Uphold North Korea Sanctions

North Korean actors have stolen billions of dollars over the past decade as part of a massive campaign to generate illicit revenue through cybercrime. In recent years, they have devoted particular effort to stealing virtual assets. The proceeds of these operations help fund the Kim regime’s ballistic missile programme and the development of more robust cyber capabilities, among other initiatives. North Korea’s cyber-criminal activities undermine UN sanctions and represent a distinct threat to international security.

A US-led coalition has responded to North Korea’s exploitation of cryptocurrency by prioritising enforcement against the virtual asset platforms that facilitate money laundering, especially mixing services. Mixers enable users to obfuscate the origins of their cryptocurrency funds by commingling them in a large pool with other users’ assets. Recognising the key role non-compliant mixers such as Tornado Cash have played in North Korea’s cyber-criminal enterprise, US authorities and international partners have launched an aggressive crackdown. Authorities have supplemented their primary enforcement tools – sanctions and platform takedowns – with asset seizures, arrests and the adoption of new laws and regulatory measures. Over the past few months, governments have experimented with novel approaches to combating digital illicit finance, such as the possibility of designating all mixer transactions as suspicious by default.

This paper forms part of a series of research projects funded by the US Department of State to understand and mitigate obstacles to UN sanctions implementation. It aims to examine cryptocurrency mixers’ distinct technical, legal and regulatory dimensions and the challenges they pose to the sanctions regime. The paper provides detailed background information on North Korea’s cyber-criminal statecraft, focusing on North Korean actors’ use of mixers to launder illicitly obtained cryptocurrency. It takes stock of the government response to date, concluding that while actions against non-compliant virtual asset platforms have been effective individually, the campaign’s overall impact on North Korea’s laundering capacity has been limited. It also seeks to grapple with the unintended consequences of interventions, some of which have yet to manifest fully.

The paper offers 14 recommendations for policymakers and practitioners. The first cluster includes suggestions for broadening the current approach to countering North Korean mixer exploitation through unconventional partnerships and new conceptual frameworks. It advocates for empowering the disparate teams fighting cross-cutting North Korean cyber threats to collaborate more closely, and for expanding consideration of the second- and third-order marketplace effects enforcement actions may trigger. The next cluster focuses on cultivating stronger cooperative relations with the private sector. These recommendations emphasise nurturing the development of compliant blockchain privacy alternatives and tailoring government communications to the idiosyncratic virtual asset industry audience. The final cluster of recommendations focuses on raising global cyber security and anti-money laundering and counterterrorist finance standards. Achieving wider implementation of current best practices, with an eye toward augmenting them in light of emerging digital illicit finance risks, would substantially degrade North Korea’s ability to monetise cybercrime.

Introduction

North Korea’s innovative and highly motivated e-crime groups have emerged over the past decade as among the world’s most prolific cyber-criminals. Under the direction of the Kim regime, North Korean actors have pioneered a unique model that combines their technical acumen with the state’s experience in conducting illicit financial activities, honed over more than half a century, to cultivate a potent new revenue stream. The results speak for themselves. North Korea has stolen billions of dollars through electronic means from victims around the globe, including more than $3 billion in cryptocurrency. In 2022, North Korean groups accounted for roughly half of the nearly $4 billion stolen across the virtual asset ecosystem and a large portion of the funds taken from decentralised finance (DeFi) protocols, which have quickly become crypto hackers’ primary target. Following each theft, North Korean cyber-criminals steer their ill-gotten gains through a sophisticated laundering process and ultimately into state coffers. The profits from these operations fund much of Pyongyang’s ballistic missile programme, enable deeper investment in its cyber capabilities, bankroll slush funds for the North Korean elite, and help insulate the regime from the effects of sanctions. Through their direct and indirect effects, North Korea’s ongoing cyber-criminal activities pose an acute threat to international security and the global financial system. This paper explores North Korea’s use of these novel technologies to evade sanctions, considers the efficacy of states’ countermeasures, and provides recommendations on how authorities can further impede North Korea’s illicit cyber revenue-generating activities.

Cryptocurrency mixers play a key role in the laundering process underpinning the North Korean cyber-criminal model. Mixing services, also known as tumblers, obfuscate the provenance and ownership of cryptocurrency funds by blending many users’ holdings together and disbursing each customer’s “mixed” funds to new addresses under their control. By obscuring the otherwise transparent trail of blockchain transactions, mixers make it harder for victims and law enforcement to trace stolen assets, let alone recover them, and help convert dirty cryptocurrency into more usable funds. Recognising these advantages, North Korean actors have enthusiastically incorporated mixers into their repertoire. Their heavy use of mixers presents both a problem and an opportunity: while these technologies protect a crucial revenue stream, North Korea’s reliance on mixers creates vulnerability to interventions that could significantly degrade their ability to monetise crypto theft.

The US-led approach to countering North Korean mixer use is still taking shape. Thus far, the toolkit has mainly featured sanctions, platform takedowns, asset seizures, arrests and regulation, which authorities typically deploy simultaneously and in coordination with international partners. These tactics have proven effective across several cases, rendering certain major platforms much less functional and removing others from availability outright. All told, the ongoing campaign has reshaped key elements of the mixer landscape, and large recent asset seizures have generated a cautious optimism that law enforcement and private partners may be building their capacity to reclaim stolen funds. However, the strategic impact of these interventions on North Korea’s overall illicit finance capabilities is ambiguous, and even the successful platform takedowns may not prove to be enduring achievements. Moreover, the interventions have already triggered unintended consequences, the full scope of which remains to be seen. New platforms are emerging to fill the void predecessors have left, and the replacements may ultimately prove trickier to counter. The interventions have prompted cyber-criminals to adapt their operational procedures and spurred innovation by both legitimate and illicit market actors that promises to catalyse further change. The tough approach to mixers has also exacerbated divisions between the public and private sectors over the character and trajectory of the virtual asset space, undermining efforts to make it less hospitable to criminality. As the strategy for countering North Korean illicit digital finance continues to develop, authorities will need to reckon carefully with the second-order effects of their actions and continually refine their approach.

