Week 7: What can be done about North Korean Cryptocurrency use?

Last week we committed to focus the rest of our project on addressing North Korea’s use of cryptocurrency to evade sanctions.

After deciding this, we found ourselves in need of a map of North Korean cryptocurrency use. We began with a simple diagram of how North Korea attains, holds, and uses cryptocurrencies:

We discussed this mapping with several experts and its general framing seems to hold up. One key point of discussion, however, was around the relative magnitudes of each of these buckets. Most people seem to think cryptocurrency mining is unlikely to be a major source of North Korean revenue as the mature coins require more and more processing power to produce marginal returns. Processing power, moreover, requires electricity, which in turn requires fuel. Being in short supply of the latter, mining is likely unfeasible for DPRK. Some cryptocurrencies, like Monero, are designed to reduce the specialized computing advantages of other coins but it still remains likely that mining is not a major source of North Korean revenue (although it can still be useful for laundering pseudonymous coins into more anonymous coins as discussed below).

Additionally, the universe of actors ready to spend or receive cryptocurrency on goods and services is relatively limited. One of our big questions going forward and one we’re not sure we’ll be able to answer is whether North Korea has developed partners willing to accept or send cryptocurrency in exchange for goods and services (such as refined petroleum being acquired through ship-to-ship transfers). More information on this subject would help us prioritize the levying of sanctions on entities facilitating these transactions and the eventual conversion of cryptocurrencies into fiat currencies that likely follows. (It is important to note that North Korea has also received cryptocurrencies in the past as part of ransomware attacks like WannaCry, but these attacks have so far resulted in little actual currency transfers despite their more significant economic damage).

Instead, we are proceeding on a rough assumption that North Korea is primarily attaining cryptocurrency through theft and primarily converting it to fiat currencies through exchanges. We will continue to evaluate both of these conclusions as we proceed.

Our next step was to hypothesize ways the US can interfere with North Korean cryptocurrency use, so we adapted our map:

We quickly received feedback from several interviews that trying to address the general cryptocurrency security practices that North Korea is exploiting is unlikely to be fruitful. Many of the exchanges and wallets North Korea is attacking have little incentive to prioritize security and some of them are engaged in shady practices themselves. While improvements in industry practices around security are important, we are unlikely to greatly influence them at any noticeable scale.

Instead, many of our interviewees directed us to looking at exchanges on the backend, where North Korea is likely exchanging cryptocurrency for fiat currency through some third party. These third parties are influenceable and this led us to our first idea for a potential MVP (and reviving a past MVP): creating a blacklist.

Unlike for our previous blacklist idea, we are not concerned about any run-away effects of legitimate businesses refusing to deal with North Korea in this space because it would be in US interests if North Korea was completely forced out of the cryptocurrency world and into fiat currency transactions for increased transparency. Thus, we propose developing and publishing a blacklist of exchanges found to have facilitated the exchange of North Korean cryptocurrency for fiat currency to disincentivize others from working with them.

There is an additional complication here, however, as there are multiple reports that North Korea has increasingly used more anonymous cryptocurrencies, like Monero, to launder Bitcoin and other pseudonymous coins to reduce their traceability. This might undercut the ability of US actors to identify exchanges for listing, although we have heard conflicting things about the difficulty of tracking different cryptocurrencies. This is an area for further investigation.

We also developed an alternate MVP around the idea that US negotiators might find it useful to suddenly ratchet up pressure on North Korean cryptocurrency use at key moments in negotiation. We are still developing ideas around this theory but are considering something roughly like the following:

In order for such a plan to work, we would have to assume the following:

  • Bitcoin and other pseudonymous cryptocurrencies are trackable by US Government actors, as long as Monero and more private coins are not usable for laundering transactions
  • Monero and quasi-anonymous cryptocurrencies are not reliably trackable
  • 51% Attacks are possible at roughly fixed costs as set out here: https://www.crypto51.app/

There are serious disadvantages to initiating a plan like this, however:

