BRATISLAVA: In September 2020, a North Korean hacking group known as Lazarus broke into a small Slovakian crypto exchange and stole virtual currency worth some $5.4 million.
It was one of a string of cyber heists by Lazarus that Washington said were aimed at funding North Korea’s nuclear weapons programme.
Several hours later, the hackers opened at least two dozenanonymous accounts on Binance, the world’s largestcryptocurrency exchange, enabling them to convert the stolenfunds and obscure the money trail, correspondence betweenSlovakia’s national police and Binance reveals.
In as little as nine minutes, using only encrypted emailaddresses as identification, the Lazarus hackers created Binance accounts and traded crypto stolen from Eterbase, the Slovakian exchange, according to account records that Binance shared with the police and that are reported here for the first time.
“Binance had no idea who was moving money through theirexchange” because of the anonymous nature of the accounts, said Eterbase co-founder Robert Auxt, whose firm has been unable to locate or recover the funds.
Eterbase’s lost money is part of a torrent of illicit fundsthat flowed through Binance from 2017 to 2021, a Reutersinvestigation has found.
During this period, Binance processed transactions totallingat least $2.35 billion stemming from hacks, investment fraudsand illegal drug sales, Reuters calculated from an examinationof court records, statements by law enforcement and blockchain data, compiled for the news agency by two blockchain analysis firms. Two industry experts reviewed the calculation and agreed with the estimate.
Separately, crypto researcher Chainalysis, hired by U.S.government agencies to track illegal flows, concluded in a 2020 report that Binance received criminal funds totalling $770 million in 2019 alone, more than any other crypto exchange. Binance CEO Changpeng Zhao accused Chainalysis on Twitter of “bad business etiquette.”
Binance declined to make Zhao available for an interview.Responding to written questions, Chief Communications Officer Patrick Hillmann said Binance did not consider Reuters’ calculation to be accurate. He did not respond to requests to provide Binance’s own figures for the cases identified in this article. He said Binance was building “the most sophisticated cyber forensics team on the planet” and was seeking to “further improve our ability to detect illegal crypto activity on our platform.”
As Reuters reported in January, Binance kept weak money-laundering checks on its users until mid-2021, despite concerns raised by senior company figures starting at leastthree years earlier. In response to that article, Binance saidit was helping drive higher industry standards and the reporting was “wildly outdated.” In August 2021, Binance compelled new and existing users to submit identification.
With around 120 million users worldwide, Binance processescrypto trades worth hundreds of billions of dollars a month. The sector was hit by a sharp correction in May, its overall value slumping by a quarter to $1.3 trillion. Zhao said he saw “new found resiliency” in the market.
Meanwhile, his company is extending its reach intotraditional business, announcing a $200 million investment inmedia group Forbes this year and committing $500 million toTesla boss Elon Musk’s bid to take over Twitter. A Forbesspokesperson declined to comment. Musk didn’t respond torequests for comment.
The flow of illicit crypto through Binance, identified byReuters, represents a small portion of the exchange’s overalltrading volumes. Yet as policymakers and regulators, includingU.S. Treasury Secretary Janet Yellen and European Central Bank President Christine Lagarde, voice concern over the illegal use of cryptocurrencies, the trade demonstrates how criminals have turned to the technology to launder dirty money.
For this article, Reuters interviewed law enforcementofficials, researchers, and crime victims in a dozen countries,including in Europe and the United States, to assess theenduring impact of past gaps in Binance’s anti-money laundering rules.
Reuters reviewed detailed data about Binance clienttransactions on “darknet” sites – marketplaces for narcotics,weapons and other illegal items. Most of the data was provided by Crystal Blockchain, an Amsterdam-based analysis firm that helps companies and governments trace crypto funds. The data showed that from 2017 to 2022, buyers and sellers on the world’s largest darknet drugs market, a Russian-language site called Hydra, used Binance to make and receive crypto payments worth $780 million. Reuters cross-checked these figures with another analysis firm, which agreed with the findings.
In April, the U.S. Justice Department announced that U.S.and German law enforcement had seized Hydra’s servers. The U.S. indicted the servers’ alleged administrator for conspiring to commit money laundering and distribute illicit drugs. The site was closed down and the alleged administrator arrested by Russian authorities.
