Darknet Diaries - 119: Hot Wallets
Episode Date: June 14, 2022
In this episode we interview journalist Geoff White to discuss some of the recent cryptocurrency heists that have been happening. Geoff has been tracking a certain group of thieves for some time and shares his knowledge of what he's found.
Much of what we talk about in this episode has been published in Geoff's new book The Lazarus Heist: From Hollywood to High Finance: Inside North Korea's Global Cyber War (https://amzn.to/3mKf1qB).
Sponsors
Support for this show comes from Axonius. Securing assets, whether managed, unmanaged, ephemeral, or in the cloud, is a tricky task. The Axonius Cybersecurity Asset Management Platform correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action. Axonius gives IT and security teams the confidence to control complexity by mitigating threats, navigating risk, decreasing incidents, and informing business-level strategy, all while eliminating manual, repetitive tasks. axonius.com/darknet
Support for this show comes from Thinkst Canary. Their canaries attract malicious actors in your network and then send you an alert if someone tries to access them. Great early warning system for knowing when someone is snooping around where they shouldn't be. Check them out at https://canary.tools.
Transcript
Ocean's Eleven was a cool movie.
An elaborately planned casino heist
where the thieves were trying to steal millions of dollars in cash
by bypassing all kinds of physical security and tricking the guards.
It was a thrill to watch.
But I wonder if the great heist films are coming to an end.
Because the largest robberies are all done over computers now.
And it's just not visually stimulating to watch someone sit at a computer
pushing buttons, transferring money from one account to another.
But even if it was, does it sound interesting if Fast and the Furious 27
was all about who could pull off the best NFT scam?
Or what if Reservoir Dogs was remade and instead of stealing jewelry,
they tried to steal the private key to someone's Dogecoin wallet?
Reservoir Doge.
But what if there was lock stock and two smoking ICO scams?
I don't know.
Maybe this is the future of heist films.
Because art imitates life.
And cryptocurrency heists are where the biggest thieves are playing today.
These are true stories from the dark side of the internet.
I'm Jack Rhysider.
This is Darknet Diaries. This episode is sponsored by Delete Me.
I know a bit too much about how scam callers work.
They'll use anything they can find about you online to try to get at your money.
And our personal information is all over the place online.
Phone numbers, addresses, family members, where you work, what kind of car you drive.
It's endless.
And it's not a fair fight.
But I realize I don't need to be fighting this alone anymore.
Now I use the help of Delete.me.
Delete.me is a subscription service that finds and removes personal information from hundreds of data brokers' websites and continuously works to keep it off. Data brokers hate them
because Delete.me makes sure your personal profile is no longer theirs to sell. I tried it and they
immediately got busy scouring the internet for my name and gave me reports on what they found.
And then they got busy deleting things. It was great to have someone on my team when it comes
to my privacy. Take control
of your data and keep your private life private by signing up for Delete Me. Now at a special
discount for Darknet Diaries listeners. Today, get 20% off your Delete Me plan when you go to
joindeleteme.com slash darknetdiaries and use promo code darknet at checkout. The only way to get 20%
off is to go to joindeleteme.com slash darknetdiaries and enter code darknet at checkout.
That's joindeleteme.com slash darknetdiaries and use code darknet.
Support for this show comes from Black Hills Information Security.
This is a company that does penetration testing, incident response, and active monitoring
to help keep businesses secure.
I know a few people who work over there,
and I can vouch they do very good work.
If you want to improve the security of your organization,
give them a call.
I'm sure they can help.
But the founder of the company, John Strand, is a teacher,
and he's made it a mission
to make Black Hills Information Security
world-class in security training.
You can learn things like penetration testing, securing the cloud, breaching the cloud, digital forensics, and so much more.
But get this, the whole thing is pay what you can.
Black Hills believes that great intro security classes do not need to be expensive,
and they are trying to break down barriers to get more people into the security field.
And if you decide to pay over $195, you get six months access to the MetaCTF Cyber Range,
which is great for practicing your skills and showing them off to potential employers.
Head on over to BlackHillsInfosec.com to learn more about what services they offer
and find links to their webcasts to get some world-class training.
That's BlackHillsInfosec.com.
All right, so who are you and what do you do?
So I'm Geoff White, and I'm an author and investigative journalist.
Geoff is a fantastic investigative journalist doing a lot of work for the BBC,
and he's been tracking a particular story for a while now, and I'm fascinated with it.
So I wanted to bring him in here to talk about what he's been looking into.
The story starts with NiceHash.
NiceHash is a cryptocurrency business.
I've actually used this service before.
It's a Bitcoin mining pool,
and it's based out of Slovenia.
Mining Bitcoin by yourself, it's hard to get any rewards, but if you pool your resources with other miners, you get a much bigger chance of making some money from it.
So with NiceHash, all these Bitcoin miners pool their resources together to make more money from
mining. And the service was one of the most popular Bitcoin mining pools in 2017, which means
it made a lot of money. And it would just keep a small fee and then issue the payouts to all the
miners. So it's December 4th, 2017. Employees at NiceHash start to get phishing emails sent to them,
which is the classic way in, of course. And around this time, lots of phishing emails were targeting
lots of people at lots of cryptocurrency businesses.
And sooner or later, because it's a numbers game, it seems somebody at NiceHash inadvertently clicked on the email, opened the link, opened the attachment, got themselves infected.
The attackers used the malware to get into the employee's computer.
And from there, they burrowed their way deeper into the NiceHash network, pivoting and escalating their privileges.
And this particular attacker was looking for a very specific thing.
NiceHash's Bitcoin wallet private keys.
If they could manage to get their hands on the private key, they could empty NiceHash's wallet entirely.
And maybe some of the customers' wallets too. Because when
NiceHash paid out the people in the mining pool, some people just kept their money at NiceHash,
accumulating Bitcoin, but not cashing it out. And there were a lot of users who were not cashing
out their Bitcoin that they earned. Maybe they'd come in once a month and transfer their coins out
of there. But this attacker got into NiceHash's systems
and found where the private keys were for the Bitcoin wallets
and just drained everything they could out of it,
stealing a lot of money from NiceHash.
Do we know how much they took?
Yes and no, which sounds like a peculiar answer to give.
We know that at the point it was hacked, this was in December 2017,
they transferred out Bitcoin worth about $75 million.
So the reason I'm saying no, we don't know how much it was worth,
was because at this time, you'll remember,
Bitcoin's value was swinging absolutely massively.