  • Likely massive public backlash from privacy/cryptocurrency community (mitigatable in part by not using a 51% hold on Bitcoin itself, at the cost of sending a weaker message)
  • Cost is reasonable for short time frames but susceptible to other actors increasing their mining to raise (mitigatable by publishing that the US gov’t is doing it and only maintaining holds for short, tactical timeframes)
  • Private actors in space will likely create workarounds and new coins, so effectiveness will be limited in repeated attempts

But we also see some serious potential upsides:

  • Potential to completely halt and continuously cripple North Korea’s use of cryptocurrencies
  • Coordinated effort will likely have increased signaling impact that US is willing to use its capabilities in this sphere
  • As non-cryptocurrency avenues of restricting North Korean access to currency ratchet up the pressure, they may find themselves more and more reliant on cryptocurrency. Strategically freezing their entire ability to move cryptocurrency may have significant impact on their decision making

Ultimately we are still working on this potential plan of action for suddenly and broadly interfering with North Korean cryptocurrency use. We have heard serious skepticism about the wisdom of such a plan from practitioners in the crypto space, especially as related to the 51% holds. We definitely need to consider these concerns as we proceed.

Interviews this week:

We focused this week on learning from experts in cryptocurrency and cybersecurity about the general framework that underlies North Korea’s actions in this world.

  1. Dan Morehead, CEO Pantera Capital
  2. Donnie Hasseltine, Chief Security Officer, Xenon Ventures
  3. Marc Zlomek, USCG
  4. Chris Painter, Former US Coordinator for Cyber Issues
  5. Joe Grundfest, Professor at Stanford Law School
  6. Lenny Raymond, Partner at Volvox
  7. Adam Meyers, VP for Intelligence
  8. Steve Weinstein, Professor at Stanford University
  9. Jeff Ladish, Former CISO at Reserve
  10. Josh Bernstein, Crypto Investor

Key Learnings:

Learning #1: The theft, rather than mining, of cryptocurrencies has provided DPRK with $500M+ worth of cryptocurrency (mostly Bitcoin).
Learning #2: Insecure cryptocurrency exchanges in ASEAN countries facilitate these practices.
Learning #3: The private sector is unsure how the DPRK has or will convert cryptocurrency holdings to fiat currency or use cryptocurrency to procure resources, which implies the DPRK’s use is not public knowledge within the cryptocurrency community.

Week 6: Choosing the major. So, what’s normal?

Key Learning Moments

  1. The process of interagency coordination is actually very well structured. An interagency task force employs a unique model to coordinate all actors’ actions: private and public, foreign and domestic, strategic and operational.
  2. Illegal activity not linked to DPRK makes it harder to detect anomalies and generates a lot of (wasteful and costly) false positives.
  3. The seemingly only area that is not mapped well enough is DPRK’s illegal extraction, laundering and spending of cryptocurrencies (mainly Bitcoin).
  4. The operators on the ground distrust the intelligence passed down to them.

Our Major

Nothing on the sea matters if China opens another pipeline.

OSD Sponsor

Problem tackled:

The DPRK, faced with increased international pressure along their physical transportation routes (maritime and land) has reverted to circumventing the sanctions by:

  • Employing state-sponsored security professionals, including the Lazarus Group, referred to commonly as APT (Advanced Persistent Threat) 38 to extract cryptocurrency from wallets, exchanges etc.
  • Rerouting the stolen currency through a mixture of commonly used (US-Based) and more obscure (mainly East-Asian) exchanges and clearing houses and gradually converting it to hard currency (USD, EUR, CNY)
  • Spending the illegally-obtained currency on luxury items, refined petroleum, industrial machines etc.

Currently, the sanction-enforcement authorities have few tools available to tackle this stream of DPRK financing.

If you are my private think tank, I want you to figure out a way to stop NK from making money using cyber tools. I want a mechanism that rivals in the cyberspace what we can already do in the physical space.

An individual experienced with the Interagency Task Force

Researching the policy vectors that could be applied along with the ways DPRK currently performs their operations will form the bedrock of the policy recommendations we will be presenting as our deliverable.

Experiment Results

While the previous lines of inquiry were largely focused on exploring the internal process of sanctions enforcement coordination, this week we have made significant findings that led us to believe that there is more potential in actual enforcement (upper part of the graph). Namely, we are focusing on better exploring the DPRK’s illegal activities in cyberspace as well as getting to know what normal (legal and illegal) traffic looks like in the East China Sea.