The data compiled for Reuters included crypto that passedthrough multiple digital wallets before reaching Binance. Forcrypto firms, such “indirect” flows with links to known suspicious sources are red flags for money laundering, according to the Financial Action Task Force, a global watchdog that sets standards for authorities combating financial crime. Money launderers often use sophisticated techniques to create complex chains of crypto transfers that cover their tracks, the FATF and the International Monetary Fund have said.
Hillmann, the Binance spokesperson, said the Hydra figurewas “inaccurate and overblown” and that Reuters was wronglyincluding indirect flows in its calculation.
Reuters then asked how Binance views its responsibility tomonitor its indirect exposure to dirty money. Hillmann repliedthat “what’s important to note is not where the funds come from- as crypto deposits cannot be blocked - but what we do after the funds are deposited.” He said Binance uses transaction monitoring and risk assessments to “ensure that any illegal funds are tracked, frozen, recovered and/or returned to their rightful owner.” Binance is working closely with law enforcement to dismantle criminal networks using cryptocurrencies, including in Russia, he said.
Reuters reviewed documentation from criminal and civilcases. A still open civil case in the United States alleges thatin 2020 Binance declined a request from investigators andlawyers, acting on behalf of a hacking victim, to permanentlyfreeze an account that was being used to launder stolen funds.
Binance, which disputes the U.S. court’s jurisdiction, confirmed to Reuters that it only put a temporary freeze on the account. Hillmann blamed a failure by law enforcement to submit a timely request via Binance’s web portal and then answer the exchange’s follow-up questions.
In Germany, police said investigators began seeing criminalsin Europe turn to Binance in 2020 to launder some of theproceeds from investment fraud schemes that caused victims, many of them pensioners, to lose in total 750 million euros ($800 million). The criminals’ use of Binance has not been previously reported.
Reuters reporting also reveals for the first time how NorthKorea’s Lazarus used Binance to launder some of thecryptocurrency stolen from Eterbase. A smaller portion of thefunds were laundered at the same time through another major exchange, Seychelles-based Huobi, which declined to comment.
After another heist in March this year, when Lazarus stoleover $600 million from an online game involvingcryptocurrencies, Zhao said North Korean hackers had transferred an unspecified amount of the funds to Binance. Hillmann told Reuters that Binance has identified and frozen more than $5 million and is assisting law enforcement with its investigation. He didn’t provide further details.
The United States sanctioned Lazarus in 2019 over cyberattacks designed to support North Korea’s weapons programmes, calling it an instrument of the country’s intelligence service – an accusation Pyongyang called “vicious slander.” North Korea’s mission to the United Nations did not respond to emailed questions. Blockchain researcher Chainalysis estimates that Lazarus stole crypto worth $1.75 billion by 2020 that mostly flowed through unidentified exchanges.
“THE HYDRA IS THRIVING”
Zhao, known as CZ, started Binance in Shanghai in 2017.Three months later, he unveiled a new strategy, on an internalchat group, for the company’s next phase of development. “Do everything to increase our market share, and nothing else,” Zhao wrote.
The priority, he said, was to ensure Binance overtook largercryptocurrency exchanges and fended off competition from smaller rivals. “Profit, revenue, comfort, etc, all come second.”
Asked to elaborate on this remark, Hillmann said, “NeitherCZ nor any other Binance business leader has ever suggested that increasing market share should supersede complianceobligations.”
Among the countries Zhao sought to expand in was Russia,which Binance described in a 2018 blog as a major market due to its “hyperactive” crypto community. A Reuters article in April detailed Binance’s efforts to dominate the crypto market there and how, behind the scenes, the exchange was building ties with Russian government agencies.
Binance has continued to provide limited services in Russiasince the country’s invasion of Ukraine this year, despiterequests from the government in Kyiv for exchanges to banRussian users as part of efforts to isolate Russia financially.Russia calls its actions in Ukraine a “special operation.”
