In September 2020, a North Korean hacking group known as Lazarus broke into a small Slovakian crypto exchange and stole virtual currency worth some $5.4 million. It was one of a string of cyber heists by Lazarus that Washington said were aimed at funding North Korea's nuclear weapons programme.
Several hours later, the hackers opened at least two dozen anonymous accounts on Binance, the world's largest cryptocurrency exchange, enabling them to convert the stolen funds and obscure the money trail, correspondence between Slovakia's national police and reveals.
Binance Had No Idea Who Was Moving Money Through Their Exchange
In as little as nine minutes, using only encrypted email addresses as identification, the Lazarus hackers created Binance accounts and traded crypto stolen from Eterbase, the Slovakian exchange, according to account records that Binance shared with the police and that are reported here for the first time.
"Binance had no idea who was moving money through their exchange" because of the anonymous nature of the accounts, said Eterbase co-founder Robert Auxt, whose firm has been unable to locate or recover the funds.
Eterbase's lost money is part of a torrent of illicit funds that flowed through Binance from 2017 to 2021, a Reuters investigation has found.
During this period, Binance processed transactions totalling at least $2.35 billion stemming from hacks, investment frauds and illegal drug sales, Reuters calculated from an examination of court records, statements by law enforcement and blockchain data, compiled for the news agency by two blockchain analysis firms. Two industry experts reviewed the calculation and agreed with the estimate.
Separately, crypto researcher Chainalysis, hired by U.S. government agencies to track illegal flows, concluded in a 2020 report that Binance received criminal funds totalling $770 million in 2019 alone, more than any other crypto exchange. Binance CEO Changpeng Zhao accused Chainalysis on Twitter of "bad business etiquette."
Binance declined to make Zhao available for an interview. Responding to written questions, Chief Communications Officer Patrick Hillmann said Binance did not consider Reuters' calculation to be accurate. He did not respond to requests to provide Binance's own figures for the cases identified in this article. He said Binance was building "the most sophisticated cyber forensics team on the planet" and was seeking to "further improve our ability to detect illegal crypto activity on our platform."
As Reuters reported in January, Binance kept weak money-laundering checks on its users until mid-2021, despite concerns raised by senior company figures starting at least three years earlier. In response to that article, Binance said it was helping drive higher industry standards and the reporting was "wildly outdated." In August 2021, Binance compelled new and existing users to submit identification.
With around 120 million users worldwide, Binance processes crypto trades worth hundreds of billions of dollars a month. The sector was hit by a sharp correction in May, its overall value slumping by a quarter to $1.3 trillion. Zhao said he saw "new found resiliency" in the market.
Meanwhile, his company is extending its reach into traditional business, announcing a $200 million investment in media group Forbes this year and committing $500 million to Tesla boss Elon Musk's bid to take over Twitter. A Forbes spokesperson declined to comment. Musk didn't respond to requests for comment.
The flow of illicit crypto through Binance, identified by Reuters, represents a small portion of the exchange's overall trading volumes. Yet as policymakers and regulators, including U.S. Treasury Secretary Janet Yellen and European Central Bank President Christine Lagarde, voice concern over the illegal use of cryptocurrencies, the trade demonstrates how criminals have turned to the technology to launder dirty money.
For this article, Reuters interviewed law enforcement officials, researchers, and crime victims in a dozen countries, including in Europe and the United States, to assess the enduring impact of past gaps in Binance's anti-money laundering rules.
Reuters reviewed detailed data about Binance client transactions on "darknet" sites – marketplaces for narcotics, weapons and other illegal items. Most of the data was provided by Crystal Blockchain, an Amsterdam-based analysis firm that helps companies and governments trace crypto funds. The data showed that from 2017 to 2022, buyers and sellers on the world's largest darknet drugs market, a Russian-language site called Hydra, used Binance to make and receive crypto payments worth $780 million. Reuters cross-checked these figures with another analysis firm, which agreed with the findings.
In April, the U.S. Justice Department announced that U.S. and German law enforcement had seized Hydra's servers. The U.S. indicted the servers' alleged administrator for conspiring to commit money laundering and distribute illicit drugs. The site was closed down and the alleged administrator arrested by Russian authorities.
The data compiled for Reuters included crypto that passed through multiple digital wallets before reaching Binance. For crypto firms, such "indirect" flows with links to known suspicious sources are red flags for money laundering, according to the Financial Action Task Force, a global watchdog that sets standards for authorities combating financial crime. Money launderers often use sophisticated techniques to create complex chains of crypto transfers that cover their tracks, the FATF and the International Monetary Fund have said.
Hillmann, the Binance spokesperson, said the Hydra figure was "inaccurate and overblown" and that Reuters was wrongly including indirect flows in its calculation.
Reuters then asked how Binance views its responsibility to monitor its indirect exposure to dirty money. Hillmann replied that "what's important to note is not where the funds come from - as crypto deposits cannot be blocked - but what we do after the funds are deposited." He said Binance uses transaction monitoring and risk assessments to "ensure that any illegal funds are tracked, frozen, recovered and/or returned to their rightful owner." Binance is working closely with law enforcement to dismantle criminal networks using cryptocurrencies, including in Russia, he said.
Reuters reviewed documentation from criminal and civil cases. A still open civil case in the United States alleges that in 2020 Binance declined a request from investigators and lawyers, acting on behalf of a hacking victim, to permanently freeze an account that was being used to launder stolen funds. Binance, which disputes the U.S. court's jurisdiction, confirmed to Reuters that it only put a temporary freeze on the account. Hillmann blamed a failure by law enforcement to submit a timely request via Binance's web portal and then answer the exchange's follow-up questions.
In Germany, police said investigators began seeing criminals in Europe turn to Binance in 2020 to launder some of the proceeds from investment fraud schemes that caused victims, many of them pensioners, to lose in total 750 million euros ($800 million). The criminals' use of Binance has not been previously reported.
Reuters reporting also reveals for the first time how North Korea's Lazarus used Binance to launder some of the cryptocurrency stolen from Eterbase. A smaller portion of the funds were laundered at the same time through another major exchange, Seychelles-based Huobi, which declined to comment.
After another heist in March this year, when Lazarus stole over $600 million from an online game involving cryptocurrencies, Zhao said North Korean hackers had transferred an unspecified amount of the funds to Binance. Hillmann told Reuters that Binance has identified and frozen more than $5 million and is assisting law enforcement with its investigation. He didn't provide further details.
The United States sanctioned Lazarus in 2019 over cyber attacks designed to support North Korea's weapons programmes, calling it an instrument of the country's intelligence service – an accusation Pyongyang called "vicious slander." North Korea's mission to the United Nations did not respond to emailed questions. Blockchain researcher Chainalysis estimates that Lazarus stole crypto worth $1.75 billion by 2020 that mostly flowed through unidentified exchanges.
The Hydra is thriving
Zhao, known as CZ, started Binance in Shanghai in 2017. Three months later, he unveiled a new strategy, on an internal chat group, for the company's next phase of development. "Do everything to increase our market share, and nothing else," Zhao wrote.
The priority, he said, was to ensure Binance overtook larger cryptocurrency exchanges and fended off competition from smaller rivals. "Profit, revenue, comfort, etc, all come second."
Asked to elaborate on this remark, Hillmann said, "Neither CZ nor any other Binance business leader has ever suggested that increasing market share should supersede compliance obligations."
Among the countries Zhao sought to expand in was Russia, which Binance described in a 2018 blog as a major market due to its "hyperactive" crypto community. A Reuters article in April detailed Binance's efforts to dominate the crypto market there and how, behind the scenes, the exchange was building ties with Russian government agencies.