Where we stood and where we stand. How we chose our major.

Throughout the past weeks we have explored several different MVP ideas. Most of them have been abandoned, before we committed to the predictive modelling approach.

  • Improved blacklists have been proven to give negative value due to inability to fine-tune the pressure after inclusion on the list.
  • Flag state approval reform was ineffective as interdictions don’t actually happen (the US ships come close and photograph suspicious assets).
  • Process Improvement turns out to be ineffective due to the presence and efficiency of the interagency task force.
  • The Internal Wiki would overlap with solutions currently in existence.
  • Improved negotiation toolkit (providing better materials to negotiators) has proven to require access to information beyond our grasp.

Next Steps

Next week we’re intending to continue working to get a better understanding of the new problem space. We will be trying to learn:

  • What the most common vectors of cryptocurrency-related crime are in general and whether there are some distinguishing features DPRK employs.
  • How nation-states currently regulate cryptocurrency security and if there are any mechanisms in use to tackle this kind of crime.
  • Who are the individuals responsible for enforcement on the US side (and hopefully talk to them as well)

The key action items are listed below:

The main interviewees are going to be: Stanford Faculty, private sector security professionals, and people with relevant intelligence experience.

Interviews this week

This week’s interviews have been largely divided into three categories:

  • Military personnel and analysts who would validate our predictive modelling MVP
  • Specialists in cybercrime and cryptocurrencies-based money laundering who would help us better explore this new field
  • Process coordination insiders who helped us validate hypotheses from last week.

Week 5.5 – A Shift in Perspective: Keeping the Big Picture in Mind, While Identifying an Actionable Pinpoint

TL;DR:

Inspired by a conversation with Capt. Miller, we decided two things: a) commit to “zooming in” into the enforcement piece and understand how to make it easier for those who perform it daily (more details in our “Week 6” Blog Post)!; b) not to disregard our “zooming out”: keep the wealth of insights we gather, and crystalize it into a policy report, which will be produced alongside our final product.

Background

Last week was probably one of the most important ones for Embargo.NK so far. Our learning curve was the steepest yet, as we went through a process of trying, failing, hitting a wall, retrying. As a recap, in week 4 we came up with three MVPs:

  • An internal sanctions wiki, which would allow different government agencies to have at their disposal various information regarding sanctioned entities, to speed up the démarche process;
  • A watchlist, which would be relied upon by private entities, as part of a due diligence process to ensure they are not trading with “bad actors”;
  • A “prioritization” tool that would help identify where to best deploy enforcement resources, in light of the strategic objectives the sanctions purports to accomplish.

After our rounds of interviews for week 5 and, particularly, after enlightening chats with Ambassadors Hill and Stephens, we reconsidered our perspective. We decided to zoom out, once again, and look at the bigger picture. We told ourselves the best way to address the issue was to empower the negotiators, and to affect the enforcement decision-making process by encouraging information sharing among the different parties involved.

This idea was, at best, idealistic. True, we got several signals from our interviews that “the process is broken” and that the negotiator needs a menu of options, a range of analytical and anecdotal evidence that they can leverage during the negotiations level. We learned that, sometimes, sanctions are more effective when un- or under-enforced, and that you want to make sure that you are equally able to lift them, as you’re able to apply them. However, if we want to have an impact in this process, and an immediately helpful one, zooming out is not the right option. We need to zoom in, and dig further, and assess our pinpoint.

We learned this the hard way – when we presented what we thought were our breakthrough learnings and, yet, could not come up with an actionable MVP. We thought we had figured out the whole picture, but were also looking at it through the wrong angle. Hitting this wall was crucial in our growth as a team, and in the development of our project.

Brainstorming & an Important Interview

We then had a major brainstorming session. We boiled down and mapped out this enormous quantity of information that we had been gathering in the previous weeks, concerning the actors involved, the process, and the strategic goals at play.

What we had investigated, up to this point, was the relationship between the “results” and the decision-making process. We did not have a clear MVP in mind, but we were thinking to help influence that process by providing a system, a process, or just more information on how the sanctions should align with our strategic goals.