Reuters’ new reporting following the April article showsthat many people who signed up to Binance in Russia weren’tusing it for trading. Instead, Binance became a key paymentprovider for Hydra, the giant darknet marketplace, according to the blockchain data compiled for Reuters, a review of Hydra user forums, and interviews with illegal drug users and researchers.
After it was set up in 2015, Hydra distributed narcotics onbehalf of drug dealers, all priced in bitcoin, to millions ofbuyers, mostly in Russia.
German police, in coordination with U.S. authorities, seizedHydra’s servers in Germany in April, closing the site down. TheU.S. indicted a Russian resident, Dmitry Pavlov, foradministering the servers. A week later, Russian authoritiesarrested Pavlov for allegedly dealing in drugs, a Moscow courtsaid, adding he had filed an appeal. Before his arrest, Pavlovtold the BBC he ran a licensed server company and was not aware it was hosting Hydra. Pavlov didn’t respond to messages from Reuters sent via his company.
The Justice Department, describing Hydra as “the world’slargest and longest-running darknet market,” said the site hadreceived in total around $5.2 billion in cryptocurrency. NeitherBinance nor any other payment provider linked to Hydra was named by the Justice Department, which declined to comment on Binance.
Hillmann told Reuters that Binance “works closely with lawenforcement to target the illicit drug trade daily.”
Sites like Hydra are only accessible on a clandestine partof the internet, known as the dark web, that requires a browser that hides a user’s identity.
As early as March 2018, Hydra users recommended on thesite’s Russian-language forums that buyers use Binance to make purchases, citing the anonymity Binance afforded its clients at the time by allowing them to register with just an email address. “This is the fastest and cheapest way I’ve tried,” a user wrote.
Cryptocurrency traders exchanged dozens of messages in 2021 and early 2022 about using Hydra on Binance’s own Russian community Telegram chat. “The Hydra is thriving,” wrote one last year.
Hydra transformed the narcotics market in Russia,researchers said. Previously, drug users tended to buy fromstreet dealers with cash. With Hydra, users selected substances on the site, paid the seller in bitcoin, and receivedcoordinates to pick up the “treasure” at a discreet location.Buyers, known as “treasure hunters,” found their purchasesburied in forests at the edge of town, hidden in garbage dumps, or stuffed behind loose bricks in abandoned buildings.
According to a report by the United Nations Office on Drugsand Crime, Hydra increased the availability of drugs in Russiaand drove a surge in demand for stimulants, such asmethamphetamine and mephedrone. Drug-related deaths rose by two-thirds between 2018 and 2020, figures from Russia’s state anti-drug committee show.
At the time of the U.S. and German operation to seizeHydra’s servers, the Drug Enforcement Administration, whichsupported the investigation, said the marketplace’s services“threaten the safety and health of communities far and wide.”The DEA referred Reuters to the Justice Department for further comment.
Aleksey Lakhov, a director at Russian charity foundationHumanitarian Action, which researches drug use, said he was“horrified” by how Hydra fuelled addiction. “During the days Iused drugs, you had to know someone at least” in order to obtain narcotics, Lakhov, a recovered addict, added.
Alexandra, a 24-year-old office manager in Moscow, startedbuying mephedrone and ketamine on Hydra in 2019 to help cope with her bipolar disorder. Several friends who used Hydra told her Binance was the safest way to pay dealers, Alexandra told Reuters, speaking on condition she be identified only with her first name. Some of them used fake personal information to open Binance accounts, she said, but she uploaded a copy of her passport. Binance never blocked or queried any of her payments.
Asked about her account, Binance said it was continuallystrengthening its know-your-customer capabilities.
The system’s anonymity made it easy to buy drugs on thedarknet, Alexandra said. “It was like buying chocolate in thestore.”
As her drug use became an everyday habit, she went dayswithout sleep, wracked by hallucinations and depression. “I felt like I was dying, and I liked that feeling,” she said.Eventually, she sought psychiatric help and received therapy.Since then, she just used Hydra to buy cannabis.
State Department reports from 2019 and 2020, withoutmentioning Hydra or Binance, warned that drug traffickers inRussia were using virtual currencies to launder proceeds. AState Department spokesman declined to comment on Hydra and Binance.
