The group has been accused of stealing more than half a billion dollars in crypto as far back as 2018, when cybersecurity vendor Group-IB claimed it had targeted 14 different exchange in two years. Monday's action specifically stems from the hack of an unnamed exchange in April 2018, according to a press release by the Treasury Department.
A separate in rem forfeiture document unsealed Monday shows the U.S. government is trying to seize the crypto held in 113 different addresses, alleging that the two defendants (who are explicitly named on page 21) laundered "a bulk of the stolen BTC."
Most of the proceeds from the hack were laundered through the use of "peel chains," a term the U.S. government is using to describe the act of sending crypto from one address to another, with some portion of the funds moving to a different address than the bulk in each transaction.
The defendants sold some of the crypto to U.S. customers and used a U.S.-based exchange for some transactions, according to the forfeiture document. A South Korean exchange is also implicated in the document.
A U.S. Department of Justice (DOJ) press release added further information, saying some of the laundered funds allegedly helped North Korean actors continue hacking campaigns against other financial industry participants. The release also alleged that North Korean co-conspirators are connected to "the theft of approximately $48.5 million" in crypto from a South Korean exchange.
The agency listed 12 addresses associated with Jiadong Li:
OFAC listed eight addresses affiliated with Yinyin Tian:
While thousands of bitcoin appear to have flowed through the listed addresses, the majority appeared to hold no bitcoin as of press time.
Monday's move is the third time OFAC has listed cryptocurrency addresses on its sanctions list. In 2018, the agency tied bitcoin addresses to a pair of Iranian nationals it accused of facilitating financial transactions related to ransomware. Last year, the agency also listed a litecoin address and additional bitcoin addresses affiliated with three Chinese nationals it charged with violating money laundering and drug smuggling laws.
According to the Treasury Department's press release, "North Korea's malicious cyber activity is a key revenue generator" for the nation. The country uses peer-to-peer marketplaces and exchanges with "negligible" know-your-customer controls, and crypto stolen by the nation can be used in a variety of ways.
"Given the illicit finance risk that cryptocurrency and other digital assets pose, in June 2019 the Financial Action Task Force (FATF) amended its standards to require all countries to regulate and supervise such service providers, including exchangers, and to mitigate against such risks when engaging in cryptocurrency transactions," the press release said. "The United States is particularly concerned about platforms that provide anonymous payment and storage functionality without transaction monitoring, suspicious activity reporting, or customer due diligence, among other obligations."
OFAC also deleted a number of Russian entities linked to the Independent Petroleum Company from its sanctions list in Monday's action.
UPDATE (Marc 2, 22:45 UTC): This article has been updated with additional information, including the U.S. government's forfeiture claim against 113 crypto addresses and the U.S. Department of Justice's press release.
The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups.