BRATISLAVA - In September 2020, a North Korean hacking group known as Lazarus broke into a small Slovakian crypto exchange and stole virtual currency worth some $5.4 million. It was one of a string of cyber heists by Lazarus that Washington said were aimed at funding North Korea's nuclear weapons programme.
Several hours later, the hackers opened at least two dozen anonymous accounts on Binance, the world's largest cryptocurrency exchange, enabling them to convert the stolen funds and obscure the money trail, correspondence between Slovakia's national police and Binance reveals.
In as little as nine minutes, using only encrypted email addresses as identification, the Lazarus hackers created Binance accounts and traded crypto stolen from Eterbase, the Slovakian exchange, according to account records that Binance shared with the police and that are reported here for the first time.
"Binance had no idea who was moving money through their exchange" because of the anonymous nature of the accounts, said Eterbase co-founder Robert Auxt, whose firm has been unable to locate or recover the funds.
Eterbase's lost money is part of a torrent of illicit funds that flowed through Binance from 2017 to 2021, a Reuters investigation has found.
During this period, Binance processed transactions totalling at least $2.35 billion stemming from hacks, investment frauds and illegal drug sales, Reuters calculated from an examination of court records, statements by law enforcement and blockchain data, compiled for the news agency by two blockchain analysis firms. Two industry experts reviewed the calculation and agreed with the estimate.
Separately, crypto researcher Chainalysis, hired by U.S. government agencies to track illegal flows, concluded in a 2020 report that Binance received criminal funds totalling $770 million in 2019 alone, more than any other crypto exchange. Binance CEO Changpeng Zhao accused Chainalysis on Twitter of "bad business etiquette."
Binance declined to make Zhao available for an interview. Responding to written questions, Chief Communications Officer Patrick Hillmann said Binance did not consider Reuters' calculation to be accurate. He did not respond to requests to provide Binance's own figures for the cases identified in this article. He said Binance was building "the most sophisticated cyber forensics team on the planet" and was seeking to "further improve our ability to detect illegal crypto activity on our platform."
As Reuters reported in January, Binance kept weak money-laundering checks on its users until mid-2021, despite concerns raised by senior company figures starting at least three years earlier. In response to that article, Binance said it was helping drive higher industry standards and the reporting was "wildly outdated." In August 2021, Binance compelled new and existing users to submit identification.
With around 120 million users worldwide, Binance processes crypto trades worth hundreds of billions of dollars a month. The sector was hit by a sharp correction in May, its overall value slumping by a quarter to $1.3 trillion. Zhao said he saw "new found resiliency" in the market.
Meanwhile, his company is extending its reach into traditional business, announcing a $200 million investment in media group Forbes this year and committing $500 million to Tesla boss Elon Musk's bid to take over Twitter. Forbes abandoned its plans to list publicly last week and a Forbes spokesperson said Binance's investment would not take place. Musk didn't respond to requests for comment.
The flow of illicit crypto through Binance, identified by Reuters, represents a small portion of the exchange's overall trading volumes. Yet as policymakers and regulators, including U.S. Treasury Secretary Janet Yellen and European Central Bank President Christine Lagarde, voice concern over the illegal use of cryptocurrencies, the trade demonstrates how criminals have turned to the technology to launder dirty money.
For this article, Reuters interviewed law enforcement officials, researchers, and crime victims in a dozen countries, including in Europe and the United States, to assess the enduring impact of past gaps in Binance's anti-money laundering rules.
Reuters reviewed detailed data about Binance client transactions on "darknet" sites – marketplaces for narcotics, weapons and other illegal items. Most of the data was provided by Crystal Blockchain, an Amsterdam-based analysis firm that helps companies and governments trace crypto funds. The data showed that from 2017 to 2022, buyers and sellers on the world's largest darknet drugs market, a Russian-language site called Hydra, used Binance to make and receive crypto payments worth $780 million. Reuters cross-checked these figures with another analysis firm, which agreed with the findings.