So this was the year when it was peaking, I think, at about $20,000 per Bitcoin.
So at the time of the hack, it was about $75 million. Subsequently, it might have been less,
but in the intervening years, it will have been more. All we can do is a snapshot of time at the time, $75 million.
$75 million in Bitcoin stolen. Gone just like that. That's a lot of money. I mean, that's bigger than any bank robbery ever in the US.
Largest theft in the history of Slovenia,
according to somebody who worked for NiceHash at the time.
So certainly in Slovenian terms, an absolute mega haul.
And the thing about cryptocurrency is once it's stolen, it's gone.
There's no way to reverse the charge or call the bank and say,
hey, this was stolen.
Please freeze the account that stole it.
No.
Bitcoin is a type of currency that's decentralized,
meaning there's no central controlling entity
or place or person that you can call for help.
So NiceHash starts investigating.
They're obviously trying to trace down the money.
Obviously, NiceHash is full of very clever people
who do cryptocurrency all the time. So part of their effort is to try and trace where the cryptocurrency
is going, to try and keep track of it. And as a lot of your listeners will be very familiar with,
there's now a game of cat and mouse. So the hackers start to move the transactions through,
move the money through, through different cryptocurrency wallets, possibly into different
types of cryptocurrencies, so swapping it from Bitcoin into other cryptocurrencies.
And the investigators at NiceHash initially are pursuing it
and trying to keep track of it
and trying to keep track of where this money goes,
which gets increasingly more complicated
the more efforts the hackers make to move it around.
Sooner or later, this crosses the radar, it seems,
of US investigators, almost certainly the FBI,
who get involved and start trying to do that tracing effort as well,
because pretty soon the US government and the FBI
have a sense of who's behind this hack
and how serious it might actually be.
Do you have any understanding of why the FBI
would be investigating a Slovenia company?
Yes, the FBI are constantly on the lookout for leads on
investigations that they're running. So the FBI have for a long period of time been tracking
various sort of cybercrime gangs. And they're quite canny across the world whenever there's a
computer hack, particularly if it's a cryptocurrency exchange attack, and the FBI have been tracking
a cryptocurrency exchange gang, they will start to look at that and think,
hang on, does this have any of the indicators, if any of the likely fingerprints connecting it to
an investigation we're already running? And we've seen this before in the case of the attack on
Sony Pictures Entertainment back in 2015. Subsequent to that, another attack by the same
gang on Bangladesh Bank, the central bank of Bangladesh.
The FBI start looking at that and thinking, hang on, we're seeing some commonality. So the FBI are
constantly scanning around the world, aware that the hackers that they're chasing can be operating in
almost any country around the world, and trying to connect the dots between fresh attacks, fresh
cyber attacks, and ones that the FBI has already got on its radar, to see if it can lump in that attack with another attack
and potentially charge the same gang with both.
And so with this, and now the FBI is investigating,
did they ever discover who stole this 75 million?
Well, according to the FBI, this was the work of the Lazarus Group,
who are believed to be working on behalf of the North Korean government.
This is North Korean state hackers who are going around the world and in a lot of cases trying to get their hands on as much cash, as much foreign currency, certainly, as possible.
So they can transfer it back either to North Korea directly or for the use of North Korea in other foreign countries.
So these are the kind of jigsaw pieces that the FBI is starting to put together.
Oh, whoa.
This is somehow surprising and not surprising at the same time.
It's surprising that a nation-state actor, a government organization,
would be in the business of cybercrime.
But it's not surprising because the North Korean government is just weird.
I mean, they're really, really weird.
But this is also surprising because this is the first time North Korea has ever stolen cryptocurrency before.
And specifically, they broke in and stole Bitcoin from a company in Slovenia.
Where the heck did they learn how to do this from?
They'd been experimenting with cryptocurrency.
So you've got to think back
slightly earlier than this attack. This is December 2017. May 2017, of course, was the
WannaCry cyber attack, the ransomware attack that hit multiple countries around the world,
hundreds of thousands of devices infected and so on. Classic ransomware attack, but spread
through this incredible sort of auto-spreading
and auto-detonating technology. And what's interesting about that from a cryptocurrency
point of view, because the WannaCry attack was also attributed to Lazarus Group, was that in
the wake of the WannaCry attack, there was obviously this question around how the ransom
payments, which were obviously in cryptocurrency, in Bitcoin in this case, how those ransomware
payments would be sort of gathered together and distributed and laundered.
They didn't make a huge amount of money out of WannaCry. I think they barely, at the time,
I think it barely topped a million dollars, which is sort of almost laughable among ransomware gangs'
profit margins. But the interesting thing about WannaCry was the efforts that the hackers made
to launder the money.
You could see, because obviously cryptocurrency transactions are transparent and available on the blockchain,
you could see in the months after WannaCry, the money being moved around,
moved through different wallets, tumbled, as the terminology says, into different wallets,
and eventually disappearing into one cryptocurrency exchange, never to be seen, or at least never to be traced again.
So you're right, North Korea hadn't really done a huge amount of cryptocurrency theft,
bare cryptocurrency theft, but they definitely experimented with moving cryptocurrency around
and laundering it. And in hindsight, maybe the WannaCry cyber attack, part of the motivation
was to get the hang of, if indeed it was North Korea behind it, getting the hang of laundering cryptocurrency
so that they could then go on to do hacks
like the one on NiceHash in December.
Oh boy, this does not bode well.
If North Korea learned how to launder Bitcoin from WannaCry
and they're already equipped to carry out hacking campaigns
and they use these offensive techniques
to get in and steal $75 million from NiceHash,
this win for them could mean North Korea
is going to go full throttle
and start attacking all cryptocurrency companies
looking for big licks.
Because North Korea has been robbing banks
for years at this point.
In fact, Geoff came on the show before
to tell us about the
time when North Korea robbed the Bangladesh Bank. That's episode 72. But when you rob a bank,
it's a lot harder to launder the money versus when you steal some crypto. Crypto is private
and anonymous by design. It's much easier to move the crypto around and hide behind the wallets.
Like for instance, if this money was stolen from a bank, there would be an immediate sense of urgency to get that money out.
It might have been transferred to another bank,
and then they'd have to deploy a whole network of money mules
to try to quickly cash out all the money they stole.
But when you steal Bitcoin, there's no sense of urgency.
You can just let it sit there until you're ready to cash it out.
Nobody can touch it or freeze it on you.
