Four United States government agencies collaborated in an investigation of North Korean hackers who targeted and stole over $250 million worth of various cryptocurrencies from two South Korean cryptocurrency exchanges in July 2019 and March 2020. A civil in rem forfeiture complaint filed on behalf of the United States on August 27th, 2020 seeks the forfeiture of 280 virtual currency accounts belonging to the hackers. Although the techniques used by the agencies to trace the stolen funds is impressive, the task of seizing the assets still remains and presents a unique problem.
The issue for seizing the cryptocurrency wallets involves two elements. First, seizing cryptocurrency abroad requires multiple legal hurdles to clear. Second, the property belongs to a country with tense political relations to the United States. The government is faced with the issue of enforcing a forfeiture against an almost untouchable entity.
The Attack & Investigation
The American agencies utilized a U.N. report by the U.N.’s Security Council to suspect North Korean hackers as masterminds of the attack. North Korean hackers previously attacked South Korean crypto exchanges to fund their regime’s weapons development program. With this information, the agencies used advanced tracing techniques to obtain and track the hacker’s transactions, wallet addresses, clusters on the blockchain, email and exchange accounts, and VPN addresses to confirm North Korean hackers were indeed behind the attack.
The investigation revealed an attack on an American exchange as well as the hacker’s attempt to bypass an exchange’s KYC requirement by entering passport information stolen from an American citizen. Tracing revealed the hacker’s attempts to utilize ‘chain hopping’, the conversion of one cryptocurrency to another, to muddle the transactional trail on the blockchain’s ledger. However, one VPN address was linked to a previous attack by the North Korean hackers, as were some wallet and cluster addresses. This link allowed the agents to pinpoint the location of the hackers and piece together the transaction puzzle. The final piece of the puzzle included Chinese over-the-counter exchanges (OTC), which laundered the funds for the hackers.
An Atypical Cryptocurrency Seizure
The goal of a cryptocurrency seizure pursuant to a forfeiture action is to obtain the private key to the digital wallet sought in order to transfer the funds to a U.S. government wallet. In recent crypto seizures abroad, agents were able to issue arrest warrants, seize laptops or notebooks with the private keys contained therein, and collaborate with foreign countries to post forfeiture notices, conduct raids, and make arrests. Unfortunately, these steps are unavailable to the government in the present case. The agents know the wallet addresses used by the hackers but have no way of obtaining the private keys since a search and seizure, arrest, and extradition has not, and is unlikely, to be made.
The United States is not incompetent in cryptocurrency seizures against entities that are ‘untouchable’ by the law. In the same month this complaint was filed, the Department of Justice successfully thwarted the funding scheme of multiple terrorist groups. With approval from a judge, federal law enforcement seized control of the al-Qassam Brigades’ website and diverted funds intended for the groups’ wallets to Bitcoin accounts controlled by the US.Unfortunately, an interception in the present case is impossible because agents traced the scheme after the fact.
The agents made it clear they apply a “persistent engagement approach to challenge our adversaries in cyberspace”  in order to protect the integrity of the international financial system. However, the problem remains: how will the government seize the 280 virtual currency accounts held by North Koreans? The United States faces the risk of failing to deliver on their message.
The civil forfeiture complaint requests “that due notice be given to all parties to appear and show cause why the forfeiture should not be decreed; that a warrant of arrest in rem issue according to law. . . ”. Given the nationality of the hackers and general history between the United States and North Korea, it is safe to assume cooperation, extradition of the hackers, and voluntary forfeiture of the property is impossible. The circumstances present an issue implicating cryptocurrency enforcement and international cooperation.
To seize the cryptocurrency, the government may need to utilize their international agreements and treaties on international crime. Relevant bilateral and multilateral agreements are the Budapest Convention on Cybercrime, Mutual Legal Assistance Treaties (MLATs), and United Nations treaties.
The Budapest Convention is the only global cyber-crime treaty, with over sixty signatories. Unfortunately, the treaty is under attack by Russia and China, who have successfully called for a movement to renegotiate the agreement in August 2020. The negations have overhauled the virtues of the agreement as Russia and China have attempted to implement questionable authoritarian ideals for cybercrime monitoring and enforcement. As these negotiations take place, relying on the agreement is no longer a viable option for the US.
Typically, a bilateral MLAT request for forfeiture would be made pursuant to consulting the Office of International Affairs. Following approval, the US would collaborate with the foreign nation to commence an arrest or forfeiture. In this case however, the United States does not have an MLAT with North Korea. If the request is made, and in the likely event it falls on deaf ears, the United States may need to petition the United Nations for assistance.
