Hacked - Lazarus Laundromat

Episode Date: September 29, 2020


Transcript
[00:00:00] Somewhere on LinkedIn. Cryptocom is hiring a systems administrator with 8 to 10 years of experience. Cryptocom is one of the most widely known, used, and trusted cryptocurrency exchanges in Europe. Founded in 2011 with low fees and the best execution prices, you can trade major cryptocurrencies like Bitcoin. So a systems administrator gets this job offer on LinkedIn. They've spent the last five or so years working behind the scenes on the upkeep, configuration, and reliability of a network through which millions of dollars' worth of cryptocurrency flows every single day.
[00:00:42] They're very good at their job. And from time to time, headhunters come knocking. This one is from a competing firm, one of the big ones. And the pay's pretty good. They're reading the job details in a doc file with some weird permissions because it's from Europe, when... Well, you can probably see where this is all going. Because the trouble is, all around the world,
[00:01:08] in the UK, the U.S., China, Germany, Russia, and South Korea, other systems administrators at other big cryptocurrency exchanges are getting this exact same message with the exact same job offer, with the exact same Word doc, with the exact same funky permissions. It's a spear phishing attack, trying to harvest that sysadmin's data so that the hackers can break into the cryptocurrency exchange and steal a bunch of money. Someone is going on a cryptocurrency crime spree.
[00:01:42] And it's working. Lazarus are the people behind this string of attacks. And based on civil forfeiture complaints filed by the U.S. Department of Justice last month, they have stolen over $250 million worth of crypto from over a dozen virtual exchanges. Not just LinkedIn spear phishing attacks; they've gone deep with these things. In 2019, a major cryptocurrency conference was revealed as potentially being just one big honeypot to harvest data. Lazarus operates on a scale and scope rivaled by a few other cybercrime operations.
[00:02:24] By now, we're all familiar with the idea of state-sponsored hacking for political purposes: surveillance, counterintelligence. We know countries do this, and we know the countries that do this. But Lazarus, Lazarus is interesting because they raise this question: what if a country used state-sponsored hacking to steal? Like, literally stealing money to enrich that country, in the same way that other countries steal information for political purposes.
[00:03:02] This all brings us to North Korea. International econ experts estimate that around 15% of North Korean foreign earnings come from crime. A lot of it's cybercrime, and a lot of that is cryptocurrency. And Lazarus, that hacking group, is the North Korean hacking syndicate behind, among countless others, the 2013 South Korean cyber attack, the 2014 Sony breach, and the 2017 WannaCry malware that infected over 300,000 devices worldwide. But in the last few years, Lazarus seems to have narrowed their focus from big, bold political gestures to this vast but targeted cyber theft operation, bringing in hundreds of millions of dollars per year to the North Korean state. To understand Lazarus, you need to not just understand their methods, but the economic sanctions that, depending on who you ask, either drive or are justified by all this cybercriminal behavior. But before we get to any of that, we've got to go back to our crypto systems admin, who just got spear phished with that sick job offer.
[00:04:19] We've got to go back to the country that hacked them. Because the question isn't just, how do you steal a couple hundred million dollars in cryptocurrency? The question is, how do you launder it once you've got it? This is Lazarus Laundry, here on Hacked. So, question? Answer. This question I ask you a lot. If you had effectively unlimited resources, how would you steal hundreds of millions of dollars' worth of cryptocurrency?
[00:05:07] Well, I think if I just looked at how people are stealing hundreds of millions of dollars of cryptocurrency, I would set up a crypto exchange and then just disappear with all of the crypto. Oh, you're talking about the abscond-with-all-of-the-other-people's-money type thing. Yeah, the fake-your-own-death, you know, move-to-Thailand model. That's a pretty good one. It's been working for the pyramid scheme kind of setup. I feel like there's, like, you know, 10 BBC articles about people that have done that. You know, "$200 million in cryptocurrency goes missing and founder's whereabouts unknown."