And the scary thing is that North Korea
needs money badly and isn't afraid to commit heists and robberies to just steal as much as
they can. So as they learned about crypto, this must have been seen as a great opportunity for
them. Absolutely. Yes. The trajectory really of the North Korean
Lazarus Group, according to both US investigators and the United Nations who keep an eye on North
Korea and its activities, the direction of travel for its hackers, I think really has been
cryptocurrency. In the years following the NiceHash attack and the WannaCry ransomware attack,
there was just this sort of proliferation of loads and loads of different tactics
of targeting people and loads and loads of different methodologies for doing it.
Many crypto companies reported they received phishing attacks since 2018 onward that seemed
to be coming from the Lazarus Group. These are almost always emails that employees would receive
to try to trick the employee to read the email, download the attachment, and open it.
And these phishing emails weren't some spray-and-pray kind of attack where they're sending out millions of emails a day.
No, these phishing emails were often very well-crafted
to target a specific person at a specific company.
And they were well-designed.
One of these phishing emails targeted an employee
who worked at a crypto company.
And what the attackers did was they looked on LinkedIn to see who worked at that company
and found an employee that they think would have access to what they wanted
and would be susceptible to a phishing attack.
So they crafted an email which was trying to recruit that person to come work at a different company.
That just looked like the dream job, just absolute dream job.
All the things you want, loads of money.
Unfortunately, of course, the dream job doesn't exist.
It's been made up by the computer hackers to appeal to exactly this individual because
they've managed to research that person on LinkedIn and said, oh, they work for this
company, work for that company, they'd probably be interested in this job.
So the employee thinks, well, I'll open this job ad and see what happens and what
it looks like. He read the email and was curious to learn more, said there was more information
in the attached document. He was interested and downloaded the attachment. It was a Word doc.
And when he opened the Word doc, a pop-up showed up, which said, this document is protected by GDPR regulations.
Please click to accept the GDPR terms.
Well, as you can imagine, this button had nothing to do with GDPR.
And when he clicked OK is when the Word doc executed a script
which infected that employee's machine.
And with that, the North Korean hackers were in his computer
hunting for the crypto wallets that that company controlled.
And I find this fascinating because time and time again,
I've heard penetration testers do this exact same thing.
They want to target a company, so they go to LinkedIn,
find some people to target, and craft some phishing emails,
and they get into the company that way.
Social media just makes this kind of attack so much easier.
The thing is, we don't know how many crypto companies were robbed by North Korea. Companies
feel embarrassed when they get hacked like this. They'd lose customers if they publicly announced
they've been hacked. So even when a company reports this to the authorities, those companies
can still remain nameless. But what we do know is that North Korea has steadily and persistently
attacked and stole cryptocurrency from companies for years.
So yes, you start off with, you know, 75 million or thereabouts at NiceHash.
And this sort of develops and gets bigger and bigger.
At one stage, the FBI are talking about the stealing of $230 million. This is from an
unnamed cryptocurrency exchange. Absolutely astonishing amount of money. $230 million
stolen from one exchange? Unbelievable. And with little to no punishment, of course,
North Korea is going to continue on this robbery spree. Who's going to stop them? Well, the FBI investigated this $230 million heist
and tried to figure out who cashed this money out.
And obviously one of the things you can do
when somebody steals cryptocurrency
is you can trace it
because cryptocurrency transactions
are recorded on the blockchain
and anybody can go to the blockchain
and look at where they go.
And this is the game now.
Investigators, law enforcement, and private companies are constantly on the case when these hacks happen,
trying to work out where the money goes. And what they're hoping is they can chase it to somewhere
that's legitimate, or at least they can chase the money into a cryptocurrency exchange that will
answer the phone to law enforcement. So law enforcement see these transactions through the
blockchain. They go, aha, they're now putting it into this cryptocurrency exchange. We've got a number for
them. Let's give them a bell and see if we can get them to stop the money. Now, obviously,
not all cryptocurrency exchanges are going to do that. But some of them, quite a lot of them,
actually, do want to answer the phone to law enforcement. They don't want to be part of
criminality. So you can call them up. And they managed to trace the money to a particular cryptocurrency exchange. And what was
good about this exchange was they'd implemented what are called know-your-customer controls.
So this is, you'll have been through it. I'm sure lots of your listeners have been through it. You
try and set up a bank account, they want you to hand over ID. Increasingly with cryptocurrency
exchanges, the legitimate ones, they're doing the same thing. You know, if you set up an account at one of these places, you'll probably have had to send your ID,
your passport or whatever. And so one of the exchanges into which this $230 million of stolen
cryptocurrency vanishes is one of these legitimate exchanges that asks for ID for customers.
So the FBI think, right, we can phone these guys up, this cryptocurrency exchange, and we can ask
for the ID for the customers that set up the accounts that the stolen money went into.
That's a pretty good, you know, that's going to be a good lead. So sure enough, they do,
they make contact with the exchange and say, look, here's the accounts, please give us the IDs
of the people who set up these accounts. And the cryptocurrency exchange obliges and sends the FBI a screen grab,
an image of the ID of the person who set this thing up. And what the cryptocurrency exchange
has is a photo, a webcam photo, someone sitting in a chair, you know, he's got coiffed hair,
he's holding up a South Korean driver's license, I think it was, he's wearing a little white t-shirt.
And so, and the driver's license has got this guy's name and his address and his ID and everything on it. So I imagine the FBI at this
point are thinking, great, this seems to be the guy who's helping launder the stolen $230 million.
But there's a bit of a snag because there's two accounts that are being used. And the FBI has
asked for the IDs for both of the account holders.
So the first ID comes, it's a South Korean guy
holding up a South Korean driver's license, badaboo.
Second picture arrives for the second account holder,
and this time it's a German guy,
and he's holding up a different type of ID,
and he's got a bald head, and it looks completely different.
But then as you compare the two photographs,
which the FBI must have done,
things start to look a bit skewy
because they're both wearing the same T-shirt.
That's weird. That's a coincidence.
And then their fingers are in exactly the same positions
around the ID,
and they're sort of sitting in exactly the same chair.
And as you look closer, you realize
the pictures have just been Photoshopped or at least manipulated somehow. They've basically taken the heads off the two different pictures
and put them onto the IDs. It's basically a picture that's been ripped off the internet.
And the hackers have effectively faked the pictures on the ID, faked the pictures on the
photograph, convinced the cryptocurrency exchange these are real people who want to set up an
account, use that to set up the account and wash the 230 million through it.