The United Nations’ mutual legal assistance treaties cover most major federal offenses. After demonstrating probable cause, the government may request, through the U.N., that North Korea seize and forfeit the wallets. However, the same issue with the MLATs apply to the U.N. legal assistance request. North Korea is neither a signatory of a MLAT with the U.S. nor a U.N. member state. The only hope for success with the U.N. treaty is that political pressure from exposing the North Korean’s crime or a threat of sanctions could induce forfeiture.
Perhaps if no funds are realized from the action, an important lesson is. As the United States continues to pursue crypto crime, the government may want to revisit their treaties and legislation to create a framework for crypto crimes so a roadblock like the present case is avoided.
Reevaluating & Manipulating Existing Legal Frameworks
The similarities between the present situation and previous forfeiture actions against North Korean property reveals the need for the government to revise their legal framework for international cybercrime enforcement. Additionally, existing legislation may serve as a guide for implementing new legislature for cyber and crypto enforcement.
In a previous complaint seeking forfeiture from a North Korean, the government was able to use the PATRIOT Act’s correspondent banking provision to seize the assets of a North Korean held in Chinese banks, as the Chinese banks had correspondent accounts in the U.S. The correspondent banking provisions provides that funds deposited into a foreign financial institution which has a correspondent account in the U.S., are deemed to have been deposited in the U.S. correspondent account, and any seizure or arrest warrant in rem may be served on the foreign financial institution.
Parallels exist between the two forfeiture actions. The cryptocurrency in this scheme, after being stolen and transmitted through American exchanges, was deposited in a Chinese OTC exchange. The funds in both forfeiture actions were transmitted through accounts in the U.S., used to fund the North Korean regime, and held in Chinese financial institutions.
Currently, the Act’s provision would not apply to this attack because cryptocurrency and exchanges lack the legal status equivalent to currency and banks. If the legal status of cryptocurrency and exchanges were revised, the government may be able to seize assets from the Chinese exchange. Ultimately, the similarities of the circumstances may provoke a desire to establish a crypto equivalent to the Act’s correspondent provision to establish a legal framework for seizing cryptocurrency abroad.
The circumstances of the forfeiture action reveal the need to establish a comprehensive legal framework for enforcing cyber and crypto crime on the international scale, as present agreements are ineffective. The PATRIOT Act’s correspondent banking provision may offer inspiration to model new legislation for the purpose of pursuing cyber and cryptocurrency crimes as they become more prevalent. The display of the government’s tenacity towards cyber-crime and tracing skills was proven, but given the nature of the circumstances, this may be the only accomplishment by the government in this case.
Freeman Law represents clients in the Dallas-Fort Worth area. Our team is also skilled in legal and regulatory issues related to blockchain technology and cryptocurrency. As these areas continue to evolve, the related legal matters will meld with more traditional computer intrusion and cybercrime issues. Freeman Law recognizes this; we are dedicated to staying at the forefront as these emerging technologies continue to revolutionize social and economic activities. In this respect, we combine our knowledge base in more traditional cyber-related litigation with a unique white-collar and accounting background—and a position as a thought leader in the evolving blockchain and cryptocurrency space—to provide a distinctive brand of cutting-edge legal representation. Schedule a consultation or call (214) 984-3000 to discuss your cybersecurity concerns.
 United States v. 280 Virtual Currency Accounts, No. 20-2396 (D.C. Cir. Filed Aug. 27, 2020).
 Id. at 5-6.
 Id. at 17.
 Supra note 1, at 20.
 Shirley U. Emehelu, A Shot in the Dark: Using Asset Forfeiture Tools to Identify and Restrain Criminals’ Cryptocurrency, 66 DOJ J. Fed. L. & Prac. 81, 91 (2018).
 See United States v. 2013 Lamborghini Aventador LP700-4, No. 1:17-cv-00967-ljo-sko, 2018 WL 3752131 (E.D. Cal. Aug. 8, 2018).
 Supra note 1, at 22.
 Neal B. Christiansen & Julia E. Jarrett, Forfeiting Cryptocurrency: Decrypting the Challenges of a Modern Asset, 67 DOJ J. Fed. L. & Prac. 155 (2019); See also Jack de Kluiver, International Forfeiture Cooperation, 61 U.S. ATTY’S BULL., no. 5, 2013, at 36.
 Kluiver, supra note 8.
Contact Dallas Internet and Cyber Crimes Lawyers.