[Geoff White] It's April 2022 in Silicon Roundabout, London's
East End Tech District. Inside the offices of a cryptocurrency startup called Aztec Network,
Jon Wu is flicking through a few job applications. [Jon Wu] Aztec Network is hiring aggressively, especially
for great engineering talent as we build out our network. [Jean Lee] Jon's about to interview a job applicant
on a video call. So he steps into a private booth so that he won't disturb his colleagues. The
candidate's name is Bobby Sierra, and along with his resumé, Bobby has submitted a cover letter. [JW] And this cover letter was generally unexceptional, but it had a very unique sign-off, and the sign-off was:
'The world will see a great result from my hands.' Which I thought was just very Bond-villainesque.
It was really almost comical in how villainous it sounded. You know, you could imagine that being
followed up with like a cackle or something. [GW] Jon's thinking, bit weird, but OK, let's meet the guy. [JW] And I initiated the call and kind of the first red flag was he didn't turn his camera on. [GW] It was also
just really hard to hear Bobby. He was calling from somewhere incredibly noisy. [JW] Which, you know, again,
is highly unprofessional. And what I noticed was it sounded not like he was at a café, but like he
was in a call centre, like there were three or four other people in there also making calls or doing
interviews, and so I asked him about that and he kind of began this very interesting dance where
he would mute in order to hide the background noise, but he wasn't really clear when to unmute,
and so we had these long silences where I'd ask him a question, he would stay muted, I would ask
him to unmute, then he would stay unmuted, I'd ask him to mute again... and so it was kind of just this
hilarious little dance that we were doing. [GW] When you ask the questions,
what kind of answers was Bobby Sierra giving? [JW] He gave some extraordinarily generic answers, things like he would say I'm a successful
blockchain engineer, I will make you very successful, but some really glaring inconsistencies
started coming up. His resumé said he was based in Canada, when I asked him where he was based he said
he was based in Hong Kong. I asked him how long he had been in Hong Kong, he had a lot of trouble uh
explaining that. [JL] Jon is from New York and says he knew a lot of Koreans growing up, and he thinks
he detects a Korean accent in the stilted English that this mysterious Bobby Sierra is using. [JW] And so, that started to make the hairs on the back of my neck stand up a little bit, because I had
been aware of some of Lazarus Group's activities, and I started to say, there's enough of these red
flags piling up that there might be something more nefarious going on. And I felt uncomfortable
enough at that point that I disconnected. [JL] Jon's about to find out that he had a
pretty good reason to be suspicious. It seems the North Korean regime is trying to worm its way
into the international cryptocurrency industry. [GW] Thanks to the crypto boom, there's a mind-boggling
amount of money sloshing through this new world of finance. [JL] And that has caught the eye of North
Korea's elite hackers, the Lazarus Group. [Music] From the BBC World Service, this is the Lazarus
Heist, season two. I'm Jean Lee and I'm Geoff White. Episode 8: Bitcoin Bandits [GW] After his suspicious encounter with Bobby Sierra,
Jon Wu hangs up the call feeling stunned. [JW] I'll never forget. I opened the door to our office
in London and I just kind of announced to the room, "I think I just interviewed a North Korean
hacker." [GW] Right! What was the reaction from the room? [JW] I mean, shock of course. And yeah, I think everyone was both
highly entertained and a little nervous, to be like, man, we didn't think we were high enough profile
for someone to try to gain entry, or we didn't think that we'd be a target. And I think that's
kind of what victims always think, right? Little old me? Why would someone come after us? [GW] Just to finish off the story, by the way, you didn't offer Bobby Sierra the job then, in the end? [JW] No, unfortunately he didn't get the job. [GW] Jon can't be sure that Bobby Sierra is North Korean. He's got
no way of actually knowing. But he just has this hunch about it. He can't figure out what a North
Korean hacker would hope to gain by applying for a job at his company. [JL] Then, about two weeks after
interviewing Bobby, Jon finds out that the US government has issued a special report warning
the tech industry to watch out for North Koreans applying for jobs. [JW] The way that North Korea does
it, and this is the way the US Treasury explains, is that there are thousands, if not tens
of thousands, of overseas North Korean IT workers who pose as western or foreign nationals
in order to get hired for general tech companies, and of course because of the global shortage
of tech talent, these people get hired, and they get hired at salaries much, much higher than they
could earn domestically in North Korea. The North Korean government custodies whatever money they
make as their wage, pays them out some tiny, tiny proportion, and then keeps the rest to fund North
Korean WMD operations. And when I read this, I was immediately taken back to this interview. It felt
very vindicating. [GW] The crypto community was totally thrown by the revelations in this US report. It
said that although many of these North Korean job applicants may not be hackers themselves,
they sometimes work closely with North Koreans who are, and some of them had already used the
privileged access they'd gained after being hired by a company to enable cyber intrusions. [JL] Jon's company facilitates cryptocurrency payments, and that means that at any one time, the company
has control over large sums of its customers' money. So it's entirely possible that Bobby planned
to help North Korea's hacker thieves rob the company from the inside. Scarier still, if Bobby
had been hired he could have been tasked with designing software to keep the company's systems
secure from hackers, which would have been pretty ironic. [JW] You could in many hundreds or thousands of
lines of code put in a critical vulnerability that only you knew about, and that would be hard to find.
