Julian Kim. By this point, a lot of alarm bells should be ringing ‘cause it’s clear something’s going wrong with this business. There’s something very peculiar about this Marine Chain business.

JACK: Well, Marine Chain starts getting talked about on forums and on Reddit, and someone made a comment about Marine Chain.

GEOFF: And says just sort of out of the blue, no, I don’t think you should; I think this is a bit of a scam. By the way, I think it’s a North Korean-motivated scam. [MUSIC] This just drops on these forums. What’s weird about this is the key comment comes on a Reddit forum from a user calling themselves ArsenalFan5000, Arsenal being a very famous football team in the UK, which probably needs no introduction. So, some football fan is popping up on Reddit and saying no, you shouldn’t invest in Marine Chain. I think it’s a North Korean front operation. Now, what’s weird about that is at that point in time, I don’t think anybody had actually clocked that, and yet this user who’s apparently some football fan on Reddit pops up and says, you know, I think it’s North Korean. What’s weird about ArsenalFan as well is this user posts that comment and nothing else. No other discussion.

It’s the only comment they post on the whole forum, and then they just vanish and disappear. Turns out, they were on the money. As other people start investigating, they uncover different links to North Korea for Marine Chain, and it does turn out to be a North Korean front operation. So, there were a lot of people that felt pretty glad they didn’t invest in this particular firm. Now, what’s interesting about Marine Chain is – partly thanks to being exposed by people like ArsenalFan5000, the company just folds. So, it just vanishes and disappears. Tony Walker, AKA Julian Kim, just drops off the face of the earth, drops off the radar at least for the moment under those particular pseudonyms and is never heard of again. So, Marine Chain’s an interesting facet to this. It’s a North Korean attempt at an initial coin offering, an ICO that never really lands, never really takes off.

JACK: Whoa, this is a totally new type of tactic for North Korea, to launch an ICO. [MUSIC] Here’s the thing; in 2018, it was quite the year for ICOs. ICO stands for initial coin offering. It’s kind of like a company starting a business, and to raise money to kickstart it, they sell this new type of crypto to early investors. If the company does well, then the value of the coin goes up, and if the company does poorly, the value of the coin goes down. 2018 was sort of a boom year for ICOs. There were lots of them springing up everywhere, and people wanted to invest in these companies. But not all these ICO projects were good. In 2018, there was a company called Guiyang Blockchain Financial Co which launched its own ICO. They raised $60 million and then disappeared, exit scamming all their investors. So, I think North Korea may have taken notice of this and tried dabbling in their own exit scam by launching what looked like a real company, but then possibly they had the intention of pulling the rug out from investors. We don’t know what the real intentions were for this Tony Walker guy, but this might have been an indicator that North Korea is trying to conduct their own exit scams now. Wild. Is there any scenario where it’s just maybe somebody from North Korea and not the North Korean government? ‘Cause you know, it’s – I imagine anyone who’s doing it from North Korea is the North Korean government, but maybe there’s a scenario where I haven’t considered.

GEOFF: It’s a good point. I think broadly speaking, you have to realize in North Korea, if you have an internet connection and a laptop, it’s because you’ve either been given it or granted access to it by the North Korean government. It’s a point maybe a lot of your listeners will know, but just to stress this, it is not the case in North Korea that you can go out and get a laptop and get – be connected to the open internet as you can in most other countries in the world. It’s incredibly well-policed and restricted. [MUSIC] So, if you’re talking about somebody like Tony Walker, AKA Julian Kim, who sets up online, who’s having Skype conversations with people, who’s e-mailing people back and forth, who’s setting up websites, that’s gotta be somebody in North Korea who’s got an internet connection with a laptop or possibly a North Korean who’s outside the country and has got an internet connection, a laptop. Either way, that’s government sanctioned, okay? So, to get out of North Korea, the North Korean government needs to give you the say-so and the okay to do that, or to be in North Korea with an internet connection and a laptop; the government’s gotta be okay with that. So, really, all roads lead back to the North Korean government. It’s almost inconceivable that Marine Chain, if it is North Korean, could have been done without the say-so, the express say-so, of the North Korean regime.