In April, the U.S. Justice Department announced that U.S. and German law enforcement had seized Hydra's servers. The U.S. indicted the servers' alleged administrator for conspiring to commit money laundering and distribute illicit drugs. The site was closed down and the alleged administrator arrested by Russian authorities.
The data compiled for Reuters included crypto that passed through multiple digital wallets before reaching Binance. For crypto firms, such "indirect" flows with links to known suspicious sources are red flags for money laundering, according to the Financial Action Task Force, a global watchdog that sets standards for authorities combating financial crime. Money launderers often use sophisticated techniques to create complex chains of crypto transfers that cover their tracks, the FATF and the International Monetary Fund have said.
Hillmann, the Binance spokesperson, said the Hydra figure was "inaccurate and overblown" and that Reuters was wrongly including indirect flows in its calculation.
Reuters then asked how Binance views its responsibility to monitor its indirect exposure to dirty money. Hillmann replied that "what's important to note is not where the funds come from - as crypto deposits cannot be blocked - but what we do after the funds are deposited." He said Binance uses transaction monitoring and risk assessments to "ensure that any illegal funds are tracked, frozen, recovered and/or returned to their rightful owner." Binance is working closely with law enforcement to dismantle criminal networks using cryptocurrencies, including in Russia, he said.
Reuters reviewed documentation from criminal and civil cases. A still open civil case in the United States alleges that in 2020 Binance declined a request from investigators and lawyers, acting on behalf of a hacking victim, to permanently freeze an account that was being used to launder stolen funds. Binance, which disputes the U.S. court's jurisdiction, confirmed to Reuters that it only put a temporary freeze on the account. Hillmann blamed a failure by law enforcement to submit a timely request via Binance's web portal and then answer the exchange's follow-up questions.
In Germany, police said investigators began seeing criminals in Europe turn to Binance in 2020 to launder some of the proceeds from investment fraud schemes that caused victims, many of them pensioners, to lose in total 750 million euros ($800 million). The criminals' use of Binance has not been previously reported.
Reuters reporting also reveals for the first time how North Korea's Lazarus used Binance to launder some of the cryptocurrency stolen from Eterbase. A smaller portion of the funds were laundered at the same time through another major exchange, Seychelles-based Huobi, which declined to comment.
After another heist in March this year, when Lazarus stole over $600 million from an online game involving cryptocurrencies, Zhao said North Korean hackers had transferred an unspecified amount of the funds to Binance. Hillmann told Reuters that Binance has identified and frozen more than $5 million and is assisting law enforcement with its investigation. He didn't provide further details.
The United States sanctioned Lazarus in 2019 over cyber attacks designed to support North Korea's weapons programmes, calling it an instrument of the country's intelligence service – an accusation Pyongyang called "vicious slander." North Korea's mission to the United Nations did not respond to emailed questions. Blockchain researcher Chainalysis estimates that Lazarus stole crypto worth $1.75 billion by 2020 that mostly flowed through unidentified exchanges.
"THE HYDRA IS THRIVING"
Zhao, known as CZ, started Binance in Shanghai in 2017. Three months later, he unveiled a new strategy, on an internal chat group, for the company's next phase of development. "Do everything to increase our market share, and nothing else," Zhao wrote.
The priority, he said, was to ensure Binance overtook larger cryptocurrency exchanges and fended off competition from smaller rivals. "Profit, revenue, comfort, etc, all come second."
Asked to elaborate on this remark, Hillmann said, "Neither CZ nor any other Binance business leader has ever suggested that increasing market share should supersede compliance obligations."
Among the countries Zhao sought to expand in was Russia, which Binance described in a 2018 blog as a major market due to its "hyperactive" crypto community. A Reuters article in April detailed Binance's efforts to dominate the crypto market there and how, behind the scenes, the exchange was building ties with Russian government agencies.
Binance has continued to provide limited services in Russia since the country's invasion of Ukraine this year, despite requests from the government in Kyiv for exchanges to ban Russian users as part of efforts to isolate Russia financially. Russia calls its actions in Ukraine a "special operation."