So the FBI's dream of knocking down the door with these two chaps
with their IDs on display vanished into thin air, unfortunately.
Oh, interesting.
They've got fake IDs and have figured out how to cash out their stolen money
without getting caught.
And you might wonder, hey, there are banks in North Korea, right?
Why isn't there a
crypto exchange in North Korea where the Lazarus Group can just send their Bitcoin there and cash
it out without having to use any fake IDs? Well, for a few reasons. First, it would be obvious if
you saw the stolen Bitcoin wallet go to an exchange in North Korea that it's going to be the North
Koreans who did this. And North Korea doesn't want to take credit for any of this. They are already in trouble and getting sanctioned and just don't want to make things worse.
So they always deny that they had anything to do with these heists. But second, we're talking
$230 million cash outs here. It kind of breaks my brain to think this through, but where would
a North Korean crypto exchange get $230 million to give to someone who wants to cash that much out?
They would have to have that kind of cash on hand to pay it out.
And it's not like you can just start an exchange and only do payouts.
The reason why exchanges work is because the exchange has enough people buying crypto with the cash,
and they can pay out what's needed.
Like I said, that kind of breaks my brain to fully understand that.
But suffice to say, there's no crypto exchange in North Korea. So they have to use exchanges in
other countries to get their money out. And they don't actually cash it all out at once.
North Korea has this technique they use called peel chaining. See, once money gets stolen,
the wallet it went to actually gets flagged. So exchanges know not to do business with that
wallet. So like if you stole $75 million and transferred it to your wallet, the FBI might
flag your wallet and tell exchanges, hey, don't do business with this. And so if you then send
your money to Coinbase, Coinbase might freeze your funds and turn it over to the FBI. So what
North Korea does, since they know their wallets are being watched, is they transfer all their
money to a brand new wallet and quickly before it can be flagged as a stolen wallet, they take
a small chunk of money, maybe five grand or 50 grand, send that to an exchange to quickly get
it cashed out using one of these phony IDs they have. And then they continue doing this until
they've cashed out all of what they want. Transfer all the money to a new wallet, peel off a little,
send it to an exchange, and do it again.
Transfer money to a new wallet,
peel a little off, send it to an exchange,
and just keep repeating.
This is the peel chain laundering technique that they use.
And by the way, I learned all about this peel chaining technique from Geoff's book that he just published
called The Lazarus Heist,
which goes into great detail about this and so much more.
Exactly. And this is the interesting thing about North Korea's efforts to
steal money generally is, I think when I started out with season one of The Lazarus Heist, the
podcast that we did that led to the book, my sort of assumption was, well, all this money sort of,
you know, washes back to North Korea, all these allegations of stolen money, you know, if that's
what's happening, it must end up back in North Korea. And I had this image, I think, I don't know, maybe Kim Jong-un,
you know, writhing around in a pit of money. But that's not necessarily how it works. Because
as you say, once you get, you know, your stolen Bitcoin or whatever it is back to Pyongyang,
if it is indeed then behind it, you've got to sort of take that cryptocurrency and swap it
into something. And obviously, in North Korea, that's just North Korean won. It's just a local currency.
What often happens instead is this cryptocurrency is just left in wallets around the world,
in wallets connected to the internet, that can then be used for things North Korea would want
to buy. So if North Korea wants to purchase something in, I don't know, Kazakhstan or Russia or Brazil, they can use the money sort of locally, if you like. They don't
keep the money back in North Korea. They have the money stashed out in other places so that they can
buy things they need because they can't dispatch the money from North Korea to go and buy them.
It's much better to have, you know, if you like, local credits that you can spend in different
countries that you need. And that's why cryptocurrency is really useful is if you've got
your money stashed in Russia and you want to buy something in Russia, fair enough. But if you want
to buy something in Brazil, you could have moved the money from Russia to Brazil. Whereas with
cryptocurrency, it's accessible sort of anywhere in the world. It's, you know, that's one of the
joys of it. So for people like North Korea, who are seemingly stashing this money around the world,
it's really useful because they can make purchases
in different countries with it.
Ooh, that's very interesting.
I never thought of that.
But okay, so still, can you give us any kind of idea
on how they might be laundering it?
Because like you said, it is becoming more regulated
and it's more difficult to get it out
because then it's tied to a real bank account somewhere in the world.
And maybe there are just places in the world that is not regulated,
like you can find some backstreet exchange in some third world country or something.
I don't know.
Yeah, exactly. It's a really interesting picture, this one.
And there have been instances of hacks where, particularly recently,
because the investigators,
both law enforcement and also private industry investigators on cryptocurrency,
are getting so quick and so fast and so thorough at chasing the stolen money, stolen cryptocurrency,
that it's really difficult for those who've stolen it to launder it,
because all eyes are then on those hot wallets, if you like. I say hot wallets, I mean hot as in
stolen money wallets. And so there's instances in which the hackers are sort of caught out because
they've got the money in a wallet, but as soon as they try and move it somewhere, as soon as they
try and cash it out, the investigator is going to try and get one step ahead of them, contact the
company that's doing the cashing out and say, hang on, that's stolen money. You can't transfer that. You can't transfer that into fiat currency, pounds, dollars,
and so on. So the hackers face this really interesting challenge of trying to sort of
find those, as you say, those backstreets, if you like, in the cryptocurrency market.
So the exchanges that aren't doing know your customer, the exchanges that don't care that
they're handling stolen money. The other thing they're going to is tumblers, is Bitcoin mixers and cryptocurrency
mixers who will take your cryptocurrency, mix it with other people's. If you imagine a whole
bunch of banknotes on the table, you stick your stolen banknotes in the middle, you wash them all
around with the other notes, and then you get some notes back, but some people get some other notes back. Really difficult to work out which banknotes came from the drug deal. And so these
mixers are effectively a cryptocurrency version of that. You stick your money in, it gets washed
with some other people's, you get your money back, but it's really hard for investigators then to say,
look, the money that went into that hole there is the same as the money that came out of that hole
over the other side of the mixer.
So that's one other thing they're doing. And the other thing is that the North Koreans are allegedly, along with other cyber criminals, relying on some networks of people, of individuals
who offer to take bits of cryptocurrency and try and cash them out, try and convert them into
different types of things. The US has charged a couple of Chinese chaps
with offering exactly this kind of service,
probably in exchange for a fee,
using little bits of cryptocurrency
and changing it into real world money.