JACK: I’m gonna take a quick ad break here but stay with us ‘cause when we come back, North Korea sets some new records. [MUSIC] So, while I was making this episode, I was doomscrolling on Twitter and I came across this tweet which was so remarkable that I just had to call the guy up who tweeted it to hear the story.

JON: I’m Jon Wu. I am head of growth at Aztec Network.

JACK: Aztec is a crypto company which aims to make your cryptocurrency usage more private, and to do that, you can use their system to move your money around. They sort of shield it so that you can move it around without anybody knowing that you’re doing that. But because their tool is catching on, a lot of people are using it and moving their money around through Aztec’s network, which means at any point, they’ve got control over quite a bit of their user’s money.

JON: Yes, so if you look at all the public dashboards, our smart contract holds about $15 million last I checked, although the market has come down a bit and we’ve had – again, depending on Eth price, but as of a couple weeks ago, $80 to $100 million of throughput. So, certainly a lot of value has moved through the system.

JACK: Now, Aztec is growing which means they’re hiring and have open positions, and Jon is the one who looks at resumes and does interviews to hire new people who work there.

JON: Yeah, that’s right. So, we get lots of inbound resumes all the time for our full-stack engineering roles and smart contract dev roles. I’m on the hiring team at Aztec. So, I got automatically assigned a resume that had already been internally reviewed and looked super legit. The person had a GitHub with a bunch of projects on it and had a resume with some things that I’d heard about like F2Pool. The name was Bobby Sierra.

JACK: [MUSIC] He set up a time to do an interview with Bobby Sierra, a remote one through video conferencing. Jon and Bobby both got on the video call.

JON: I immediately noticed that the person’s camera was off and that there was a little bit of latency, but also that there was just a lot of background noise, so just a bunch of chatter in the background.

JACK: Did you ask to turn the video on?

JON: I did, and he made some excuse about how he couldn’t do so. I talk to folks not infrequently who are uncomfortable on video, but it is one of the best tools that we have for validating identity. Bobby Sierra, again, not to be stereotypical, but it’s obvious on the face that Bobby Sierra is a Western name and this person had a heavy Korean accent. The way I was able to tell is I’m Asian too; I’m Taiwanese. I grew up in an immigrant community around New York, and some of my absolute best friends growing up were Korean. I spent a lot of time in Korean households, and I was like, this guy’s obviously Korean. I’ve heard an accent like this and some of the mannerisms a thousand times. Then I kind of flat-out asked him, where are you based? He said I’m based in Hong Kong. I’m like, that’s not what your resume says. Your resume says you’re based in Canada. Then he did this multiple times through the call, but then he would just mute me. He would just go on mute and then he would come back online and pretend like nothing happened.

JACK: Did you ask any technical questions that he knew? Like, did he know his chops about what you wanted him to know?

JON: No, absolutely not. He didn’t say almost anything coherent. [MUSIC] He kinda just kept repeating stuff like I’m an experienced blockchain developer or I’ve worked on many successful projects, I’ll bring you a lot of success. Of course, the infamous line from his cover letter was ‘the world will see a great result from my hands’, which was just so villainous-sounding as to be comical. So yeah, no, he really couldn’t answer any technical questions. Couldn’t even answer the basic questions of where he had worked previously. The whole thing was super bizarre and he was just either unfazed or didn’t understand when I was pointing out red flags and inconsistencies. He was clearly spoofing someone’s legitimate resume and pretending to be them, like, had just downloaded it from an open resume site or a recruiting site.