This paper forms part of a series of research projects funded by the US Department of State to understand and mitigate obstacles to UN sanctions implementation. It aims to examine the distinct technical, legal and regulatory dimensions of cryptocurrency mixers and the challenges they pose to the sanctions regime. The paper concludes a four-month research project, commencing in June 2023 and ending in September 2023, on the use of cryptocurrency mixers for illicit financial purposes by North Korean actors. The analysis is based on a close review of US government documents, such as indictments, sanctions designations, statements of policy and press releases; reports by the UN Panel of Experts on North Korea (“the Panel”); publicly available threat intelligence and blockchain analysis reporting from firms such as BAE Systems, Chainalysis, Elliptic and TRM Labs; and primary data that certain firms have collected on North Korean cyber operations and cryptocurrency transactions. The paper has also benefited from interviews with 16 experts in relevant fields, including compliance specialists, anti-money laundering and counterterrorist finance (AML/CTF) practitioners, leading figures in the cryptocurrency industry, threat intelligence and blockchain analysts, policy researchers, and multiple former senior officials from the US Department of the Treasury, the US Department of Justice and the National Security Council.

The paper contains three chapters. Chapter I offers background on Pyongyang’s cybercrime programme, the factors that draw cyber-criminals to mixers and the countermeasures governments have started taking. Chapter II analyses government interventions to date, focusing on the Blender, Tornado Cash, ChipMixer and Sinbad actions. It identifies unintended consequences that government action may trigger and suggests possible strategies for mitigating them. Chapter III offers a series of policy recommendations for augmenting the current approach to countering North Korean mixers, building stronger cooperative relations with the private sector, and raising global cyber security and AML/CTF standards. The paper concludes by flagging areas for further research and reflecting on how this issue could evolve in the years to come.

I. Background

This chapter provides background information on North Korea’s cyber-criminal activities and explains why mixers have become appealing tools for money laundering. It also outlines the measures governments and international bodies such as the Financial Action Task Force (FATF) have undertaken in response to virtual asset crime.

The North Korean Cybercrime Programme

Cybercrime has quickly become an essential pillar of North Korean statecraft. In the mid-2010s, having already developed a capacity for destructive and espionage cyber activities, Pyongyang launched a global campaign of financially motivated intrusions whose early results prefigured an enormous return on investment. The 2016 Bank of Bangladesh heist, in which threat actors submitted fraudulent SWIFT requests to the bank’s accounts at the New York Federal Reserve, extracted more than $80 million and might have yielded 10 times more if not for a typo in the phoney wire instructions that exposed the ruse. In May 2017, the WannaCry ransomware affected several hundred thousand machines in at least 150 countries, demonstrating the ease with which hackers cloistered untouchably in faraway jurisdictions could commit digital extortion at massive scale. These and subsequent operations validated the idea that state-directed computer crime could pay quite handsomely. Over the past decade, North Korea has assembled a web of interlocking threat actor sets whose primary or secondary aims are to generate revenue, including the groups known as APT38, Andariel and the Lazarus Group, some of the world’s most active and successful e-crime syndicates. Their combined operations have generated several billion dollars for the Kim regime. That North Korea’s annual foreign trade volume, long its chief source of hard currency, has not surpassed $3 billion since 2019 underscores the impact of this new revenue stream.

Among national cyber strategies, Pyongyang’s is unique. North Korea was likely the first country to generate illicit revenue via cybercrime, and to the extent that any other countries have experimented with cyber-criminal statecraft, North Korea remains by far its largest practitioner. Its threat actors have benefited from robust ties to the global underground, from hacker forums and off-the-shelf malware vendors to high-level network access brokers and transnational money laundering networks. North Korea’s repertoire comprises a wide range of activities typically associated with non-state criminals rather than state actors. Of these, theft from major enterprises is the most profitable, but by no means the only, core element. North Korean threat actors have launched ransomware campaigns, solicited fraudulent investments, hijacked other users’ processing power to mine cryptocurrency, stolen customer payment information from e-commerce websites, and programmed ATMs to dispense cash for collection by networks of money mules, among other pursuits. Capitalising on the prevalence of remote work and outsourcing since the Covid-19 pandemic, North Korea has steered many of its skilled programmers into freelance IT work, performing services such as web development and database creation for foreign companies under false identities – activities that would be legal if not for sanctions. The thousands of workers engaging in these activities, many of whom operate from Russia or China, cumulatively bring in millions of dollars per year. In addition to generating income, they may enable future compromises by planting malware in company systems or gathering data to inform social engineering schemes that involve deception of unsuspecting employees. Lesser North Korean cyber-criminals engage in petty e-crime, such as online gaming and casino scams, which are not lucrative individually but scale easily.

The characteristics that distinguish virtual assets make them attractive targets for criminal exploitation. Having surpassed the trillion-dollar market capitalisation threshold in 2021 and remained near or above it since, the cryptocurrency space is awash with cash, the critical factor for opportunistic cyber-criminals, who follow the money above all. Market actors have often prioritised breakneck innovation and user growth at the expense of due attention to compliance and cyber security, leaving large pots of assets under-protected against highly motivated thieves. Users and investors drawn to the prospect of fast and high returns frequently exercise insufficient care in guarding against scammers. Criminals looking to fly under the radar benefit from the space’s emphasis on privacy and, in many circles, its scepticism or outright antagonism toward regulatory authorities and traditional compliance practices perceived as intrusive or burdensome. Instantaneous, borderless transactions enable malign actors to quickly abscond with ill-gotten funds, while decentralisation enables buck-passing with respect to compliance, investigation and victim support. The rapid rise of DeFi and the advances in decentralisation, speed and automation it heralds have increased virtual assets’ appeal to North Korean cyber-criminals in particular. As the US Department of the Treasury assessed in April 2023, “many existing DeFi services covered by the BSA [Bank Secrecy Act] fail to comply with AML/CFT obligations, a vulnerability that illicit actors exploit”.