[00:05:38] Talk about a Madoff. Yeah, kind of. A little. It's more of just, like, straight-up theft, where, like, Bernie Madoff is, like, a proper, you know, fraudulent scam. Sure. This is just, give me your money and then I will just flee with it. Yeah. Eventually I will just have so much that I won't be able to.
[00:05:58] I feel like crypto attracts certain types of people. And if you're listening to this and you're one of those people, don't take offense to this. But I feel like crypto is just like drugs. And I don't think the people that do drugs frequently have a lot of self-control. And I feel the same way about people that trade crypto. So eventually the people that are in crypto businesses, when you have that much drugs, it's hard to say no to just taking them all. You know what I'm saying?
[00:06:26] It's a weird analogy, but I think you get the picture. No, no, it tracks. So you're saying that your first approach to this would be, is there a way to get people to just consent, like, consentingly give it to me? And then take it for myself. Yeah, quote-unquote, lose it. Get hacked.
[00:06:47] Whoops. And then I guess, you know, if you wanted a lot of it, instead of quantity over quality, maybe you go quality over quantity. You know, you can target the exchanges. You can set up your own exchange and just leave. Or you can steal from other exchanges, you know, places where it's like a bank heist. You know, an exchange has a lot of it on hand. And if you can get access to it, you can take a lot of it.
[00:07:13] You know, if I can spend my days cracking Jordan Bloemen's Bitcoin wallet, I might get, you know, $28 U.S. dollars' worth. But if I can get into a massive exchange's, you know, accounts, I probably can get millions of dollars' worth. Is that how you would go about doing it if you had, like, your level of resources or effectively unlimited resources? If you had a nation's worth of resources to throw at the problem? Yeah. You know, if you've got teams of, you know, hackers, quote-unquote, unethical hackers who work for you. Yeah, why not steal it? You can do quantity over quality and quality over quantity.
[00:07:53] You can do it all. So what do you do once you have it, though? Fake your own death and move to Thailand. North Korea faked its own death and moved to Thailand. I think they did that recently, didn't they? Not moving to Thailand, but the whole faking-your-own-death thing, I think, came up. Quality over quantity, quantity over quality. According to a report published by the UN,
[00:08:16] it is estimated that cyber attacks have earned North Korea somewhere around 2 billion U.S. over the last three years. Money that has largely gone towards nuclear and ballistic missile programs. We're going to talk about that a little bit more later. Cybercriminals on the Pyongyang payroll have launched attacks going after two big buckets of potential revenue. The first is crypto, which, as Scott just explained, means going primarily after crypto exchanges,
[00:08:44] that kind of quality-over-quantity approach. You see, even with vast man-hour resources, it doesn't really make a ton of sense to go after individual wallet holders when similar targeted attacks against admins on exchanges have potentially way greater yields. Overall, between 2017 and 2018, at least $571 million was stolen in the hacking of five cryptocurrency trading platforms. So, you've got north of half a billion in crypto. How do you launder it?
[00:09:19] If I'm a nation that has a pile of stolen digital currency, what am I going to do with it? That's a great question. You need to turn it into real money at some point so that you can acquire things on the international stage: weapons, equipment, infrastructure. I'm not sure how you would launder money at that scale. I'm going to tell you all about that, Scott.
[00:09:48] Perfect. Thanks, Jordan. As Scott said, you need to turn it into real money at some point. To explain how to do that, I'm going to have to do the one thing I promised myself I was never going to do on this show, or in life. And that is explaining what blockchain is. But these are unprecedented times. So, a blockchain is essentially a chain of blocks containing information. The term was coined by researchers in 1991, largely unused until Satoshi Nakamoto adapted it in 2009 to create the cryptocurrency
[00:10:21] Bitcoin. Without getting into the weeds of what's contained inside of that block, which, for those who are interested, is a little bit of data, a hash for verification, and the hash of the previous block. To understand the blockchain in the context of cryptocurrency, really all you've got to do is think about it like a public document recording which wallets Bitcoin is moving from and to. It's a ledger. It's public and close to mathematically impossible to falsify. If a Bitcoin gets moved from one place to another, it is visible, which makes laundering Bitcoin pretty tough. You need to turn it into real money at some point. So how does North Korea do it? How, on a ledger that is engineered to be public, do they turn hundreds of millions of dollars' worth of Bitcoin into dollars, pounds, euros, or yuan?