As reported by Reuters in its January investigation, aninternal document shows that Binance was aware of the risk of illegal finance in Russia. Binance’s compliance departmentassigned Russia an “extreme” risk rating in 2020 in anassessment that was reviewed by Reuters. It citedmoney-laundering reports by the U.S. State Department. Hillmann told Reuters Binance had taken more action against Russian money launderers than any other crypto exchange, citing a ban it imposed on three Russian digital currency platforms that were sanctioned by the United States.
Crypto flows between Binance and Hydra dropped sharply after the exchange tightened its customer checks in August 2021, the data from Crystal Blockchain shows.
“FINANCIAL FREEDOM”
For the past five years, Binance has allowed traders on itsplatform to buy and sell a coin called Monero, a cryptocurrency that offers users anonymity. While bitcoin transactions are recorded on a public blockchain, Monero obscures the digital addresses of senders and receivers. A Beginner’s Guide to Monero by Binance, available on its website, said such coins were “desirable for those seeking true financial confidentiality.”
Zhao has spoken in favour of “privacy coins,” of whichMonero is the most traded. During a 2020 video call with staff,a recording of which Reuters reviewed, Zhao said privacy waspart of people’s “financial freedom.” He didn’t mention Monero, but said Binance had funded other privacy coin projects.
Monero proved to be popular among Binance users. As of lateMay, Binance was processing Monero trades worth around $50 million a day, far more than other exchanges, according to data from the CoinMarketCap website.
Law enforcement agencies in Europe and the United Stateshave warned that Monero’s anonymity makes it a potential tool for money launderers. The U.S. Department of Justice, in a 2020 report, said it considered the use of “anonymity enhanced cryptocurrencies” like Monero “a high-risk activity that is indicative of possible criminal conduct.”
On several darknet forums that Reuters reviewed, over 20users wrote about buying Monero on Binance to purchase illegal drugs. They shared how-to guides with names like DNM Bible, a reference to darknet markets.
“XMR is essential to anyone buying drugs on the Dark web,”wrote one user on the forum Dread, referring to Monero’s ticker symbol. It isn’t possible to contact users through the forum so Reuters was unable to reach these people for comment.
Hillmann told Reuters there were “many legitimate reasonswhy users require privacy,” such as when opposition groups inauthoritarian regimes are denied safe access to funds. Binance opposed anyone using crypto to buy or sell illegal drugs, he said.
Hackers have used Binance to convert stolen funds intoMonero.
In August 2020, hackers hijacked a cryptocurrency walletbelonging to an Australian man named Steve Kowalski by tricking him into downloading malware, Kowalski said in a witness statement to Australian police. They withdrew the 1,400 bitcoin he held in the wallet, worth some $16 million at the time. Kowalski told police he had bought the bitcoin for $500,000 six years earlier and they were a significant portion of his assets.
Investigators hired by Kowalski traced most of his bitcointhrough a series of wallets to six Binance accounts, where thecoins were exchanged for Monero, according to testimony and blockchain analysis reports filed as part of an ongoing civilcomplaint Kowalski submitted last year against Binance inMiami-Dade County, Florida. Kowalski declined to comment.
Kowalski’s investigation showed that a U.S. softwareconsultant called Brandon Ng, then living in Florida, controlledmost of the Binance accounts. Ng testified to the court that acrypto trading partner, who he knew online only by the username MoneyTree, deposited the bitcoin in his Binance accounts.
MoneyTree, Ng said, paid him a 1% commission to convert thebitcoin into Monero on Binance and then transfer it back. Alawyer for Ng, Spencer Silverglate, said MoneyTree likely traded through Ng to shield his identity from Binance. Ng testified that he was not aware he was laundering stolen bitcoin.
MoneyTree did not respond to emails sent by Reuters to anaddress that Ng provided to the court. Silverglate, the lawyer,said Ng did not steal or launder Kowalski’s bitcoin and was an“innocent downstream trader.”
Ng’s Monero trading had earlier raised alarms at anothercrypto exchange called Poloniex, based in the United States,where he also had an account. In mid-2019, his Poloniex account was frozen after it was flagged for “high risk exposure” to money laundering due to Monero withdrawals totalling over $1 million, according to a summary filed with the court. Poloniex didn’t respond to a request for comment.