Embracing Mixers

Mixers enable North Korean cyber-criminals to launder dirty cryptocurrency with increased speed and anonymity by blending their holdings together with those of many other users. Traditional mixers operate a custodial model, commingling user deposits in a large pool and then returning “clean” funds to their original owners, less a small fee. Relying on a central operator, however, presents counterparty risk and creates opportunities for compromise or law enforcement interdiction, as cases such as the ChipMixer seizure have demonstrated. To solve these problems, some newer mixers employ a non-custodial approach, in which smart contracts – blockchain-based programs that execute automatically when given conditions are met – tumble users’ holdings without ever placing them under a central operator’s control. Non-custodial mixers such as Tornado Cash offer enhanced security, reduce platform administrators’ direct involvement in daily operations, and greatly diminish the possibility of unauthorised asset seizure. While there are plenty of legitimate reasons for law-abiding cryptocurrency owners to wish to use these sorts of privacy tools, most mixers practise minimal compliance, if any, and many were designed explicitly to facilitate illegal transactions. As Chainalysis noted in a mid-2022 review of mixing services’ regulatory obligations, “We aren’t aware of any custodial mixers currently following [US compliance] rules”.

Figure 1: Life Cycle of a Sample North Korean Mixer Transaction

North Korean cyber-criminals have embraced using mixers to launder stolen funds, which now represents a core component of North Korea’s cryptocurrency theft protocols. According to Chainalysis, the percentage of ill-gotten North Korean cryptocurrency that flowed through mixing services grew from under 10% in 2018 to 65% in 2021. North Korean actors laundered more than $1 billion from at least 10 separate operations through Tornado Cash alone prior to the mixer’s designation in August 2022, including from the January 2022 Qubit hack and the June 2022 Horizon Bridge hack. They processed $20 million from the massive March 2022 Axie Infinity hack through Blender and several tens of millions from the aforementioned operations and others, like the September 2020 KuCoin heist, through ChipMixer. In 2023, North Korean cyber-criminals turned to alternative platforms, whisking funds from the Atomic Wallet hack through a new Bitcoin mixer called Sinbad and more than $60 million of Ethereum from Horizon Bridge through the Railgun privacy protocol. Employing a variety of mixers distributes risk across multiple platforms, but also reflects the need to replace services that have shut down.

Most illicit actors use mixers in similar fashion – after all, the point is to blend in with the crowd – but certain characteristics mark North Korea’s use. For one, North Korean actors are among the largest mixer users in the world, accounting for 30% of the funds that sanctioned entities tumbled in 2022, behind only the Hydra darknet marketplace. They appear more inclined toward using mixers than most other cryptocurrency thieves, as less than 20% of the proceeds of non-North Korean cryptocurrency hacks flowed through mixers in 2022. According to Elliptic, illicit North Korean funds comprised 70% of Railgun’s total receipts as of early 2023. In practice, North Korean cyber-criminals have fewer mixer options to choose from than less prolific outfits. As a general rule, the larger a mixer’s pool of assets and users, the stronger the anonymity it can provide; conversely, investigators are generally better able to trace dirty assets through a tumbling protocol with lower volume. Only a handful of platforms can accommodate tens of millions of dollars in North Korean-controlled cryptocurrency in one shot without becoming useless, and authorities can even “de-mix” transactions through certain larger platforms. North Korean launderers often add further layers of obfuscation by employing multiple mixers and bridging funds across blockchains, a practice known as chain-hopping. Of course, the end uses of North Korean virtual asset crime – supporting the regime’s nuclear weapons and ballistic missile programmes, among other purposes – distinguish it from operations whose perpetrators seek personal profit. Nonetheless, North Korea’s money-laundering methodologies largely overlap with those of other sophisticated cyber-criminals.

Government Responses

Having begun formulating AML/CTF frameworks for virtual assets in the decade prior, global regulators moved in the late 2010s to account for the emergence of mixers. The FATF, the international standard-setting organisation, updated its core recommendations in October 2018 to apply to virtual assets and virtual asset service providers (VASPs), and in June 2019 it adopted an Interpretive Note to Recommendation 15 detailing how its rules should apply to that ecosystem in practice. Accompanying guidance for implementing a risk-based approach to regulating virtual assets and VASPs expressed concern at “the rise of anonymity-enhanced cryptocurrencies (AECs), mixers and tumblers, decentralised platforms and exchanges, and other types of products and services that enable or allow for reduced transparency and increased obfuscation of financial flows”. The FATF subsequently identified mixer use as a “red flag” indicating users’ possible “intent to obscure the flow of illicit funds”. The FATF urges governments to ensure that VASPs can manage the risks associated with operating or transacting with mixers, and to ban providers that are incapable of or unwilling to do so.

US and UK regulators have established similar frameworks. The US Financial Crimes Enforcement Network (FinCEN) issued a pair of documents in May 2019 to clarify VASPs’ obligations under the Bank Secrecy Act (BSA) and to warn that “FinCEN and US law enforcement have observed unregistered entities being exploited or wittingly allowing their platforms to be utilised by criminals in the United States and abroad to further illicit activity”. The FinCEN guidance asserts explicitly that mixers fall under the purview of the BSA, building on a 2008 administrative ruling that classified anonymising services as money transmitters and on 2013 guidance concerning virtual currency use and exchange. Importantly, these determinations oblige regulable VASPs to comply with key AML policies such as the Travel Rule, which requires financial institutions to convey certain information about funds they transmit. Heeding encouragement from the FATF and calls from its own National Crime Agency to address mixers “churning criminal cash”, the British government revised its AML legislation in 2022 and implemented the Travel Rule for virtual assets in September 2023. US and UK regulators are working actively with global partners to strengthen the framework governing anonymising technologies such as mixers and to achieve more robust implementation of AML/CTF standards.

Mixers initially appeared on law enforcement authorities’ radar as facilitators for money laundering and internet crime, rather than as vectors of North Korean national security threats. In May 2019, the Dutch financial crime agency and Europol took down BestMixer, at the time one of the three largest mixing platforms, with Europol commenting that “the investigation so far into this case shows that many of the mixed cryptocurrencies on BestMixer.io had a criminal origin or destination”. Culminating an investigation launched the previous summer, the BestMixer intervention appears to have been the first such law enforcement action. In 2020, FinCEN levied a $60 million civil penalty against the primary operator of the Helix Bitcoin mixer for wilfully and systematically violating the BSA in the course of servicing more than three dozen illicit darknet marketplaces, a few months after his indictment on federal money laundering charges. In April 2021, US authorities arrested a dual Russian–Swedish national “on criminal charges related to his alleged operation of the longest-running bitcoin money laundering service on the darknet”, the Bitcoin Fog mixer, which achieved “notoriety as a go-to money laundering service for criminals seeking to hide their illicit proceeds from law enforcement”. That summer, FinCEN assessed a $100-million penalty against BitMEX, a cryptocurrency exchange and derivative trading platform, for BSA infractions that included facilitating thousands of transactions with mixers like Helix.