[00:11:19] A brief aside before I dive into a lot. I find cryptocurrency really interesting, but I'm not what I would call a crypto guy. And I have a feeling there might be some crypto people listening to this. I'm going off research, not experience, but I do love being told that I'm wrong. So if you catch me confusing a concept, do not hesitate to reach out on Twitter at Hacked Podcast. Let's get down to it. Tactic 1: Peel Chain. Our first laundering tactic, called a peel chain, is where, to disguise the origin and destination of your stolen cryptocurrency,
[00:11:54] you move that coin in rapid, automated transactions from one wallet to another, hundreds, if not thousands, of times. So, say you steal some crypto, the theft of which is publicly recorded on the ledger, which your victim can see. To hide it, you start bouncing that coin insanely fast, automation fast, so many times between so many wallets and so many different places that it's basically impossible to keep track. Now, this is kind of intuitive, but as many of you may notice, in order to do this, you need hundreds, if not thousands, of accounts across which you can bounce, which isn't really a small operation. You either need to be a country that can recruit an army of hackers, or you've got to use something called a mixing service, also known as a tumbler.
[00:12:46] According to a very long and very technical research paper called "An Analysis of Bitcoin Laundry Services," quote, Bitcoin laundry services are open, like most modern technologies, to dual use. They are employed by regular users who do not engage in any illicit activity and simply want to improve on the anonymity features of Bitcoin. On the other hand, they can also be used by cyber criminals for laundering ill-gotten gains before exchanging them into traditional currencies such as dollars, euros, or sterling. It is common for stolen Bitcoin and for ransom money to be processed by one or multiple
[00:13:24] tumblers to reduce its traceability. In either scenario, Bitcoin laundry services play a central role in the Bitcoin economy, but they've been relatively poorly studied, and their operation is not well understood. Some bargain-basement tumblers include DarkLaunder, BitLaunder, and CoinMixer. The kind of bigger players accessible via Tor include Alphabay and Helix, but the report, really importantly, concludes that almost all of them have some pretty big security issues relating to either user privacy or coin safety. And when they typically make their money by, say, taking one or two percent of all transactions, if you are a state-sponsored hacking group trying to launder 500 million in crypto,
[00:14:05] you are peel chaining by hand. Tactic number two: chain hopping. Let's imagine you are trying to launder old-school currency, American dollars. Option number one is traditional money laundering, which is kind of a lot like the last tactic, peel chaining. You're really just obscuring the nature of those American dollars by obscuring their origin. But say you could turn those American dollars into a different currency altogether. Say you could turn it into pounds or gold or real estate,
[00:14:46] which you could then convert back into whatever currency you wanted to use, totally clean. This is chain hopping. Instead of moving between currencies, you move between blockchains, which is to say, different cryptocurrencies. The stolen Bitcoin is converted into a different crypto, typically a less visible, more anonymous, arguably murkier option like Monero, Dash, or Zcash. Hop between enough different blockchains, enough times, and the trail goes cold. So congratulations.
[00:15:21] You've laundered $500 million in cryptocurrency. You've got good, clean, internationally recognized fiat currency you can use to fund ballistic missile programs all day. But if you remember a little bit earlier, it is estimated that cyber attacks have earned North Korea somewhere around 2 billion U.S. over the last three years. 500 million in crypto is kind of just a drop in a $2 billion bucket. So where does the rest of that money come from? And what do you do with it?
[00:15:54] We'll get to that after this break. Think about the last time you heard a breach story on this show. It always starts the same way. Someone somewhere saw something too late. An alert buried, a signal missed, a SOC that just couldn't keep up. Arctic Wolf set out to solve that problem by rebuilding security operations from the ground up for a world where attackers are already using AI. They created the Aurora superintelligence platform, a fully agentic system powered by the swarm of experts.
