Treasury sanctions, DOJ charges two Chinese nationals for helping North Korean hackers

Two men helped Lazarus Group funnel cryptocurrency back to North Korea, according to the Treasury Department.
North Korea flag
The North Korean flag. (Getty Images)

The Departments of Justice and Treasury charged and sanctioned two Chinese nationals Monday for laundering stolen money obtained through a North Korean government-backed hack of a cryptocurrency exchange in 2018.

Specifically, the Treasury Department sanctioned Tian Yinyin and Li Jiadong for “having materially assisted, sponsored, or provided financial, material, or technological support for, or goods or services to or in support of” Lazarus Group, a hacking group the U.S. government has previously linked with the North Korean government, according to the Treasury Department release. The two also provided that support to a “malicious cyber-enabled activity.”

“Today, we are publicly exposing a criminal network’s valuable support to North Korea’s cyber heist program and seizing the fruits of its crimes,” Assistant Attorney General of DOJ’s National Security Division, John Demers, said in a statement.

The Treasury Department has previously singled out Lazarus Group for its heists. Last September, the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned Lazarus Group and two sub-groups for their activities targeting Society for Worldwide Interbank Financial Telecommunication (SWIFT) and stealing cash and customer information from ATMs.


This is the first time the U.S. government is formally sanctioning Chinese nationals with assisting North Korean hacking targeted at cryptocurrencies, which can be especially useful in efforts to evade sanctions as they are harder to track than fiat currency.

“Proceeds from DPRK malicious cyber activities often end up at Chinese financial institutions … The Democratic People’s Republic of Korea (DPRK) trains cyber actors to target and launder stolen funds from financial institutions” the Treasury release says. “This revenue allows the North Korean regime to continue to invest in its illicit ballistic missile and nuclear programs.”

The sanctions are part of a sweeping U.S. government effort to thwart North Korea from evading sanctions. The Trump administration has previously sanctioned Chinese shipping companies and Russian company has also been sanctioned for allegedly helping North Korea skirt previous U.S. decrees.

“Today’s indictment and sanctions send a strong message that the United States will not relent in holding accountable bad actors attempting to evade sanctions and undermine our financial system,” Assistant Director of the FBI’s Investigative Division, Calvin Shivers, said.

The sanctions come amid programs meant to apply pressure to Pyongyang by exposing the regime’s hacking programs, which come amid denuclearization talks between the U.S and North Korea.


How the hack happened

After sending one employee at a cryptocurrency exchange a spearphishing email containing malware in April 2018, Lazarus Group was able to steal $250 million worth of virtual currencies. The malware gave Lazarus Group unauthorized access to customers’ personal information, including private keys used to access targets’ virtual currency wallets.

Tian then moved tens of millions of dollars of these funds through a newly added bank account to an exchange account he controlled, as well as to prepaid Apple iTunes gift cards.

Lazarus Group resorted to its well-oiled tack of using front companies to target cryptocurrency exchanges, the Treasury Department said, pointing out how the hackers used malware linked with an organization run by the North Koreans.

“In April 2018, the Lazarus Group leveraged previously used malware code from the now defunct cryptocurrency application Celas Trade Pro — software both developed and offered by the Lazarus Group registered website called Celas Limited,” the Treasury release says.


Overall, the incident amounted for “nearly half” of all of Pyongyang’s activity stealing virtual currency that year, according to Treasury. By 2019, the United Nations blamed North Korean hackers for $571 million in losses at five cryptocurrency exchanges in Asia between January 2017 and September 2018.

“The North Korean regime has continued its widespread campaign of extensive cyber-attacks on financial institutions to steal funds,” Treasury Secretary Steven Mnuchin said in a statement. “The United States will continue to protect the global financial system by holding accountable those who help North Korea engage in cyber-crime.”

As a result of the sanctions, any foreign financial institution or any individual who engages in some kinds of transactions with Tian and Li could be subject to penalties, according to OFAC. All of Tian and Li’s property or interests in their property in the U.S. should be blocked and reported to OFAC.

The announcement comes just hours after South Korea said Kim Jong-un launched two unidentified projectiles, the country’s first missile tests since last fall.

Shannon Vavra

Written by Shannon Vavra

Shannon Vavra covers the NSA, Cyber Command, espionage, and cyber-operations for CyberScoop. She previously worked at Axios as a news reporter, covering breaking political news, foreign policy, and cybersecurity. She has appeared on live national television and radio to discuss her reporting, including on MSNBC, Fox News, Fox Business, CBS, Al Jazeera, NPR, WTOP, as well as on podcasts including Motherboard’s CYBER and The CyberWire’s Caveat. Shannon hails from Chicago and received her bachelor’s degree from Tufts University.

Latest Podcasts