And so a North Korean supply chain attacker could keep that to himself and then at the right moment
attack the known vulnerability and extract funds. [GW] Jon decided to take to social media to
share his story. He was immediately flooded with responses. [JW] A lot of people had the same
experience as me, interviewing potential North Korean IT workers. But the craziest story that
I heard was, I was at a co-working space here in Brooklyn, and I ran into a friend of a friend,
and he said, "Hey Jon, I read your Twitter thread, and did you know we had a North Korean on
our payroll for six months." [GW] What?!
[JW] And I said, "How is that possible?" and he said, "Well, we hired
someone, they obviously operate under a pseudonym. And it wasn't until the FBI called us and
said 'we have tracked your funds to a North Korean account' did we realise that
we needed to do a deep security review and identify every single person working for us." And
he said, "this person was our best engineer who's a member of our team, he was contributing a lot,"
and he was frankly sad to have lost this guy. [JL] And I'm sure the North Korean was sad to have lost
the job. Remember, by this time, UN member nations were supposed to have rescinded all work visas
for North Koreans. But US authorities believe thousands of North Korean IT workers still remain
abroad, in China, Russia, Africa, and South East Asia. And that salary that Jon was offering is far
more than the few hundred US dollars a month they might make back home. It's fascinating to
get this glimpse of a person from North Korea figuring out not just the tech skills, but also
the people skills required to pull something like this off. Imagine having to stay in character,
pretending to be of a different nationality, with a totally different backstory, for six months. And
it's this kind of criminal espionage that the US government is warning tech companies to be wary of.
So clearly, this story could be one of many. [GW] How do you feel about this in hindsight then?
I mean, sitting from where you are now, what's your overriding feeling? [JW] It all feels a little
surreal, you know? Even just the statement: "some cryptocurrency employees are funnelling
their wages back to nuclear weapons programmes." Even that just sounds completely absurd
to say. Yeah, in general it makes me much more sceptical and paranoid about kind of not
knowing where funds and code are coming from. [GW] All through the making of this podcast, Jean and I
have been desperately wanting to speak to someone involved in North Korea's secretive hacking
programme, and Jon Wu might have done just that without even trying. It's entirely possible that
Bobby Sierra, if he's really North Korean, knows North Korean hackers, went to school with them, and
maybe even lives with them in a dorm overseas. And when I was speaking to Jon, hearing all about
Bobby, I was itching to speak to him myself. So I asked Jon for Bobby's contact details,
and he gave me the ID he was using on Telegram, a secure messaging app. So I thought, what the
heck, let's give him a call now. I'll be honest, I was pretty sure this wouldn't work. Surely Bobby
wouldn't be using this Telegram user ID any more. It was a classic investigative journalist
wild goose chase. But then... oh my gosh it's ringing! Now, safety first: I made this call from
a burner phone not connected to any of my real numbers or email accounts, so I wasn't risking
any personal information if the phone got hacked. My call just rang and rang. I hung up. No goose for
me. But then Bobby started typing. Here he is! "Hi, this is Bobby" on Telegram. So I'm going to send him
a message and ask if he wants to talk. "Can we talk?" "Do you have any projects for me?" This is
astonishing. Clearly, Bobby is still looking for work from this account. Next, he asked
me to send him my LinkedIn profile, which was a bit hair-raising, because LinkedIn
is one of the ways the Lazarus Group target their victims. But by this point, he
knew my name, so I sent him my profile and a link to The Lazarus Heist podcast for good
measure. "Nice" says Bobby Sierra, followed by "Cool". He's had a look at my LinkedIn profile and
