There have been so many recent multimillion-dollar cryptocurrency thefts that it’s easy to lose track. Organized crime, bad cybersecurity, financially motivated spies, and colorful criminals of all kinds have made so many headlines that even huge heists can go mostly unnoticed by the public.
But sometimes the government is able to get it back. Last week, the United States seized $500,000 in cryptocurrency from alleged North Korean hackers who got that money by extorting American medical organizations. That’s just a drop in the bucket considering the grand total: the IRS alone seized $3.5 billion in cryptocurrency in 2021.
But how exactly does seizing cryptocurrency work?
What happens first when the cryptocurrency is stolen?
Skilled criminals know they need to make dirty money clean. Money laundering is the age-old act of making the capital gained from illegal activity look as if it has no connection to the crime itself, so that the money can then be used freely.
“I’d say the laundering is more sophisticated than the hacks themselves,” Christopher Janczewski, who was a lead case agent at the IRS specializing in cryptocurrency cases, told MIT Technology Review previously. More than $8.6 billion was successfully laundered through cryptocurrency in 2021.
Unique among nations, North Korea has used theft of cryptocurrency as a means to fund its financially isolated regime. Pyongyang uses cryptocurrency to get around the restrictions imposed upon it and pay for anything from weapons to luxuries.
The tactics are always evolving. A “peel chain” moves cryptocurrency through thousands of transactions to obfuscate the source and destination. “Chain hopping” crosses blockchains and currencies. “Cryptocurrency mixers” take transactions from anyone and then pay out in different wallets or even different currencies in an effort to disconnect the deposits and withdrawals.
All of this is meant to throw off investigators.
How does law enforcement follow the money?
The US government has invested significantly in blockchain surveillance and analysis tools.
Companies like Chainalysis, TRM Labs, and Elliptic sell software to track and analyze the cryptocurrency ecosystem. Governments have heavily bought into this nascent industry as a way to unmask hackers stealing, laundering, and cashing out of illicit cryptocurrency.
For example, TRM Forensics is a product designed to trace cryptocurrency transactions across 26 different blockchains, graph the flow of funds, and identify the wallets where the coins ended up. Similarly, Chainalysis Reactor provides ongoing surveillance of different cryptocurrency assets so a customer, like a US government agency, can know if a specific wallet belongs to a darknet market, a high-risk cryptocurrency exchange, or an online casino.
The output will include neat sets of data visualizations ready for government investigations and, eventually, court prosecutions. But no amount of tracing by software will actually get the money back.
How does the government actually seize the money?
“Tracing is just one tool in the toolbox,” says Ari Redbord, a former federal prosecutor and currently the head of government affairs at TRM Labs. “Then they have to use police work for the end of the rainbow. Some of it is just great investigative work.”
There are three basic ways the US government can lawfully access and seize funds.
The largest single seizure in US history came just this year, when the Justice Department took hold of $3.6 billion in cryptocurrency allegedly stolen during the 2016 hack of Bitfinex, a virtual currency exchange. This case was, in key ways, much simpler for American police because two arrests of US residents were made in Manhattan.
Blockchain analysis found that the stolen currency was moved, after a long but unsuccessful attempt to launder the cash, to accounts controlled by a suspect. Police got a search warrant for the suspect’s cloud storage account, which contained an encrypted file. The file was decrypted and found to contain 2,000 cryptocurrency addresses and private keys. Almost every wallet was linked directly to the Bitfinex hack. Law enforcement received a seizure warrant and took the money into the government’s possession—and arrested two suspects.
The cryptocurrency ecosystem has a reputation in the popular imagination as a Wild West.
But the truth is that, in a bid to do business and make money in wealthy nations, exchanges and other cryptocurrency businesses have become vastly more compliant with Western law enforcement over the years.
After meeting probable-cause and burden-of-proof requirements, law enforcement can get seizure warrants for any illicit funds that eventually land on compliant exchanges—and many funds eventually do. Law enforcement will then work with the crypto business to move the funds to a government-controlled wallet or freeze them.
“Another method is that the adversary or a member of their conspiracy cooperates and provides private keys to the government as part of a plea negotiation or cooperation to benefit them in some way,” says Gurvais Grigg, who was assistant director of the FBI before becoming an executive at Chainalysis.
The third possibility is to compromise the target’s security—which can happen in numerous ways.
“When you’re talking about a country like North Korea or Russian cyber criminal organizations, it can take years of building out networks of confidential informants and working with other governments, even those that aren’t always friendly to us,” Redbord says. “One piece is potentially hacking into a server or machine or, frankly more likely, just great police work.”
For hackers outside the United States, the task is trickier. An arrest can be impossible if the suspect is in a country that doesn’t cooperate with Washington, so prosecutors focus elsewhere.
“Good prosecutors understand that a criminal prosecution is only one part of the larger investigation and results in these types of cases,” says Redbord, who was a prosecutor for 11 years. Instead, the focus is the money.
The other aspects are regulation, politics, and diplomacy. There are several notable “rogue areas” around the world that don’t comply with international anti-money-laundering rules, Grigg says, including North Korea and Iran, “but those parts of the world are becoming smaller and smaller islands.” There are two reasons for that. If you’re a business, compliance means you have a chance to access the world’s richest markets; if you’re a nation, it means your own lawful orders can be honored in return.
What comes next?
As governments become better at surveilling and seizing cryptocurrency, hackers and criminal tactics continue to evolve.
Mixers offer a popular tactic these days. Mixers take in funds from various origins, pool them together, and then send funds back out at random as a way to obfuscate their source and ultimate destination. Although there are numerous reasons one could use mixers, their chief customers have always been criminals and hackers.
According to a recent report from Chainalysis, mixers have moved over $50 million monthly on average this year, twice as much as last year. Blockchain analysis firms are hustling to tackle the problem and reliably “demix” the funds, but for now, mixers remain a go-to tool for criminals.
The US Treasury Department has opted for another, more immediate approach: in May 2022, the US issued the first sanctions against a cryptocurrency mixer. This one was allegedly used to launder cryptocurrency following a $600 million theft by North Korean hackers.
“The last thing we’ve seen is the increase in the multiplicity of attacks,” Griggs says. “Think of thousands of wildebeests crossing a river at once so that crocodiles can only get a few. Attackers have flooded the zone with an increased number of attacks, potentially in the hopes of making it difficult for authorities to catch an individual actor.
“The problem is that investigators can link what appear to be disparate attacks back to a central command, and in some cases this might make it easier for the government to prove a large conspiracy.”
The efforts to track, freeze, and seize the funds will only become more important. And it’s just as certain that billions will continue to slip through the cracks. Just before news of the US seizure against North Korean hackers made headlines, another group from North Korea launched an international ransomware hacking campaign.