But it was when I was like hey man, it says here that you worked here at F2Pool. Tell me about F2Pool. If I were to recreate what he said, he literally was like, yeah, and then muted. I was like hey, are you there? I would say at least a minute or two minutes went by just silence on the other line. I was like, no one does this. It doesn’t matter how incompetent you are. If you think about – there’s two axes I’m judging on this interview; are you competent or incompetent? That’s the standard interview framework. Like, am I gonna move you on to the next step or not? But the other one that you don’t consider usually when you talk to someone is like, is this person nefarious? It wasn’t until he kind of went dark for like, two minutes after being asked a really simple question, and then came back again with this renewed purpose, like pretending like that didn’t happen.

Like, I want to work with you, I’m an experienced blockchain developer, I’ll make you successful, that I was like dude, something’s going on here. It’s a scam, it’s a behavioral hack, and that’s when I hung up. Honestly, right when I left the call room, I shut the door to the call room, and I remember being in the office and I was like guys, I think I just interviewed a North Korean hacker. That was my intuition. My intuition – and it was biased from weeks of having observed it and reported on it, and I had already been covering some of these security hacks of really famous crypto individuals like Arthur0x and a lot of the coverage on Lazarus Group, so I was already primed to be thinking about this. So, between that, his undeniably Korean accent, and just how sketchy and scammy it was, that was kind of my intuition.

JACK: Jon was actually pretty spooked by this. I mean, if this was a North Korean, that’s a pretty close encounter, to be on a video call with him, to have this whole e-mail exchange, to be opening resumes and e-mail attachments. [MUSIC] He starts retracing his steps, trying to remember exactly how much he shared with this Bobby Sierra. Did he do any screen-sharing? How much did he explain about the company and what tech they use? Jon was on high alert and feeling pretty disturbed by this. So, he tweeted the whole encounter.

JON: The tweet went super viral because, you know, frankly it was entertaining. Even when I was in the room, I was kinda laughing at myself. I was like, who is this guy? This is so crazy. You don’t have interviews like that ever, you know? You don’t ever have those. It’s rare to have an experience in your life where that’s just so surreal. You’re like, is this happening? Like, this person’s just making stuff up and their resume’s not consistent with their GitHub, is not consistent with their real name, and their quote, unquote real name is “Bobby Sierra” and his cover letter sign-off is ‘the world will see a great result from my hands’. So, it was just a funny thread and it just went super viral. It instantly got thousands of likes.

JACK: Some people were saying no, dude, this is typical; if you interview enough people for a while, there’s some really weird ones that just show up. So, Jon was starting to doubt that it was North Korea, but another crypto investor who had his digital assets stolen a little before this said it was definitely North Korea because he’s seen this before. So, Jon wasn’t sure again.

JON: But then yesterday, I think, this week, the US Treasury published a sixteen-page advisory on North Korean overseas IT workers. That advisory explained almost to the word the tactics that this guy Bobby Sierra was using on me.

JACK: This advisory from the US Treasury and the FBI says that North Korea has been trying to dispatch IT workers to work for companies all over the world remotely, posing as non-North Koreans. Some of these people, when they get hired, they don’t even do the work; they just hire a subcontractor to actually do the job that they were supposed to do. Once again, North Korea has flabbergasted me. I mean, what level of social engineering even is this, to try to get a job at the very place you want to rob, and it’s done by the world’s worst social engineer? It’s bold and ridiculous at the same time. One thing that seems clear from this is that the Lazarus Group is on a tenacious mission to steal crypto from people and places all over the world, and they’re pretty creative at coming up with new ideas on how to do it. [MUSIC] It’s almost like the Lazarus Group has a whole R&D department that cooks up ways to steal money.

GEOFF: One of the amazing things was the rash of cryptocurrency trading apps that they launched around the 2018 period. First one we think was May 2018; this was the thing called Celas Trade Pro which was basically a sort of cryptocurrency trading app. The idea was you’d plug in your cryptocurrency wallet and it would assist you through the process of this. This was set up with a very glitzy-looking website. All looked very above the board to those who were giving it a casual glance. The idea was download this app; it’ll give you cryptocurrency trading advice and allow you to sort of do this if you connect your wallet to it. Unfortunately, behind this was a piece of malicious software, so when you downloaded it, you effective – getting the hacker’s backdoor access to your machine. Of course, as soon as you connected your cryptocurrency wallet, you’ll potentially give them access to it and they could steal your money. So, that was Celas Trade Pro which was the initial iteration of this.