In some cases, using things like iTunes gift cards,
anything they can do to eke out this money.
But the overall picture of this is,
if you've stolen, let's say, $230 million of cryptocurrency,
it's just not possible in the situation in this world right now to suddenly swap that into $230 million of real money,
of actual US dollars banknotes.
You can't do that.
You've got to do it slowly.
You've got to eke it out.
So there's a handbrake being applied to all of this.
It's really interesting.
All this takes a... and exploiting them, this means as years go on, the Lazarus Group is getting better and better
at finding large piles of crypto,
stealing it, and laundering it.
Which means they're starting to venture out
into new crypto territories.
Yeah, this is where it gets really weird and interesting.
There's this very peculiar story that emerges about a company
set up called Marine Chain.
Okay, so Marine Chain
was this cryptocurrency startup
I think they were working on in ICO
where they wanted to raise money
from investors to issue crypto coins
for however much they bought in.
And this company was based in Singapore,
but then out of nowhere,
this guy Tony Walker
just decided to join the company.
And Tony Walker's the brains behind Marine Chain.
He says, look, we're going to set up this company.
I know all the business side.
He's got a sort of fancy slide deck
that shows how much money they're going to make.
They're going to be in for tens of millions of dollars
off the back of this.
Tony Walker starts helping this Singapore-based company launch
but he doesn't seem very focused on the business.
So your chap in Singapore, Jonathan Foong Kah Keong, starts to get a bit suspicious about this,
but keeps going with this guy, Tony Walker, because it looks like it's going okay. They
are getting, you know, interested in this and potentially getting investment,
but gets increasingly suspicious. And then Tony Walker starts asking your Singaporean chap,
Jonathan Foong Kah Keong, to have his name on the business.
The business needs to be registered in his name.
And the Singaporean chap says, well, no, I'm not sure about that.
That's going to cause problems.
But Tony Walker's insistent on this.
And then things get a bit weirder.
Tony Walker's name appears on contracts, but he's not signing himself Tony Walker.
He's signing himself Julian Kim.
And by this point, a lot of alarm bells should be ringing because it's clear something's going wrong with this business,
something very peculiar about this Marine Chain business.
Well, Marine Chain starts getting talked about on forums and on Reddit,
and someone made a comment about Marine Chain.
And says, just sort of out of the blue, no, I don't think you should. I think this is a bit of a scam. And by the way, I think
it's a North Korean motivated scam. And this just drops on these forums. And what's weird about this
is the key comment comes on a Reddit forum from a user calling themselves Arsenal Fan 5000.
Arsenal being a very famous football team in the UK, which probably needs no introduction.
And so some football fan is popping up on Reddit and saying,
no, you shouldn't invest in Marine Chain. I think it's a North Korean front operation.
Now, what's weird about that is at that point in time,
I don't think anybody had actually clocked that.
And yet this user, who's apparently some football fan on Reddit,
pops up and says, you know, I think it's North Korean.
What's weird about Arsenal fan as well is this user posts that comment and nothing else.
No other discussion.
It's the only comment they post on the whole forum.
And then they just vanish and disappear.
Turns out they're on the money.
As other people start investigating,
they uncover different links to North Korea from Marine Chain. And it does turn out to be a North Korean front operation. So a lot of people are pretty glad they didn't invest in
this particular firm. Now, what's interesting about Marine Chain is, partly thanks to being
exposed by people like Arsenal Fan 5000, the company just folds. So
it just vanishes and disappears. And Tony Walker, aka Julian Kim, just drops off the face of the
earth, drops off the radar, at least for the moment under those particular pseudonyms,
and is never heard of again. So Marine Chain is an interesting sort of facet to this.
It's a sort of North Korean attempt at an initial coin offering, an ICO,
that never really lands, never really takes off.
Whoa, this is a totally new type of tactic for North Korea to launch an ICO?
Here's the thing.
In 2018, it was quite the year for ICOs.
ICO stands for initial coin offering.
It's kind of like a company starting a business
and to raise money to kickstart it
they sell this new type of crypto to early investors
and if the company does well then the value of the coin goes up
and if the company does poorly the value of the coin goes down
and 2018 was sort of a boom year for ICOs
there were lots of them springing up everywhere
and people wanted to invest in these companies
but not all these ICO projects were good.
In 2018, there was a company called Goyang Blockchain Financial Co.,
which launched its own ICO, and they raised $60 million and then disappeared,
exit-scamming all their investors.
So I think North Korea may have taken notice of this
and tried dabbling in
their own exit scam by launching what looked like a real company, but then possibly they had the
intention of pulling the rug out from investors. We don't know what the real intentions were for
this Tony Walker guy, but this might have been an indicator that North Korea is trying to conduct their own exit scams now.
Wild.
Is there any scenario where it's just maybe somebody from North Korea
and not the North Korean government?
Because, you know, I imagine anyone who's doing it from North Korea
is the North Korean government, but maybe there is a scenario where I haven't considered.
It's a good point.
I think, broadly speaking, you have to realize in North Korea,
if you have an internet connection and a laptop,
it's because you have either been given it or granted access to it
by the North Korean government.
It's a point maybe a lot of your listeners will know,
but just to stress this, it is not the case in North Korea
that you can go out and get a laptop and be connected to
the open internet as you can in most other countries in the world. It's incredibly well
policed and restricted. So if you're talking about somebody like Tony Walker, aka Julian Kim,
who sets up online, who's having Skype conversations with people, who's emailing
people back and forth, who's setting up websites. That's got to be
somebody in North Korea who's got an internet connection laptop, or possibly a North Korean
who's outside the country and has got an internet connection laptop. Either way, that's government
sanctioned. Okay, so to get out of North Korea, the North Korean government needs to give you the
say-so and the okay to do that. Or to be in North Korea with an internet connection, a laptop,
the government's got to be okay with that.
So, you know, really all roads lead back to the North Korean government.
It's almost inconceivable that Marine Chain, if it is North Korean,
could have been done without the say-so, the express say-so of the North Korean regime.
I'm going to take a quick ad break here, but stay with us,
because when we come back, North Korea set some new records.
This episode is sponsored by SpyCloud.
With major breaches and cyber attacks making the news daily,
taking action on your company's exposure is more important than ever. I recently visited spycloud.com to check my darknet exposure and was surprised by just how much stolen identity data criminals have at their disposal, from credentials to cookies to
PII. Knowing what's putting you and your organization at risk and what to remediate is critical for
protecting you and your users from account takeover, session hijacking, and ransomware.