Reuters' new reporting following the April article shows that many people who signed up to Binance in Russia weren't using it for trading. Instead, Binance became a key payment provider for Hydra, the giant darknet marketplace, according to the blockchain data compiled for Reuters, a review of Hydra user forums, and interviews with illegal drug users and researchers.
After it was set up in 2015, Hydra distributed narcotics on behalf of drug dealers, all priced in bitcoin, to millions of buyers, mostly in Russia.
German police, in coordination with U.S. authorities, seized Hydra's servers in Germany in April, closing the site down. The U.S. indicted a Russian resident, Dmitry Pavlov, for administering the servers. A week later, Russian authorities arrested Pavlov for allegedly dealing in drugs, a Moscow court said, adding he had filed an appeal. Before his arrest, Pavlov told the BBC he ran a licensed server company and was not aware it was hosting Hydra. Pavlov didn't respond to messages from Reuters sent via his company.
The Justice Department, describing Hydra as "the world's largest and longest-running darknet market," said the site had received in total around $5.2 billion in cryptocurrency. Neither Binance nor any other payment provider linked to Hydra was named by the Justice Department, which declined to comment on Binance.
Hillmann told Reuters that Binance "works closely with law enforcement to target the illicit drug trade daily."
Sites like Hydra are only accessible on a clandestine part of the internet, known as the dark web, that requires a browser that hides a user's identity.
As early as March 2018, Hydra users recommended on the site's Russian-language forums that buyers use Binance to make purchases, citing the anonymity Binance afforded its clients at the time by allowing them to register with just an email address. "This is the fastest and cheapest way I've tried," a user wrote.
Cryptocurrency traders exchanged dozens of messages in 2021 and early 2022 about using Hydra on Binance's own Russian community Telegram chat. "The Hydra is thriving," wrote one last year.
Hydra transformed the narcotics market in Russia, researchers said. Previously, drug users tended to buy from street dealers with cash. With Hydra, users selected substances on the site, paid the seller in bitcoin, and received coordinates to pick up the "treasure" at a discreet location. Buyers, known as "treasure hunters," found their purchases buried in forests at the edge of town, hidden in garbage dumps, or stuffed behind loose bricks in abandoned buildings.
According to a report by the United Nations Office on Drugs and Crime, Hydra increased the availability of drugs in Russia and drove a surge in demand for stimulants, such as methamphetamine and mephedrone. Drug-related deaths rose by two-thirds between 2018 and 2020, figures from Russia's state anti-drug committee show.
At the time of the U.S. and German operation to seize Hydra's servers, the Drug Enforcement Administration, which supported the investigation, said the marketplace's services "threaten the safety and health of communities far and wide." The DEA referred Reuters to the Justice Department for further comment.
Aleksey Lakhov, a director at Russian charity foundation Humanitarian Action, which researches drug use, said he was "horrified" by how Hydra fuelled addiction. "During the days I used drugs, you had to know someone at least" in order to obtain narcotics, Lakhov, a recovered addict, added.
Alexandra, a 24-year-old office manager in Moscow, started buying mephedrone and ketamine on Hydra in 2019 to help cope with her bipolar disorder. Several friends who used Hydra told her Binance was the safest way to pay dealers, Alexandra told Reuters, speaking on condition she be identified only with her first name. Some of them used fake personal information to open Binance accounts, she said, but she uploaded a copy of her passport. Binance never blocked or queried any of her payments. Asked about her account, Binance said it was continually strengthening its know-your-customer capabilities.
The system's anonymity made it easy to buy drugs on the darknet, Alexandra said. "It was like buying chocolate in the store."
As her drug use became an everyday habit, she went days without sleep, wracked by hallucinations and depression. "I felt like I was dying, and I liked that feeling," she said. Eventually, she sought psychiatric help and received therapy. Since then, she just used Hydra to buy cannabis.
State Department reports from 2019 and 2020, without mentioning Hydra or Binance, warned that drug traffickers in Russia were using virtual currencies to launder proceeds. A State Department spokesman declined to comment on Hydra and Binance.