he thinks it's nice and cool. "What do you want?" Well that's the crux, isn't it? "I co-present
a BBC podcast about North Korean hackers..." I put our question to Bobby. "Are you working
for North Korea?" "Can I ask for your thoughts?" Hmm, no answer. This is where Bobby stopped
texting back. I tried one more call, but he ghosted me. I heard nothing more from him. So
close, and yet so far. And look, that shouldn't come as a surprise. I mean I had to tell him
who I was, but I knew that risked scaring him off. So I didn't get the interview I wanted, but I
did find out something fascinating. Apparently, North Korea's IT workers have become so brazen,
so keen to break into crypto companies, that it seems they're hanging out on Telegram, where we
can chat to them. Their drive to make money has become so ravenous they're increasingly having
to come out of the shadows. [JL] And their tactics for breaking into crypto go well beyond trying
their luck applying for developer jobs. They've had their sights on the world's crypto wallets
for a while now, and in the middle of the night in September 2020, this was about to spell very
bad news for one major cryptocurrency company. [GW] They say money never sleeps. That's the old Wall
Street mantra. Finance is a 24/7 business and long hours come with the job, but surely there
are limits? [Jing Cheung] About 4am in the morning Singapore time, I was awakened by a call, and surprisingly,
it was one of our co-founders. In that call, he didn't talk much. He just said: "OK, something happened
we need you to come to the office immediately." [GW] This is Jing Cheung. Back in September 2020 when he received this
painfully early wake-up call, he was working for a cryptocurrency company called KuCoin. [JL] Their head office is in Singapore, overlooking Marina Bay, that's the waterfront with all those futuristic
hotels with rooftop bars and infinity pools, and KuCoin sounds like one of those 'work hard, play
hard' kind of places. [JC] If you want, you can go to the gym in the office to have some exercises, then
there are also some like gaming machines if you want to take a rest. [GW] What gaming machines have you got?
I've got to ask! [JC] It's some like um computer games back in the 80s or 90s, the very old machines
you can put the coins inside and play some old-fashioned games. [GW] Seems like a job with some
pretty fun perks. But it doesn't sound like Jing's being called in at 4am by his bosses just to
duke it out over a game of Street Fighter. [SFX Computer game: "You lose. Hahaha!"] [GW] KuCoin is a crypto exchange. You can sign
up online and set up a digital wallet with KuCoin. It's basically a kind of bank account for
crypto. Then you can use your dollars and pounds to buy cryptocurrencies like Bitcoin and Ether, plus
a whole range of other crypto assets, as they're called, things like NFTs - non-fungible tokens,
for example. [JC] In terms of the trading volume, for instance, currently uh the average daily volume
on KuCoin is about five billion every day. [GW] So... 5 billion dollars, is that? [JC] Yeah, US dollars, yeah.
[GW] $5bn is a huge amount of money. [JC] Yeah, KuCoin is top five crypto exchanges in terms of like the
overall performance. [JL] That kind of turnover makes KuCoin an attractive target. And that's exactly what
Jing's worrying about as he rushes into the office. [JC] But in the taxi, I was thinking, like, what kind
of things may happen uh so that I have to go to the office now? It must be something really bad.
And for crypto exchanges, the worst thing that would happen would be like a security incident, like
a hack. When I arrived at the office I saw most of the co-founders, they were already there, so I
was thinking, it must be something really bad, because just like when you watch a like Marvel
movie where all the superheroes are gathering, you all know the situation is very, very tough
to deal with, right? That's when I know, OK, it was a hack, actually. [JL] KuCoin had been quick off
the mark spotting the attack. It began at 3am Singapore time, an hour before Jing gets called in.
