North Korean Foreign Trade Bank Rep Charged for Role in Two Crypto Laundering Conspiracies

On April 24,  the U.S. Department of Justice unsealed two federal indictments in the District of Columbia charging a North Korean Foreign Trade Bank (“FTB”) representative for his role in money laundering conspiracies designed to generate revenue for North Korea through the use of cryptocurrency. 

The first indictment charges Sim Hyon Sop (“Sim”), a North Korean national, with conspiring with three over-the-counter (“OTC”) traders, Wu HuiHui (“Wu”), a Chinese national, Cheng Hung Man (“Cheng”),  a Hong Kong British National living in Hong Kong, and an unknown user of the online moniker “live:jammychen0150" (“Chen”), to launder stolen cryptocurrency and use the funds to purchase goods through Hong Kong-based front companies for the benefit of North Korea. A concurrent sanctions action was taken by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) Sim, Wu, and Cheng.

With these actions, OFAC and DOJ are pulling back the curtain on how North Korea cleans the money it steals. This is also the first time information has been publicly released showing how North Korea’s crypto thefts are used to purchase goods that sustain the regime.

One of the enduring challenges for actors who steal cryptocurrencies is the successful conversion of the proceeds from crypto to fiat currencies. This process has become  progressively harder as the use of advanced blockchain intelligence tools proliferates and while wider adoption of anti-money laundering controls by cryptocurrency businesses grows globally, making it harder to conceal illicit funds. As we have observed from previous cases, while North Korean actors tend to be less concerned with security and anonymity than non-state cybercriminals, they still seek to convert their illicit gains into Dollars, Euros, and Yuan as sellers of petroleum, missile components, and tobacco, typically don’t accept cryptocurrencies as payment.

OTC brokers, like Wu and Cheng, are key links who facilitate the conversion of funds from crypto into traditional currencies. They can open accounts at large crypto exchanges and funnel those exchanged funds into traditional banks under cover of high-volume OTC trades, or other trading activity.

Once in the traditional financial system, these funds begin a convoluted journey through accounts held in the names of offshore trading firms in obscure jurisdictions - often those with strong secrecy protections and lax supervisory processes. 

China, North Korea’s biggest trade partner, Russia, and a handful of other smaller jurisdictions are among a small group of jurisdictions where North Koreans are able to operate, despite promises to enforce UN sanctions on North Korea. In this case, both brokers named in the actions are based in Chinese territories. 

As detailed in DOJ’s press release:‍

“[The indicted parties] conspired to launder stolen cryptocurrency and then used those funds to purchase goods through Hong Kong-based front companies on behalf of North Korea. Sim directed these payments, which were made in U.S. dollars, through “Jammy Chen.” “Jammy Chen” then recruited Wu and Cheng, both of whom were OTC traders, to find sham front companies and facilitate the payments to avoid U.S. sanctions against North Korea.”‍

Continued investments by exchanges in their compliance and investigations teams are making the laundering of stolen funds by OTC brokers more difficult. Wu Huihui, one of the targets of these actions, had his accounts restricted by Binance’s investigations team in 2022. Wu documented his frustrations on Twitter. At the time, Wu claimed ignorance as to why Binance might have decided his account was high-risk.

These actions have also exposed the intersection of North Korea’s traditional trade-based money laundering networks, especially its banks, in cleaning and spending the funds North Korea’s hackers have stolen. Sim Hyon-sop is a representative of KKBC, a key North Korean bank and subsidiary of its Foreign Trade Bank (FTB), which has overseen essential elements of North Korea’s money laundering networks. In its press release, OFAC revealed Sim is now based in Dandong, China, a city that has played an essential role for North Korea’s trade and financial networks for decades.

Prior DOJ/FBI actions targeting FTB and KKBC, North Korea’s trade banks, explored in great depth the functioning of North Korea’s illicit financial networks, revealing that  these networks depend on non-North Korean nationals establishing companies and financial accounts. Historically, these facilitators were often businesses with direct, traditional trade relationships with North Korean partners. Now, with the rise of crypto and the headline-making thefts perpetrated by North Korea’s hackers, they must transit through facilitators like Wu and Cheng.

According to information released by the DOJ, Sim has also helped to manage the flow of funds back to North Korea from North Korean software developers working surreptitiously with foreign customers:‍

“Sim also allegedly conspired to launder funds generated by North Korean IT workers who obtained illegal employment in the tech and crypto industry. These IT workers used fake personas to get jobs, including jobs at U.S.-based companies, and then asked to be paid in cryptocurrencies, such as stablecoins like USD Tether (USDT) and USD Coin (USDC), which are pegged to the U.S. dollar. After receiving payment, they funneled their earnings back to North Korea through Sim.”

This evolution in remote, semi-licit software work emerged after the expulsion of many North Korean software teams after limitations on overseas North Korean workers were imposed by UN resolutions. 

TRM’s own investigations suggest these kinds of software development projects are highly lucrative for the North Korean regime and pose unique dangers, often allowing North Korean programmers access to sensitive information which can be used to hack the projects they work for. 

The graph below shows the flow of the biweekly salary of one North Korean IT worker and hacker which TRM Labs has been tracking to the address publicly revealed yesterday to be controlled by Sim Hyon-sop on behalf of FTB/KKBC.  

Over the course of the last year we have seen North Korean cybercriminals attack cryptocurrency businesses at unprecedented speed and scale. According to TRM analysis, 2022 was a record-setting year for crypto hacks, with about $3.7 billion in stolen funds. Attacks against DeFi projects were particularly common, with approximately 80 percent of all stolen funds, or $3 billion, involving DeFi victims. About half of that total is attributable to North Korea alone. With this week’s DOJ and Treasury actions we are beginning to see authorities lift the veil on the way these stolen funds are laundered on and off-chain. Most notably we are seeing authorities focus on the off ramps to ensure that DPRK cybercriminals are not able to convert funds to more usable fiat currencies. We are likely to see a continued effort by authorities against Asia-based OTC brokers and other exit points for hacked and stolen funds.

For much more on DPRK cyber activity check out TRM Talks and TRM’s library of Insights on North Korea.