SpyCloud exists to disrupt cybercrime,
with a mission to end criminals' ability to profit from stolen data.
With SpyCloud, a leader in identity threat protection,
you're never in the dark about your company's exposure from third-party breaches,
successful phishes, or info-stealer infections.
Get your free Darknet Exposure Report at spycloud.com slash darknetdiaries.
The website is spycloud.com slash darknetdiaries.
So, while I was making this episode, I was doom-scrolling on Twitter,
and I came across this tweet,
which was so remarkable that I just had to call the guy up
who tweeted it to hear the story.
I'm John Woo.
I am head of growth at Aztec Network.
Aztec is a crypto company which aims to make
your cryptocurrency usage more private.
And to do that, you can use their system
to move your money around.
They sort of shield it so that you can move it around without anybody knowing that you're doing that. But because their
tool is catching on, a lot of people are using it and moving their money around through Aztec's
network, which means at any point, they've got control over quite a bit of their users' money.
Yes. So if you look at all the public dashboards,
our smart contract holds about $15 million.
Last I checked, although the market has come down a bit,
and we've had, again, depending on ETH price,
but as of a couple of weeks ago,
$80 to $100 million of throughput.
And so certainly a lot of value has moved through the system.
Now, Aztec is growing, which means they're hiring and have open positions.
And John is the one who looks at resumes and does interviews to hire new people who work there.
Yeah, that's right. And so, you know, we get lots of inbound resumes all the time for our full-stack engineering roles
and smart contract dev roles.
And I'm on the hiring team at Aztec.
So I got automatically assigned a resume
that had already been internally reviewed
and looked super legit.
The person had a GitHub with a bunch of projects on it
and had a resume with some things that I'd heard about,
like F2Pool.
The name was Bobby Sierra.
He set up a time to do an interview with Bobby Sierra,
a remote one, through video conferencing.
John and Bobby both got on the video call.
I immediately noticed that the person's camera was off
and that there was a little bit of latency,
but also that there was just a lot of background noise,
so just a bunch of chatter in the background.
Did you ask to turn the video on?
I did, and he made some excuse about how he couldn't do so.
And I talked to folks, you know, not infrequently
who are uncomfortable on video,
but it is one of the best tools that we have
for validating identity.
And Bobby Sierra, again, not to be stereotypical, but it's obvious on the face that Bobby Sierra is a Western name. And this person
had a heavy Korean accent. The way I was able to tell is I'm Asian too, I'm Taiwanese. I grew up
in an immigrant community around New York. And some of my absolute best friends growing up were
Korean. I spent a lot of time in Korean households. And I was like, this guy's obviously Korean.
I've heard an accent like this
and some of the mannerisms like a thousand times.
And then I kind of flat out asked him,
like, where are you based?
And he said, you know, I'm based in Hong Kong.
And I'm like, that's not what your resume says.
Your resume says you're based in Canada.
And then he did this multiple times through the call,
but then he would just mute me.
You know, he would just go on mute.
And then he would come back online and pretend like nothing happened.
Did you ask any technical questions that he knew?
Like, did he know his chops about what you wanted him to know?
No, absolutely not.
He didn't say almost anything coherent.
You know, he kind of just kept repeating stuff like, I'm an experienced blockchain developer.
I've worked on many successful projects. You know. I'll bring you a lot of success. And of course, the infamous line from
his cover letter was, the world will see a great result from my hands, which was just so villainous
sounding as to be comical. And so yeah, no, he really couldn't answer any technical questions,
couldn't even answer the basic questions
of where he had worked previously.
The whole thing was super bizarre.
And he was just either unfazed or didn't understand
when I was pointing out red flags and inconsistencies.
He was clearly spoofing someone's legitimate resume
and pretending to be them,
like had just downloaded it from like open resumé site or a
recruiting site. But it was when I was like, hey, man, it says here that you worked here at F2Pool.
Tell me about F2Pool. And if I were to recreate what he said, he literally was like, yeah,
and then muted. And I was like, hey, are you there? And I would say at least a minute or
two minutes went by, just silence on the other line. And I was like, no one does this. It doesn't
matter how incompetent you are, right? If you think about there's kind of two axes I'm judging
on this interview. Are you competent or incompetent? That's like the standard interview framework. Am I
going to move you on to the next step or not? But the other one that you don't consider usually when you talk to someone is like,
is this person nefarious? And it wasn't until he kind of went dark for like two minutes after
being asked a really simple question and then came back again with this renewed purpose.
Pretending like that didn't happen. I want to work with you. I'm an experienced blockchain developer. I'll make you successful. That I was like, dude, something... I think I just interviewed a North Korean hacker. That was my intuition.
My intuition, and it was biased from weeks of having observed it
and reported on it.
And I had already been covering some of these security hacks
of really famous DeFi individuals like Arthur0x
and a lot of the coverage on Lazarus Group.
So I was already primed to be thinking about this.
So between that, his like
undeniably Korean accent and just how sketchy and like scammy it was, that was kind of my intuition.
John was actually pretty spooked by this. I mean, if this was a North Korean, that's a pretty close
encounter. To be on a video call with him? To have this whole email exchange?
To be opening resumes and email attachments?
He starts retracing his steps,
trying to remember exactly how much he shared with this Bobby Sierra.
Did he do any screen sharing?
How much did he explain about the company and what tech they use?
John was on high alert and feeling pretty disturbed by this.
So he tweeted the whole encounter.
The tweet went super viral because, you know, frankly, it was entertaining.
Even when I was in the room, I was kind of laughing at myself.
I was like, who is this guy?
Like, this is so crazy.
You don't have interviews like that ever.
You know, you don't ever have those.
It's rare to have an experience in your life where that's just so surreal.
You're like, is this happening?
Like, this person is just making stuff up.
And like their resume is not consistent with their GitHub,
is not consistent with their real name.
And their quote unquote real name is Bobby Sierra.
And his cover letter sign off is,
the world will see a great result from my hands.
And so it was just a funny thread.
And it just went super viral instantly.
It got thousands of likes.
Some people were saying, no, dude, this is typical.
If you interview enough people for a while,
there's some really weird ones that just show up.
So John was starting to doubt that it was North Korea.
But another crypto investor who had his digital assets stolen
a little before this said it was definitely North Korea
because he's seen this before.
So John wasn't sure again.