It didn’t take long for the tech security community to clock that this was malicious, so Celas gets reported on, lots of reports come out about the fact that there’s actually malware within this, but it doesn’t really seem to matter to the hackers behind it who are allegedly the North Korean Lazarus Group, ‘cause they just relaunch under different names. There’s this bewildering variety of different cryptocurrency apps that come out in sort of 2018, 2019. They’re just the same malicious software just rebadged and repackaged. So, Union Crypto Trader, QPay Wallet, CoinGoTrade, Crypto Neuro Trader. Ant to Whale was one of my favorite ones. They’re just the same piece of malware just dressed up in different iterations, and it seems that they think so long as we can keep rebadging this, we’ll keep finding suckers.

JACK: So, they set up these crypto apps that would be viruses, malware of some kind. Do you think they ever actually hit anybody with this and stole some money from people?

GEOFF: Yeah, yeah. It did actually work. I mean, the recorded case according to the US investigators is August 2020. There’s a financial services company in New York who downloaded a thing called Crypto Neuro Trader, and the Lazarus Group apparently got away with $11.8 million.

JACK: In 2018, another crypto exchange was robbed. This time, it was Coincheck, based out of Japan, and this was an exchange that handled different cryptocurrencies; Bitcoin, Ethereum, and Nem tokens, N-E-M. Well, someone hacked into this exchange, looked for the crypto wallets, and found the Nem hot wallet. They emptied the whole thing. About 500 million Nem were in that hot wallet, and at the time, one Nem was worth one dollar. So, this resulted in a theft of $500 million worth of crypto, which was the largest heist ever, larger than any bank heist or crypto-heist ever reported at the time.

GEOFF: The thing about Coincheck is the attribution. It is not clear to me and I don’t think it’s clear to investigators whether this was North Korean. One of the issues with that is the malware that apparently was used to break into Coincheck was commodity malware, so it’s quite difficult from that perspective to attribute it. You can’t say well, this is particular malware that we’ve only seen used in these particular attacks by these particular groups. I think that’s – that was one of the issues around it. There was some talk in the media about this being the work of North Korea. Certainly it’s a cryptocurrency attack. It’s in the Asian area. That sort of maybe points to Lazarus Group, but beyond that, for me anyway, you need a few extra bits of evidence. As I say, the malware didn’t really point to it. Then there was the whole laundering procedure and the cashing-out procedure for this.

So, some of those Nem coins that were stolen from Coincheck eventually ended up being sold as cryptocurrency assets on dark web sites where they were sort of offered at a discount. Didn’t quite look like some of the other laundering cash-out operations that have been attributed to Lazarus Group. So, for lots of different reasons, there’s a bit of a question mark over Coincheck. Look, that attack is still being investigated. Japanese police are still all across it. Coincheck still I believe working with law enforcement to check into it. So, there may be news on that, there may be movements on that, and the Lazarus Group story just keeps developing, developing, so keep a watching brief on that. But for the moment, I’m not sure whether I’d add Coincheck’s $530 million to my tally of suspected Lazarus Group cryptocurrency wins.

JACK: Okay, so, we’ll put a question mark on whether or not North Korea robbed Coincheck. [MUSIC] But then in September 2020, there was another big robbery at another crypto exchange.

GEOFF: This is the attack on KuCoin, another cryptocurrency exchange based, I believe, in Singapore, this one. This was various different types of cryptocurrency assets, so some of it was in Bitcoin, some of it was some – in some really obscure types of cryptocurrency and crypto asset. Some ERC-20 tokens were taken, some stablecoins, so it’s a mix, a mixed bag of stuff once the hackers got in. Because once they get in, it’s not just one wallet they have access to. If they’ve got this kind of blanket backdoor access, they’ve got access to the entire safe and whatever’s in there, so they start pulling out this money. If you totaled it all up, certainly at the time, this would be worth about $275 million.

