Crypto Giant Binance
became a Hub for Hackers, Fraudsters and Drug Traffickers
·
In a
2020 report that Binance received criminal funds totalling $770 million in 2019
For five years, the world’s largest cryptocurrency
exchange Binance served as a conduit for the laundering of at least $2.35 billion
in illicit funds, a Reuters investigation has found.
In September
2020, a North Korean hacking group known as Lazarus broke into a small Slovakian
crypto exchange and stole virtual currency worth some $5.4 million. It was one of
a string of cyber heists by Lazarus that Washington said were aimed at funding North
Korea’s nuclear weapons programme.
Several
hours later, the hackers opened at least two dozen anonymous accounts on Binance,
the world’s largest cryptocurrency exchange, enabling them to convert the stolen
funds and obscure the money trail, correspondence between Slovakia’s national police
and Binance reveals.
In as
little as nine minutes, using only encrypted email addresses as identification,
the Lazarus hackers created Binance accounts and traded crypto stolen from Eterbase,
the Slovakian exchange, according to account records that Binance shared with the
police and that are reported here for the first time.
“Binance
had no idea who was moving money through their exchange” because of the anonymous
nature of the accounts, said Eterbase co-founder Robert Auxt, whose firm has been
unable to locate or recover the funds.
Eterbase’s
lost money is part of a torrent of illicit funds that flowed through Binance from
2017 to 2021, a Reuters investigation has found.
“Binance
had no idea who was moving money through their exchange.”
During
this period, Binance processed transactions totalling at least $2.35 billion stemming
from hacks, investment frauds and illegal drug sales, Reuters calculated from an
examination of court records, statements by law enforcement and blockchain data,
compiled for the news agency by two blockchain analysis firms. Two industry experts
reviewed the calculation and agreed with the estimate.
Separately,
crypto researcher Chainalysis, hired by U.S. government agencies to track illegal
flows, concluded in a 2020 report that Binance received criminal funds totalling
$770 million in 2019 alone, more than any other crypto exchange. Binance CEO Changpeng
Zhao accused Chainalysis on Twitter of “bad business etiquette.”
Binance
declined to make Zhao available for an interview. Responding to written questions,
Chief Communications Officer Patrick Hillmann said Binance did not consider Reuters’
calculation to be accurate. He did not respond to requests to provide Binance’s
own figures for the cases identified in this article. He said Binance was building
“the most sophisticated cyber forensics team on the planet” and was seeking to “further
improve our ability to detect illegal crypto activity on our platform.”
As Reuters reported in January,
Binance kept weak money-laundering checks on its users until mid-2021, despite concerns
raised by senior company figures starting at least three years earlier. In response
to that article, Binance said it was helping drive higher industry standards and
the reporting was “wildly outdated.” In August 2021, Binance compelled new and existing
users to submit identification.
With
around 120 million users worldwide, Binance processes crypto trades worth hundreds
of billions of dollars a month. The sector was hit by a sharp correction in May,
its overall value slumping by a quarter to $1.3 trillion. Zhao said he saw “new
found resiliency” in the market.
Meanwhile,
his company is extending its reach into traditional business, announcing a $200
million investment in media group Forbes this year and committing $500 million to
Tesla boss Elon Musk’s bid to take over Twitter. Forbes abandoned its plans to list
publicly last week and a Forbes spokesperson said Binance’s investment would not
take place. Musk didn’t respond to requests for comment.
The flow
of illicit crypto through Binance, identified by Reuters, represents a small portion
of the exchange’s overall trading volumes. Yet as policymakers and regulators, including
U.S. Treasury Secretary Janet Yellen and European Central Bank President Christine
Lagarde, voice concern over the illegal use of cryptocurrencies, the trade demonstrates
how criminals have turned to the technology to launder dirty money.
For this
article, Reuters interviewed law enforcement officials, researchers, and crime victims
in a dozen countries, including in Europe and the United States, to assess the enduring
impact of past gaps in Binance’s anti-money laundering rules.