North Korea’s brazen string of cryptocurrency hacks in 2021 and 2022, as well as the high-profile Colonial Pipeline and JBS ransomware crises of 2021 and Russia’s full-scale invasion of Ukraine, prompted an evolution in how officials tend to view illicit mixer use, from a criminal tool to a direct national security threat. In October 2021, the White House launched the Counter Ransomware Initiative (CRI), bringing together dozens of governments to develop cyber-security and AML standards and to coordinate action against the perpetrators and facilitators of cyber-criminal extortion. The UK and Singapore have jointly spearheaded much of the CRI’s work on mixers, co-leading a working group on countering illicit finance in 2022 and the CRI’s policy arm in 2023. The US Department of the Treasury’s February 2022 National Money Laundering Risk Assessment, which includes a full sub-section on virtual assets and a sub-header therein on anonymity-enhancing technologies, names North Korean, Russian and Iranian threat actors as primary exploiters of those services, noting that “ransomware attacks … frequently stem from jurisdictions with elevated sanctions risk” and that “ransomware payments may … fund activities that harm US national security”. The Department’s April 2023 report, Illicit Finance Risk Assessment of Decentralized Finance, the most comprehensive government report on this topic at the time of writing, treats North Korean mixer use extensively, noting that “the DPRK … increasingly steals virtual assets from both centralized VASPs and DeFi services” and that North Korean cyber-criminals “are using DeFi services in the process of transferring and laundering their illicit proceeds”. The report offers in-depth suggestions for curtailing this activity by building regulatory capacity and expanding collaboration with foreign and private sector partners.

Since early 2022, global authorities have dramatically ramped up efforts to disrupt North Korean illicit mixer use and experimented with new tools for doing so. The US Office of Foreign Assets Control (OFAC) issued its first-ever designation of a mixing service in May 2022, sanctioning Blender for obfuscating tens of millions of dollars in North Korean proceeds from the Axie Infinity heist.

Asked a few months later about North Korea’s cyber activities, Anne Neuberger, US Deputy National Security Advisor for Cyber and Emerging Technology, commented, “Given that cyber is such a core driver of revenue, it’s something we must address … We’re doubling down and planning to do much more work to make it riskier, costlier, and harder for North Korea to gain funds that way”. The US government’s most prominent mixer action to date has been its August 2022 designation of Tornado Cash, which demonstrated OFAC’s ability to target platforms without a traditional centralised operating entity while also provoking much private sector ire, including well-funded legal challenges. Undeterred, US authorities revised and expanded the Tornado Cash designation and recently indicted two of the service’s alleged operators, one of whom was arrested in Washington state. Last year, international coalitions took down ChipMixer, whose servers and nearly $50 million in cryptocurrency holdings were seized by the German Federal Criminal Police, and Sinbad, which OFAC designated in November. In a noteworthy development, in October 2023 FinCEN proposed a new rule that would classify mixing as a transaction class of primary money laundering concern and impose substantial new record-keeping and reporting requirements on domestic participants. If implemented, the proposal would represent a novel exercise of the US Department of the Treasury’s authorities under Section 311 of the USA PATRIOT Act of 2001, with which it has previously targeted only individual foreign jurisdictions and financial institutions.

II. Analysis

Evaluating Interventions to Date

This chapter takes stock of the US-led campaign against virtual asset mixers through its first two years. The first portion assesses seven major interventions against platforms and considers their overall impact on North Korea’s money laundering capacity. The second portion outlines the unintended consequences that actions against mixers can trigger, and explores possible mitigations.

Viewed through the narrow lens of impact on the target platform, government interventions against mixers facilitating North Korean money laundering have achieved success. Blender shut down shortly after its designation, removing one of North Korean cyber-criminals’ favourite options for mixing Bitcoin. Indeed, Chainalysis reports that roughly 90% of the funds North Korean actors mixed in Q2 2021 passed through Blender. ChipMixer likewise ceased operations following the Germany- and US-led intervention, and Europol anticipates that the four servers and seven terabytes of data seized in the takedown will catalyse further investigations. In the more complicated case of Tornado Cash, the OFAC designation has resulted in a transaction volume decrease of over 80% as of late 2023, shrinking the platform’s pool of mixable funds and in turn significantly degrading its effectiveness at obfuscating asset movements, especially for larger-volume users. According to Chainalysis, after the designation “Tornado Cash … saw drops in inflows from virtually every category” of sender, including funds from thieves and sanctioned entities. As a portion of the total funds North Korean cyber-criminals mixed, Tornado Cash flows declined to under 25% in Q4 2022, following four consecutive quarters of these actors’ pushing essentially all their stolen cryptocurrency through Tornado Cash at some point in the laundering process, which typically involved bridging and layering with other services. Western authorities have arrested two of Tornado Cash’s three alleged “principal” co-founders and in August 2023 unsealed a remarkably detailed indictment indicating that the men deliberately sought to create a “haven for criminals to engage in large-scale money laundering and sanctions evasion”. On an individual basis, these tactics have proven potent, removing or seriously compromising platforms North Korea has relied on to launder dirty virtual assets. Considered together, they have reshaped the cryptocurrency mixer landscape.

Table 1: Notable Interventions Against Mixers

Still, in some cases governments have fallen short. Despite its reduced functionality, Tornado Cash continues to operate because it runs on smart contracts that authorities are unable to seize or shut down directly, as they could a centralised server or custodial entity. Some users, including North Korean actors, have continued engaging the platform to obscure illicit fund trails, albeit in lesser amounts. This situation reveals a major limitation on authorities’ ability to counter decentralised, smart contract-based mixers, and raises questions about whether measures against similar platforms will be effective in the future. The first action against such an entity, the Tornado Cash designation, has also suffered from a lack of clarity, which generated marketplace confusion as to the extent of the restrictions and liability for interacting, even unwittingly, with the service. These issues and the aforementioned court challenges prompted OFAC in November 2022 to de-list the platform and redesignate it under a broader justification, as well as to publish answers to market actors’ frequently asked questions.