JACK: $275 million. This one is firmly attributed to being North Korea. It has all the signs of what previous North Korean crypto-heists look like, as well as the laundering techniques they used after. Now, as if that wasn’t enough, March 2022, we saw a new record for the largest cyber-heist ever. This time it was on the Ronin network. The Ronin network is, well, it’s hard to describe. There’s this NFT game called Axie Infinity which is one of the first NFT games out there and it’s also one of the most popular. To play it, you need to deposit your money into this Ronin network. So, there’s a lot of money tied up in this Bridge network.

GEOFF: The Ronin Bridge in the middle is the conduit and like any conduit for money, particularly these new types of money, these new crypto assets, it’s a target for the hackers. They seem to have discovered some vulnerability here. They were able to take over different nodes in the Ronin Bridge and steal what was valued at the time as $625 million, [MUSIC] which I just think we need to take a step back and – I mean, that is – I think – I’m gonna go out on a limb here and I’ve been trying to get people to call me out on this, but I think it’s – from what I can remember, that is the largest single amount of money stolen in a single hack of all time, I think.

JACK: He’s right; $600 million is the largest heist ever. It beats the biggest bank robberies, the biggest exit scams, even the biggest crypto-heists. Yeah, many security researchers have attributed this attack to be the work of the Lazarus Group once again. If we add all this up, it brings the crypto-heists alone to somewhere around two billion dollars. That’s not even adding up all the bank robberies they’ve done. Two billion dollars stolen by North Korea. All this is happening, which – it’s confidently being blamed on North Korea. Has North Korea taken credit for any of this and said yeah, we did do that? Or what’s their stance here?

GEOFF: No, North Korea has denied any connections to any of these hacks at all. The official publication in North Korea which is sort of as close as you get, really, to a government spokesman, certainly that I know of, has said that these are effectively smears by the US government and its allies, trying to besmirch the good name of North Korea. So no, they’ve denied all of it. There is one point I’d raise though, which is sort of speculative and a bit off my patch, but I sort of think of this from a geopolitical diplomacy point of view. If it is the case that North Korea has got this two billion dollars they’ve stolen, if the investigators are right in their accusations, and if North Korea are having this immense trouble laundering it, which from what we’ve talked about with this podcast, I think that’s fair to say, there’s money sort of sitting out there that if North Korea one day confessed to it if it indeed is them, they could sort of maybe offer to, I don’t know, repatriate it. At this stage it’d be worth even more, potentially, than when they stole it.

Could that become part of a diplomatic negotiation in the future, a sort of – an amnesty like when criminals try and use returning their assets to try and bargain for a lower sentence? Could it somehow form some part of the diplomatic negotiations? As I say, this is outside my remit as a tech journalist, but I do wonder whether someday this could form part of it. There is precedent for that; [MUSIC] I mean, North Korea had, according to the US government, money in a bank, $25 million worth of money in a bank in Macao, and that money was frozen when the US government took action against that bank. That froze money and that bank in Macao became a sort of bargaining chip around the negotiations around nuclear weapons and so on. North Korea said we want that money back and maybe our nuclear negotiations will be affected by whether you give us that money back. In the end, by the way, they got the $25 million back and kept testing nukes and testing missiles. So, I guess North Korea won that poker game in the end. But could this stolen cryptocurrency money, this two billion dollars, form part of some negotiation of diplomatic solution in the future? I don’t know. I’m going out on a limb there, but I think it’s an interesting question to consider.

JACK: Now if you recall, the US has indicted a North Korean named Park Jin Hyok for the attacks on Sony and the Bangladesh Bank. But since then, the US has indicted more people involved with these cyber-heists.