Binance dealt with Ng differently. Kowalski’s privateinvestigators and lawyers contacted Binance soon after thetheft, before Ng converted all the funds, and repeatedly askedBinance to permanently freeze Ng’s accounts, their writtencommunications show. The letters, filed with the court, alsoaccuse Binance of not responding to police requests to securethe assets for the duration of their investigation.
Binance imposed a seven-day freeze on the accounts, but then lifted it, allowing Ng to exchange the stolen bitcoin for Monero over several months. In his response to Reuters, Hillmann said law enforcement failed to request a permanent freeze via Binance’s web portal within the seven-day period and then didn’t answer the exchange’s follow-up questions.
A Binance investigation team member told one of the privateinvestigators in a message that “while it is highly likely thepaths leading to this account are malicious,” Binance could not prove the accounts were “created to facilitate laundering.” When the investigator persisted, the team member scolded him for “several issues with your tone.”
In a submission last December to the court in Florida,Binance said the case should be dismissed as the court did not have jurisdiction over the company. To determine the matter, the judge has granted discovery, a process where parties request documents from each other.
Hillmann told Reuters that Binance investigates allallegations of misconduct on its platform and takes appropriate action if its investigators uncover wrongdoing.
Eterbase, the Bratislava-based exchange hacked by the NorthKoreans, sought Binance’s help, too.
After news of the hack by Lazarus, Zhao tweeted on Sept. 9,2020: “Will do what we can to assist.” But when Eterbase emailed Binance’s support centre, a Binance team member said they could not share any account data without a law enforcement request, according to communications between the two firms seen by Reuters.
Eterbase submitted a criminal complaint to Slovakia’sNational Crime Agency. In June, 2021, the agency wrote toBinance requesting information and saying the funds were stolen by “anonymous attackers united under the Lazarus hacking group.”Binance replied that it could not identify accounts connected to the hack. In July, after another, more detailed police request, Binance sent the agency records on 24 accounts, adding they had been empty for over nine months as “the assets have instantly been traded.”
Hillmann said Binance fully cooperated with requestsreceived from Slovakian authorities and helped them to identify the relevant accounts.
The records, reviewed by Reuters, showed the only personalinformation Binance held on the account holders was their email addresses, many of which were based on misspelt well-known names, such as “bejaminfranklin,” the American founding father, and “garathbale,” the Welsh soccer player. The hackers used virtual private networks to obscure their devices’ locations, the records show.
Within around 20 minutes of opening most of the accounts,the hackers passed an unspecified “security check” allowing them to withdraw crypto, according to the account records. Each account then converted portions of the stolen funds into just under two bitcoin, the withdrawal limit at the time for a basic account without identification.
After the hack, Eterbase stopped its operations and laterfiled for bankruptcy. Auxt, the company co-founder, said thelosses meant Eterbase could no longer cover its expenses. “The hack killed our business,” he said. Victims of the hack are yet to be reimbursed.
“BLACK HOLE”
In private, Zhao has bemoaned that Binance needs to carryout checks on its customers. During the 2020 video call, Zhaotold staff that know-your-customer rules were “unfortunately a requirement” of Binance’s business.
At times, the compliance team struggled with its workload.In a message to staff in January 2019, Zhao asked otherdepartments to help the compliance team run background checks due to an “overwhelming” number of new users.
According to a group chat among Binance staff, thecompliance team sometimes approved accounts with inadequate documentation. A team member complained to colleagues that one user was able to open an account by submitting three copies of the same receipt from a meal at an Indian restaurant. Hillmann said Binance’s know-your-customer checks are now “highly sophisticated” and that it views such rules as both “mandatory and welcome.”
Current and former police officials in five countries toldReuters that criminal groups were among Binance’s growingcustomer base in recent years.
In late 2019, Konrad Alber, a retired family lawyer inGermany, invested most of his savings on a trading platform he found online. He told Reuters he hoped it would supplement his small pension and allow his wife to stop working to support their life in a village in the Black Forest.