Through our brainstorming session, however, we reached a different conclusion: regardless of our other findings, improving enforcement is valuable, as it is the central piece that connects decision and results.

The brainstorming session came right after an important conversation with Captain Jeffrey Miller, COMPACFLT Maritime Homeland Defense Office in Charge, Coast Guard Area Pacific. Capt. Miller shared with us what vessel monitoring operation looks like in the East China Sea. Miller has a target list of potential vessels that are trafficking with North Korea: the list is based on intelligence he receives from DC, as well as on an algorithm that detects routine people that have been caught performing similar operations. Although in most cases the interdiction operation cannot be performed, as it is not authorized, Miller’s team follows suspected vessels across the horizon, takes pictures and/or annotates the vessel’s number.

Based on Captain Miller’s description, and the cumulative knowledge we gathered from previous interviews, we plunged into the enforcement piece and developed the following diagram:

Captain Miller reiterated a common theme from DoD interviews, that illegal ship-to-ship transfers of refined petroleum are a key focus. Basically, vessels act like a gas station: another vessel can stop and get fuel from them. A key regional problem related to ship-to-ship transfers is that a lot of them happen in the East China Sea unrelated to North Korean sanctions evasion. But, as the latest report from the UN Panel of Experts highlights, North Korea’s use of these illegal transfers has increased exponentially in 2018. The techniques used for sanction circumvention range from less sophisticated, like painting their vessels and changing their names, to more professional ones, like using flags of convenience and spoofing AIS (Automatic Identification System).

Our interviewee reported that, in this process, what he and his team would benefit from is a model that tracks the “normal traffic” of ship-to-ship transfer in the East China Sea. Having a pattern that identifies the regular behavior during these transfers, i.e., licit and not-North Korean related ones, will make it a lot easier to spot the outliers.

Inspired by this request, we decided two things:

a) commit to “zooming in” into the enforcement piece and understand how to make it easier for those who perform it daily (more details in our “Week 6” Blog Post)!; b) not to disregard our “zooming out”: keep the wealth of insights we gather, and crystalize it into a policy report, which will be produced alongside our final product.

Week 5: Running our MVPs by the Ambassadors

Key Learning Moments

  1. We found out that private companies already rely on more robust tools than the list we proposed to create. Given our previous week’s hesitation around IC concerns, we’ve decided to scrap the list MVP.
  2. Speaking to a number of former State Dept. folks didn’t yield the “grab it out of our hands” moment that we hoped regarding our internal wiki idea. While this isn’t necessarily an invalidation, it also isn’t support for the idea.
  3. Speaking to two former Ambassadors who were both involved in the Six-Party talks indicated that information coordination is a significant challenge within the enforcement ecosystem.

Experiment Results

This week we used our MVPs to test three hypotheses with potential beneficiaries to a mixed result.

  1. The démarche process is overly complex and takes too much time for State Country Officers.
  2. Private companies unwittingly violate sanctions and a public list of suspected evaders would help these companies comply.
  3. Enforcement priorities are not driven by or responsive to the negotiation team.

Our interviews this week included a number of former State Department officials, including two former Ambassadors who were both involved in the Six-Party talks. We also talked to a number of academics and former Commerce Department officials.

As to the first hypothesis, we had hoped that talking to folks from the State Department about our idea to create an internal wiki for known sanctions evaders would result in the fabled “grab it out of our hands” moment. While the people we were able to talk to hadn’t worked directly on the démarche issue recently, none of them seemed to agree that it posed a significant challenge to State Department officials. No one told us directly that this MVP was a bad idea or would have negative consequences, but neither did they indicate that it would be a useful tool. As a team we have decided to continue trying to talk to people more directly involved in the démarche process while making sure that we respond appropriately to the feedback we have received. Essentially, we are putting this MVP on the back burner as we move forward with other ideas.

The MVP used to test the second hypothesis, the idea of creating a more robust list to help private companies with their due diligence regarding sanctions, was met with a much firmer negative response. We heard from some of our interviewees that not only did commercially available tools already exist that companies rely on, these companies also don’t normally use ignorance as a defense. Given that we as a team had previously had qualms with the idea that creating a list would have negative consequences for the intelligence community, we have decided to abandon this potential product. We all agreed that it would be better to start over with new ideas than to move forward with a product that our beneficiaries don’t need and that will negatively impact other actors in this space.

