From 7d9cb5d3a27ef7d80ca6f3b9e6a835d7e28bcb84 Mon Sep 17 00:00:00 2001 From: hokoi Date: Wed, 24 Apr 2024 02:31:25 +0000 Subject: [PATCH] C2: Add HKers articles, 0x27 Apr.24 --- ...2024-03-20-ai-geopolitics-and-framework.md | 172 ++++++++++++++ ...2024-03-26-uphold-north-korea-sanctions.md | 216 ++++++++++++++++++ 2 files changed, 388 insertions(+) create mode 100644 _collections/_hkers/2024-03-20-ai-geopolitics-and-framework.md create mode 100644 _collections/_hkers/2024-03-26-uphold-north-korea-sanctions.md diff --git a/_collections/_hkers/2024-03-20-ai-geopolitics-and-framework.md b/_collections/_hkers/2024-03-20-ai-geopolitics-and-framework.md new file mode 100644 index 00000000..4bbd95e7 --- /dev/null +++ b/_collections/_hkers/2024-03-20-ai-geopolitics-and-framework.md 
@@ -0,0 +1,172 @@ +--- +layout: post +title : AI, Geopolitics And Framework +author: Pia Hüsch +date : 2024-03-20 12:00:00 +0800 +image : https://i.imgur.com/XZfYH5g.jpeg +#image_caption: "" +description: "Disruptive Technologies Workshop: AI, Geopolitics and the Need for a New Analytical Framework?" +excerpt_separator: +--- + +_This workshop report summarises what impact AI has on geopolitics, whether there is a need for a new analytical framework to capture AI’s impact on international relations, and what we can learn from other technologies and their respective impact on geopolitical developments._ + + + +### Overview + +Policymakers are striving to understand the use, associated risks and benefits of AI technologies. The technologies are developing at pace and often involve highly technical details. Coumpounded by the persistent hype around AI, this complexity can make it challenging for non-specialists to understand AI’s impact, including in a geopolitical context. Yet, the need to respond to disruptive technological developments is not new: International Relations scholarship has often provided useful tools, frameworks or concepts to understand how such changes impact interstate relations. Can policymakers turn to such scholarship to provide valid analytical tools to better understand AI’s impact on geopolitics? This workshop report summarises the discussion of 10 scholars, debating what impact AI has on geopolitics, whether there is a need for a new analytical framework to capture AI’s impact on international relations, and what we can learn from other technologies and their respective impact on geopolitical developments. + + +### Introduction + +In November 2023, RUSI hosted an invitation-only workshop to discuss whether there is a genuine need for a new analytical framework in International Relations scholarship to grasp AI’s impact on geopolitics. 
RUSI convened a deliberately small number of leading International Relations scholars working on AI and other technologies to discuss the impact of AI on international relations, what can be learned from previous technological inventions on the interplay of technology and international relations, and whether a new framework or concept to analyse AI’s impact on geopolitics is needed. + +The workshop included 10 scholars and was chaired by Anthony Finkelstein, President of City, University of London, and a RUSI Distinguished Fellow. In addition to the findings from the workshop itself, invited participants were asked to fill out a survey in advance of the workshop (please see the Annex for the survey questions). Of the 10 participants who attended the workshop, six provided a survey response. An additional two responses were provided by those who were invited but did not attend. This workshop report relies on the contributions from both the survey and the workshop. All views expressed in the workshop and the survey are non-attributable. + + +### Context + +AI technologies, their risks and opportunities, as well as their regulation and ethical challenges, are highly debated topics in UK policy circles. This is particularly the case since the launch of the UK National AI Strategy, setting out the aim of making the UK an “AI superpower”, and in the context of the UK AI Safety Summit held in November 2023. Policymakers in the UK increasingly turn to questions of AI benefits, implications and risks, including its relationship with foreign affairs and international relations. + +Too often, however, it is difficult for policymakers and non-technicians to grasp AI’s novel implications for familiar fields like International Relations. This is partially due to the knowledge gap on how AI technology works and how it will develop. This gap exists between technology experts and those in the social sciences and policy circles. 
+ +Are the tools and methods currently available adequate to frame and explain AI’s impact on international relations? Or are new ones required to capture AI’s implications for interstate relations? Only where there are adequate methods to understand and communicate such impact will non-technicians and policymakers be appropriately equipped to grasp and communicate the implications that follow from AI technologies for international relations. These might be considered decisively different or similar to those of existing technologies. Reaching such understanding is, of course, a necessary pre-condition for policymakers to design effective policy interventions for AI technologies that will allow countries such as the UK to secure a strategic advantage from AI by harnessing its advantages and mitigating any arising risks. + +Academic scholarship can provide suitable and widely applied frameworks and concepts to understand technologies’ impact on international relations – such as, for example, deterrence theory as it applies to nuclear weapons and their impact on international relations during the Cold War. Even where such theory’s ability to accurately capture a technology’s impact on international relations is debatable, it can nevertheless serve as a starting point of discussion. + +AI technologies are not a completely new topic in social sciences and International Relations. That said, the recent trend has certainly led to more academic attention to AI. Whereas much academic discussion has traditionally focused on ethical implications of so-called “killer robots” and the use of AI by lethal autonomous weapons systems (LAWS), scholars in the social sciences are now expanding their research to include areas such as AI governance and AI-enabled disinformation campaigns. + +RUSI’s workshop included International Relations scholars working on the implications of AI, or other technologies such as space or nuclear technologies, for international relations. 
Participants were invited to discuss three subject areas: + +1. AI’s impact on geopolitics (Part One). + +2. What can be learned from the way International Relations theory and scholarship has explained previous technological inventions (Part Two). + +3. Whether a new framework is needed to conceptualise AI’s impact on international relations (Part Three). + + +### Part One: AI’s Impact on Geopolitics and International Relations + +There was widespread agreement that AI has a noticeable and manifold impact on international relations as well as International Relations scholarship – not least because states are addressing issues of AI governance and risk management. The impacts have also been felt as AI potentially has an effect on interstate power dynamics. + +Examples of how AI impacts geopolitical dynamics included: + +- Applications in the military domain, including strategic stability, the laws and ethics of war, and the public perception of warfare. + +- Increased danger of digital authoritarianism. + +- Work in diplomacy, such as efficiency of consular work. + +- Normative challenges to existing values and considerations. + +- The race to be leading AI development, research and implementation, including through data collection. + +- The perceived need for international governance of AI technologies. + +#### Narrowing Down What and When Constitutes “Impact” + +Participants repeatedly debated the timeframe that applies to the question of AI’s impacts on geopolitics. The contemporary landscape differs from potential future scenarios given the rapid development of AI technologies. The assessment of what kind of development to expect and the capabilities AI technologies may develop, however, strongly depends on the taken approach: tech-optimist or doomsday scenario. The timeline envisaged is also relevant. One participant pointed out that “the actual impacts in the short, mid- and long term are somewhat unclear”. 
Even the question of what timeframe constitutes “the future” or “long term” is challenging. + +Timeline considerations also tied to questions on whether to focus on long-term, potentially existential, risks that largely rely on speculation or to focus on AI’s contemporary impact and potential harm. One academic pointed out that this discussion was now highly politicised, tied to narratives of US–China competition and other broader trends. They argued, however, that long- and short-term impact cannot be disintegrated so easily but that these questions are instead closely tied to political considerations underlying them. + +The political implications that follow from the narrative of distinguishing between long- and short-term impact were picked up by other participants. One scholar argued that such distinction is not contradictory. Nonetheless, it is vital to bridge the gap between various communities, each focusing on different types of risks (for example, the national security community and the military community). + +Especially when discussing long-term and existential risk of AI technologies, academics stressed the need to consider where the information underlying assumptions comes from. Who circulates what information with what kind of intentions? What vision of technology are they trying to sell? One participant found that this increased politicisation is making their job harder. Another academic also pointed to the lack of diversity among many technology companies. Many of these companies hold a lot of information and knowledge. They shape the discourse on the impact of AI, especially when it comes to discussing potential long-term and existential risks. They may do so in a one-sided way. Another participant added that technology companies often even determine what is labelled as AI, thereby holding additional power. 
+ +All of these points on the different perspectives, the timeframe applied and the information underlying any assumptions shape the understanding of AI’s impact on geopolitics. + +#### The Approach of International Relations Scholarship to AI + +The discussion identified several areas of the impact of AI on geopolitics that are – to varying degrees – addressed in International Relations scholarship. For example, one participant’s introductory remarks argued that International Relations scholars primarily address the impact of AI by focusing on four areas of study. First, the influence of AI on the balance of power is primarily addressed in areas such as war studies or strategic studies. Second, issues of AI governance are analysed by a more diverse set of scholars driven by a shared sense that some form of global AI governance is needed. Third, the same scholar further remarked that ethics questions are often primarily looked at within a military context but should be considered more broadly. Finally, disinformation and social media are widely discussed in International Relations scholarship, particularly considering the impact of deepfakes, but research in this area is often inconclusive. + +The discussion on AI’s impact on geopolitics underlined the implications that different framings have, whether on the temporal framework applied, the community and the political environment that discusses AI’s impact on international relations, or the source of information such assessment is based on in the first place. These challenges, particularly the question of timeframes, were raised throughout all stages of the workshop. + + +### Part Two: Learning from Other Technologies + +AI technologies are by no means the first technological invention to impact international relations. From nuclear to space, and military inventions to maritime technologies, technology impacts many areas of interstate relations. 
Workshop participants therefore also debated how far AI technologies and their impact on geopolitics resemble that of other technologies or whether they pose unique, unprecedented challenges. + +#### How Different is AI from Previous Technological Inventions? + +Assessments of how far AI is “a gamechanger” differed among the participants. Again, varying timeframes applied to the question. On the one hand, some considered that AI, at least in the current context, primarily amplified existing challenges or power dynamics without fundamentally challenging interstate relations. Some participants tied the impact of AI on international relations to other technologies (for example, to quantum sensing or information communication infrastructure [ICT] and cyber technologies), pointing to possible similarities and interdependencies. One participant also argued that “AI has far more in common with earlier technological inventions than is often implied in the existing literature”, at least in its current form. This could, in theory, change if artificial general intelligence comes into existence. + +On the other hand, some participants found that the impact of AI is already groundbreaking. They stressed its ability to replace human factors as – unlike other technologies – it is a decision-making technology with “a degree of agency”. AI’s ability to not just replace motor skills – as was the case with previous technologies – but also “chiefly cognitive skills” was perceived as a decisive difference. As such, AI has the ability to change the quality of decision-making, with implications for the nature of international society and relations. + +More abstractly, as International Relations as a discipline concerns the study of interstate relations, not humans, AI fundamentally challenges this assumption, according to one discussant. Here lies the challenge to International Relations as a discipline. 
At the same time, it can also add to the discourse: while computer scientists focus on individual intelligence, International Relations scholars focus on collective social intelligence because the discipline is the study of groups, not the individual. As such, the field’s scholarship can make a meaningful contribution to often technology-dominated discussions on how the impact of AI on international relations is understood. + +#### What Lessons Were Learned from Other Technologies and Their Impact on International Relations? + +On lessons learned from other disciplines, including on how to deal with increased hype around new technological inventions, one participant remarked that in the area of space technology, camps form around “futurists” and those paying more attention to contemporary developments. While futurists primarily focus on potential technological inventions in the more distant future, possibly developed by engineers without guiding policy and strategy, those who are perhaps more grounded in pragmatism focus on the technologies that are actually being deployed. The participant remarked that a lesson learned from the space context is to “look away from the shiny stuff” and instead focus on where mass investments are being made and mass adoption is being advanced. A similar shift in attention in an AI context would contribute to moving away from the contemporary hype around AI and to guide non-technicians in navigating the technological landscape and seeing the bigger picture. + +Interesting lessons were also drawn in comparison to the development of nuclear technologies. A participant noted that the ownership of the development of AI – unlike that of nuclear weapons – lies with technology companies rather than states. This, for them, challenges the state-centric assumptions often underlying International Relations theory. + +Another comparison was made to the nuclear domain. 
Like the sanctions there, one participant expected future geopolitical considerations on AI development would likely include further sanctioning of semiconductors. This is already a powerful tool of US foreign and technology policy. + +Others stressed that AI technologies cannot be seen in isolation and that they do “not exist in a social vacuum”. Instead, AI technologies must be seen as a collection of technologies which are also linked to broader questions such as supply chain issues or labour market dynamics. + +While participants’ observations of how far AI technologies constitute a game changer or resemble previous technologies’ impact on international relations differed, some interesting parallels and differences were drawn. These highlighted the value of situating our understanding of AI in the broader context, both in relation to parallel political developments and dynamics around other technologies. + + +### Part Three: Applying Existing Theories and Frameworks to AI and the Need for a New Concept + +At the start of the workshop, participants were asked to place themselves on a spectrum ranging from “no new framework needed” to “new framework needed” to analyse AI’s impact on geopolitics (see Figure 1 for a rough indication). The allocations are merely indicators replicated from a whiteboard in the room and do not follow a scientific measurement. Nevertheless, they provide an overview of the different sentiments represented during the workshop. + +![image01](https://i.imgur.com/cjRyzgR.png) +_▲ Figure 1: Do We Need a New Framework to Understand AI’s Impact on Geopolitics?_ + +#### The Need for a New Framework to Capture the Impact of AI on International Relations + +As demonstrated in Figure 1, participants offered a wide range of perspectives and arguments on whether a new analytical framework in International Relations scholarship is needed to adequately capture and explain the impact of AI on international relations. 
+ +Some thought that a new framework is needed to go beyond the descriptions of aspects of AI’s impact offered by existing theories and concepts. A new framework would especially need to address AI’s ability to perform cognitive tasks and its impact on political decision-making. One participant also deemed a new framework necessary to move away from the dominant perception of AI as an arms race between big powers, overlooking smaller and medium states as well as private technology companies, which are at the heart of AI development. Whether such a new framework would rely on existing concepts that needed updating and enhancing, including from an interdisciplinary perspective, or whether a new, comprehensive theory should be developed remained subject to debate. + +Others pointed to the many theories of International Relations scholarship that already apply to technological inventions more broadly. For example, the framing of the governance and technology lag, describing how technology develops faster than its respective governance, applies to an AI context. Another participant pointed to critical norm theory as a way to build on existing theoretical thinking on how AI technologies shape international norms. For specific areas such as trade and international political economy, the new trade theory was named as an example of an existing theory, adding insights to AI’s impact on geopolitics. Similarly, the theory of organisational reputation was given as an example of how an existing theory can “provide insights into why agencies react to and regulate disruptive innovations”. One scholar added that existing concepts from other disciplines such as neuroscience, psychology and philosophy are also useful tools in contributing to explaining AI’s impact on international relations. + +#### One Theory to Rule Them All? + +The discussion arguing in favour of one new concept or against it was far from binary. 
Instead, it was often a matter of the degree to which existing theories can adequately capture AI’s impact. Participants further questioned whether there can be one theory to address AI’s impact on international relations in the first place. While one participant pointed out that the big theories – realism, constructivism and institutionalism – each offer “valuable insights into AI and the impact it may have on geopolitics”, others stressed the move away from “the big ‘isms’”. Instead, there are many more nuanced, mid-level theories aiming to address aspects of International Relations. + +Indeed, one scholar argued that “no single theory, concept or framework can comprehensively and adequately describe, analyse and reflect on the various impacts of AI. Each theory in International Relations can, however, illuminate certain aspects, risks and opportunities of AI, but none can on its own discuss, analyse and reflect on it in a comprehensive manner”. Others agreed, stating that they did not think “that one single theory, concept or framework can fully capture the impact of AI technologies as they all have their own comparative strengths and weaknesses. For this reason, a multiple theory, concept or framework is the most analytically productive”. + +Some noted that a comprehensive approach would be desirable to accomplish a new, overarching theory, acknowledging the tremendous challenge of developing such a theory. Others argued in favour of basing work on existing theories and updating them in line with new developments. + +#### What Tool for What Purpose? + +The discussions on the need of a new framework or theory repeatedly linked back to questions of purpose, scope and intention. Participants discussed both what aspect of AI technologies a concrete framework should focus on but also what the purpose of International Relations scholarship is more fundamentally. 
Again, defining purpose also tied to the question of timeframes – whether a new theory would address the impact of AI on international relations now or in the future. One participant argued that, as it stands, existing concepts “have a lot to say” but that it is harder to predict future developments and how existing concepts would be able to keep up. + +With respect to the purpose of a new framework, participants asked why a framework is needed, and whether it is to better understand AI’s impact on geopolitics as opposed to drawing attention to previously unnoticed phenomena. One participant argued that, in some sense, International Relations scholarship “had a technology problem” – while technology was part of many considerations, it was never conceptualised as such. This status quo is now challenged, as new developments in AI technology arguably have the potential to fundamentally challenge how International Relations theories work. + +This linked to the broader and fundamental question of the purpose of International Relations theory. Participants critically discussed whether it is the purpose of International Relations theory to predict the future; a challenge some considered too great given that the “past and present are already difficult enough” to conceptualise. Others felt that it is indeed the idea of the discipline to predict geopolitics but that it has also been historically poor at doing so. This also raised the question of how far International Relations theory is contributing to preventing war or harm and whether that is its purpose and, if so, whether it needs to get better at doing so. + +Thus, how International Relations scholars understand their discipline and interpret existing theories heavily influenced their assessment of whether a new framework is necessary or feasible and, if so, what purpose it might serve. 
+ + +### Conclusion + +The workshop identified that whether participants considered a new framework necessary to adequately capture AI’s impact on international relations was influenced by three key factors. + +1. What experts considered AI’s impact to be in the first place – and how unprecedented they found it compared to previous technological inventions. + +2. How far they believed existing theories in various fields can capture such impact and whether a single theory could ever do so. + +3. Experts’ assessment of how useful existing theories are also depended on what they considered the objective and purpose of both a new theory and International Relations scholarship more widely to be. + +The conversation repeatedly returned to themes such as the applicable timeframe to define the impact of AI, the definition of AI, and the bias of available information and their implications on scholars’ understanding of AI. These factors, the assessment of which varied depending on participants’ areas of specialism, were often considered underlying questions that need to be answered before a suitable framework can be developed. + +Further research could provide a fuller and more systematic understanding of AI’s impact on geopolitics but also help identify concrete examples of how far existing theories already capture various aspects of the impact of AI on geopolitics. Research could also provide a more detailed analysis of parallels and differences between AI and previous technologies and their impact on international relations. + + +### Annex: Survey Questions + +1. What impact do AI technologies have on international relations? + +2. To what extent does this resemble or differ from previous technological inventions? + +3. Can existing theory, concepts or frameworks in your field adequately describe the impact of AI technologies? (Please expand and include field and theory.) + +4. If applying existing theories does not work, why not? 
And what do new analytical frameworks need to offer to successfully reflect the impact of AI technologies on geopolitics? + +--- + +__Pia Hüsch__ is a RUSI Research Fellow in cyber, technology and national security. Her research focusses on the impact, societal risks and lawfulness of cyber operations and the geopolitical and national security implications of disruptive technologies, such as AI. Pia’s other research interests include the governance of cyberspace, election interference, cyberwarfare, and the relationship between law and technology, including cyber and AI. diff --git a/_collections/_hkers/2024-03-26-uphold-north-korea-sanctions.md b/_collections/_hkers/2024-03-26-uphold-north-korea-sanctions.md new file mode 100644 index 00000000..ebd0700c --- /dev/null +++ b/_collections/_hkers/2024-03-26-uphold-north-korea-sanctions.md 
@@ -0,0 +1,216 @@ +--- +layout: post +title : Uphold North Korea Sanctions +author: Alex O’Neill +date : 2024-03-26 12:00:00 +0800 +image : https://i.imgur.com/4WmT77u.jpeg +#image_caption: "" +description: "Upholding North Korea Sanctions in the Age of Decentralised Finance" +excerpt_separator: +--- + +_This paper aims to examine cryptocurrency mixers’ distinct technical, legal and regulatory dimensions and the challenges they pose to the sanctions regime. The paper provides detailed background information on North Korea’s cyber-criminal statecraft, focusing on North Korean actors’ use of mixers to launder illicitly obtained cryptocurrency._ + + + +North Korean actors have stolen billions of dollars over the past decade as part of a massive campaign to generate illicit revenue through cybercrime. In recent years, they have devoted particular effort to stealing virtual assets. The proceeds of these operations help fund the Kim regime’s ballistic missile programme and the development of more robust cyber capabilities, among other initiatives. North Korea’s cyber-criminal activities undermine UN sanctions and represent a distinct threat to international security. + +A US-led coalition has responded to North Korea’s exploitation of cryptocurrency by prioritising enforcement against the virtual asset platforms that facilitate money laundering, especially mixing services. Mixers enable users to obfuscate the origins of their cryptocurrency funds by commingling them in a large pool with other users’ assets. Recognising the key role non-compliant mixers such as Tornado Cash have played in North Korea’s cyber-criminal enterprise, US authorities and international partners have launched an aggressive crackdown. Authorities have supplemented their primary enforcement tools – sanctions and platform takedowns – with asset seizures, arrests and the adoption of new laws and regulatory measures. 
Over the past few months, governments have experimented with novel approaches to combating digital illicit finance, such as the possibility of designating all mixer transactions as suspicious by default. + +This paper forms part of a series of research projects funded by the US Department of State to understand and mitigate obstacles to UN sanctions implementation. It aims to examine cryptocurrency mixers’ distinct technical, legal and regulatory dimensions and the challenges they pose to the sanctions regime. The paper provides detailed background information on North Korea’s cyber-criminal statecraft, focusing on North Korean actors’ use of mixers to launder illicitly obtained cryptocurrency. It takes stock of the government response to date, concluding that while actions against non-compliant virtual asset platforms have been effective individually, the campaign’s overall impact on North Korea’s laundering capacity has been limited. It also seeks to grapple with the unintended consequences of interventions, some of which have yet to manifest fully. + +The paper offers 14 recommendations for policymakers and practitioners. The first cluster includes suggestions for broadening the current approach to countering North Korean mixer exploitation through unconventional partnerships and new conceptual frameworks. It advocates for empowering the disparate teams fighting cross-cutting North Korean cyber threats to collaborate more closely, and for expanding consideration of the second- and third-order marketplace effects enforcement actions may trigger. The next cluster focuses on cultivating stronger cooperative relations with the private sector. These recommendations emphasise nurturing the development of compliant blockchain privacy alternatives and tailoring government communications to the idiosyncratic virtual asset industry audience. 
The final cluster of recommendations focuses on raising global cyber security and anti-money laundering and counterterrorist finance standards. Achieving wider implementation of current best practices, with an eye toward augmenting them in light of emerging digital illicit finance risks, would substantially degrade North Korea’s ability to monetise cybercrime. + + +### Introduction + +North Korea’s innovative and highly motivated e-crime groups have emerged over the past decade as among the world’s most prolific cyber-criminals. Under the direction of the Kim regime, North Korean actors have pioneered a unique model that combines their technical acumen with the state’s experience in conducting illicit financial activities, honed over more than half a century, to cultivate a potent new revenue stream. The results speak for themselves. North Korea has stolen billions of dollars through electronic means from victims around the globe, including more than $3 billion in cryptocurrency. In 2022, North Korean groups accounted for roughly half of the nearly $4 billion stolen across the virtual asset ecosystem and a large portion of the funds taken from decentralised finance (DeFi) protocols, which have quickly become crypto hackers’ primary target. Following each theft, North Korean cyber-criminals steer their ill-gotten gains through a sophisticated laundering process and ultimately into state coffers. The profits from these operations fund much of Pyongyang’s ballistic missile programme, enable deeper investment in its cyber capabilities, bankroll slush funds for the North Korean elite, and help insulate the regime from the effects of sanctions. Through their direct and indirect effects, North Korea’s ongoing cyber-criminal activities pose an acute threat to international security and the global financial system. 
This paper explores North Korea’s use of these novel technologies to evade sanctions, considers the efficacy of states’ countermeasures, and provides recommendations on how authorities can further impede North Korea’s illicit cyber revenue-generating activities. + +Cryptocurrency mixers play a key role in the laundering process underpinning the North Korean cyber-criminal model. Mixing services, also known as tumblers, obfuscate the provenance and ownership of cryptocurrency funds by blending many users’ holdings together and disbursing each customer’s “mixed” funds to new addresses under their control. By obscuring the otherwise transparent trail of blockchain transactions, mixers make it harder for victims and law enforcement to trace stolen assets, let alone recover them, and help convert dirty cryptocurrency into more usable funds. Recognising these advantages, North Korean actors have enthusiastically incorporated mixers into their repertoire. Their heavy use of mixers presents both a problem and an opportunity: while these technologies protect a crucial revenue stream, North Korea’s reliance on mixers creates vulnerability to interventions that could significantly degrade their ability to monetise crypto theft. + +The US-led approach to countering North Korean mixer use is still taking shape. Thus far, the toolkit has mainly featured sanctions, platform takedowns, asset seizures, arrests and regulation, which authorities typically deploy simultaneously and in coordination with international partners. These tactics have proven effective across several cases, rendering certain major platforms much less functional and removing others from availability outright. All told, the ongoing campaign has reshaped key elements of the mixer landscape, and large recent asset seizures have generated a cautious optimism that law enforcement and private partners may be building their capacity to reclaim stolen funds. 
However, the strategic impact of these interventions on North Korea’s overall illicit finance capabilities is ambiguous, and even the successful platform takedowns may not prove to be enduring achievements. Moreover, the interventions have already triggered unintended consequences, the full scope of which remains to be seen. New platforms are emerging to fill the void predecessors have left, and the replacements may ultimately prove trickier to counter. The interventions have prompted cyber-criminals to adapt their operational procedures and spurred innovation by both legitimate and illicit market actors that promises to catalyse further change. The tough approach to mixers has also exacerbated divisions between the public and private sectors over the character and trajectory of the virtual asset space, undermining efforts to make it less hospitable to criminality. As the strategy for countering North Korean illicit digital finance continues to develop, authorities will need to reckon carefully with the second-order effects of their actions and continually refine their approach. + +This paper forms part of a series of research projects funded by the US Department of State to understand and mitigate obstacles to UN sanctions implementation. It aims to examine the distinct technical, legal and regulatory dimensions of cryptocurrency mixers and the challenges they pose to the sanctions regime. The paper concludes a four-month research project, commencing in June 2023 and ending in September 2023, on the use of cryptocurrency mixers for illicit financial purposes by North Korean actors. 
The analysis is based on a close review of US government documents, such as indictments, sanctions designations, statements of policy and press releases; reports by the UN Panel of Experts on North Korea (“the Panel”); publicly available threat intelligence and blockchain analysis reporting from firms such as BAE Systems, Chainalysis, Elliptic and TRM Labs; and primary data that certain firms have collected on North Korean cyber operations and cryptocurrency transactions. The paper has also benefited from interviews with 16 experts in relevant fields, including compliance specialists, anti-money laundering and counterterrorist finance (AML/CTF) practitioners, leading figures in the cryptocurrency industry, threat intelligence and blockchain analysts, policy researchers, and multiple former senior officials from the US Department of the Treasury, the US Department of Justice and the National Security Council. + +The paper contains three chapters. Chapter I offers background on Pyongyang’s cybercrime programme, the factors that draw cyber-criminals to mixers and the countermeasures governments have started taking. Chapter II analyses government interventions to date, focusing on the Blender, Tornado Cash, ChipMixer and Sinbad actions. It identifies unintended consequences that government action may trigger and suggests possible strategies for mitigating them. Chapter III offers a series of policy recommendations for augmenting the current approach to countering North Korean mixers, building stronger cooperative relations with the private sector, and raising global cyber security and AML/CTF standards. The paper concludes by flagging areas for further research and reflecting on how this issue could evolve in the years to come. + + +### I. Background + +This chapter provides background information on North Korea’s cyber-criminal activities and explains why mixers have become appealing tools for money laundering. 
It also outlines the measures governments and international bodies such as the Financial Action Task Force (FATF) have undertaken in response to virtual asset crime. + +#### The North Korean Cybercrime Programme + +Cybercrime has quickly become an essential pillar of North Korean statecraft. In the mid-2010s, having already developed a capacity for destructive and espionage cyber activities, Pyongyang launched a global campaign of financially motivated intrusions whose early results prefigured an enormous return on investment. The 2016 Bank of Bangladesh heist, in which threat actors submitted fraudulent SWIFT requests to the bank’s accounts at the New York Federal Reserve, extracted more than $80 million and might have yielded 10 times more if not for a typo in the phoney wire instructions that exposed the ruse. In May 2017, the WannaCry ransomware affected several hundred thousand machines in at least 150 countries, demonstrating the ease with which hackers cloistered untouchably in faraway jurisdictions could commit digital extortion at massive scale. These and subsequent operations validated the idea that state-directed computer crime could pay quite handsomely. Over the past decade, North Korea has assembled a web of interlocking threat actor sets whose primary or secondary aims are to generate revenue, including the groups known as APT38, Andariel and the Lazarus Group, some of the world’s most active and successful e-crime syndicates. Their combined operations have generated several billion dollars for the Kim regime. That North Korea’s annual foreign trade volume, long its chief source of hard currency, has not surpassed $3 billion since 2019 underscores the impact of this new revenue stream. + +Among national cyber strategies, Pyongyang’s is unique. 
North Korea was likely the first country to generate illicit revenue via cybercrime, and to the extent that any other countries have experimented with cyber-criminal statecraft, North Korea remains by far its largest practitioner. Its threat actors have benefited from robust ties to the global underground, from hacker forums and off-the-shelf malware vendors to high-level network access brokers and transnational money laundering networks. North Korea’s repertoire comprises a wide range of activities typically associated with non-state criminals rather than state actors. Of these, theft from major enterprises is the most profitable, but by no means the only, core element. North Korean threat actors have launched ransomware campaigns, solicited fraudulent investments, hijacked other users’ processing power to mine cryptocurrency, stolen customer payment information from e-commerce websites, and programmed ATMs to dispense cash for collection by networks of money mules, among other pursuits. Capitalising on the prevalence of remote work and outsourcing since the Covid-19 pandemic, North Korea has steered many of its skilled programmers into freelance IT work, performing services such as web development and database creation for foreign companies under false identities – activities that would be legal if not for sanctions. The thousands of workers engaging in these activities, many of whom operate from Russia or China, cumulatively bring in millions of dollars per year. In addition to generating income, they may enable future compromises by planting malware in company systems or gathering data to inform social engineering schemes that involve deception of unsuspecting employees. Lesser North Korean cyber-criminals engage in petty e-crime, such as online gaming and casino scams, which are not lucrative individually but scale easily. + +The characteristics that distinguish virtual assets make them attractive targets for criminal exploitation. 
Having surpassed the trillion-dollar market capitalisation threshold in 2021 and remained near or above it since, the cryptocurrency space is awash with cash, the critical factor for opportunistic cyber-criminals, who follow the money above all. Market actors have often prioritised breakneck innovation and user growth at the expense of due attention to compliance and cyber security, leaving large pots of assets under-protected against highly motivated thieves. Users and investors drawn to the prospect of fast and high returns frequently exercise insufficient care in guarding against scammers. Criminals looking to fly under the radar benefit from the space’s emphasis on privacy and, in many circles, its scepticism or outright antagonism toward regulatory authorities and traditional compliance practices perceived as intrusive or burdensome. Instantaneous, borderless transactions enable malign actors to quickly abscond with ill-gotten funds, while decentralisation enables buck-passing with respect to compliance, investigation and victim support. The rapid rise of DeFi and the advances in decentralisation, speed and automation it heralds have increased virtual assets’ appeal to North Korean cyber-criminals in particular. As the US Department of the Treasury assessed in April 2023, “many existing DeFi services covered by the BSA [Bank Secrecy Act] fail to comply with AML/CFT obligations, a vulnerability that illicit actors exploit”. + +#### Embracing Mixers + +Mixers enable North Korean cyber-criminals to launder dirty cryptocurrency with increased speed and anonymity by blending their holdings together with those of many other users. Traditional mixers operate a custodial model, commingling user deposits in a large pool and then returning “clean” funds to their original owners, less a small fee. 
Relying on a central operator, however, presents counterparty risk and creates opportunities for compromise or law enforcement interdiction, as cases such as the ChipMixer seizure have demonstrated. To solve these problems, some newer mixers employ a non-custodial approach, in which smart contracts – blockchain-based programs that execute automatically when given conditions are met – tumble users’ holdings without ever placing them under a central operator’s control. Non-custodial mixers such as Tornado Cash offer enhanced security, reduce platform administrators’ direct involvement in daily operations, and greatly diminish the possibility of unauthorised asset seizure. While there are plenty of legitimate reasons for law-abiding cryptocurrency owners to wish to use these sorts of privacy tools, most mixers practise minimal compliance, if any, and many were designed explicitly to facilitate illegal transactions. As Chainalysis noted in a mid-2022 review of mixing services’ regulatory obligations, “We aren’t aware of any custodial mixers currently following [US compliance] rules”. + +![image01](https://i.imgur.com/jPaSjv9.png) +_Figure 1: Life Cycle of a Sample North Korean Mixer Transaction_ + +North Korean cyber-criminals have embraced using mixers to launder stolen funds, which now represents a core component of North Korea’s cryptocurrency theft protocols. According to Chainalysis, the percentage of ill-gotten North Korean cryptocurrency that flowed through mixing services grew from under 10% in 2018 to 65% in 2021. North Korean actors laundered more than $1 billion from at least 10 separate operations through Tornado Cash alone prior to the mixer’s designation in August 2022, including from the January 2022 Qubit hack and the June 2022 Horizon Bridge hack. 
They processed $20 million from the massive March 2022 Axie Infinity hack through Blender and several tens of millions from the aforementioned operations and others, like the September 2020 KuCoin heist, through ChipMixer. In 2023, North Korean cyber-criminals turned to alternative platforms, whisking funds from the Atomic Wallet hack through a new Bitcoin mixer called Sinbad and more than $60 million of Ethereum from Horizon Bridge through the Railgun privacy protocol. Employing a variety of mixers distributes risk across multiple platforms, but also reflects the need to replace services that have shut down. + +Most illicit actors use mixers in similar fashion – after all, the point is to blend in with the crowd – but certain characteristics mark North Korea’s use. For one, North Korean actors are among the largest mixer users in the world, accounting for 30% of the funds that sanctioned entities tumbled in 2022, behind only the Hydra darknet marketplace. They appear more inclined toward using mixers than most other cryptocurrency thieves, as less than 20% of the proceeds of non-North Korean cryptocurrency hacks flowed through mixers in 2022. According to Elliptic, illicit North Korean funds comprised 70% of Railgun’s total receipts as of early 2023. In practice, North Korean cyber-criminals have fewer mixer options to choose from than less prolific outfits. As a general rule, the larger a mixer’s pool of assets and users, the stronger the anonymity it can provide; conversely, investigators are generally better able to trace dirty assets through a tumbling protocol with lower volume. Only a handful of platforms can accommodate tens of millions of dollars in North Korean-controlled cryptocurrency in one shot without becoming useless, and authorities can even “de-mix” transactions through certain larger platforms. 
North Korean launderers often add further layers of obfuscation by employing multiple mixers and bridging funds across blockchains, a practice known as chain-hopping. Of course, the end uses of North Korean virtual asset crime – supporting the regime’s nuclear weapons and ballistic missile programmes, among other purposes – distinguish it from operations whose perpetrators seek personal profit. Nonetheless, North Korea’s money-laundering methodologies largely overlap with those of other sophisticated cyber-criminals. + +#### Government Responses + +Having begun formulating AML/CTF frameworks for virtual assets in the decade prior, global regulators moved in the late 2010s to account for the emergence of mixers. The FATF, the international standard-setting organisation, updated its core recommendations in October 2018 to apply to virtual assets and virtual asset service providers (VASPs), and in June 2019 it adopted an Interpretive Note to Recommendation 15 detailing how its rules should apply to that ecosystem in practice. Accompanying guidance for implementing a risk-based approach to regulating virtual assets and VASPs expressed concern at “the rise of anonymity-enhanced cryptocurrencies (AECs), mixers and tumblers, decentralised platforms and exchanges, and other types of products and services that enable or allow for reduced transparency and increased obfuscation of financial flows”. The FATF subsequently identified mixer use as a “red flag” indicating users’ possible “intent to obscure the flow of illicit funds”. The FATF urges governments to ensure that VASPs can manage the risks associated with operating or transacting with mixers, and to ban providers that are incapable of or unwilling to do so. + +US and UK regulators have established similar frameworks. 
The US Financial Crimes Enforcement Network (FinCEN) issued a pair of documents in May 2019 to clarify VASPs’ obligations under the Bank Secrecy Act (BSA) and to warn that “FinCEN and US law enforcement have observed unregistered entities being exploited or wittingly allowing their platforms to be utilised by criminals in the United States and abroad to further illicit activity”. The FinCEN guidance asserts explicitly that mixers fall under the purview of the BSA, building on a 2008 administrative ruling that classified anonymising services as money transmitters and on 2013 guidance concerning virtual currency use and exchange. Importantly, these determinations oblige regulable VASPs to comply with key AML policies such as the Travel Rule, which requires financial institutions to convey certain information about funds they transmit. Heeding encouragement from the FATF and calls from its own National Crime Agency to address mixers “churning criminal cash”, the British government revised its AML legislation in 2022 and implemented the Travel Rule for virtual assets in September 2023. US and UK regulators are working actively with global partners to strengthen the framework governing anonymising technologies such as mixers and to achieve more robust implementation of AML/CTF standards. + +Mixers initially appeared on law enforcement authorities’ radar as facilitators for money laundering and internet crime, rather than as vectors of North Korean national security threats. In May 2019, the Dutch financial crime agency and Europol took down BestMixer, at the time one of the three largest mixing platforms, with Europol commenting that “the investigation so far into this case shows that many of the mixed cryptocurrencies on BestMixer.io had a criminal origin or destination”. Culminating an investigation launched the previous summer, the BestMixer intervention appears to have been the first such law enforcement action. 
In 2020, FinCEN levied a $60 million civil penalty against the primary operator of the Helix Bitcoin mixer for wilfully and systematically violating the BSA in the course of servicing more than three dozen illicit darknet marketplaces, a few months after his indictment on federal money laundering charges. In April 2021, US authorities arrested a dual Russian–Swedish national “on criminal charges related to his alleged operation of the longest-running bitcoin money laundering service on the darknet”, the Bitcoin Fog mixer, which achieved “notoriety as a go-to money laundering service for criminals seeking to hide their illicit proceeds from law enforcement”. That summer, FinCEN assessed a $100-million penalty against BitMEX, a cryptocurrency exchange and derivative trading platform, for BSA infractions that included facilitating thousands of transactions with mixers like Helix. + +North Korea’s brazen string of cryptocurrency hacks in 2021 and 2022, as well as the high-profile Colonial Pipeline and JBS ransomware crises of 2021 and Russia’s full-scale invasion of Ukraine, prompted an evolution in how officials tend to view illicit mixer use, from a criminal tool to a direct national security threat. In October 2021, the White House launched the Counter Ransomware Initiative (CRI), bringing together dozens of governments to develop cyber-security and AML standards and to coordinate action against the perpetrators and facilitators of cyber-criminal extortion. The UK and Singapore have jointly spearheaded much of the CRI’s work on mixers, co-leading a working group on countering illicit finance in 2022 and the CRI’s policy arm in 2023. 
The US Department of the Treasury’s February 2022 National Money Laundering Risk Assessment, which includes a full sub-section on virtual assets and a sub-header therein on anonymity-enhancing technologies, names North Korean, Russian and Iranian threat actors as primary exploiters of those services, noting that “ransomware attacks … frequently stem from jurisdictions with elevated sanctions risk” and that “ransomware payments may … fund activities that harm US national security”. The Department’s April 2023 report, Illicit Finance Risk Assessment of Decentralized Finance, the most comprehensive government report on this topic at the time of writing, treats North Korean mixer use extensively, noting that “the DPRK … increasingly steals virtual assets from both centralized VASPs and DeFi services” and that North Korean cyber-criminals “are using DeFi services in the process of transferring and laundering their illicit proceeds”. The report offers in-depth suggestions for curtailing this activity by building regulatory capacity and expanding collaboration with foreign and private sector partners. + +Since early 2022, global authorities have dramatically ramped up efforts to disrupt North Korean illicit mixer use and experimented with new tools for doing so. The US Office of Foreign Assets Control (OFAC) issued its first-ever designation of a mixing service in May 2022, sanctioning Blender for obfuscating tens of millions of dollars in North Korean proceeds from the Axie Infinity heist. + +Asked a few months later about North Korea’s cyber activities, Anne Neuberger, US Deputy National Security Advisor for Cyber and Emerging Technology, commented, “Given that cyber is such a core driver of revenue, it’s something we must address … We’re doubling down and planning to do much more work to make it riskier, costlier, and harder for North Korea to gain funds that way”. 
The US government’s most prominent mixer action to date has been its August 2022 designation of Tornado Cash, which demonstrated OFAC’s ability to target platforms without a traditional centralised operating entity while also provoking much private sector ire, including well-funded legal challenges. Undeterred, US authorities revised and expanded the Tornado Cash designation and recently indicted two of the service’s alleged operators, one of whom was arrested in Washington state. Last year, international coalitions took down ChipMixer, whose servers and nearly $50 million in cryptocurrency holdings were seized by the German Federal Criminal Police, and Sinbad, which OFAC designated in November. In a noteworthy development, in October 2023 FinCEN proposed a new rule that would classify mixing as a transaction class of primary money laundering concern and impose substantial new record-keeping and reporting requirements on domestic participants. If implemented, the proposal would represent a novel exercise of the US Department of the Treasury’s authorities under Section 311 of the USA PATRIOT Act of 2001, with which it has previously targeted only individual foreign jurisdictions and financial institutions. + + +### II. Analysis + +#### Evaluating Interventions to Date + +This chapter takes stock of the US-led campaign against virtual asset mixers through its first two years. The first portion assesses seven major interventions against platforms and considers their overall impact on North Korea’s money laundering capacity. The second portion outlines the unintended consequences that actions against mixers can trigger, and explores possible mitigations. + +Viewed through the narrow lens of impact on the target platform, government interventions against mixers facilitating North Korean money laundering have achieved success. Blender shut down shortly after its designation, removing one of North Korean cyber-criminals’ favourite options for mixing Bitcoin. 
Indeed, Chainalysis reports that roughly 90% of the funds North Korean actors mixed in Q2 2021 passed through Blender. ChipMixer likewise ceased operations following the Germany- and US-led intervention, and Europol anticipates that the four servers and seven terabytes of data seized in the takedown will catalyse further investigations. In the more complicated case of Tornado Cash, the OFAC designation has resulted in a transaction volume decrease of over 80% as of late 2023, shrinking the platform’s pool of mixable funds and in turn significantly degrading its effectiveness at obfuscating asset movements, especially for larger-volume users. According to Chainalysis, after the designation “Tornado Cash … saw drops in inflows from virtually every category” of sender, including funds from thieves and sanctioned entities. As a portion of the total funds North Korean cyber-criminals mixed, Tornado Cash flows declined to under 25% in Q4 2022, following four consecutive quarters of these actors’ pushing essentially all their stolen cryptocurrency through Tornado Cash at some point in the laundering process, which typically involved bridging and layering with other services. Western authorities have arrested two of Tornado Cash’s three alleged “principal” co-founders and in August 2023 unsealed a remarkably detailed indictment indicating that the men deliberately sought to create a “haven for criminals to engage in large-scale money laundering and sanctions evasion”. On an individual basis, these tactics have proven potent, removing or seriously compromising platforms North Korea has relied on to launder dirty virtual assets. Considered together, they have reshaped the cryptocurrency mixer landscape. + +![image02](https://i.imgur.com/B1bRseB.png) +_Table 1: Notable Interventions Against Mixers_ + +Still, in some cases governments have fallen short. 
Despite its reduced functionality, Tornado Cash continues to operate because it runs on smart contracts that authorities are unable to seize or shut down directly, as they could a centralised server or custodial entity. Some users, including North Korean actors, have continued engaging the platform to obscure illicit fund trails, albeit in lesser amounts. This situation reveals a major limitation on authorities’ ability to counter decentralised, smart contract-based mixers, and raises questions about whether measures against similar platforms will be effective in the future. The first action against such an entity, the Tornado Cash designation, has also suffered from a lack of clarity, which generated marketplace confusion as to the extent of the restrictions and liability for interacting, even unwittingly, with the service. These issues and the aforementioned court challenges prompted OFAC in November 2022 to de-list the platform and redesignate it under a broader justification, as well as to publish answers to market actors’ frequently asked questions. + +Beyond the complexities of the Tornado Cash case, several other interventions that met the core goal of taking a malign service offline did not accomplish secondary goals such as arrests or property seizures. The operators of ChipMixer and Blender remain at large, and reports indicate that the administrator of the latter may have absconded with as much as $22 million in Bitcoin and remains involved in operating dirty mixers. While multimillion dollar virtual asset seizures impose heavy costs on criminals and may help compensate their victims, few have accounted for more than a small fraction of the total amount the illicit actors in question are known to have processed or taken in profits. These shortcomings should not take away from the altogether impressive results that government interventions have achieved against mixing platforms themselves. 
+ +![image03](https://i.imgur.com/L8pIIu0.png) +_Table 2: Tactical Outcomes of Notable Interventions Against Mixers_ + +The ultimate strategic outcome of authorities’ campaign to disrupt North Korean revenue streams by pursuing dirty mixers remains to be seen, but initial indications have been somewhat discouraging. Every intervention so far has achieved degradation of the target platform, only for replacements or reincarnations to quickly absorb much of its transaction volume. A prominent blockchain investigator privately described the Tornado Cash designation, whose bite on the platform itself has been evident, as a “blip” for North Korean cyber-criminals, who adapted quickly by re-routing illicit asset flows through other service. + +Elliptic reported in February 2023 that Sinbad, one of the preferred tumblers of North Korean threat actors from late 2022 until its designation last November, was very likely a relaunched version of Blender. In fact, as discussed at length in the next section, taking down a platform may prompt users to shift not just to comparable substitutes but to more powerful anonymising tools. Considering the abundant alternatives and the ease with which developers can launch a new mixer, it has become apparent that compromising individual platforms may not have an enduring effect on the mixer ecosystem’s overall capacity. It is plausible that these interventions have delayed cash-outs to North Korean actors and raised transaction costs, and authorities have managed to interdict small but non-trivial North Korean illicit fund movements. These actions have injected a degree of uncertainty into the laundering process, demonstrating that stolen funds are always vulnerable and forcing cyber-criminals to engage with platforms of unknown pedigree. Nevertheless, the campaign so far has not substantially impaired North Korea’s ability to mix cryptocurrency. 
With this conundrum in mind, FinCEN’s October 2023 proposal that mixing be classified as a transaction category of primary money-laundering concern is especially intriguing. Could targeting mixing transactions as a class have greater impact than going after facilitators one by one? Whether through this type of action or other means, authorities may need to broaden their approach in order to curtail North Korea’s monetisation of cyber-criminal statecraft. + +#### Reckoning with Unintended Consequences + +Unintended consequences can undermine or even reverse achievements in the fight against North Korea’s digital illicit finance. For example, intervening may require authorities to expose sensitive capabilities such as the ability to trace funds through reputedly opaque technologies or to secure cooperation from a state or platform regarded as hospitable to criminals. Revealing valuable sources and methods may prompt cyber-criminals to adapt by shifting away from compromised partners and improving operational security. In 2017, for example, US and European law enforcement took down AlphaBay, a massive darknet marketplace for illegal goods and services of all kinds. A few years later, the platform relaunched with stronger security protocols designed to prevent such disruptions, including a requirement that users transact only in the “anonymity-enhanced” Monero cryptocurrency as well as a decentralised hosting system that purports to defend against seizures and infrastructure compromises. A related drawback is that shutting down platforms that authorities have quietly infiltrated reduces visibility into malign actors’ fund movements and evolving tactics, techniques and procedures. 
Several blockchain analysts from firms that work with governments expressed concern in interviews that the Blender, ChipMixer and Sinbad actions, among others, had shuttered key windows into North Korean criminals’ activities, which they argued could leave authorities less well positioned to track and act against future activity. + +Taking out non-compliant platforms may simply push bad actors further into the shadows of the underground, where they can be harder for law enforcement to reach. A few days after the AlphaBay intervention, administrators of BitMixer – then the most popular tumbler – shut down their platform too, citing the realisation that truly anonymising Bitcoin transactions was impossible, and encouraging illicit-minded users to switch to anonymous-by-design privacy coins instead. Blockchain analysts and government officials report significant difficulty tracking privacy coins, whose utility to North Korean actors seems to be constrained more by impermanent challenges such as low liquidity and exchangeability than by any inherent operational shortcoming. Troublingly, use by North Korean actors of privacy coins, especially Monero, and privacy-enhanced operating systems like TRON, a favourite of terrorist groups, has grown sharply in recent years. Beyond mixers, North Korean threat actors have increasingly turned for laundering solutions to technologies like privacy wallets, which enable users to participate in obfuscating procedures known as CoinJoins. As with decentralised mixers like Tornado Cash, CoinJoins involve non-custodial transactions, meaning privacy wallets are not vulnerable to disruption or seizure in the way that centralised platforms such as Blender or ChipMixer are. 
Providers such as Wasabi Wallet and Samourai Wallet have facilitated North Korean money laundering after major heists, such as the $281-million KuCoin exchange hack in September 2020, and strike many investigators as substantially more difficult to crack than the mixers that authorities have dismantled so far. On the whole, while shutting down a dirty mixer or rendering it ineffective may be a short-term tactical victory, the net strategic result may be to induce North Korean cyber-criminals to pivot toward more hardened protocols, exacerbating the challenge overall. + +Interventions may cause detrimental second-order impacts in the broader virtual asset ecosystem. Popular mixers and illicit marketplaces can be highly profitable to run, and the unexpected shutdown of a market leader creates a tremendous incentive for other actors to offer replacement services in order to meet the unfulfilled user demand. Reviewing the effects of an important recent action, analysts at TRM Labs commented, “The vacuum left by Hydra’s takedown resulted in a veritable ‘Cambrian explosion’ in [darknet markets], with at least a dozen illicit projects having surfaced in its place”. Elliptic found in late 2022 that the Tornado Cash designation had led to an analogous situation, and identified several new or as yet relatively unknown platforms that had begun competing for suddenly available market share. In addition to Sinbad, North Korean actors have passed tens of millions of dollars of virtual assets from recent heists through Railgun, a decentralised privacy protocol that purports to serve professional investors but which FinCEN considers a mixer. Although less established services tend to have lower throughput and fewer users, limiting the privacy benefits they can provide, dispersal across multiple nascent platforms may make it harder to build a complete picture of North Korean activity. 
Similarly, targeted bans or punitive measures levied against specific entity categories may spur responsive innovation outside the scope of the action. This phenomenon might manifest as a negative or a positive: developers could seek to build compliant solutions or to innovate around the letter of the law just enough to avoid punishment. Other possible market effects include spooking developers into offshoring – moving to more permissive jurisdictions beyond the reach of responsible authorities – and, counterintuitively, enhancing sanctioned actors’ capabilities by raising the prices criminal facilitators can command, thereby attracting more sophisticated partners to enter the marketplace. + +In an industry where relations between authorities and developers are often particularly antagonistic, aggressive measures against virtual asset platforms risk further alienating the private sector and intensifying the misalignment that undermines efforts to combat North Korean cybercrime. Since market actors drive digital financial innovation and serve as the gatekeepers of the virtual asset marketplace, building an ecosystem inhospitable to crime will depend at least as much on private sector buy-in as on government intervention. While widespread industry adoption of standards such as Know Your Customer would go a long way towards curbing malign activity, sustained apathy or resistance to cyber security and compliance will only worsen endemic cybercrime. In other words, whatever an enforcement action’s short-term outcome, the private sector’s response may shape much of its net effect in the long run. Accordingly, while authorities must react firmly to threats and misconduct, officials should be mindful of how industry is likely to perceive their actions, and seek to shrink the gulf between the public and private sectors. Moreover, the fact that most mixer users are not criminals means that interventions inflict collateral damage on law abiding customers. 
Just as they do for criminals, enforcement actions may restrict ordinary users’ access to mixers, reduce their efficacy, or raise the cost of using them. Chainalysis has determined that, since early 2022, the proportion of mixed funds originating from illicit sources has grown, which may increase the risk to non-criminal users of violating sanctions or of having their assets caught in a seizure. Regrettably, until platforms with the will and capacity to perform sufficient compliance emerge – some do appear to be in development or in preliminary stages of deployment – infringement on ordinary users will likely remain a necessary cost of fighting North Korean cybercrime. As is practicable, authorities should seek to minimise these impacts and mitigate their actions’ negative unintended consequences overall. + +Conversely, authorities should seek to encourage favourable knock-on effects. Actions designed to target North Korea may impose costs on other malign actors, including some outside the traditional cyber-criminal set. Financially motivated North Korean groups interact regularly with other elements of the global digital underground to purchase malware kits and network accesses, arrange digital infrastructure and cash-outs, and exchange technical know-how. In the course of their operations, threat actors across borders rely on an overlapping suite of tools and platforms, of which mixers are just one prominent example. According to the US Department of the Treasury, “OFAC’s investigation also identified Blender’s facilitation of money-laundering for, among others, Russian-linked malign ransomware groups including Trickbot, Conti, Ryuk, Sodinokibi, and Gandcrab”. Blender likewise processed funds from the massive Russian-language Hydra marketplace, which authorities took down a month before the US Department of the Treasury designated Blender. 
Criminal filings against ChipMixer describe it as “one of the most popular mixing services used by ransomware operators”, darknet markets, and even Russia’s GRU (Main Intelligence Directorate), whose operators used mixed Bitcoin to surreptitiously purchase infrastructure for hosting malware. Prominent dirty mixers and the North Korean actors who engage heavily with them share additional nexuses with illegal weapons and narcotics distributors, counterfeiters, purveyors of exploitative sexual material, and countless other criminal enterprises whose architects have gravitated toward virtual assets and digital privacy technology. These groups’ convergence of interests and tradecraft creates an opportunity for authorities to strike at multiple malign actor sets simultaneously. + + +### III. Recommendations + +This paper offers 14 recommendations for policymakers, national security practitioners, regulatory agencies and law enforcement working to counter North Korean cyber-criminals’ abuse of mixing services. The recommendations fall into three interrelated categories: broadening the approach to countering mixer exploitation through unconventional partnerships and new conceptual frameworks; building stronger cooperative relations with the private sector; and raising global cyber security and AML/CTF standards. + +#### Broadening the Approach to Countering North Korean Mixer Exploitation + +__1. Institutions responsible for countering malign cyber operations should reduce barriers between teams focused on state-level and criminal threats, as well as strengthen collaboration between nation-state-specific teams.__ + +A core theme of this paper is that the lines between state and criminal activities in cyberspace and between disparate threat actor sets have become increasingly blurred. 
Government agencies around the world have often struggled to keep pace with these cross-cutting threats; former practitioners report burdensome delays in interagency processes, difficulty sharing information across institutions and inefficient allocations of scarce technical resources. Authorities should adjust to these trends by promoting further integration between teams responsible for state Advanced Persistent Threats, ransomware groups, virtual asset exploitation and traditional e-crime. Doing so would empower practitioners to more effectively identify and respond to overlapping threats, such as collaboration between North Korean and Russian-speaking cyber-criminal groups, as well as to capitalise on opportunities to achieve multiple victories in one fell swoop. + +The US Justice Department has taken laudable steps to de-silo its approach to cyber-criminal threats, having recently merged the National Cryptocurrency Enforcement Team into the Computer Crime and Intellectual Property Section and established the National Security Cyber Section (“NatSec Cyber”), which seeks to promote “Department-wide and intragovernmental partnerships in tackling increasingly sophisticated and aggressive cyber threats by hostile nation-state adversaries”. It could be beneficial for national financial, cyber security and regulatory authorities, as well as international partnerships countering malign cyber activity, to consider forming analogous ad hoc task forces with wider mandates and more adaptable capabilities. + +__2. Practitioners should incorporate a robust analysis of potential unintended consequences as a standard element when planning any mixer intervention.__ + +Practitioners would benefit from adopting an expanded standard assessment of the potential second- and third-order effects of a proposed mixer action. Practitioners might consider: + +- Whether the target platform can be easily relaunched or reconstituted elsewhere. 
+ +- The operational security adaptations the action is likely to trigger among cyber-criminals. + +- The replaceability of the service being targeted. + +- The likely alternatives cyber-criminals will adopt, and those platforms’ vulnerability to surveillance and disruption. + +- The extent to which the action’s success depends on industry cooperation, and the likelihood that market actors will cooperate. + +- The action’s probable effects on legitimate financial technology innovation. + +- Collateral damage to non-criminal virtual asset holders. + +__3. When taking action against mixers, authorities should seek out opportunities to make arrests, seize assets and operational infrastructure and instigate favourable knock-on effects, with an eye toward achieving enduring impact on malign actor groups.__ + +Actions against non-compliant mixers that remove key personnel and their resources from the field are more likely to have staying power. As the Blender and Sinbad cases reveal, motivated cyber-criminals can circumvent designations and takedowns rather nimbly. With arrests and infrastructure seizures, not to mention financial asset confiscation, authorities prevent threat actors from re-engaging in malign activity as easily and may glean useful intelligence. Targeting platforms and facilitators that service multiple malign actor sets can boost the return on investment of a single action. + +__4. Policymakers and law enforcement should invest in better understanding developments in the virtual asset space and their implications for national security.__ + +Building on the Illicit Finance Risk Assessment of Decentralized Finance, the US Department of the Treasury should launch a standing Virtual Asset Risk Board modelled on the Emerging Technology Board the US Department of Justice envisioned in its 2022 Comprehensive Cyber Review. 
Such a board should meet regularly and produce biannual reports analysing the economic and national security implications of developments in the virtual asset space. UK bodies such as HM Treasury and the Financial Conduct Authority should explore establishing a similar organ with a particular focus on the robust domestic virtual asset industry. + +As discussed below, offices charged with countering North Korean digital illicit finance, such as OFAC and FinCEN in the US, and the Office of Financial Sanctions Implementation (OFSI) in the UK, should increase engagement with the private sector, which is naturally better positioned to track the cutting edge of advances in virtual assets and DeFi. Tapping more deeply into the expertise of investors and developers would usefully complement national security practitioners’ points of view. + +#### Building Stronger Cooperative Relations with the Private Sector + +__5. Regulators and financial authorities such as the US Department of the Treasury and HM Treasury should nurture the development of compliant virtual asset privacy solutions.__ + +Officials should encourage the private sector to bring to market new platforms that can offer enhanced privacy for cryptocurrency holders without blindly enabling money laundering. Providing clear guidance on what is or is not permissible, as well as meeting with investors and developers, would reassure upstanding market actors who otherwise might not risk their energy and capital on projects they fear will not be approved or, worse, could lead to their arrest or designation. + +The widespread availability of compliant solutions would further mark the use of non-compliant platforms as an AML/CTF red flag and likely reduce the fund volume travelling through them, making it more difficult for bad actors to disappear in the crowd. + +__6. 
Authorities with mandates to intervene against virtual asset platforms, especially OFAC, FinCEN and the US Justice Department, should more clearly delineate the behaviours that will prompt enforcement action.__ + +Justified or not, many virtual asset industry stakeholders, including some former senior government officials who now work in the private sector, have perceived US authorities’ enforcement approach as capricious and heavy handed. For the enforcement “deterrent” to work, authorities must make clear what malfeasance or inaction constitutes punishable bad behaviour – as distinct from the lesser legal and regulatory shortcomings that seem usually not to result in serious penalties in this burgeoning industry – as well as show that genuine good faith effort to avoid such bad behaviours will be rewarded with greater patience and leniency. While this issue appears most pronounced in the US, the lesson is applicable to all jurisdictions. + +__7. Regulators and national security practitioners should tailor their communications to the virtual asset industry on North Korean cybercrime by reframing the issue in economic terms.__ + +When encouraging market actors to comply with regulations and cooperate with law enforcement, authorities should frame North Korean digital illicit finance as a threat to the survival and prosperity of the virtual asset ecosystem, rather than as a “national security” issue, or a matter of right and wrong. Those kinds of appeals may ring hollow or simply not register, especially to users and developers based outside the relevant authority’s jurisdiction and to those who view government as an adversary. Emphasising that compliance and transparency benefit market actors’ economic interests is likely to yield more enthusiastic cooperation. + +__8. 
As is practicable, governments should channel messaging to the virtual asset private sector through prominent senior officials, rather than practitioners.__ + +Authorities should issue more communications on North Korean cybercrime through high-level officials. Participants in the virtual asset industry are more likely to encounter and appreciate the gravity of these kinds of statements when they come directly from principals and senior deputies in speeches or media engagements than when they come from more obscure, technical or impersonal routes, such as the official channels of national security organs. + +__9. Regulators and national security practitioners should institutionalise dialogue with the virtual asset industry and adapt to market actors’ preferred communication channels.__ + +In the spirit of expanding efforts to meet with legitimate virtual asset investors and developers, bodies such as OFAC, OFSI, the US Securities and Exchange Commission and the Financial Conduct Authority should send more officials to speak at virtual asset conferences and appear on podcasts and livestreams – influential platforms that rarely feature government perspectives. The public engagement strategies developed at the US Cybersecurity and Infrastructure Security Agency and the Office of the National Cyber Director, whose top leaders regularly headline both industry and grassroots events, could serve as a model. Authorities should also increase efforts to host industry stakeholders in government facilities, particularly those who are actively seeking to create compliant anonymity-enhancing platforms. + +#### Raising Global Cyber Security and AML/CTF Standards + +__10. 
Regulators and cyber security officials should work with the private sector to establish an Information Sharing and Analysis Center (ISAC) for the virtual asset industry.__ + +Cyber security officials should engage private sector stakeholders as well as the architects of successful ISACs, such as those serving traditional finance and the North American electric grid, to help conceptualise and implement one for the virtual asset industry. To help assuage market actors’ concerns about revealing potentially sensitive customer information, officials should inform would-be ISAC participants of their special rights and liability protections under the law. Accomplishing the creation of such a body – which experts have suggested – will require champions in both government and the private sector. + +__11. Financial authorities should continue efforts to build global AML/CTF capacity and advance implementation of FATF standards, and political leaders should renew their support, especially for the virtual asset Travel Rule.__ + +Recognising that cyber-criminals and money launderers frequently exploit gaps in financial regulatory regimes, increasing global AML capacity and patching loopholes remains a fundamental component of any strategy for countering North Korean malign activity. Without the resources, technical expertise and will to perform monitoring and enforcement, even the most robust regulatory frameworks are toothless. + +According to the FATF’s latest implementation report, “jurisdictions are making limited progress implementing the FATF’s requirements on [virtual assets] and VASPs”, and “many jurisdictions seemingly do not know where to start when it comes to regulating the [virtual asset] sector for AML/CFT”. Of the 98 jurisdictions the FATF assessed in mid-2023, just 25 are largely or fully compliant. 
With respect to the FATF’s virtual asset Travel Rule, only 62 jurisdictions have adopted or are in the process of adopting the policy, while 127 appear to have taken no action towards implementation. Actual enforcement of the Travel Rule is presumably even less common. + +Several RUSI projects have highlighted opportunities for tightening regulations and building capacity. + +__12. The FATF and the governments spearheading the campaign against North Korean digital illicit finance should explore ways to expand lower income countries’ access to cyber security and blockchain analysis tools.__ + +North Korean cyber-criminals and money launderers often take advantage of countries that struggle to prevent illicit financial activity and cyber intrusions within their borders. Governments leading the charge against North Korean malign activity should seek to expand global access to the technical training and advanced software packages required to track illicit virtual asset flows and to protect computer networks. They should consider purchasing or subsidising those services for countries that cannot afford them at the required scale, in addition to encouraging firms to provide their services at reduced cost. Authorities should also conduct more capacity-building exchanges and expand partnerships with the private sector to train more international practitioners. + +__13. Regulators and cyber security authorities should encourage or require market actors to adopt industry-standard security practices, especially code audits.__ + +In 2022 alone, TRM Labs documented more than 100 major cases of cryptocurrency theft involving code exploits, which take advantage of vulnerabilities in a virtual asset platform’s architecture, or protocol attacks, which “target weaknesses in the underlying protocol or business logic of a cryptocurrency system”. 
The Wormhole and Qubit hacks, which led respectively to $325 million and $80 million in losses, are two recent examples of these kinds of compromises. Authorities should strongly encourage, and consider requiring, virtual asset firms to invest in robust cyber security practices, offer “bug bounties”, and engage third parties to perform thorough code audits before bringing a protocol to market. + +__14. Authorities should establish resource centres covering security and compliance best practices, incident response procedures and other important information for virtual asset developers.__ + +At present, far less official guidance is available to entrepreneurs looking to start a virtual asset business than to those in better established industries. Publishing basic resources that emphasise security and compliance in the virtual asset industry could go a long way towards raising standards. In addition, providing incident response templates – particularly instructions on who to contact in the event of an intrusion, which many local police teams are not equipped to handle – would encourage more victims to engage with authorities and enable swifter reactions. + +#### Further Research + +As governments devote growing attention to virtual asset crime, a number of critical topics remain understudied. One blind spot involves early-stage technologies that have not yet received much scrutiny. Under the current paradigm, in which market actors function as the primary drivers of innovation, authorities are stuck playing catch-up as potentially risky platforms and practices come rapidly into being. Further, most of the detailed, up-to-date commentary on developments in virtual assets is aimed at prospective users or investors, rather than at legislators, regulators, law enforcement officers or national security practitioners. 
Of the security-focused research in this area, some of which has been quite impactful, nearly all projects look retrospectively at events from months or years prior. Given the pace of development in this space, officials would benefit greatly from a more proactive approach on the part of researchers. What new virtual asset technologies and platforms are emerging, and what are their implications for AML/CTF and national security? It would be especially valuable to assess the privacy-enhancing services that have appeared since the Blender and Tornado Cash designations in 2022, such as Privacy Pools, and whether they may help resolve the privacy/security dilemma. Researchers can also contribute by helping translate into policy terms the complexity of important new technologies and practices, which can require specialised knowledge to understand fully. These efforts help create a window into the rather insular virtual asset developer community, building the familiarity of officials and informing their decision-making. + +The murky legal picture surrounding virtual asset technology is another area in need of additional research. Scholars and practitioners studying international security, cybercrime and digital finance often have no formal training in law and may be insufficiently prepared to evaluate the field’s novel legal questions. In many cases, there exists no legal basis for classifying these technologies, let alone taking action to address them in real-world contexts. Indeed, several former senior US Department of Justice and Treasury officials expressed concern that new technologies and practices could seek to exploit legal grey areas, such as outdated definitions of financial institutions and legal persons subject to sanctions, or to operate beyond the current scope of government authority. 
Are OFAC and OFSI, law enforcement, regulators and other relevant agencies properly equipped to handle virtual asset technologies that may pose security or money-laundering risks? Do they, or will they, require new legal authorities in order to continue fulfilling their mandates? In light of FinCEN’s recent proposal to increase scrutiny of mixers under its USA PATRIOT Act powers, do governments possess capabilities for virtual asset AML/CTF that have gone undiscovered or underused? Moreover, what standards should guide officials who are navigating dual imperatives to counter urgent national security threats without infringing excessively on legitimate expression and privacy interests? These questions demand thoughtful, evidence-based answers to supplement the cacophony of op eds, lawsuits and social media posts that have so far made up much of the public discourse, which has often been dominated by participants with vested interests in resolving the debate one way or another. RUSI and other outlets have offered valuable initial efforts, but more research is sorely needed. + + +### Conclusion + +Having stolen more than half a billion dollars from the virtual asset ecosystem in 2023, North Korean cyber-criminals represent a serious ongoing threat to global security. Mixing platforms such as Tornado Cash, Blender, ChipMixer and Sinbad have played a critical role in North Korean actors’ laundering of illicit cryptocurrency, enabling them to funnel ill-gotten gains into the Kim regime’s nuclear weapons and ballistic missile programmes. Although ordinary thieves and scammers are ubiquitous in the virtual asset space, North Korean cybercrime is distinguished by its sheer scale and ultimate beneficiaries. The industry’s indefatigable pace of innovation, along with the complex entanglement of malign actors and legitimate users, has only served to compound the problem facing authorities. 
+ +Since early 2022, governments have redoubled efforts to curtail these dangerous practices, intervening directly against non-compliant mixers through takedowns and designations, whilst investing in the teams responsible for countering virtual asset crime. Taking stock of the past two years of aggressive action, authorities should be heartened by their impressive victories against individual dirty platforms, but concerned about North Korean cyber-criminals’ adaptiveness, not to mention unanticipated second-order effects in the dynamic virtual asset marketplace. Moving forward, governments should seek to broaden their approach to countering North Korean digital illicit finance through unconventional partnerships and new conceptual frameworks to cultivate stronger cooperation with the private sector and to raise global cyber security and AML standards. + +--- + +__Alex O’Neill__ is a national security researcher who studies emerging technology, cyber threats and illicit finance. His current work focuses on North Korea’s financially motivated cyber operations and ties to the Russian-speaking cybercriminal ecosystem. Until 2023, Alex was an Associate at the Harvard Kennedy School’s Belfer Center for Science and International Affairs as well as Coordinator of the Belfer Center’s Korea Project, where he co-founded and led the North Korea Cyber Working Group for three years.
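Review bot: "privacy-enhanced operating systems like TRON" in the Reckoning with Unintended Consequences section mislabels TRON, which is a public blockchain network, not an operating system, and a transparent ledger rather than a privacy-enhanced one; suggest rewording along the lines of "and of blockchains such as TRON, a favourite of terrorist groups", or checking what the cited source actually says. Hyphenation is also inconsistent across the file: "law abiding customers", "heavy handed", "good faith effort" and "op eds" should read "law-abiding customers", "heavy-handed", "good-faith effort" and "op-eds", and the author bio's "cybercriminal" differs from the "cyber-criminal" spelling used throughout the body.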