Beyond the complexities of the Tornado Cash case, several other interventions that met the core goal of taking a malign service offline did not accomplish secondary goals such as arrests or property seizures. The operators of ChipMixer and Blender remain at large, and reports indicate that the administrator of the latter may have absconded with as much as $22 million in Bitcoin and remains involved in operating dirty mixers. While multimillion dollar virtual asset seizures impose heavy costs on criminals and may help compensate their victims, few have accounted for more than a small fraction of the total amount the illicit actors in question are known to have processed or taken in profits. These shortcomings should not take away from the altogether impressive results that government interventions have achieved against mixing platforms themselves.

Table 2: Tactical Outcomes of Notable Interventions Against Mixers

The ultimate strategic outcome of authorities’ campaign to disrupt North Korean revenue streams by pursuing dirty mixers remains to be seen, but initial indications have been somewhat discouraging. Every intervention so far has achieved degradation of the target platform, only for replacements or reincarnations to quickly absorb much of its transaction volume. A prominent blockchain investigator privately described the Tornado Cash designation, whose bite on the platform itself has been evident, as a “blip” for North Korean cyber-criminals, who adapted quickly by re-routing illicit asset flows through other service.

Elliptic reported in February 2023 that Sinbad, one of the preferred tumblers of North Korean threat actors from late 2022 until its designation last November, was very likely a relaunched version of Blender. In fact, as discussed at length in the next section, taking down a platform may prompt users to shift not just to comparable substitutes but to more powerful anonymising tools. Considering the abundant alternatives and the ease with which developers can launch a new mixer, it has become apparent that compromising individual platforms may not have an enduring effect on the mixer ecosystem’s overall capacity. It is plausible that these interventions have delayed cash-outs to North Korean actors and raised transaction costs, and authorities have managed to interdict small but non-trivial North Korean illicit fund movements. These actions have injected a degree of uncertainty into the laundering process, demonstrating that stolen funds are always vulnerable and forcing cyber-criminals to engage with platforms of unknown pedigree. Nevertheless, the campaign so far has not substantially impaired North Korea’s ability to mix cryptocurrency. With this conundrum in mind, FinCEN’s October 2023 proposal that mixing be classified as a transaction category of primary money-laundering concern is especially intriguing. Could targeting mixing transactions as a class have greater impact than going after facilitators one by one? Whether through this type of action or other means, authorities may need to broaden their approach in order to curtail North Korea’s monetisation of cyber-criminal statecraft.

Reckoning with Unintended Consequences

Unintended consequences can undermine or even reverse achievements in the fight against North Korea’s digital illicit finance. For example, intervening may require authorities to expose sensitive capabilities such as the ability to trace funds through reputedly opaque technologies or to secure cooperation from a state or platform regarded as hospitable to criminals. Revealing valuable sources and methods may prompt cyber-criminals to adapt by shifting away from compromised partners and improving operational security. In 2017, for example, US and European law enforcement took down AlphaBay, a massive darknet marketplace for illegal goods and services of all kinds. A few years later, the platform relaunched with stronger security protocols designed to prevent such disruptions, including a requirement that users transact only in the “anonymity-enhanced” Monero cryptocurrency as well as a decentralised hosting system that purports to defend against seizures and infrastructure compromises. A related drawback is that shutting down platforms that authorities have quietly infiltrated reduces visibility into malign actors’ fund movements and evolving tactics, techniques and procedures. Several blockchain analysts from firms that work with governments expressed concern in interviews that the Blender, ChipMixer and Sinbad actions, among others, had shuttered key windows into North Korean criminals’ activities, which they argued could leave authorities less well positioned to track and act against future activity.

Taking out non-compliant platforms may simply push bad actors further into the shadows of the underground, where they can be harder for law enforcement to reach. A few days after the AlphaBay intervention, administrators of BitMixer – then the most popular tumbler – shut down their platform too, citing the realisation that truly anonymising Bitcoin transactions was impossible, and encouraging illicit-minded users to switch to anonymous-by-design privacy coins instead. Blockchain analysts and government officials report significant difficulty tracking privacy coins, whose utility to North Korean actors seems to be constrained more by impermanent challenges such as low liquidity and exchangeability than by any inherent operational shortcoming. Troublingly, use by North Korean actors of privacy coins, especially Monero, and privacy-enhanced operating systems like TRON, a favourite of terrorist groups, has grown sharply in recent years. Beyond mixers, North Korean threat actors have increasingly turned for laundering solutions to technologies like privacy wallets, which enable users to participate in obfuscating procedures known as CoinJoins. As with decentralised mixers like Tornado Cash, CoinJoins involve non-custodial transactions, meaning privacy wallets are not vulnerable to disruption or seizure in the way that centralised platforms such as Blender or ChipMixer are. Providers such as Wasabi Wallet and Samourai Wallet have facilitated North Korean money laundering after major heists, such as the $281-million KuCoin exchange hack in September 2020, and strike many investigators as substantially more difficult to crack than the mixers that authorities have dismantled so far. On the whole, while shutting down a dirty mixer or rendering it ineffective may be a short-term tactical victory, the net strategic result may be to induce North Korean cyber-criminals to pivot toward more hardened protocols, exacerbating the challenge overall.

Interventions may cause detrimental second-order impacts in the broader virtual asset ecosystem. Popular mixers and illicit marketplaces can be highly profitable to run, and the unexpected shutdown of a market leader creates a tremendous incentive for other actors to offer replacement services in order to meet the unfulfilled user demand. Reviewing the effects of an important recent action, analysts at TRM Labs commented, “The vacuum left by Hydra’s takedown resulted in a veritable ‘Cambrian explosion’ in [darknet markets], with at least a dozen illicit projects having surfaced in its place”. Elliptic found in late 2022 that the Tornado Cash designation had led to an analogous situation, and identified several new or as yet relatively unknown platforms that had begun competing for suddenly available market share. In addition to Sinbad, North Korean actors have passed tens of millions of dollars of virtual assets from recent heists through Railgun, a decentralised privacy protocol that purports to serve professional investors but which FinCEN considers a mixer. Although less established services tend to have lower throughput and fewer users, limiting the privacy benefits they can provide, dispersal across multiple nascent platforms may make it harder to build a complete picture of North Korean activity. Similarly, targeted bans or punitive measures levied against specific entity categories may spur responsive innovation outside the scope of the action. This phenomenon might manifest as a negative or a positive: developers could seek to build compliant solutions or to innovate around the letter of the law just enough to avoid punishment. Other possible market effects include spooking developers into offshoring – moving to more permissive jurisdictions beyond the reach of responsible authorities – and, counterintuitively, enhancing sanctioned actors’ capabilities by raising the prices criminal facilitators can command, thereby attracting more sophisticated partners to enter the marketplace.