[00:16:27] Instead of single-purpose bots or lucky-guess LLMs, this swarm is full of deterministic agents that handle whole entire workflows. Humans stay in the loop and on the loop to validate the critical decisions and keep everything trustworthy. And all of this is running on their secure operations graph, a constantly updating intelligence engine fueled by more than 9 trillion telemetry events every week and over a decade of real-world incident response. The system reasons on real signals and real context, not synthetic training data. And the result is the new Aurora Agent SOC. It's the first SOC that is agent-led by design. You get agents that coordinate, agents that investigate,
[00:17:04] agents that respond at machine speed, and hundreds more that automate the repetitive work that normally buries human analysts. Arctic Wolf didn't try and bolt AI onto an old model. They rebuilt the model entirely. What makes it even more effective is how it works with Arctic Wolf's concierge experience. The team brings customer-specific context directly into the platform
[00:17:24] so every AI-driven decision reflects your environment instead of generic assumptions. The automation frees your concierge security team to focus on higher-value strategy and proactive risk reduction while the agents handle the grind. If you want to see what trustworthy, production-ready AI in security operations actually looks like, go to arcticwolf.com slash hacked. Ever feel like cyber threats are evolving faster than anyone can keep up? Last year, 2025, was nothing short of a record-breaking year for major breaches, from sophisticated ransomware operators to AI-enabled attacks that turned defenses on their head. Organizations around the world saw headlines they never expected,
[00:18:04] and cybersecurity teams were tested like never before. But here's the thing. These incidents aren't just news headlines. They're learning opportunities. And that's why Arctic Wolf is hosting a live webinar on February 5th diving into the most impactful breaches of 2025. Their field CTO and security leaders are going to unpack not just what happened, but why these attacks succeeded. And most importantly, what businesses can do to fortify their defenses before it's too late. You're going to walk away with real insights into how threat actors are evolving, how defenders are responding, and what strategies can help you stay ahead of the next big breach. It's not fear-mongering. It's practical, actionable intelligence from experts in the trenches.
[00:18:42] Register now at arcticwolf.com slash hacked. Well, compared to Singapore, Bangladesh's handling of its finances has become news fodder, especially now that some hackers were able to steal $81 million from the country's central bank. Well, should we just talk about how governments make money? How do governments make money? Taxes. Literally, like, the only major source of income: taxes, fines, I guess. You know, there's a bunch of surcharges, things like that.
[00:19:16] You know, your car registration costs so much. But those are mostly cost-recouping, but the bulk of a nation's cash comes from the tax base. So, you know, private businesses, publicly traded businesses, you know, obviously public employees, people that work for the government, cost the government money, where private employees get paid and a portion of their income, you know, goes to the government, which then becomes general revenue to pay for government employees.
[00:19:47] So taxes generally constitute most things. Obviously, the more successful your economy is, the bigger your businesses, the more people get employed. All of those things generate more tax revenue. So most money comes from taxes. Which is tricky in a country like North Korea. Yes, that has probably very, very, very low international exports. So that's another big thing about getting money into an economy, is the higher your exports are versus your imports, the difference there. You know, you've probably heard Trump complaining
[00:20:22] about it in the last election. The more exports you do than imports is essentially a net gain for your economy. So that's a big key thing. And a country like North Korea will probably, who has one trading partner, China? I might be wrong on that. But I'm pretty sure they have one trading partner, probably has very little export. I don't know a single product that anyone can buy in the world that's from North Korea. The answer to my earlier question, as to where the other 1.5 billion in cybercrime revenue comes from, is pretty obvious. If not cryptocurrency, it must be normal currency, stolen from the normal place we normally keep it.
[00:21:11] Banks. Banks all over the world. Targeted by the hackers in Lazarus and Bureau 121, a part of the Reconnaissance General Bureau of North Korea's military, essentially the in-house alternative to the arm's-length Lazarus. Over the last couple of years, all of these different groups of hackers, all under the umbrella of North Korea, have aimed their crosshairs at a core system in international business called the Society for Worldwide Interbank Financial Telecommunication, or SWIFT. This system, SWIFT, has been around since the 1970s. It's used in 11,000 financial institutions in more than 200 different countries to process tens of millions of dollars of transactions per day. This purportedly is how North Korea managed to steal all of that money from Bangladesh mentioned in the clip at the start of this section. This is how they've managed to steal 1.5 billion from banks around the world over the last five years.