We discussed our third hypothesis with a number of our interviewees, notably Ambassadors Hill and Stephens. We have been getting the sense over the last few weeks that the major challenge in the sanctions enforcement space is not the availability of intelligence or the capacity to interdict when necessary, but that the tools of enforcement are not coordinated with the goals that drive the imposition of sanctions in the first place. An anecdote from the Ambassadors involved their experience during the six-party talks, when negotiations were abandoned by the North Koreans following enforcement actions against BDA, a financial institution used by the regime. In that case, the untimely enforcement of sanctions led to the opposite of the strategic intention of those sanctions, which was to cripple the North Korean regime sufficiently enough to force them to the negotiation table.

While we still haven’t been able to talk to the current negotiation team, talking to members of the six-party talk team was our closest approximation and we think that it continues to represent the present day challenges in this area.

Where We Stand

The results of our interviews this week have led us to graph last week’s potential MVPs on a spectrum of difficulty and value add.

We’ve decided to focus on the upper right hand corner of the graph as we move forward. We want to find ways to improve the process around how sanctions are prioritized and see if that process can be implemented with a greater focus on strategic goals. The first aspect is to determine if we have accurately mapped out the process as it currently stands. This will be a major task for the coming week as we check our understanding against that of actors in this space. While there are a lot of actors involved and many different layers to this process, at the broadest level we think that the ecosystem can be displayed using this chart:

We need to fill in the gaps and run this by more interviewees in the coming week. Our tasks moving forward include:

Week 5: Customer Discovery

During week 5, we are seeking to test our hypotheses and potential MVPs by interviewing three categories of possible beneficiaries: state department officers involved or familiar with the démarche process; private companies – and in particular, risk manager officers – and OSD.

Our goal for the week is to further brainstorm our MVPs, understand their utility, and possibly narrow them down to one.

Weekly Hypotheses:

  1. The démarche process is lengthy and complex. An internal wiki or tool that would provide more easily accessible information, would speed up the process significantly (Possible MVP: Internal Wiki).
  2. Private companies often violate sanctions, by unwittingly trading with North Korean companies. A publicly available list of sanctioned entities would facilitate due diligence and prevent non-compliant transfers due to ignorance (Possible MVP: Public Bad Actor List).
  3. Not all sanctions are best when enforced. Sometimes a prioritized approach can lead to better strategic outcomes. The US needs a tool that analytically suggests what to devote resources to when enforcing (Possible MVP: Prioritization Tool).

Experiment(s)

We will conduct Customer Discovery interviews to test our hypotheses. We are looking forward to understanding which of the possible MVP has a potential for being useful, so that we could further elaborate on it.

Week 4: Brainstorming MVPs

Key Learning Moments

  1. The DoS, and specifically analysts beneficiaries, would find it useful to have an internal wikipedia-like page compiling information related to sanctioned entities;
  2. The permeability of sanctions enforcement is not necessarily a negative thing: it can be a net positive for US strategic interests;
  3. US blacklisting practices are stricter than UN ones.

Experiment Results

This week, we tested three hypotheses:

  1. Different governmental agencies conducting enforcement do not adequately share information related to their activity in this respect;
  2. Although a list of bad actors already exists, and it is managed by the US Treasury, the list is not comprehensive and under-inclusive: a less formal blacklist would facilitate impacting shippers involved in violations;
  3. Not all sanctions are created equal: some have a stronger impact than others. The government can and should prioritize their enforcement strategically.

Our interviewees this week involved people from State Department and Intelligence, as well as a wide range of experts in North Korea economy and markets. We also had the opportunity to interview a plurality of journalists and bloggers.

As to the first hypothesis, it was difficult for us to fully prove or disprove the lack of information sharing within different agencies. The issue is classified, and as such we were unable to get a clear-cut answer. We were able to find out that a task-force agency does exist for the purpose of information sharing. However, the actors that are not part of it do not benefit from this information sharing – for this reason, they should be the focus of our further research.