As reported by Reuters in its January investigation, an internal document shows that Binance was aware of the risk of illegal finance in Russia. Binance's compliance department assigned Russia an "extreme" risk rating in 2020 in an assessment that was reviewed by Reuters. It cited money-laundering reports by the U.S. State Department. Hillmann told Reuters Binance had taken more action against Russian money launderers than any other crypto exchange, citing a ban it imposed on three Russian digital currency platforms that were sanctioned by the United States.
Crypto flows between Binance and Hydra dropped sharply after the exchange tightened its customer checks in August 2021, the data from Crystal Blockchain shows.
For the past five years, Binance has allowed traders on its platform to buy and sell a coin called Monero, a cryptocurrency that offers users anonymity. While bitcoin transactions are recorded on a public blockchain, Monero obscures the digital addresses of senders and receivers. A Beginner's Guide to Monero by Binance, available on its website, said such coins were "desirable for those seeking true financial confidentiality."
Zhao has spoken in favour of "privacy coins," of which Monero is the most traded. During a 2020 video call with staff, a recording of which Reuters reviewed, Zhao said privacy was part of people's "financial freedom." He didn't mention Monero, but said Binance had funded other privacy coin projects.
Monero proved to be popular among Binance users. As of late May, Binance was processing Monero trades worth around $50 million a day, far more than other exchanges, according to data from the CoinMarketCap website.
Law enforcement agencies in Europe and the United States have warned that Monero's anonymity makes it a potential tool for money launderers. The U.S. Department of Justice, in a 2020 report, said it considered the use of "anonymity enhanced cryptocurrencies" like Monero "a high-risk activity that is indicative of possible criminal conduct."
On several darknet forums that Reuters reviewed, over 20 users wrote about buying Monero on Binance to purchase illegal drugs. They shared how-to guides with names like DNM Bible, a reference to darknet markets.
"XMR is essential to anyone buying drugs on the Dark web," wrote one user on the forum Dread, referring to Monero's ticker symbol. It isn't possible to contact users through the forum so Reuters was unable to reach these people for comment.
Hillmann told Reuters there were "many legitimate reasons why users require privacy," such as when opposition groups in authoritarian regimes are denied safe access to funds. Binance opposed anyone using crypto to buy or sell illegal drugs, he said.
Hackers have used Binance to convert stolen funds into Monero.
In August 2020, hackers hijacked a cryptocurrency wallet belonging to an Australian man named Steve Kowalski by tricking him into downloading malware, Kowalski said in a witness statement to Australian police. They withdrew the 1,400 bitcoin he held in the wallet, worth some $16 million at the time. Kowalski told police he had bought the bitcoin for $500,000 six years earlier and they were a significant portion of his assets.
Investigators hired by Kowalski traced most of his bitcoin through a series of wallets to six Binance accounts, where the coins were exchanged for Monero, according to testimony and blockchain analysis reports filed as part of an ongoing civil complaint Kowalski submitted last year against Binance in Miami-Dade County, Florida. Kowalski declined to comment.
Kowalski's investigation showed that a U.S. software consultant called Brandon Ng, then living in Florida, controlled most of the Binance accounts. Ng testified to the court that a crypto trading partner, who he knew online only by the username MoneyTree, deposited the bitcoin in his Binance accounts. MoneyTree, Ng said, paid him a 1% commission to convert the bitcoin into Monero on Binance and then transfer it back. A lawyer for Ng, Spencer Silverglate, said MoneyTree likely traded through Ng to shield his identity from Binance. Ng testified that he was not aware he was laundering stolen bitcoin.
MoneyTree did not respond to emails sent by Reuters to an address that Ng provided to the court. Silverglate, the lawyer, said Ng did not steal or launder Kowalski's bitcoin and was an "innocent downstream trader."
Ng's Monero trading had earlier raised alarms at another crypto exchange called Poloniex, based in the United States, where he also had an account. In mid-2019, his Poloniex account was frozen after it was flagged for "high risk exposure" to money laundering due to Monero withdrawals totalling over $1 million, according to a summary filed with the court. Poloniex didn't respond to a request for comment.