And when he arrives, the emergency response is in full flow. [GW] The company security team are watching
a bunch of abnormal transactions on the system. The company's wallets are being systematically
emptied of all their crypto assets, the Bitcoin, the Ether, and everything else. Someone, somewhere,
is trying to bleed the firm dry. Security staff are frantically transferring the remaining funds out
of wallets that have been hacked and into secure ones that they hope are going to be beyond the
hackers' reach. [JC] It's like a race with the attackers because at the same time, the attackers are still
trying to get more funds out of the platform. [GW] The security team are gradually winning. By the time
Jing reaches the office, they've moved most of their funds to safe havens. [JL] But when the dust settles,
they add up what was stolen, and it's a lot. Close to $300m of Bitcoin, Ether
and other crypto assets, gone in minutes. As the sun's rising over Marina Bay in Singapore,
Jing is focusing on how to break the news to KuCoin's customers. Jing works on the marketing
team, so it's his job to help the company get the message out to their account holders that some of
their funds may have been stolen. And he's going to have to do that pretty quickly, because customers
have already figured out that something's up. [JC] When I arrived at the office, there were already some
rumours out there saying that "OK, there's something wrong with KuCoin", and also we have a
huge community on Telegram and Twitter, they have started to panic. [GW] How did they know? Well, it's
partly because of how these cryptocurrencies work. Every time you use one, like buying something with
Bitcoin, the transaction is written onto a publicly available online record called a blockchain. This
is fundamental to how these cryptocurrencies work. Every currency's got its own blockchain, so it's
not gone unnoticed by KuCoin users watching all this blockchain activity that someone's
making giant transfers out of KuCoin's wallets. [JL] By this point in 2020, crypto exchanges had
become a favourite target of hacking gangs around the world. There had been dozens of
incidents like this, but what's happened to KuCoin is major. It's an eye-watering sum. So
Jing rushes to get a company announcement up online, saying yes, KuCoin has been raided. An
investigation is under way, please bear with us. [GW] As for that internal investigation, the first
question is, how could this have happened? Well, KuCoin have never disclosed any details
of exactly how the hackers got in, but we know that once they're inside, the hackers got hold
of what's called the private keys to KuCoin's wallets, basically the passwords that unlock them.
After that, it's playtime. [JL] So that's the how figured out. As for who did it, and more urgently, where the
funds have gone, KuCoin quickly calls in some help from the big guns. [GW] They send a message to one of
the world's top crypto investigators, someone on the other side of the world, in Washington DC,
where it's the middle of a sunny afternoon. [Erin Plante] So, I was at a family picnic and I got a message
that there's been close to $300m stolen from an exchange. So I sit down in the
grass, I pull out my phone, and start to look at it. You can start to piece it together, and you can
see the funds flow real time as they're moving, and you just start chasing them. [GW] This is Erin Plante,
vice president of investigations at Chainalysis. That's one of the world's leading crypto tracing
firms. Just like banks have forensic investigators who track money down, Chainalysis does the same
with crypto, using those publicly available blockchain records. [JL] Erin and her colleagues help
law enforcement trace the illicit crypto funds of some of the world's worst criminals. [Erin Plante] We care about
wallets that are controlled by terrorists, wallets controlled by child abuse offenders, wallets
that are controlled by sanctioned individuals. [JL] This is amazing work, and it's helped police around
the world put some really terrible people in prison. [GW] Not all superheroes wear capes. And it can be
hard for Erin to explain to her friends and family exactly what it is she does all day. [EP] Everyone says, you do what? I thought you... I thought you fixed printers?! Nobody really
understands cryptocurrency. [GW] And it's this nonplussed response she's dealing with at the family
picnic in her local park, when she gets the message from KuCoin. Erin opens up some
Chainalysis software on her phone that allows her to trace the movement of cryptocurrency in real time. [EP] When some major event happens, we jump right in. There's a lot of scrambling,
because you want to stop the movement of funds as quickly as possible so that you have
a chance of getting them back. [GW] Were the other guests a bit bemused by this, did you have
to explain, "by the way, I'm chasing $300m and yes, I will have another sandwich?!" [EP] Exactly! That's exactly what happens. And I've got two kids, and they were running around,
and they try to grab at your phone because they want to watch Peppa Pig on YouTube and you're
snatching it back, "I'm chasing 300 million dollars!" [Laughs] [JL] You might be thinking, if you manage to steal
a huge amount of cryptocurrency, surely the first thing you want to do is to convert it into