Secondly, we tested the possibility of creating a less formal list of “bad actors” and its potential utility. Notably, there was no consensus between intelligence and other enforcement authorities, to whom we submitted the idea. The primary concern with the list is the costs it would bear: as such, further pursuit of this idea will require an attentive balance of its costs and its benefits.

Lastly, we discussed with our interviewees the differential impact of sanctions. We learned that, in some cases, sanction violation can be a positive outcome for the US strategy. Whether and how the US could better prioritize enforcement remains unclear, but we plan on engaging our sponsor and, potentially, other intelligence contacts to further elaborate a possible prioritization scenario.

Our Potential MVPs

Based on these findings, we started drafting three possible product directions.

First, to encourage better sharing of interagency information, we could develop an internal Government Sanctions Wikipedia. Having a centralized database, in fact, would significantly decrease the time necessary for State Department negotiators/desk officers to perform démarches, once intel is received regarding a sanction-evasion related activity. We know a similar, external tool, called Pyongyang Papers, already exists and is open sourced. The information is gathered from media outlets, or other public reports. However, we believe the database is flawed. We plan on digging in more deeply in the upcoming weeks to flesh out how it can be improved and effectively deployed.

Second, to increase barriers to ship-to-ship transfers for North Korean ships, we could build a government sponsored, yet informal “Watchlist” of “bad actors”. This product would achieve two goals: first, it would name and shame the companies that help with sanction evasion, leveraging the possibility of a deterrent effect; second, it would prevent shipping companies from claiming “ignorance” when conducting transfers to North Korea.

One idea we had is to rely on technology, such as automation, to help deploy a more effective product than the currently existing Treasury OFAC List. In fact, as it came up in one of our interviews:

“…if there were a way that was more dynamic in helping to understand who you are dealing with – that would give you a better shot at doing enforcement. Being able not to manually update these tools could be extremely valuable. There might be ways to look at previous cases where we know that there was a network going on and train through AI a system to look for similar patterns.”

Third, we will continue brainstorming on a potential prioritization tool. Before further focusing on it, we will discuss with our sponsor whether this direction might reveal itself to be useful or not.

Interviewees

This week, we focused on conversations with a wide range of North Korean experts, including former State Department and Intelligence officials, journalists and policy experts.

  1. William Brown, Former ODNI
  2. Alastair Gale, Wall Street Journal
  3. David Slayton, US Navy, Hoover
  4. Andy Kim, Former CIA
  5. Chloe Chung, Korean Foreign Ministry
  6. Todd Buchwald, Former Ambassador for Global Criminal Justice
  7. Richard Johnson, Nuclear Threat Initiative
  8. Kyle Ferrier, Korea Economic Institute of America
  9. Andray Abrahamian, Choson Exchange
  10. Eddie Fishman, Former State
  11. Joshua Stanton, One Free Korea
  12. Sig Hecker, Stanford Nuclear Energy Expert
  13. Matt Prusak, Korean Institute
  14. Michael Matheson, Former State

Week 4 Customer Discovery

To prepare for week 4 we are hoping to dig up a few more pain points or gain areas that might help us solidify our product-market fit on our mission model canvas. We plan to accomplish this by hitting one last round of North Korean experts, focusing some on economic and market dynamics. We also want to confirm that certain assumptions about who benefits from smuggled petroleum are correct.

We also want to test an idea that came out of an interview regarding the narrowness of the OFAC SDN list and the possibility of providing gains to corporate executives concerned with legal and public relations exposure while also supporting the US lead negotiator by weakening North Korean access to smuggled petroleum products.

Weekly Hypotheses:

  1. Refined Petroleum imported illegally through ship-to-ship transfers is primarily benefiting the North Korean state and not quasi-private black market actors.
  2. The Treasury Department OFAC SDN list is significantly underinclusive of all relevant bad actors and publishing a wider ranging list would reduce North Korea’s access to sanctions evading markets.

Experiment(s)

We will conduct Customer Discovery interviews to test our hypotheses. We especially hope to pull out of each interview one or two ideas for areas that need attention and possible future MVPs.