Binance dealt with Ng differently. Kowalski's private investigators and lawyers contacted Binance soon after the theft, before Ng converted all the funds, and repeatedly asked Binance to permanently freeze Ng's accounts, their written communications show. The letters, filed with the court, also accuse Binance of not responding to police requests to secure the assets for the duration of their investigation.
Binance imposed a seven-day freeze on the accounts, but then lifted it, allowing Ng to exchange the stolen bitcoin for Monero over several months. In his response to Reuters, Hillmann said law enforcement failed to request a permanent freeze via Binance's web portal within the seven-day period and then didn't answer the exchange's follow-up questions.
A Binance investigation team member told one of the private investigators in a message that "while it is highly likely the paths leading to this account are malicious," Binance could not prove the accounts were "created to facilitate laundering." When the investigator persisted, the team member scolded him for "several issues with your tone."
In a submission last December to the court in Florida, Binance said the case should be dismissed as the court did not have jurisdiction over the company. To determine the matter, the judge has granted discovery, a process where parties request documents from each other.
Hillmann told Reuters that Binance investigates all allegations of misconduct on its platform and takes appropriate action if its investigators uncover wrongdoing.
Eterbase, the Bratislava-based exchange hacked by the North Koreans, sought Binance's help, too.
After news of the hack by Lazarus, Zhao tweeted on Sept. 9, 2020: "Will do what we can to assist." But when Eterbase emailed Binance's support centre, a Binance team member said they could not share any account data without a law enforcement request, according to communications between the two firms seen by Reuters.
Eterbase submitted a criminal complaint to Slovakia's National Crime Agency. In June, 2021, the agency wrote to Binance requesting information and saying the funds were stolen by "anonymous attackers united under the Lazarus hacking group." Binance replied that it could not identify accounts connected to the hack. In July, after another, more detailed police request, Binance sent the agency records on 24 accounts, adding they had been empty for over nine months as "the assets have instantly been traded."
Hillmann said Binance fully cooperated with requests received from Slovakian authorities and helped them to identify the relevant accounts.
The records, reviewed by Reuters, showed the only personal information Binance held on the account holders was their email addresses, many of which were based on misspelt well-known names, such as "bejaminfranklin," the American founding father, and "garathbale," the Welsh soccer player. The hackers used virtual private networks to obscure their devices' locations, the records show.
Within around 20 minutes of opening most of the accounts, the hackers passed an unspecified "security check" allowing them to withdraw crypto, according to the account records. Each account then converted portions of the stolen funds into just under two bitcoin, the withdrawal limit at the time for a basic account without identification.
After the hack, Eterbase stopped its operations and later filed for bankruptcy. Auxt, the company co-founder, said the losses meant Eterbase could no longer cover its expenses. "The hack killed our business," he said. Victims of the hack are yet to be reimbursed.
In private, Zhao has bemoaned that Binance needs to carry out checks on its customers. During the 2020 video call, Zhao told staff that know-your-customer rules were "unfortunately a requirement" of Binance's business.
At times, the compliance team struggled with its workload. In a message to staff in January 2019, Zhao asked other departments to help the compliance team run background checks due to an "overwhelming" number of new users.
According to a group chat among Binance staff, the compliance team sometimes approved accounts with inadequate documentation. A team member complained to colleagues that one user was able to open an account by submitting three copies of the same receipt from a meal at an Indian restaurant. Hillmann said Binance's know-your-customer checks are now "highly sophisticated" and that it views such rules as both "mandatory and welcome."
Current and former police officials in five countries told Reuters that criminal groups were among Binance's growing customer base in recent years.
In late 2019, Konrad Alber, a retired family lawyer in Germany, invested most of his savings on a trading platform he found online. He told Reuters he hoped it would supplement his small pension and allow his wife to stop working to support their life in a village in the Black Forest.
The platform, called Grandefex, promised to "unleash" his money's potential through a sophisticated algorithm. In an email, a sales representative told Alber, who had little investing experience, that he could double any deposits within a year. Over 18 months, he wired almost 35,000 euros to Grandefex's bank accounts.
