South Korean cryptocurrency exchange Bithumb recently suffered a hack that resulted in the loss of around $30 million in various cryptoassets. The theft has recently been linked to Lazarus, a hacking group linked to North Korea that has also been blamed for other attacks, including the WannaCry ransomware.
Here we explore the destination of stolen funds from Bithumb and how funds from such attacks are laundered.
Searching for stolen Bithumb funds
Bithumb reported that its “hot wallet” was compromised on June 20, 2018, allowing attackers to take control of assets including bitcoin, ether, and golem, along with a number of other currencies and tokens (detailed in the table below).
Stolen assets, as reported by Bithumb
Elliptic’s software combines publicly available cryptocurrency blockchain data with a proprietary dataset of addresses known to belong to various entities, and transaction analysis capabilities that reveal further addresses belonging to these actors. We can use this software to trace where the attackers sent these stolen funds. Here we focus on stolen bitcoin, but the same principles could be used to track other assets.
However, in order to do this, we first need to identify which funds were stolen. Bithumb processes thousands of withdrawals every day on behalf of its clients, so we need to distinguish between stolen funds and legitimate withdrawals.
Bithumb suspended deposits at approximately 00:53 UTC on June 20 and immediately began transferring all of its assets to “cold” wallets to prevent further losses. Therefore, we can assume that the theft took place shortly before this.
In the days leading up to the discovery of the hack, the fee paid for the vast majority of transactions from addresses belonging to Bithumb ranged from approximately 0.0001 BTC to 0.03 BTC, and was usually a value with a few decimal places, for example 0.003961 BTC.
However, on June 19, most of these transactions switched to using a fee of exactly 0.1 BTC – a fee that stands out both for its size and because only one decimal place is used. This could indicate that these transactions were not regular Bithumb withdrawals, but rather theft of funds. During June 19 and 20, 400 transactions of this type sent funds from Bithumb to a single bitcoin wallet composed of 70 addresses. This wallet received a total of 1,993 BTC from Bithumb – close to the 2,016 BTC reported as lost.
What happened to these funds? They all ended up on one cryptocurrency exchange – more on that later.
So we have approximately the amount that was reported stolen transferred out of Bithumb, around the time of the hack, in about 400 transactions using a fee amount that is not typical of regular withdrawals, all into one wallet.
One explanation for this could be that Bithumb realized they were compromised and was sending their assets to a wallet they knew was safe. However, it is unlikely that they would transfer these funds to another exchange, where they would no longer be under their control, as happened here. It is far more reasonable to assume that these transactions represent funds stolen by hackers. The attackers may have used a large fee to ensure a quick transfer of bitcoins from Bithumb addresses.
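The fee-based heuristic described above can be turned into a reusable filter. The following added example (not Elliptic's software or the article's own code) runs over constructed withdrawal records: it flags transactions inside the incident window whose fee is at least 0.1 BTC with at most one decimal place, groups the flagged flows by destination wallet cluster, and compares the total against a reported loss. The sample transactions, addresses and cluster labels are invented for illustration; the wallet clustering itself is assumed to have been done beforehand.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed sample withdrawals (not real Bithumb transactions). Each row:
# txid, UTC timestamp, fee (BTC), amount (BTC), destination address, and the
# wallet cluster the destination is assumed to belong to. Amounts are strings
# so that Decimal keeps them exact.
SAMPLE_WITHDRAWALS = [
    ("tx01", "2018-06-18T10:12:00Z", "0.003961", "1.25", "1CustA", "customer-1"),
    ("tx02", "2018-06-18T11:40:00Z", "0.0210", "0.80", "1CustB", "customer-2"),
    ("tx03", "2018-06-19T01:02:00Z", "0.1", "5.00", "1SusA", "suspect"),
    ("tx04", "2018-06-19T01:03:00Z", "0.1", "4.50", "1SusB", "suspect"),
    ("tx05", "2018-06-19T02:15:00Z", "0.0005", "0.10", "1CustC", "customer-3"),
    ("tx06", "2018-06-19T23:58:00Z", "0.1", "6.00", "1SusA", "suspect"),
    ("tx07", "2018-06-20T00:30:00Z", "0.1", "3.75", "1SusC", "suspect"),
    ("tx08", "2018-06-20T00:45:00Z", "0.0001", "0.02", "1CustD", "customer-4"),
]


def fee_decimal_places(fee):
    """Significant decimal places in a fee: 0.003961 -> 6, 0.0210 -> 3, 0.1 -> 1."""
    normalized = Decimal(fee).normalize()
    return max(0, -normalized.as_tuple().exponent)


def is_anomalous_fee(fee, min_fee=Decimal("0.1"), max_places=1):
    """The heuristic from the analysis: a large, suspiciously round fee."""
    return Decimal(fee) >= min_fee and fee_decimal_places(fee) <= max_places


def flag_suspicious(withdrawals, window_start, window_end):
    """Withdrawals inside the incident window whose fee matches the heuristic.

    Timestamps share one ISO-8601 format, so string comparison orders them."""
    return [
        w for w in withdrawals
        if window_start <= w[1] <= window_end and is_anomalous_fee(w[2])
    ]


def aggregate_by_wallet(flagged):
    """Per destination wallet cluster: transaction count, total BTC, distinct addresses."""
    agg = defaultdict(
        lambda: {"tx_count": 0, "total_btc": Decimal("0"), "addresses": set()}
    )
    for _txid, _ts, _fee, amount, address, wallet in flagged:
        entry = agg[wallet]
        entry["tx_count"] += 1
        entry["total_btc"] += Decimal(amount)
        entry["addresses"].add(address)
    return dict(agg)


def coverage_of_reported_loss(total_btc, reported_btc):
    """Fraction of the reported loss that the flagged flows account for."""
    return Decimal(total_btc) / Decimal(reported_btc)


if __name__ == "__main__":
    # Window: the day the fee pattern changed up to the deposit suspension time.
    flagged = flag_suspicious(
        SAMPLE_WITHDRAWALS, "2018-06-19T00:00:00Z", "2018-06-20T00:53:00Z"
    )
    for wallet, s in aggregate_by_wallet(flagged).items():
        print(wallet, s["tx_count"], "txs", s["total_btc"], "BTC",
              len(s["addresses"]), "addresses")
    # The article's figures: 1,993 BTC traced against 2,016 BTC reported lost.
    print("coverage:", round(coverage_of_reported_loss("1993", "2016"), 4))
```

On the constructed data the filter isolates the four round-fee transactions and attributes them to a single destination cluster spanning three addresses, which is the shape of evidence the article relies on; in practice the fee threshold and window should be tuned against the exchange's own historical withdrawal fees rather than fixed.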
These “stolen” funds remained inactive in the suspected hacker’s wallet for more than a month, before being sent to a cryptocurrency exchange called YoBit. A total of 1,993 BTC was transferred to YoBit over 68 transactions, between August 2nd and August 6th. Such a deposit pattern is often seen when an individual seeks to circumvent an exchange’s anti-money laundering controls, including limits on the size of their transactions.
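The deposit pattern just described, a large balance split into many smaller deposits to one exchange over a few days, is what compliance teams call structuring. The following added example (not Elliptic's software or the article's own code) groups constructed deposit records by source wallet and receiving exchange and flags groups whose individual deposits all sit under an assumed per-transaction limit while their total exceeds it within a short window. The 50 BTC limit, the deposit records and the exchange labels are assumptions for illustration, not figures from the article.

```python
from collections import defaultdict
from datetime import datetime
from decimal import Decimal

# Constructed sample deposits (not real YoBit data). Each row: source wallet
# cluster, receiving exchange, UTC timestamp, amount in BTC.
SAMPLE_DEPOSITS = [
    ("suspect", "exchange-x", "2018-08-02T09:00:00Z", "28.5"),
    ("suspect", "exchange-x", "2018-08-02T14:30:00Z", "30.0"),
    ("suspect", "exchange-x", "2018-08-03T08:15:00Z", "27.25"),
    ("suspect", "exchange-x", "2018-08-04T10:00:00Z", "29.0"),
    ("suspect", "exchange-x", "2018-08-05T16:45:00Z", "26.0"),
    ("suspect", "exchange-x", "2018-08-06T07:20:00Z", "24.25"),
    ("customer-9", "exchange-x", "2018-08-03T12:00:00Z", "2.0"),
    ("customer-7", "exchange-y", "2018-08-01T12:00:00Z", "120.0"),
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def summarize_deposits(deposits):
    """Per (source wallet, exchange): count, total, largest single deposit, span in days."""
    groups = defaultdict(list)
    for source, exchange, ts, amount in deposits:
        groups[(source, exchange)].append((_parse(ts), Decimal(amount)))
    summary = {}
    for key, rows in groups.items():
        times = [t for t, _ in rows]
        amounts = [a for _, a in rows]
        summary[key] = {
            "count": len(rows),
            "total_btc": sum(amounts, Decimal("0")),
            "max_single_btc": max(amounts),
            "span_days": (max(times) - min(times)).total_seconds() / 86400,
        }
    return summary


def detect_structuring(deposits, per_tx_limit=Decimal("50"), min_count=5,
                       max_span_days=7):
    """Flag (source, exchange) pairs whose deposits look split to stay under a limit.

    per_tx_limit is a hypothetical exchange threshold; a real deployment would
    use the receiving exchange's actual per-transaction or daily limit."""
    flagged = []
    for key, s in summarize_deposits(deposits).items():
        if (s["count"] >= min_count
                and s["max_single_btc"] <= per_tx_limit
                and s["total_btc"] > per_tx_limit
                and s["span_days"] <= max_span_days):
            flagged.append(key)
    return flagged


if __name__ == "__main__":
    for key, s in summarize_deposits(SAMPLE_DEPOSITS).items():
        print(key, s["count"], "deposits", s["total_btc"], "BTC over",
              round(s["span_days"], 2), "days")
    print("structuring candidates:", detect_structuring(SAMPLE_DEPOSITS))
```

A single large deposit (customer-7) is not flagged even though it exceeds the limit, because structuring is about the split, not the size; the receiving exchange's own monitoring would be the place to catch a deposit that simply breaches a limit.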
YoBit is a Russia-based cryptocurrency exchange that allows its users to trade between US dollars, Russian rubles and a range of cryptocurrencies. Fiat currency can be moved to and from YoBit using a number of payment processors, including Payeer, AdvCash and PerfectMoney. Bithumb reported that it was working with some exchanges to recover stolen funds, but it is unclear whether this has been achieved for the funds sent to YoBit.
Therefore, it seems likely that most (if not all) of the bitcoins stolen from Bithumb were sent to a Russian exchange, perhaps to be laundered and converted into other crypto assets or fiat currency.
Shortly after the incident, the Bithumb hack was linked to the hacker group Lazarus. Threat intelligence company AlienVault reported that this group had previously used, in other attacks, the malware and delivery method likely used to compromise Bithumb. This would not be a new tactic for Lazarus: they have been involved in numerous cryptocurrency thefts in South Korea, including $7 million previously stolen from Bithumb in 2017.
Other cyberattacks linked to Lazarus include the WannaCry ransomware attack, the 2014 Sony attack, and the $81 million theft from Bangladesh Bank in 2016. The Lazarus group itself has strong ties to North Korea, with its operations apparently aimed at raising money for a regime crippled by sanctions. This was all but confirmed by the US Department of Justice, which released an indictment in September 2018 attributing the attacks to agents of the North Korean government.
Without regulation, many exchanges are safe havens for money launderers
The Bithumb hack could therefore give us insight into how North Korean agents launder cryptocurrencies obtained through cyberattacks. In this case, the stolen bitcoins were sent to a Russian cryptocurrency exchange, where they could be converted into fiat currency or another cryptocurrency.
Russia is reported to have helped North Korea evade international sanctions in the past. A Russian exchange could therefore be a natural choice for North Korean cyber attackers seeking to repatriate the proceeds of their activities. On the other hand, YoBit may simply have been chosen because of the weakness of its KYC and AML controls, which makes it easier to launder funds.
Cryptocurrency derived from other attacks linked to Lazarus and North Korea has been laundered by other methods. For example, the WannaCry ransomware funds were sent to exchanges such as Switzerland-based ShapeShift, which did not identify its customers. This exchange was used to convert the funds into monero, a privacy-focused cryptocurrency that is much harder to trace than bitcoin. Shortly after the release of the US indictment implicating North Korea in the WannaCry attack, ShapeShift announced the introduction of customer identification requirements.
Many exchanges around the world still allow their users to convert between cryptoassets or into fiat currencies while having little or no anti-money laundering procedures. Jurisdictions such as the United States, the EU and Japan have introduced regulation to force certain cryptocurrency companies to implement measures such as customer identification and transaction monitoring. However, in most of the world such regulation does not yet exist, so cryptoassets can still be exchanged and transferred relatively anonymously and without a trace.
Cryptocurrencies can be transferred across borders and long distances with ease. Incidents such as the Bithumb theft and the WannaCry ransomware illustrate why regulation must be coordinated globally to ensure that the proceeds of cybercrime, including those committed by nation-state actors, cannot be laundered.