Reuters
reviewed detailed data about Binance client transactions on “darknet” sites – marketplaces
for narcotics, weapons and other illegal items. Most of the data was provided by
Crystal Blockchain, an Amsterdam-based analysis firm that helps companies and governments
trace crypto funds. The data showed that from 2017 to 2022, buyers and sellers on
the world’s largest darknet drugs market, a Russian-language site called Hydra,
used Binance to make and receive crypto payments worth $780 million. Reuters cross-checked
these figures with another analysis firm, which agreed with the findings.
In April,
the U.S. Justice Department announced that U.S. and German law enforcement had seized
Hydra’s servers. The U.S. indicted the servers’ alleged administrator for conspiring
to commit money laundering and distribute illicit drugs. The site was closed down
and the alleged administrator arrested by Russian authorities.
The data
compiled for Reuters included crypto that passed through multiple digital wallets
before reaching Binance. For crypto firms, such “indirect” flows with links to known
suspicious sources are red flags for money laundering, according to the Financial
Action Task Force, a global watchdog that sets standards for authorities combating
financial crime. Money launderers often use sophisticated techniques to create complex
chains of crypto transfers that cover their tracks, the FATF and the International
Monetary Fund have said.
Hillmann,
the Binance spokesperson, said the Hydra figure was “inaccurate and overblown” and
that Reuters was wrongly including indirect flows in its calculation.
Reuters
then asked how Binance views its responsibility to monitor its indirect exposure
to dirty money. Hillmann replied that “what’s important to note is not where the
funds come from - as crypto deposits cannot be blocked - but what we do after the
funds are deposited.” He said Binance uses transaction monitoring and risk assessments
to “ensure that any illegal funds are tracked, frozen, recovered and/or returned
to their rightful owner.” Binance is working closely with law enforcement to dismantle
criminal networks using cryptocurrencies, including in Russia, he said.
Reuters
reviewed documentation from criminal and civil cases. A still open civil case in
the United States alleges that in 2020 Binance declined a request from investigators
and lawyers, acting on behalf of a hacking victim, to permanently freeze an account
that was being used to launder stolen funds. Binance, which disputes the U.S. court’s
jurisdiction, confirmed to Reuters that it only put a temporary freeze on the account.
Hillmann blamed a failure by law enforcement to submit a timely request via Binance’s
web portal and then answer the exchange’s follow-up questions.
In Germany,
police said investigators began seeing criminals in Europe turn to Binance in 2020
to launder some of the proceeds from investment fraud schemes that caused victims,
many of them pensioners, to lose in total 750 million euros ($800 million). The
criminals’ use of Binance has not been previously reported.
Reuters
reporting also reveals for the first time how North Korea’s Lazarus used Binance
to launder some of the cryptocurrency stolen from Eterbase. A smaller portion of
the funds were laundered at the same time through another major exchange, Seychelles-based
Huobi, which declined to comment.
After
another heist in March this year, when Lazarus stole over $600 million from an online
game involving cryptocurrencies, Zhao said North Korean hackers had transferred
an unspecified amount of the funds to Binance. Hillmann told Reuters that Binance
has identified and frozen more than $5 million and is assisting law enforcement
with its investigation. He didn’t provide further details.
The United
States sanctioned Lazarus in 2019 over cyber attacks designed to support North Korea’s
weapons programmes, calling it an instrument of the country’s intelligence service
– an accusation Pyongyang called “vicious slander.” North Korea’s mission to the
United Nations did not respond to emailed questions. Blockchain researcher Chainalysis
estimates that Lazarus stole crypto worth $1.75 billion by 2020 that mostly flowed
through unidentified exchanges.
“The
Hydra is thriving”
Zhao,
known as CZ, started Binance in Shanghai in 2017. Three months later, he unveiled
a new strategy, on an internal chat group, for the company’s next phase of development.
“Do everything to increase our market share, and nothing else,” Zhao wrote.