But then yesterday, I think, you know, this week, the U.S. Treasury published a 16-page advisory on North Korean overseas IT workers.
And that advisory explained almost to the word the tactics that this guy Bobby Sierra was using on me.
This advisory from the U.S. Treasury and the FBI says
that North Korea has been trying to dispatch IT workers
to work for companies all over the world remotely,
posing as non-North Koreans.
And some of these people, when they get hired,
they don't even do the work.
They just hire a subcontractor to actually do the job that they were supposed to do.
Once again, North Korea has flabbergasted me.
I mean, what level of social engineering even is this?
To try to get a job at the very place you want to rob,
and it's done by the world's worst social engineer?
It's bold and ridiculous at the same time.
And one thing that seems clear from this
is that the Lazarus Group is on a tenacious mission
to steal crypto from people and places all over the world.
And they're pretty creative at coming up with new ideas on how to do it.
It's almost like the Lazarus Group has a whole R&D department
that cooks up ways to steal money.
And one of the amazing things was the sort of rash of cryptocurrency trading apps that they launched
around the sort of 2018 kind of period. First one we think was May 2018. This was a thing called
Celas Trade Pro, which was basically a sort of cryptocurrency trading app. The idea was you'd
plug in your cryptocurrency wallets,
and it would assist you through the process of this. And this was set up with a very glitzy
looking website, you know, all looked very above the board to those who are giving it casual glance.
And the idea was, download this app, it'll give you cryptocurrency trading advice and allow you to
sort of do this if you connect your wallets to it. Unfortunately, behind this was a
piece of malicious software. So when you downloaded it, you effectively gave the hackers backdoor
access to your machine. And of course, as soon as you connected your cryptocurrency wallet,
you'll potentially give them access to it and they could steal your money. So that was Celas
Trade Pro, which was the initial iteration of this. It didn't take long for the tech security community to clock that this was
malicious. So, you know, Celas gets reported on, lots of reports come out about the fact that
there's actually malware within this. But it doesn't really seem to matter to the hackers
behind it, who are allegedly the North Korean Lazarus Group, because they just relaunch it
under different names. You know, it's this bewildering variety of different cryptocurrency apps
that come out in sort of 2018, 2019.
And they're just the same malicious software,
just rebadged and repackaged.
So Union Crypto Trader,
Kupay Wallet,
CoinGoTrade,
CryptoNeuro Trader,
Ants2Whale was one of my favorite ones.
They're just the same piece of malware,
just dressed up in different iterations.
And it seems that, you know, they think so long as we can just keep rebadging this,
we'll keep finding suckers. So they set up these crypto apps that would be
viruses, malware of some kind. Do you think they ever actually hit anybody with this and stole some
money from people? Yeah, yeah, it did actually work. I mean, the recorded case according to the U.S. investigators is August 2020.
It's a financial services company in New York who downloaded a thing called CryptoNeuro Trader.
And the Lazarus Group apparently got away with $11.8 million.
In 2018, another crypto exchange was robbed.
This time it was Coincheck, based out of Japan.
And this was an exchange that handled different cryptocurrencies,
Bitcoin, Ethereum, and NEM tokens, N-E-M.
Well, someone hacked into this exchange,
looked for the crypto wallets, and found the NEM hot wallet.
They emptied the whole thing.
About 500 million NEM were in that hot wallet. And at
the time, one NEM was worth $1. So this resulted in a theft of $500 million worth of crypto,
which was the largest heist ever, larger than any bank heist or crypto heist ever reported at the
time. The thing about Coincheck is the attribution. It is not clear to me,
and I don't think it's clear to investigators, whether this was North Korean. One of the issues
with that is the malware that apparently was used to break into Coincheck was commodity malware. So
it's quite difficult from that perspective to attribute it. You can't say, well, this was
particular malware that we've only seen used in these particular attacks by these particular groups.
I think that was one of the issues around it.
There was some talk in the media about this being the work of North Korea.
Certainly, it's a cryptocurrency attack.
It's in the Asian area.
You know, that sort of maybe points to Lazarus Group.
But beyond that, for me anyway, you need a few extra bits of evidence.
As I say, the malware didn't really point to it. And then there was the other laundering cash out operations that have
been attributed to Lazarus Group. So for lots of different reasons, there's a bit of a question
mark over Coincheck. Look, that attack is still being investigated. Japanese police are still all
across it. Coincheck still, I believe, working with law enforcement to check into it. So there
may be news on that. There may be movement on that. And, you know, the Lazarus Group story just
keeps developing and developing. So keep a watching brief on that. But for the moment, I'm not sure
whether I'd add Coincheck's $530 million to my tally of suspected Lazarus Group cryptocurrency
wins. Okay, so we'll put a question mark on whether or not North Korea robbed Coincheck.
But then in September 2020, there was another big robbery at another crypto exchange.
This is KuCoin, another cryptocurrency exchange, based I believe in Singapore, this one.
And this was various different types of cryptocurrency assets. So some of it was in
Bitcoin, some in some really obscure types of cryptocurrency, crypto asset. Some ERC-20 tokens were taken,
some stable coins. So it's a mix, a mixed bag of stuff once the hackers got in. Because once they
get in, it's not just one wallet they have access to. If they've got this kind of blanket backdoor
access, you know, they've got access to the entire safe and whatever's in there. So they start pulling
out this money. If you toss it all up, certainly at the time,
this would be worth about $275 million.
$275 million.
And this one is firmly attributed to being North Korea.
It has all the signs of what previous North Korean crypto heists look like,
as well as the laundering techniques they used after.
Now, as if that wasn't enough,
March 2022, we saw a new record for the largest cyber heist ever.
This time was on the Ronin Network.
The Ronin Network is, well, it's hard to describe.
There's this NFT game called Axie Infinity,
which is like one of the first NFT games out there,
and it's also one of the most popular. And to play it, you need to deposit your money into this Ronin network.
So there's a lot of money tied up in this bridge network.
The Ronin bridge in the middle is the conduit. And like any conduit for money,
particularly these new types of money, these new crypto assets, it's a target for the hackers.
They seem to have discovered some vulnerability here. They were able to take over different nodes in the Ronin bridge and steal what was valued at the
time was $625 million, which I just think we need to take a step back. And I mean, that is, I think
I'm going to go out on a limb here and I've been trying to get people to call me out on this, but
I think it's from what I can remember, that is the largest single amount of money stolen in a single hack of all time, I think. He's right. $600 million is the largest
heist ever. It beats the biggest bank robberies, the biggest exit scams, even the biggest crypto
heists. And yeah, many security researchers have attributed this attack to be the work
of the Lazarus Group once again. And if we add all this up,
it brings the crypto heists alone to somewhere around $2 billion.