In an industry where relations between authorities and developers are often particularly antagonistic, aggressive measures against virtual asset platforms risk further alienating the private sector and intensifying the misalignment that undermines efforts to combat North Korean cybercrime. Since market actors drive digital financial innovation and serve as the gatekeepers of the virtual asset marketplace, building an ecosystem inhospitable to crime will depend at least as much on private sector buy-in as on government intervention. While widespread industry adoption of standards such as Know Your Customer would go a long way towards curbing malign activity, sustained apathy or resistance to cyber security and compliance will only worsen endemic cybercrime. In other words, whatever an enforcement action’s short-term outcome, the private sector’s response may shape much of its net effect in the long run. Accordingly, while authorities must react firmly to threats and misconduct, officials should be mindful of how industry is likely to perceive their actions, and seek to shrink the gulf between the public and private sectors. Moreover, the fact that most mixer users are not criminals means that interventions inflict collateral damage on law abiding customers. Just as they do for criminals, enforcement actions may restrict ordinary users’ access to mixers, reduce their efficacy, or raise the cost of using them. Chainalysis has determined that, since early 2022, the proportion of mixed funds originating from illicit sources has grown, which may increase the risk to non-criminal users of violating sanctions or of having their assets caught in a seizure. Regrettably, until platforms with the will and capacity to perform sufficient compliance emerge – some do appear to be in development or in preliminary stages of deployment – infringement on ordinary users will likely remain a necessary cost of fighting North Korean cybercrime. As is practicable, authorities should seek to minimise these impacts and mitigate their actions’ negative unintended consequences overall.

Conversely, authorities should seek to encourage favourable knock-on effects. Actions designed to target North Korea may impose costs on other malign actors, including some outside the traditional cyber-criminal set. Financially motivated North Korean groups interact regularly with other elements of the global digital underground to purchase malware kits and network accesses, arrange digital infrastructure and cash-outs, and exchange technical know-how. In the course of their operations, threat actors across borders rely on an overlapping suite of tools and platforms, of which mixers are just one prominent example. According to the US Department of the Treasury, “OFAC’s investigation also identified Blender’s facilitation of money-laundering for, among others, Russian-linked malign ransomware groups including Trickbot, Conti, Ryuk, Sodinokibi, and Gandcrab”. Blender likewise processed funds from the massive Russian-language Hydra marketplace, which authorities took down a month before the US Department of the Treasury designated Blender. Criminal filings against ChipMixer describe it as “one of the most popular mixing services used by ransomware operators”, darknet markets, and even Russia’s GRU (Main Intelligence Directorate), whose operators used mixed Bitcoin to surreptitiously purchase infrastructure for hosting malware. Prominent dirty mixers and the North Korean actors who engage heavily with them share additional nexuses with illegal weapons and narcotics distributors, counterfeiters, purveyors of exploitative sexual material, and countless other criminal enterprises whose architects have gravitated toward virtual assets and digital privacy technology. These groups’ convergence of interests and tradecraft creates an opportunity for authorities to strike at multiple malign actor sets simultaneously.

III. Recommendations

This paper offers 14 recommendations for policymakers, national security practitioners, regulatory agencies and law enforcement working to counter North Korean cyber-criminals’ abuse of mixing services. The recommendations fall into three interrelated categories: broadening the approach to countering mixer exploitation through unconventional partnerships and new conceptual frameworks; building stronger cooperative relations with the private sector; and raising global cyber security and AML/CTF standards.

Broadening the Approach to Countering North Korean Mixer Exploitation

1. Institutions responsible for countering malign cyber operations should reduce barriers between teams focused on state-level and criminal threats, as well as strengthen collaboration between nation-state-specific teams.

A core theme of this paper is that the lines between state and criminal activities in cyberspace and between disparate threat actor sets have become increasingly blurred. Government agencies around the world have often struggled to keep pace with these cross-cutting threats; former practitioners report burdensome delays in interagency processes, difficulty sharing information across institutions and inefficient allocations of scarce technical resources. Authorities should adjust to these trends by promoting further integration between teams responsible for state Advanced Persistent Threats, ransomware groups, virtual asset exploitation and traditional e-crime. Doing so would empower practitioners to more effectively identify and respond to overlapping threats, such as collaboration between North Korean and Russian-speaking cyber-criminal groups, as well as to capitalise on opportunities to achieve multiple victories in one fell swoop.

The US Justice Department has taken laudable steps to de-silo its approach to cyber-criminal threats, having recently merged the National Cryptocurrency Enforcement Team into the Computer Crime and Intellectual Property Section and established the National Security Cyber Section (“NatSec Cyber”), which seeks to promote “Department-wide and intragovernmental partnerships in tackling increasingly sophisticated and aggressive cyber threats by hostile nation-state adversaries”. It could be beneficial for national financial, cyber security and regulatory authorities, as well as international partnerships countering malign cyber activity, to consider forming analogous ad hoc task forces with wider mandates and more adaptable capabilities.

2. Practitioners should incorporate a robust analysis of potential unintended consequences as a standard element when planning any mixer intervention.

Practitioners would benefit from adopting an expanded standard assessment of the potential second- and third-order effects of a proposed mixer action. Practitioners might consider:

• Whether the target platform can be easily relaunched or reconstituted elsewhere.

• The operational security adaptations the action is likely to trigger among cyber-criminals.

• The replaceability of the service being targeted.

• The likely alternatives cyber-criminals will adopt, and those platforms’ vulnerability to surveillance and disruption.

• The extent to which the action’s success depends on industry cooperation, and the likelihood that market actors will cooperate.

• The action’s probable effects on legitimate financial technology innovation.

• Collateral damage to non-criminal virtual asset holders.

3. When taking action against mixers, authorities should seek out opportunities to make arrests, seize assets and operational infrastructure and instigate favourable knock-on effects, with an eye toward achieving enduring impact on malign actor groups.