The platform, called Grandefex, promised to “unleash” hismoney’s potential through a sophisticated algorithm. In anemail, a sales representative told Alber, who had littleinvesting experience, that he could double any deposits within a year. Over 18 months, he wired almost 35,000 euros toGrandefex’s bank accounts.
Then, last June, when he asked Grandefex to pay him hisexpected profits, he discovered his money had been transferred to Binance, emails and bank account records show. Alber begged Grandefex by email to return his funds, telling their finance department he had a “mountain of debt” and was suffering a “nervous breakdown.”
In response, Grandefex told him, “You will simply notreceive your money.”
Reuters’ emails and calls to Grandefex went unanswered. InJune 2020, Germany’s regulator said the platform wasunauthorised and ordered its closure.
Grandefex was one of a string of fake trading websites setup by organised crime groups that have scammed some 750 million euros from European citizens, many of them pensioners, according to German, Austrian and Spanish authorities. Six people involvedin police investigations into the scams told Reuters that thegroups, which operate call centres in Eastern Europe, haveshifted to laundering their gains through crypto exchanges,particularly Binance.
Hillmann said Binance is tackling investment fraud byidentifying victims and suspects, and whenever possible,freezing criminal proceeds.
A Vienna-based non-profit organisation, the European FundsRecovery Initiative, which supports victims of investment fraud, has received around 220 complaints from people whose stolen savings were converted into crypto. Almost two-thirds lost money that was funnelled through Binance, totalling 7.4 million euros, said the initiative’s co-founder, Elfi Sixt. Other investment frauds targeting people in Turkey, Britain and Pakistan also used Binance, authorities have said.
Police officers and lawyers told Reuters that it is harderfor fraud victims to recover lost funds when they pass through a crypto exchange. In many countries, consumers can ask their banks to freeze or reimburse stolen funds. Binance requires victims to sign non-disclosure agreements as a condition for temporarily freezing assets and insists on the direct involvement of law enforcement to process claims, according to its website.
Sixt said she has followed this process to no avail. “I’venever succeeded at getting money back from Binance.” Asked about this, Hillmann didn’t directly respond.
Alber, the retired lawyer, sent a letter to Binance, butsaid he never heard back. In June 2021, the 67-year-old reported the theft of his savings and their transfer to Binance to local police. The prosecutor’s office in the nearby town ofBaden-Baden said his case remains under investigation. Binance said it had no record of Alber’s letter.
At a police station in the Lower Saxony city ofBraunschweig, the state cyber crime unit is investigating asimilar scam that used Binance. Chief Inspector Mario Krause,two of his investigators and the prosecutor leading the probedetailed the case to Reuters.
Last October, the unit coordinated with Bulgarianauthorities to raid a call centre in the capital Sofia, whichpolice said ran hundreds of fake online trading platforms.
They obtained evidence, reviewed by Reuters, including adatabase showing the operators had taken in deposits totalling 94 million euros. Videos police seized from an employee’s phone depicted what Krause described as a “Wolf of Wall Street” atmosphere at the call centre. Staff rang gongs and popped champagne bottles when they secured big deposits. A scoreboard showed which employee had raked in the most money each week. They partied on yachts and private jets.
In a statement at the time of the raid, the prosecutor’soffice said one suspect was arrested. The case prosecutor,Manuel Recha, told Reuters the organisation’s leaders are stillat large. The company that ran the call centre, Dortome BG, did not respond to requests to comment.
During the investigation, the cyber unit sought to tracewhere the stolen funds ended up.
Investigators tracked the money through many layers of bankaccounts to Binance and another exchange, U.S.-based Kraken,police said. By the time Binance and Kraken provided accountrecords, the police said the funds had been withdrawn or sent to a “mixer,” a service which anonymises crypto transactions by breaking them up and mixing them with other funds. The personal information held by both exchanges on the accounts was often fake or stolen from victims, the officers said.
Kraken told Reuters it has “bank-grade” customer checks androbust tools to prevent fraud. Kraken disputed that customerinformation provided to Braunschweig police was fake, saying“every indicator we have suggests these accounts were used by legitimate clients.”
The Germans’ money trail went cold.
Krause said his team was struggling to make progress. “We’researching for a way out of the black hole,” he said.