dollars or pounds, or any other regular currency? [GW] Well yes, that is the end goal here. It's called
cashing out. But it's actually pretty difficult. There are only a few crypto exchanges in the world
where massive trades like this are possible, and most of them are reputable, they're not in the
business of enabling crooks, so they'll be on the lookout for suspiciously large trades
that could be the stolen KuCoin funds. [JL] So this makes cashing out pretty
darn hard, but not impossible. [EP] If they're stolen by a sophisticated hacker,
which in this instance KuCoin most definitely was, they follow a very complex laundering path. [GW] In the moments after the hackers took control of KuCoin's crypto wallets, they began moving the funds
through hundreds and hundreds of other wallets. Each wallet's got an address: a string of letters
and numbers. It functions a little bit like a bank account number. Using her crypto tracing software,
Erin can see the funds shooting from one address to another. The hackers have automated this process,
so it's all happening at lightning speed. [EP] There's a lot of adrenaline and a lot of excitement. It's a
little bit of a police chase, where you're trying to follow the car that's flying down the
highway, trying to catch it while it's making, you know, deviations off of the off-ramps and through
tunnels, and it's all digital, so it's all happening immediately, in real time. [GW] But as the hackers send
their funds careening around the digital highways and back alleys of the crypto world, they're going
to need more than speed to shake off Erin and her colleagues. [JL] So they also try swapping the stolen
funds into different cryptocurrencies, just as you might convert stolen dollars into euros or
pounds to make it harder for tracers to keep track. It's like the hackers are changing the licence
plate on the getaway car and slapping on a new paint job. [GW] But Erin's tracking software is pretty
sophisticated. These swaps aren't going to be enough to throw her off the scent. And the hackers
likely know this, so they step it up a gear and pull a trick which makes all that swapping look
like a picnic. And Erin, who's actually at a real picnic, is watching, as the hackers send the stolen
funds into something called a cryptocurrency mixer. [EP] Mixers are a really popular laundering technique,
which are, if you think about it, you put a bunch of dollar bills on the table and you just sort of,
you know, flail them all around with your hands and they all mix together, then you take out a dollar,
you don't know if the dollar you put in is the same one you take out. [GW] Let's explain a bit more. Imagine
I've stolen some Bitcoin. I know investigators are hunting for them, trying to get them back, so for
a fee, I put my coins into an online mixer service, where they're jumbled together with other people's
coins. Now, not everyone using this mixer service is necessarily a crook. The appeal of crypto for a lot
of people is anonymity. So a dissident group in an oppressive country might use a mixer to hide their
funds, for example. But let's say I am a hacker. The mixer runs a program that randomly shuffles all my
stolen coins with a bunch of other coins, jumbling up the dirty ones with the clean ones, and then it
issues me a new crypto wallet containing the same amount of crypto that I put into the mixer, but
not the stolen ones that I threw into the pile. Mixers make it really hard for Erin to keep up. She
can see the hackers moving stolen KuCoin funds into mixer services with names like Chip Mixer
and Tornado Cash, but it becomes much, much harder for her to establish which of the many payments
coming out of these mixer wallets is going to the KuCoin crooks. [JL] And the KuCoin hackers can
repeat this process as many times as they want. [EP] Every time they hit a mixer, it's that much harder
to trace. You need really advanced capabilities and software, it's not an easy process. [GW] Can you not contact them and say,
"by the way, don't shuffle that money around, that's stolen money." Are
they receptive to those calls? [EP] They... tend to not be.
[GW] Right! [EP] So, most of the mixers, at least in the US
law, are classified as unlicensed money services businesses, so they're not fully illegal by any
means, but they are starting to be looked at as illicit services. Crypto enthusiasts will say
that there are legitimate purposes for mixers, some people just don't want their identity to be
potentially known on the blockchain, but the amount of illicit funds that go through mixers, not
just stolen funds, but ransomware and all kinds of other illegal activity that you want to stop,
mixers play a role in all of that. [GW] Yeah, it's interesting isn't it, there's a sort of philosophical defense
of them, after all the whole point of this is it's meant to be anonymous. [EP] Exactly. And I know people
that will put their funds through mixers before they, you know, pay for something on Amazon. They just, they
believe in the anonymous nature of cryptocurrency, but there is a need to stop the illicit
activity that these mixers play a role in. [JL] It's at this point, when the KuCoin funds are
being jumbled up again and again through mixers, that Erin notices something very telling.