The priority,
he said, was to ensure Binance overtook larger cryptocurrency exchanges and fended
off competition from smaller rivals. “Profit, revenue, comfort, etc, all come second.”
Asked
to elaborate on this remark, Hillmann said, “Neither CZ nor any other Binance business
leader has ever suggested that increasing market share should supersede compliance
obligations.”
Among
the countries Zhao sought to expand in was Russia, which Binance described in a
2018 blog as a major market due to its “hyperactive” crypto community. A Reuters article in April
detailed Binance’s efforts to dominate the crypto market there and how, behind the
scenes, the exchange was building ties with Russian government agencies.
Binance
has continued to provide limited services in Russia since the country’s invasion
of Ukraine this year, despite requests from the government in Kyiv for exchanges
to ban Russian users as part of efforts to isolate Russia financially. Russia calls
its actions in Ukraine a “special operation.”
Reuters’
new reporting following the April article shows that many people who signed up to
Binance in Russia weren’t using it for trading. Instead, Binance became a key payment
provider for Hydra, the giant darknet marketplace, according to the blockchain data
compiled for Reuters, a review of Hydra user forums, and interviews with illegal
drug users and researchers.
After
it was set up in 2015, Hydra distributed narcotics on behalf of drug dealers, all
priced in bitcoin, to millions of buyers, mostly in Russia.
German
police, in coordination with U.S. authorities, seized Hydra’s servers in Germany
in April, closing the site down. The U.S. indicted a Russian resident, Dmitry Pavlov,
for administering the servers. A week later, Russian authorities arrested Pavlov
for allegedly dealing in drugs, a Moscow court said, adding he had filed an appeal.
Before his arrest, Pavlov told the BBC he ran a licensed server company and was
not aware it was hosting Hydra. Pavlov didn’t respond to messages from Reuters sent
via his company.
The Justice
Department, describing Hydra as “the world’s largest and longest-running darknet
market,” said the site had received in total around $5.2 billion in cryptocurrency.
Neither Binance nor any other payment provider linked to Hydra was named by the
Justice Department, which declined to comment on Binance.
Hillmann
told Reuters that Binance “works closely with law enforcement to target the illicit
drug trade daily.”
Sites
like Hydra are only accessible on a clandestine part of the internet, known as the
dark web, that requires a browser that hides a user’s identity.
As early
as March 2018, Hydra users recommended on the site’s Russian-language forums that
buyers use Binance to make purchases, citing the anonymity Binance afforded its
clients at the time by allowing them to register with just an email address. “This
is the fastest and cheapest way I’ve tried,” a user wrote.
Cryptocurrency
traders exchanged dozens of messages in 2021 and early 2022 about using Hydra on
Binance’s own Russian community Telegram chat. “The Hydra is thriving,” wrote one
last year.
Hydra
transformed the narcotics market in Russia, researchers said. Previously, drug users
tended to buy from street dealers with cash. With Hydra, users selected substances
on the site, paid the seller in bitcoin, and received coordinates to pick up the
“treasure” at a discreet location. Buyers, known as “treasure hunters,” found their
purchases buried in forests at the edge of town, hidden in garbage dumps, or stuffed
behind loose bricks in abandoned buildings.
According
to a report by the United Nations Office on Drugs and Crime, Hydra increased the
availability of drugs in Russia and drove a surge in demand for stimulants, such
as methamphetamine and mephedrone. Drug-related deaths rose by two-thirds between
2018 and 2020, figures from Russia’s state anti-drug committee show.
At the
time of the U.S. and German operation to seize Hydra’s servers, the Drug Enforcement
Administration, which supported the investigation, said the marketplace’s services
“threaten the safety and health of communities far and wide.” The DEA referred Reuters
to the Justice Department for further comment.
Aleksey
Lakhov, a director at Russian charity foundation Humanitarian Action, which researches
drug use, said he was “horrified” by how Hydra fuelled addiction. “During the days
I used drugs, you had to know someone at least” in order to obtain narcotics, Lakhov,
a recovered addict, added.