[00:22:11] It wouldn't really be worth talking about how they launder that money because it's normal money, so the answer is money laundering. But then, like a week before this episode came out, whoo boy, did some shit pop off in the world of normal money laundering. And wouldn't you know it, North Korea is right there in the middle of it. A leak of U.S. Treasury documents has linked Australian banks to billions of dollars in suspected money laundering. The Big Four and several other Australian banks
[00:22:44] are mentioned hundreds of times in the documents dubbed the FinCEN Files. Shared by the International Consortium of Investigative Journalists, the documents detail money flows worth over $2.5 trillion suspected of being the proceeds of crime or corruption. That was from Australia's ABC News, hence the focus on Australia's banks, but essentially, September 21st, 2,500 leaked documents, most of which were exchanged between banks and the U.S. authorities over a 17-year stretch, revealed some pretty startling insights into how criminal organizations launder money through banks.
[00:23:21] The most startling, or at least startling depending on how numb the current state of the world has you feeling, is how aware banks are when they're being used to launder money, and how very cool with it they are if it's enough money. HSBC allowed criminals to move millions of dollars of stolen money around the world, even after it had learned from U.S. investigators that it was a scam. J.P. Morgan allowed a company to move more than a billion through a London account without having any idea who owned it. But most importantly for our purposes, the FinCEN docs reveal that North Korea carried out an elaborate money laundering scheme for years, using a string of shell companies, with help from Chinese companies, moving money through prominent banks in the U.S. The answer to the question of how North Korea launders money is by
[00:24:11] putting it in the same bank you use. Banks like banks in Luxembourg? I think that that's just sad reality; that's how a lot of corporations operate. And I guess you could look at the North Korean government as a form
[00:24:29] of corporation, or at least their theft. They're trying to reduce, essentially, when the whole, I don't know if you remember, would have been about six years ago, somebody from, I believe it was PwC in Luxembourg, leaked, they were negotiating private taxation deals with the Luxembourg government on behalf of major corporations. And essentially, if you headquartered,
[00:24:56] moved your money into Luxembourg, giving them a higher economy and all the rest of this jazz, they would essentially sign a sole tax agreement for IKEA. So IKEA would have its own tax act that was drafted and negotiated, which is something you don't see anywhere, really. But if you're a company that's as large as IKEA and has operations in every business, or in every country, reducing your global taxation becomes a huge part of it. Some jurisdictions are tax-friendly, some are not. It's why you see states like, you know, Delaware.
[00:25:35] Delaware is a state, right? Yeah, we're Canadian. That have these, you know, economic incentives to try and bring head offices there, because they want those businesses to relocate into their jurisdiction so they get increased tax revenue, but to bait them in, they'll reduce their taxation rate. You know, so it's the fact that taxes are now a market, uh, market-negotiated thing, your tax rate, is a really bad thing for societies in my mind, because what you're seeing is, even though a business can operate in a jurisdiction, access its commodities, take out its revenue, it will still pay
[00:26:19] employees there, which will then feed the local tax system, but the larger corporate taxation will quickly be shuffled off and moved to somewhere else where there's a lower tax rate. And then if you want to talk about, like, headquartering offices, why would you put the headquarters of your business in a place that had a 35% corporate tax when you could put it somewhere that has a 2% corporate tax? And it's like, you know, that becomes a market factor that corporations have to take into consideration to deliver the highest value to their shareholders. And then, boom, you've got crazy tax acts in Luxembourg.
[00:26:53] Yeah, and if a bank will move those kinds of mountains to reduce the tax burden on a corporation's gains, why wouldn't they do the same thing for our countries? I guess regardless of how that corporation or country got it. Yeah, they're going to charge fees and do all kinds of things that make sure that it's in their best interest, because they're looking out for their shareholders and their employees and, you know, their profits. We've been zooming out throughout this episode, right? First we chatted about how North Korea engages in cybercrime to steal and launder cryptocurrency, then how they engage in cybercrime to steal and launder normal currency.
