June 6, 2022 | Policy Brief

Treasury Sanctions Cryptocurrency Exchange, But International Enforcement Still Lacking

The U.S. Department of the Treasury in May sanctioned a major digital-currency mixer, Blender.io, which North Korea has used to launder $20.5 million in funds stolen from a gaming-focused blockchain project known as the Ronin Network. While Treasury’s move deserves praise, inconsistent international enforcement of anti-money laundering (AML) protocols has left hackers with multiple outlets capable of laundering their illicit funds, thereby undermining U.S. sanctions against Pyongyang.

In April, the FBI attributed a hack of the Ronin Network, which powers the game Axie Infinity, to the North Korea-affiliated Lazarus Group, which generates illicit funds for Kim Jong Un’s regime through cyberattacks. That same month, Treasury sanctioned the digital wallet where the Lazarus Group had stashed $620 million in stolen cryptocurrency. Treasury’s subsequent sanctions against Blender.io revealed one platform the Lazarus Group used to launder those funds.

North Korean hacking groups have repeatedly targeted cryptocurrency exchanges to steal funds to prop up the Kim regime. In the last two years alone, these hackers have pilfered over $1 billion worth of cryptocurrency. Once the hackers have stolen the funds, they use another exchange or a mixer to launder the money.

Cryptocurrency exchanges and mixers based around the world often have laxer AML protocols and less stringent financial compliance procedures than traditional financial institutions based in the same jurisdictions. Digital-currency mixers, in particular, are useful to hackers because they anonymize transactions by mixing various types of cryptocurrencies to obscure the funds’ provenance.

Taken together, Treasury’s sanctions in April and May prohibit U.S. entities from transacting with one digital wallet and one mixer — the digital-currency equivalent of one bank account and one financial institution — in an attempt to prevent the Lazarus Group from converting cryptocurrency funds into fiat currency through U.S.-based exchanges. Treasury first sanctioned the Lazarus Group in 2019, but neither that step nor Justice Department indictments against state-sponsored malicious cyber groups appear to have changed Pyongyang’s risk calculus. Moreover, recent press reports indicate Lazarus is still transacting with other mixing services despite Treasury’s sanctions.

The decentralized nature of digital-currency exchanges allows North Korean hackers to continue moving money around the world despite being cut off from the traditional banking system. While other unilateral U.S. sanctions against illicit actors often have ripple effects across the international system as markets and financial institutions excommunicate sanctioned entities in reaction to Washington’s moves, the same has not happened in the digital-currency space. Thus, while the sanctions against Blender.io are an important signal that Washington will hold cryptocurrency companies liable for illegal activities, they are not a significant blow to Pyongyang’s money laundering efforts. Until cryptocurrency exchanges and mixers abide by AML compliance protocols, North Korean hackers and other malign groups will continue to exploit this loophole in the global financial system.

Over the long term, Washington will need to work with international partners to extend banking standards to exchanges in their jurisdictions. Multinational AML bodies, such as the Financial Action Task Force, have begun to provide guidance on AML compliance for the virtual-asset sector. However, there are still gaps in the international regulatory system.

In the meantime, Washington must also continuously encourage cryptocurrency service providers around the world to screen their customers against relevant international sanctions lists, and share information with these providers and traditional financial institutions on the strategies illicit actors use. For example, at the start of the Russia-Ukraine conflict, the Financial Crimes Enforcement Network (FinCEN) warned financial institutions to expect increased malicious Russian cyber activity aimed at enabling sanctions evasion. FinCEN also identified red flags to assist in detection. This sort of public-private collaboration, along with greater international collaboration, will be key to long-term success.

Jiwon Ma is a program analyst at the Center on Cyber and Technology Innovation (CCTI) at the Foundation for Defense of Democracies (FDD), where Trevor is a cyber research analyst. Follow the authors on Twitter @jiwonma_92 and @TrevorLoganFDD. Follow FDD on Twitter @FDD and @FDD_CCTI. FDD is a Washington, DC-based, nonpartisan research institute focusing on national security and foreign policy.