An important clue about who the hackers are. [GW] The funds are being sent through the mixers in
very specific amounts before being moved around in a very familiar pattern. Erin's seen this
pattern before, in the work of one particular hacking gang. One she's come up against
multiple times. The Lazarus Group. [EP] Any time there is a hack of a crypto exchange, especially
these days, when North Korea has been so prolific, we sort of immediately start to at least try
to rule them out as a suspect. [JL] Cryptocurrency is the cutting edge of money. Even people who spent
their lives in finance can struggle to get their heads around it. But yet again, the sophisticated
hackers of the Lazarus Group are making stealing and laundering crypto look like child's play. [GW] North Korea has never admitted to
any involvement in the KuCoin theft, and has consistently denied
any association with the Lazarus Group. The BBC approached the North Korean embassy
in London for a response to the allegations raised in this season of the podcast,
we never got a reply. But Erin's pretty confident that it's the Lazarus
hackers who are behind the KuCoin heist. [JL] But can she claw any of the stolen crypto back?
Well, at the end of this high-speed digital chase, she has lost sight of some of that 300 million
dollar haul, but not all of it. [GW] And she's spotted something very interesting indeed. Some of
the stolen KuCoin crypto is now sitting in a digital wallet that Erin and her colleagues
already have their eyes on. [EP] Funds flowing from previous hacks that are known to be North Korea,
flowing from the KuCoin hack as well into the same deposit addresses. [GW] Right, OK. So effectively,
if you've got one bank account and money from lots of different crimes goes into that one bank
account, it's likely whoever owns that bank account committed all the crimes, or at least benefitted from them all. [EP] That's exactly right, yeah. [GW] Erin can see the stolen funds, but she can't get at them. Crucially,
cryptocurrency is decentralised. That means there's no banks or governments or authorities
in charge of it. Unlike traditional bank accounts, the wallets controlled by these hackers
are much, much harder to seize or get frozen by law enforcement. The hackers seem to have won. [JL] Except, the hackers, remember,
want to cash out the funds. It's no good stealing hundreds of millions
of dollars of crypto if you can't spend it. If the North Korean regime wants to use it to buy
components for bombs and missiles, or maybe even luxury items like Mercedes cars or Rolexes, for
the most part they're going to need old-fashioned money. And Erin says the Lazarus Group's preferred
currency to cash out into is Chinese yuan. [GW] So, the final hurdle for the hackers is to find
a crypto exchange they can rely on to switch their stolen funds into, say, yuan. Now, having
listened to The Lazarus Heist for as long as you have, it won't surprise you to learn that there
are a lot of Wild West crypto exchanges out there where anything goes, no questions asked. Ultimately,
Erin hopes that the hackers will mess up and send some of the illicit gains to an exchange that's
more above board. [EP] And you quickly call them and say, these funds have hit your exchange, can
you please freeze them while law enforcement processes the legal paperwork to actually
get the funds back. [JL] Sometimes it works, sometimes it doesn't. Erin can see the stolen crypto sitting
there in a wallet controlled by the hackers, and now it becomes a game of patience. And Erin says
the Lazarus Group hackers are very patient indeed. [EP] Their goal is to sit on the funds until there
are no more eyes on the funds and then they'll start to cash them out. And then they'll typically
sort of wait, and they'll move a little bit, and it'll kind of sit there for a bit,
and then they'll move up, you know, say, um 50 Bitcoin, or you know some amount that if
it gets seized, it's not the whole package. [GW] So they're testing different escape routes for this?
[EP] They do. [GW] And if the funds get stopped, they think, oh that escape hasn't
worked, we'll try a different one? [EP] Yep, and then they'll go back through
and try to obfuscate again. [GW] In the KuCoin case, Erin and her Chainalysis
colleagues were ultimately able to trace a lot of the funds to a helpful reputable exchange.