Actions against non-compliant mixers that remove key personnel and their resources from the field are more likely to have staying power. As the Blender and Sinbad cases reveal, motivated cyber-criminals can circumvent designations and takedowns rather nimbly. With arrests and infrastructure seizures, not to mention financial asset confiscation, authorities prevent threat actors from re-engaging in malign activity as easily and may glean useful intelligence. Targeting platforms and facilitators that service multiple malign actor sets can boost the return on investment of a single action.

4. Policymakers and law enforcement should invest in better understanding developments in the virtual asset space and their implications for national security.

Building on the Illicit Finance Risk Assessment of Decentralized Finance, the US Department of the Treasury should launch a standing Virtual Asset Risk Board modelled on the Emerging Technology Board the US Department of Justice envisioned in its 2022 Comprehensive Cyber Review. Such a board should meet regularly and produce biannual reports analysing the economic and national security implications of developments in the virtual asset space. UK bodies such as HM Treasury and the Financial Conduct Authority should explore establishing a similar organ with a particular focus on the robust domestic virtual asset industry.

As discussed below, offices charged with countering North Korean digital illicit finance, such as OFAC and FinCEN in the US, and the Office of Financial Sanctions Implementation (OFSI) in the UK, should increase engagement with the private sector, which is naturally better positioned to track the cutting edge of advances in virtual assets and DeFi. Tapping more deeply into the expertise of investors and developers would usefully complement national security practitioners’ points of view.

Building Stronger Cooperative Relations with the Private Sector

5. Regulators and financial authorities such as the US Department of the Treasury and HM Treasury should nurture the development of compliant virtual asset privacy solutions.

Officials should encourage the private sector to bring to market new platforms that can offer enhanced privacy for cryptocurrency holders without blindly enabling money laundering. Providing clear guidance on what is or is not permissible, as well as meeting with investors and developers, would reassure upstanding market actors who otherwise might not risk their energy and capital on projects they fear will not be approved or, worse, could lead to their arrest or designation.

The widespread availability of compliant solutions would further mark the use of non-compliant platforms as an AML/CTF red flag and likely reduce the fund volume travelling through them, making it more difficult for bad actors to disappear in the crowd.

6. Authorities with mandates to intervene against virtual asset platforms, especially OFAC, FinCEN and the US Justice Department, should more clearly delineate the behaviours that will prompt enforcement action.

Justified or not, many virtual asset industry stakeholders, including some former senior government officials who now work in the private sector, have perceived US authorities’ enforcement approach as capricious and heavy handed. For the enforcement “deterrent” to work, authorities must make clear what malfeasance or inaction constitutes punishable bad behaviour – as distinct from the lesser legal and regulatory shortcomings that seem usually not to result in serious penalties in this burgeoning industry – as well as show that genuine good faith effort to avoid such bad behaviours will be rewarded with greater patience and leniency. While this issue appears most pronounced in the US, the lesson is applicable to all jurisdictions.

7. Regulators and national security practitioners should tailor their communications to the virtual asset industry on North Korean cybercrime by reframing the issue in economic terms.

When encouraging market actors to comply with regulations and cooperate with law enforcement, authorities should frame North Korean digital illicit finance as a threat to the survival and prosperity of the virtual asset ecosystem, rather than as a “national security” issue, or a matter of right and wrong. Those kinds of appeals may ring hollow or simply not register, especially to users and developers based outside the relevant authority’s jurisdiction and to those who view government as an adversary. Emphasising that compliance and transparency benefit market actors’ economic interests is likely to yield more enthusiastic cooperation.

8. As is practicable, governments should channel messaging to the virtual asset private sector through prominent senior officials, rather than practitioners.

Authorities should issue more communications on North Korean cybercrime through high-level officials. Participants in the virtual asset industry are more likely to encounter and appreciate the gravity of these kinds of statements when they come directly from principals and senior deputies in speeches or media engagements than when they come from more obscure, technical or impersonal routes, such as the official channels of national security organs.

9. Regulators and national security practitioners should institutionalise dialogue with the virtual asset industry and adapt to market actors’ preferred communication channels.

In the spirit of expanding efforts to meet with legitimate virtual asset investors and developers, bodies such as OFAC, OFSI, the US Securities and Exchange Commission and the Financial Conduct Authority should send more officials to speak at virtual asset conferences and appear on podcasts and livestreams – influential platforms that rarely feature government perspectives. The public engagement strategies developed at the US Cybersecurity and Infrastructure Security Agency and the Office of the National Cyber Director, whose top leaders regularly headline both industry and grassroots events, could serve as a model. Authorities should also increase efforts to host industry stakeholders in government facilities, particularly those who are actively seeking to create compliant anonymity-enhancing platforms.

Raising Global Cyber Security and AML/CTF Standards

10. Regulators and cyber security officials should work with the private sector to establish an Information Sharing and Analysis Center (ISAC) for the virtual asset industry.

Cyber security officials should engage private sector stakeholders as well as the architects of successful ISACs, such as those serving traditional finance and the North American electric grid, to help conceptualise and implement one for the virtual asset industry. To help assuage market actors’ concerns about revealing potentially sensitive customer information, officials should inform would-be ISAC participants of their special rights and liability protections under the law. Accomplishing the creation of such a body – which experts have suggested – will require champions in both government and the private sector.

11. Financial authorities should continue efforts to build global AML/CTF capacity and advance implementation of FATF standards, and political leaders should renew their support, especially for the virtual asset Travel Rule.

Recognising that cyber-criminals and money launderers frequently exploit gaps in financial regulatory regimes, increasing global AML capacity and patching loopholes remains a fundamental component of any strategy for countering North Korean malign activity. Without the resources, technical expertise and will to perform monitoring and enforcement, even the most robust regulatory frameworks are toothless.

According to the FATF’s latest implementation report, “jurisdictions are making limited progress implementing the FATF’s requirements on [virtual assets] and VASPs”, and “many jurisdictions seemingly do not know where to start when it comes to regulating the [virtual asset] sector for AML/CFT”. Of the 98 jurisdictions the FATF assessed in mid-2023, just 25 are largely or fully compliant. With respect to the FATF’s virtual asset Travel Rule, only 62 jurisdictions have adopted or are in the process of adopting the policy, while 127 appear to have taken no action towards implementation. Actual enforcement of the Travel Rule is presumably even less common.