GEOFF: Yes, there have been multiple indictments around the crypto-heists. So, there were the two Chinese individuals I talked about earlier who were accused of helping North Korea launder stolen cryptocurrency through bank accounts in China and also through iTunes giftcards, bizarrely. Also, in addition to Park Jin Hyok, the individual who was indicted in September 2018 for Sony, WannaCry, and the Bangladesh Bank heist, the US have now added accusations against two other people, and they are Jon Chang Hyok and Kim Il, who, callback to earlier in the episode, the US says is the real name of Tony Walker and Julian Kim, the man who was responsible for setting up Marine Chain. So according to the US government, Tony Walker and Julian Kim, this chap who was going on Skype and asking people to help invest in this weird BOAT coin marine shipping cryptocurrency thing was actually Kim Il, an operative of the North Korean government. So again, you can go on the FBI’s Cyber’s Most Wanted list and take a look at all the pictures of Kim, Park, and Jon and take a look at them.

JACK: Huh. I wonder, will it ever stop? [MUSIC] This seems to be working very well for North Korea, so I don’t see any reason why they would stop. Are they just gonna keep on stealing from people forever?

GEOFF: North Korea’s trapped in this loop, right? They desperately want to stay at the international table. They want to negotiate with the United States. How does a country of 25 million people that’s desperately poor – you know, Burkina Faso saying they want a meeting with Joe Biden. Why on earth would he meet with Burkina Faso? Well, if Burkina Faso had a nuclear weapon, well then you’d meet with Burkina Faso. That’s the argument. So, North Korea, we are – our only way in to power is nukes, and that’s the decision they’ve made. Nukes means they get hit with sanctions, means they have no money, but they need money to keep the nukes going. So, how do you get the money? Well, then you steal it. Then you get hit with more sanctions, so you’re still short of money, so you steal it. You’re just in this loop, this awful, chronic, grinding loop. What’s at the heart of it all is nukes, ‘cause nukes is their way to stay at the international table. That’s what’s motivating North Korean society. It’s what’s motivating, according to the investigators, all of the computer hacks and so on. It’s grinding and the people who are caught in the wheels of that grinding are North Korea’s 25 million citizens who of course live in absolute poverty because when the government gets any money, they just spend it on nukes and missiles and propping up the leadership and the cadre of people.

JACK: Cryptocurrency is a wild place to be a player in right now. You should expect to be attacked. If it isn’t by teenagers trying to break into your e-mail or SIM-swap you, then it might be by scammers or people phishing you to try to get into your crypto wallet. If you’re a company with large crypto holdings, then you are probably on North Korea’s radar. When you’re being targeted by a nation state actor, that’s a serious amount of defenses that you should be putting in place. It’s a hard game to play in right now. But listen, all the stories Geoff shared with us today, they’re all in this book which he just published, called The Lazarus Heist. It’s great; it’s wonderfully written and researched and goes into great detail about all of what the Lazarus Group has been up to. But what we talked about in this episode is just one chapter in that whole book, so if you want to hear more about all the craziness that North Korea’s doing, go check out this book, The Lazarus Heist.

(OUTRO): [OUTRO MUSIC] A big thank you to Geoff White for coming on the show and telling us about the stories he’s been investigating. I recommend his book, The Lazarus Heist. I have an affiliate link for it in the show notes. This is also the second time I’ve had Geoff on the show, so if you want to hear another episode with him, go back to Episode 72 called The Bangladesh Bank Heist, or even go back to Episode 71 where I interview a North Korean refugee to talk about the information monopoly that the government has on North Korea. This show is made by me, the brave little CPU, Jack Rhysider. Sound design was created by the memory-intensive Andrew Meriwether, editing help this episode by the defragged Damienne, and our theme music is by the smoking Breakmaster Cylinder. Oh, I have this great joke I’m working on about documentation, but it’s not done yet. This is Darknet Diaries.
Transcription performed by LeahTranscribes