Then, last June, when he asked Grandefex to pay him his expected profits, he discovered his money had been transferred to Binance, emails and bank account records show. Alber begged Grandefex by email to return his funds, telling their finance department he had a "mountain of debt" and was suffering a "nervous breakdown."
In response, Grandefex told him, "You will simply not receive your money."
Reuters' emails and calls to Grandefex went unanswered. In June 2020, Germany's regulator said the platform was unauthorised and ordered its closure.
Grandefex was one of a string of fake trading websites set up by organised crime groups that have scammed some 750 million euros from European citizens, many of them pensioners, according to German, Austrian and Spanish authorities. Six people involved in police investigations into the scams told Reuters that the groups, which operate call centres in Eastern Europe, have shifted to laundering their gains through crypto exchanges, particularly Binance.
Hillmann said Binance is tackling investment fraud by identifying victims and suspects, and whenever possible, freezing criminal proceeds.
A Vienna-based non-profit organisation, the European Funds Recovery Initiative, which supports victims of investment fraud, has received around 220 complaints from people whose stolen savings were converted into crypto. Almost two-thirds lost money that was funnelled through Binance, totalling 7.4 million euros, said the initiative's co-founder, Elfi Sixt. Other investment frauds targeting people in Turkey, Britain and Pakistan also used Binance, authorities have said.
Police officers and lawyers told Reuters that it is harder for fraud victims to recover lost funds when they pass through a crypto exchange. In many countries, consumers can ask their banks to freeze or reimburse stolen funds. Binance requires victims to sign non-disclosure agreements as a condition for temporarily freezing assets and insists on the direct involvement of law enforcement to process claims, according to its website.
Sixt said she has followed this process to no avail. "I've never succeeded at getting money back from Binance." Asked about this, Hillmann didn't directly respond.
Alber, the retired lawyer, sent a letter to Binance, but said he never heard back. In June 2021, the 67-year-old reported the theft of his savings and their transfer to Binance to local police. The prosecutor's office in the nearby town of Baden-Baden said his case remains under investigation. Binance said it had no record of Alber's letter.
At a police station in the Lower Saxony city of Braunschweig, the state cyber crime unit is investigating a similar scam that used Binance. Chief Inspector Mario Krause, two of his investigators and the prosecutor leading the probe detailed the case to Reuters.
Last October, the unit coordinated with Bulgarian authorities to raid a call centre in the capital Sofia, which police said ran hundreds of fake online trading platforms.
They obtained evidence, reviewed by Reuters, including a database showing the operators had taken in deposits totalling 94 million euros. Videos police seized from an employee's phone depicted what Krause described as a "Wolf of Wall Street" atmosphere at the call centre. Staff rang gongs and popped champagne bottles when they secured big deposits. A scoreboard showed which employee had raked in the most money each week. They partied on yachts and private jets.
In a statement at the time of the raid, the prosecutor's office said one suspect was arrested. The case prosecutor, Manuel Recha, told Reuters the organisation's leaders are still at large. The company that ran the call centre, Dortome BG, did not respond to requests to comment.
During the investigation, the cyber unit sought to trace where the stolen funds ended up.
Investigators tracked the money through many layers of bank accounts to Binance and another exchange, U.S.-based Kraken, police said. By the time Binance and Kraken provided account records, the police said the funds had been withdrawn or sent to a "mixer," a service which anonymises crypto transactions by breaking them up and mixing them with other funds. The personal information held by both exchanges on the accounts was often fake or stolen from victims, the officers said.
Kraken told Reuters it has "bank-grade" customer checks and robust tools to prevent fraud. Kraken disputed that customer information provided to Braunschweig police was fake, saying "every indicator we have suggests these accounts were used by legitimate clients."
The Germans' money trail went cold.
Krause said his team was struggling to make progress. "We're searching for a way out of the black hole," he said.
(Reporting by Angus Berwick and Tom Wilson; additional reporting from Michelle Nichols in New York; editing by Janet McBride)