March 4, 2020 | Policy Brief

U.S. Sanctions and Indicts Chinese Enablers of North Korean Cyber Theft

The U.S. government sanctioned and indicted two Chinese nationals on March 2 for helping North Korea launder the proceeds of its cybertheft operations. In its indictment, the Justice Department (DOJ) showed how Pyongyang’s evasion of sanctions depends on the exploitation of Chinese financial institutions, whose efforts to prevent illicit activity are visibly deficient.

Monday’s sanctions and indictments targeted Chinese nationals Tian Yinyin and Li Jiadong for helping North Korea to illegally transfer over $100 million in stolen cryptocurrencies between July 2018 and April 2019. Tian and Li allegedly laundered funds that hackers with North Korean backing stole from an unnamed cryptocurrency exchange in April 2018.

According to DOJ’s indictment, Tian and Li would convert cryptocurrency into fiat currency through accounts at Chinese banks. Tian and Li both operated virtual currency accounts at a pair of virtual currency exchanges, which the DOJ indictment labelled VCE-A and VCE-B. These exchange accounts were linked to accounts at ten traditional Chinese banks, which the indictment listed by name. One of Tian’s virtual currency accounts was linked to an account at China Guangfa Bank that “received approximately 491 deposits from VCE-A for 233,889,970 CYN (approximately $34,504,173.43).”

Similarly, Li linked his VCE-A account to nine Chinese banks, which included one of the country’s largest, the Agricultural Bank of China. DOJ furthermore divulged how “these bank accounts received approximately 2,000 deposits from (Li’s) VCE-A for 229,282,960.97 CYN (approximately $32,848,567).” As these figures illustrate, Tian and Li shared a common tactic of using several hundred small deposits to launder stolen funds.

Both policy makers and compliance officers at banks worldwide should be aware of such suspicious activity involving traditional bank accounts linked to virtual currency accounts. Moving forward, the U.S. Treasury Department’s Financial Crimes Enforcement Network (FinCEN) should consider issuing an advisory notice for banks and virtual currency exchanges that highlights red flag indicators from relevant cases such as that of Tian and Li. In addition, FinCEN should hold cryptocurrency exchanges to the same anti-money laundering standards it applies to money service businesses.

This incident also provides another clear example of the Chinese government’s failure both to enforce sanctions and to ensure the due diligence of its financial institutions. Washington should therefore continue investigating the ten Chinese banks involved in Tian and Li’s transaction for other suspicious activity linked to North Korea. Senior U.S. officials should also provide direct warnings to Beijing, since the blindness of its banks likely reflects political guidance from above.

Lastly, now that one set of cyber theft and money-laundering techniques has been exposed and compromised, Treasury and Justice should work to anticipate how North Korean hackers may adapt their operations. Despite its nominal pursuit of diplomacy, Pyongyang continues to engage in a wide range of hostile behaviors that demonstrate a lack of interest in resolving differences peacefully.

Mathew Ha is a research analyst focused on North Korea at the Foundation for the Defense of Democracies (FDD), where he also contributes to FDD’s Center on Economic and Financial Power (CEFP) and Center on Cyber and Technology Innovation (CCTI). FDD is a Washington, DC-based, nonpartisan research institute focusing on national security and foreign policy.