[00:27:35] And I think it makes sense to conclude on the bird's-eye view with kind of the highest elevation: how North Korea engages in all forms of crime outside the bounds of cyberspace, and why they do it. Because cybercrime, all two billion of it, is again just a drop in an even larger bucket, especially when you end up looking at all the money that ends up flowing through that laundromat they've engineered in conjunction with the legitimate banks around the world outlined in the FinCEN documents. North Korea makes a lot of its money through crime. They've been making cash hand over fist counterfeiting other countries' currencies since, like, the 1970s.
[00:28:15] Between '77 and 2003, more than 20 North Korean diplomats, agents, and trade officials have been implicated, detained, or arrested in drug smuggling operations, mostly amphetamines and opiates produced in the country with the knowledge of the government. We've got human trafficking, we've got counterfeit pharmaceuticals and drugs and arms trading, and here's the thing. Countries do illegal shit for profit all the time. It was novel at the start of the episode when we were talking about cybercrime specifically, but as I said, zoom up far enough and the lines start to get blurry.
[00:28:50] What's relevant here is just how much North Korea does it. To the point that it's one of their chief exports. And with just how effective cybercrime is proving for them, how likely they are to do it more and more and more. The question all of this brings us to is why? And the short answer is sanctions, and the behavior that those sanctions resulted from. Push someone far enough into a corner, this is what they do.
[00:29:24] But that doesn't really capture the entire picture. I think the other big difference for North Korea is that, you know, being that they are the friendless kid on the playground, there's not a lot of aid flying their way, where other countries who might start starving probably still have other friends who will feed them. And, you know, I think that there's, just given current situations and stuff, I think there's a pretty good global understanding that there's going to have to be a lot of give and take between different places and geographies and stuff. You haven't seen a ton of it yet, so hopefully we do.
[00:30:00] But I think North Korea is in kind of a world of their own. You know, North Korea essentially has no friends. They have no trade partners. They have no economic activity. They probably have very little exports. They're in a unique situation where everybody hates them already. Why would they care? You're not going to see the United States government start stealing cryptocurrency from other countries
[00:30:23] because they want to keep the world somewhat in order. They need to keep trade up. They need to keep those exports coming from America to other countries, and sanctions will quickly limit those. So with North Korea, when you've already got it sanctioned up, really, I guess, a better parallel to this is, like, is North Korea stealing bread to eat? Do you have nothing to lose and something maybe to gain?
[00:30:49] Yeah, they're not an economic superpower. They're not even an economic power. And they're essentially starving, literally. So I think the more powerful, essentially what I'm saying is, if you're privileged enough to be powerful, you can get away with a lot more. And North Korea is not very privileged. Why steal cryptocurrency when you can steal land? Exactly. Or whatever you want, steal elections. Yeah, we've got a country that did some stuff that pissed everybody off, so everybody puts sanctions on them. So they get really, really, really desperate because there's sanctions on them, so they start doing worse stuff, so we put more
[00:31:27] sanctions on. It's just like, yeah, it's the prison loop. Yeah, it's a prison loop. A hundred percent, yeah. North Korea is a lifetime offender who can't break the cycle. Thanks for listening, everybody. If you like the show, show your love on Patreon, patreon.com slash hacked podcast, or get in touch on Twitter at Hacked Podcast. It's been a pretty crazy time here with some different projects. So there's a lot of me chit-chatting in this one. Tried to keep it pretty focused research-wise, but we did end up covering a pretty unwieldy set of topics,
[00:32:05] trying to get in all the stuff we thought was interesting about this story. Hope you learned something. Thanks, as always, for listening. And thank you to our new patrons in September. I'm talking about you, Sean McNeil, talking about you, Christian Lassen, talking about you, Zarin Stone, fucking great name, Zarin.
[00:32:20] Talking about you, Zach Bennett. What a bunch of cool people. Thanks for listening. And as always, be sure to share the show. Catch you in the next one.