Several RUSI projects have highlighted opportunities for tightening regulations and building capacity.

12. The FATF and the governments spearheading the campaign against North Korean digital illicit finance should explore ways to expand lower income countries’ access to cyber security and blockchain analysis tools.

North Korean cyber-criminals and money launderers often take advantage of countries that struggle to prevent illicit financial activity and cyber intrusions within their borders. Governments leading the charge against North Korean malign activity should seek to expand global access to the technical training and advanced software packages required to track illicit virtual asset flows and to protect computer networks. They should consider purchasing or subsidising those services for countries that cannot afford them at the required scale, in addition to encouraging firms to provide their services at reduced cost. Authorities should also conduct more capacity-building exchanges and expand partnerships with the private sector to train more international practitioners.

13. Regulators and cyber security authorities should encourage or require market actors to adopt industry-standard security practices, especially code audits.

In 2022 alone, TRM Labs documented more than 100 major cases of cryptocurrency theft involving code exploits, which take advantage of vulnerabilities in a virtual asset platform’s architecture, or protocol attacks, which “target weaknesses in the underlying protocol or business logic of a cryptocurrency system”. The Wormhole and Qubit hacks, which led respectively to $325 million and $80 million in losses, are two recent examples of these kinds of compromises. Authorities should strongly encourage, and consider requiring, virtual asset firms to invest in robust cyber security practices, offer “bug bounties”, and engage third parties to perform thorough code audits before bringing a protocol to market.

14. Authorities should establish resource centres covering security and compliance best practices, incident response procedures and other important information for virtual asset developers.

At present, far less official guidance is available to entrepreneurs looking to start a virtual asset business than to those in better established industries. Publishing basic resources that emphasise security and compliance in the virtual asset industry could go a long way towards raising standards. In addition, providing incident response templates – particularly instructions on who to contact in the event of an intrusion, which many local police teams are not equipped to handle – would encourage more victims to engage with authorities and enable swifter reactions.

Further Research

As governments devote growing attention to virtual asset crime, a number of critical topics remain understudied. One blind spot involves early-stage technologies that have not yet received much scrutiny. Under the current paradigm, in which market actors function as the primary drivers of innovation, authorities are stuck playing catch-up as potentially risky platforms and practices come rapidly into being. Further, most of the detailed, up-to-date commentary on developments in virtual assets is aimed at prospective users or investors, rather than at legislators, regulators, law enforcement officers or national security practitioners. Of the security-focused research in this area, some of which has been quite impactful, nearly all projects look retrospectively at events from months or years prior. Given the pace of development in this space, officials would benefit greatly from a more proactive approach on the part of researchers. What new virtual asset technologies and platforms are emerging, and what are their implications for AML/CTF and national security? It would be especially valuable to assess the privacy-enhancing services that have appeared since the Blender and Tornado Cash designations in 2022, such as Privacy Pools, and whether they may help resolve the privacy/security dilemma. Researchers can also contribute by helping translate into policy terms the complexity of important new technologies and practices, which can require specialised knowledge to understand fully. These efforts help create a window into the rather insular virtual asset developer community, building the familiarity of officials and informing their decision-making.

The murky legal picture surrounding virtual asset technology is another area in need of additional research. Scholars and practitioners studying international security, cybercrime and digital finance often have no formal training in law and may be insufficiently prepared to evaluate the field’s novel legal questions. In many cases, there exists no legal basis for classifying these technologies, let alone taking action to address them in real-world contexts. Indeed, several former senior US Department of Justice and Treasury officials expressed concern that new technologies and practices could seek to exploit legal grey areas, such as outdated definitions of financial institutions and legal persons subject to sanctions, or to operate beyond the current scope of government authority. Are OFAC and OFSI, law enforcement, regulators and other relevant agencies properly equipped to handle virtual asset technologies that may pose security or money-laundering risks? Do they, or will they, require new legal authorities in order to continue fulfilling their mandates? In light of FinCEN’s recent proposal to increase scrutiny of mixers under its USA PATRIOT Act powers, do governments possess capabilities for virtual asset AML/CTF that have gone undiscovered or underused? Moreover, what standards should guide officials who are navigating dual imperatives to counter urgent national security threats without infringing excessively on legitimate expression and privacy interests? These questions demand thoughtful, evidence-based answers to supplement the cacophony of op eds, lawsuits and social media posts that have so far made up much of the public discourse, which has often been dominated by participants with vested interests in resolving the debate one way or another. RUSI and other outlets have offered valuable initial efforts, but more research is sorely needed.

Conclusion

Having stolen more than half a billion dollars from the virtual asset ecosystem in 2023, North Korean cyber-criminals represent a serious ongoing threat to global security. Mixing platforms such as Tornado Cash, Blender, ChipMixer and Sinbad have played a critical role in North Korean actors’ laundering of illicit cryptocurrency, enabling them to funnel ill-gotten gains into the Kim regime’s nuclear weapons and ballistic missile programmes. Although ordinary thieves and scammers are ubiquitous in the virtual asset space, North Korean cybercrime is distinguished by its sheer scale and ultimate beneficiaries. The industry’s indefatigable pace of innovation, along with the complex entanglement of malign actors and legitimate users, has only served to compound the problem facing authorities.

Since early 2022, governments have redoubled efforts to curtail these dangerous practices, intervening directly against non-compliant mixers through takedowns and designations, whilst investing in the teams responsible for countering virtual asset crime. Taking stock of the past two years of aggressive action, authorities should be heartened by their impressive victories against individual dirty platforms, but concerned about North Korean cyber-criminals’ adaptiveness, not to mention unanticipated second-order effects in the dynamic virtual asset marketplace. Moving forward, governments should seek to broaden their approach to countering North Korean digital illicit finance through unconventional partnerships and new conceptual frameworks to cultivate stronger cooperation with the private sector and to raise global cyber security and AML standards.

Alex O’Neill is a national security researcher who studies emerging technology, cyber threats and illicit finance. His current work focuses on North Korea’s financially motivated cyber operations and ties to the Russian-speaking cybercriminal ecosystem. Until 2023, Alex was an Associate at the Harvard Kennedy School’s Belfer Center for Science and International Affairs as well as Coordinator of the Belfer Center’s Korea Project, where he co-founded and led the North Korea Cyber Working Group for three years.