And that's not even adding up all the bank robberies they've done.
$2 billion stolen by North Korea.
All this is happening.
It's confidently being blamed on North Korea.
Has North Korea taken credit for any of this and said,
yeah, we did do that, or what's their stance here?
No, North Korea has denied any connections to any of these hacks at all.
The sort of official publication in North Korea,
which is sort of as close as you get really to a government spokesman,
certainly that I know of, has said that these are effectively smears by the US government and its allies trying to besmirch
the good name of North Korea. So no, they've denied all of it. There is one point I'd raise
though, which is sort of speculative and a bit off my patch, but I sort of think of this from a kind
of geopolitical diplomacy point of view. If it is the case that North Korea has got this sort of $2 billion that they've stolen,
if the investigators are right in their accusations,
and if North Korea are having this immense trouble laundering it,
which from what we talked about, you know, over this podcast,
I think that's fair to say,
there's money sort of sitting out there that if North Korea one day confessed to it,
if it is indeed them, they could sort of
maybe offer to repatriate it. And at this stage, it'd be worth even more potentially than when
they stole it. Could that become part of a sort of diplomatic negotiation in the future, a sort of,
you know, an amnesty, like when criminals sort of, you know, try and use returning their assets
to try and bargain for a lower sentence? Could it somehow form some part of the diplomatic negotiations? As I say, this is outside my remit as a tech journalist, but I do
wonder whether someday this could form part of it. And there is precedent for that. I mean,
North Korea had, according to the US government, $25 million worth of money
in a bank in Macau. And that money was frozen when the US government
took action against that bank.
And that frozen money in that bank in Macau
became a sort of bargaining chip around the negotiations
around nuclear weapons and so on.
North Korea said, look, we want that money back.
And maybe our nuclear negotiations will, you know,
will be affected by whether you give us that money back.
In the end, by the way, they got the 25 million back
and kept testing nukes and testing missiles.
So I guess North Korea won that poker game in the end.
But could this stolen cryptocurrency money, this $2 billion,
form part of some negotiation or diplomatic solution in the future?
I don't know. I'm going out on a limb there,
but I think it's an interesting question to consider.
Now, if you recall, the US has indicted
a North Korean named Park Jin-hyuk for the attacks on Sony and the Bangladesh Bank. But since then,
the US has indicted more people involved with these cyber heists. Yes, there have been multiple
indictments around the crypto heists. So there were the two Chinese individuals I talked about
earlier who were accused of helping North Korea launder stolen cryptocurrency through bank accounts in China, and also through iTunes gift cards, bizarrely. Also, in addition
to Park Jin-hyuk, the individual who was indicted in September 2018 for Sony, WannaCry and the
Bangladesh Bank heist, the US have now added accusations against two other people, and they
are Jon Chang-hyok and Kim Il, who, callback to earlier in the episode,
the US says is the real name of Tony Walker and Julian Kim, the man who was responsible for
setting up Marine Chain. So according to the US government, Tony Walker and Julian Kim, this chap
who was, you know, going on Skype and asking people to kind of help invest in this weird boat
coin, marine shipping, cryptocurrency thing, was actually Kim Il,
an operative of the North Korean government.
So again, you can go on the FBI's
Cyber's Most Wanted list
and take a look at all the pictures
of Kim, Park, and Jon,
and take a look at them.
I wonder, will it ever stop?
This seems to be working very well for North Korea,
so I don't see any reason why they would stop.
Are they just going to keep on stealing from people forever?
North Korea is trapped in this loop, right?
They desperately want to stay at the international table.
They want to negotiate with the United States.
How does a country of 25 million people that's desperately poor,
you know, like Burkina Faso saying they want a meeting with, you know, Joe Biden.
Why on earth would he meet with Burkina Faso?
Well, if Burkina Faso had a nuclear weapon,
well, then you'd meet with Burkina Faso.
That's the argument.
So North Korea are like,
we are, our only way in to power is nukes.
And that's the decision they've made.
Nukes means they get hit with sanctions,
means they have no money. But they need money to keep the nukes going. So how do you get the money? Well, then you
steal it. And then you get hit with more sanctions, so you're still short of money, so you steal it.
You're just in this loop, this awful, chronic, grinding loop. And what's at the heart of it all
is nukes, because nukes is their way to stay at the international table. That's what's motivating
North Korean society. It's what's motivating, you know, according to the investigators,
all the computer hacks and so on. It's grinding, and the people, of course, in the wheels of that
grinding are North Korea's 25 million citizens who, of course, live in absolute poverty, because
when the government gets any money, they just spend it on nukes and missiles and propping up the leadership and the cadre of people.
Cryptocurrency is a wild place to be a player in right now.
You should expect to be attacked.
If it isn't by teenagers trying to break into your email or SIM swap you,
then it might be by scammers or people phishing you to try to get into your crypto wallet.
And if you're a company with large crypto holdings, then you are probably on North Korea's radar.
And when you're being targeted by a nation-state actor,
that's a serious amount of defenses that you should be putting in place.
It's a hard game to play in right now.
But listen, all the stories Geoff shared with us today,
they're all in this book,
which he just published called The Lazarus Heist.
And it's great. It's wonderfully written and researched and goes into great detail about all of what the
Lazarus group has been up to. But what we talked about in this episode is just one chapter in that
whole book. So if you want to hear more about all the craziness that North Korea is doing,
go check out this book, The Lazarus Heist. A big thank you to Geoff White for coming on the show and telling
us about the stories he's been investigating. And I recommend his book, The Lazarus Heist. I have an
affiliate link for it in the show notes. This is also the second time I've had Geoff on the show.
So if you want to hear another episode with him, go back to episode 72 called The Bangladesh Bank
Heist, or even go back
to episode 71 where I interview a North Korean refugee to talk about the information monopoly
that the government has on North Korea. This show is made by me, the brave little CPU,
Jack Rhysider. Sound design was created by the memory intensive, Andrew Merriweather. Editing
helped this episode by the defragged, Damien. And our theme music is by the smoking Breakmaster Cylinder.
Oh, I have this great joke I'm working on about documentation,
but it's not done yet.
This is Darknet Diaries. We'll see you next time.