Who knows why exactly the Lazarus Group made the mistake of moving the funds there; perhaps they
thought they'd outfoxed her. Wrong. [EP] So, the KuCoin funds, I believe it was about 80% that was returned. It was a
significant retrieval and it was through a service that ultimately complied and returned the funds to
KuCoin. So we are having more and more success. [JL] But the KuCoin case is still an outlier. Erin says
it's still more likely that stolen crypto is never recovered. [EP] It's more likely that the funds go, and disappear. [JL] And we should not forget that in KuCoin's case, sure, a lot was recovered. But 16% of the stolen
money was lost. That's a whopping 45 and a half million US dollars, way more than the Lazarus
Group made with their ATM jackpotting schemes and the Bank of Valletta hack put together. [GW] It's also worth mentioning that KuCoin was insured against losses like this, and fortunately, they say,
no KuCoin customers lost any money. [JL] But $45m goes a long way in North Korea. Plus,
as we've said, this isn't the only crypto heist attributed to its hackers. [GW] In fact, if you add up
the totals of all the crypto heists blamed on the Lazarus Group to date, as of when we recorded this,
it comes to a jaw-dropping $3.2bn. The North Korean hackers have earned way more from
crypto than they ever got from traditional bank hacks. [JL] In fact, they're said to be responsible
for the largest crypto theft ever recorded. In March 2022, North Korea's hackers were accused
of targeting a popular online game called Axie Infinity. The crypto assets stolen were worth well
over $600m. [EP] And if you actually think about this in the dollar amount, some of this,
we put into dollars at the time the funds were stolen, so hacks that occurred in 2018 when the
Bitcoin price was, you know, ten thousand dollars of Bitcoin is now worth so much more than that. [GW] At the time of recording this podcast, the value of Bitcoin is about $28,000 or
thereabouts, but it fluctuates all the time, and this has now become part of the game of laundering this
stuff. Trying to cash out at the right time when the crypto market is peaking. It's mad to think
that these hackers, working for socialist North Korea, are starting to become highly effective
crypto speculators. Do we know how much is sort of left floating about in the cryptocurrency world,
you know, in bits of wallet somewhere, that they're struggling to cash out, or that they're waiting to
cash out? [EP] Yeah, so we have eyes on all of their wallets that we knew about, about half of that
right now is sitting in wallets that they haven't been able to cash out, and we have eyes on those
at all times. [GW] So as soon as they, kind of, try and do something with those wallets with that money in it,
you're going to be all over them like a bad rash, as they say. [EP] Yeah, we will aim to stop it. Our
investigators have alerts set on all of them, so our investigators are going to know, whether it's
the middle of the night or you're at the family picnic. You'll often see stolen funds that are
clawed back years after they've been stolen. [GW] US authorities are also looking for ways to
tackle this theft. They've chosen to target cryptocurrency mixers. [JL] It's not possible just
to take these mixers down. They're decentralised, meaning that no one person or commercial entity is
in control of them. So the US government resorts to putting US Treasury sanctions on two mixers
that are both very popular with the Lazarus Group: Blender and Tornado Cash. [GW] After those sanctions came in,
one of Tornado Cash's alleged developers was arrested in the Netherlands.
He's currently awaiting trial. He's accused of facilitating money laundering and making
large profits from the Lazarus Group's crimes. [JL] The second mixer, Blender, shut down pretty much
immediately in the wake of US sanctions, or at least, it appeared to. Crypto analysts claim it
just rebranded and re-emerged under a new name: Sinbad. [GW] And Erin says that Sinbad is now the
Lazarus Group's favourite crypto laundering service. Another crypto tracing firm says
the group's already washed $100m there. [JL] This will be a long cat and
mouse game, and the Lazarus Group shows no sign of slowing down its targeting of the crypto
world. [GW] And with billions of dollars up for grabs, it's clear the crypto market will continue to be
their favourite hunting ground for some time yet. [JL] It's frightening to me to think about this hidden,
billion-dollar crypto slush fund, because I know where they're going to spend it. In recent
years, despite strict UN sanctions, North Korea has still managed to get what it wants
to build its nuclear weapons programme. This is where investigators say that so much of these
hacking proceeds, from the Bank of Bangladesh to KuCoin, are ending up. [GW] It's time to look at
how Pyongyang spends its ill-gotten gains and meet the investigators who try to stop them. [Clip] Nuclear programmes are the most secret, most closely guarded things anywhere. I'm just like a regular
lady that's never even set foot in North Korea and I'm figuring it out. [JL] That's next time, in the
final episode of The Lazarus Heist. [Music: The Lazarus Heist theme, by Jambinai] The Lazarus Heist is an original podcast from the BBC
World Service. I'm Geoff White, and I'm Jean Lee. Our producer is Viv Jones. Our original
music was composed by Magnus Fiennes and Lee il-woo from the South Korean band Jambinai. Thanks
by the way for all your messages about the series so far, we've really enjoyed reading
them all. Do keep letting us know what you think. What's been your favourite bit, your
favourite story? Let us know, and do leave us a rating and review, and tell all your
friends about us too. And don't forget to follow and subscribe, so you can hear next
week's finale as soon as it drops. You can also spread the word on social media using
the hashtag #LazarusHeist. Thanks for listening.