OFAC Sanctions North Korean Hackers Over Crypto Theft

The US Office of Foreign Assets Control (OFAC) is expanding its sanctions regime to cover additional alleged North Korean wallets, following the hack of blockchain game Axie Infinity’s Ronin bridge, which saw the theft of around $600m in cryptocurrency.

OFAC has added three Ethereum addresses to its Specially Designated Nationals and Blocked Persons (SDN) list, in addition to a previous listing tied to what is thought to be one of the world’s largest decentralized finance (DeFi) hacks. It is believed all three addresses had received sizable inbound transfers of stolen currency from the originally sanctioned wallet.

DeFi – financial services provided on public blockchains – is increasingly being used for scams and money laundering as the volume of transactions it deals with increases.

The hack saw an attacker gain control of validators’ nodes to forge withdrawals of cryptocurrency, which was then laundered through other addresses, with layering and mixing used to try to disguise the source of funds.

Layering is one of the biggest anti-money laundering (AML) typologies associated with crypto, and within this, mixing is a key tactic used by illicit actors to try to disguise the source of funds. Mixing, or tumbling, involves blending various transactions across several exchanges, making transactions harder to trace back to a specific exchange, account, or owner.

According to OFAC, the Ronin bridge hack may have been tied to a North Korean hacker syndicate called Lazarus Group. Lazarus Group is thought to have been involved in other major crypto and ransomware hacks and is associated with the North Korean state. It is alleged that cryptoassets stolen by Lazarus Group may be used to fund the state’s nuclear and ballistic missile programs. 

Evading Economic Sanctions

North Korea (DPRK) has tried different ways to evade global economic sanctions, including the use and exploitation of designated non-financial businesses and professions (DNFBPs) to move money illicitly. A report from the UN Security Council says cyber actors working for the DPRK stole a total of $400m worth of cryptocurrency in 2021, through seven intrusions into cryptocurrency exchanges and investment firms.

A US citizen, Virgil Griffith, was sentenced in April to five years in prison and a $100,000 fine for helping North Korea evade sanctions by speaking at a cryptocurrency conference held in the country.

“Griffith and his co-conspirators provided instruction on how the DPRK could use blockchain and cryptocurrency technology to launder money and evade sanctions,” said the US Department of Justice.

The risk of crypto and ransomware being used to circumvent sanctions has become a growing problem for US regulators, with FinCEN sharing SAR filing data to raise awareness of the issue.

For sanctions professionals, there are wider takeaways beyond this immediate case concerning North Korea. Sanctions are becoming the default tool of Western statecraft, as the appetite for military action remains low in many countries. 

This is currently happening with Russia, and there is a good chance that we will see more ‘rogue’ states that are subject to sanctions resorting to measures like these to fund their economies and disrupt countries they see as penalizing them. Sanctions professionals need to keep abreast of the latest developments to minimize their risk exposure.

The case also highlights the increasing need for firms to understand the intersections between cryptocurrency and traditional finance, in order to pinpoint the risks at these points of intersection.

To keep up with the latest developments in North Korea, compliance teams should review the reports issued annually by the UN Panel of Experts, with a particular focus on the ‘finance’ section.

Originally published April 29, 2022, updated May 6, 2022

Copyright © 2022 IVXS UK Limited (trading as ComplyAdvantage).