Alexandra,
a 24-year-old office manager in Moscow, started buying mephedrone and ketamine on
Hydra in 2019 to help cope with her bipolar disorder. Several friends who used Hydra
told her Binance was the safest way to pay dealers, Alexandra told Reuters, speaking
on condition she be identified only with her first name. Some of them used fake
personal information to open Binance accounts, she said, but she uploaded a copy
of her passport. Binance never blocked or queried any of her payments. Asked about
her account, Binance said it was continually strengthening its know-your-customer
capabilities.
The system’s
anonymity made it easy to buy drugs on the darknet, Alexandra said. “It was like
buying chocolate in the store.”
As her
drug use became an everyday habit, she went days without sleep, wracked by hallucinations
and depression. “I felt like I was dying, and I liked that feeling,” she said. Eventually,
she sought psychiatric help and received therapy. Since then, she just used Hydra
to buy cannabis.
State
Department reports from 2019 and 2020, without mentioning Hydra or Binance, warned
that drug traffickers in Russia were using virtual currencies to launder proceeds.
A State Department spokesman declined to comment on Hydra and Binance.
As reported
by Reuters in its January investigation, an internal document shows that Binance
was aware of the risk of illegal finance in Russia. Binance’s compliance department
assigned Russia an “extreme” risk rating in 2020 in an assessment that was reviewed
by Reuters. It cited money-laundering reports by the U.S. State Department. Hillmann
told Reuters Binance had taken more action against Russian money launderers than
any other crypto exchange, citing a ban it imposed on three Russian digital currency
platforms that were sanctioned by the United States.
Crypto
flows between Binance and Hydra dropped sharply after the exchange tightened its
customer checks in August 2021, the data from Crystal Blockchain shows.
“Financial
freedom”
For the
past five years, Binance has allowed traders on its platform to buy and sell a coin
called Monero, a cryptocurrency that offers users anonymity. While bitcoin transactions
are recorded on a public blockchain, Monero obscures the digital addresses of senders
and receivers. A Beginner’s Guide to Monero by Binance, available on its website,
said such coins were “desirable for those seeking true financial confidentiality.”
Zhao
has spoken in favour of “privacy coins,” of which Monero is the most traded. During
a 2020 video call with staff, a recording of which Reuters reviewed, Zhao said privacy
was part of people’s “financial freedom.” He didn’t mention Monero, but said Binance
had funded other privacy coin projects.
Monero
proved to be popular among Binance users. As of late May, Binance was processing
Monero trades worth around $50 million a day, far more than other exchanges, according
to data from the CoinMarketCap website.
Law enforcement
agencies in Europe and the United States have warned that Monero’s anonymity makes
it a potential tool for money launderers. The U.S. Department of Justice, in a 2020
report, said it considered the use of “anonymity enhanced cryptocurrencies” like
Monero “a high-risk activity that is indicative of possible criminal conduct.”
On several
darknet forums that Reuters reviewed, over 20 users wrote about buying Monero on
Binance to purchase illegal drugs. They shared how-to guides with names like DNM
Bible, a reference to darknet markets.
“XMR
is essential to anyone buying drugs on the Dark web,” wrote one user on the forum
Dread, referring to Monero’s ticker symbol. It isn’t possible to contact users through
the forum so Reuters was unable to reach these people for comment.
Hillmann
told Reuters there were “many legitimate reasons why users require privacy,” such
as when opposition groups in authoritarian regimes are denied safe access to funds.
Binance opposed anyone using crypto to buy or sell illegal drugs, he said.
Hackers have used Binance to convert stolen
funds into Monero.
In August
2020, hackers hijacked a cryptocurrency wallet belonging to an Australian man named
Steve Kowalski by tricking him into downloading malware, Kowalski said in a witness
statement to Australian police. They withdrew the 1,400 bitcoin he held in the wallet,
worth some $16 million at the time. Kowalski told police he had bought the bitcoin
for $500,000 six years earlier and they were a significant portion of his assets.
Investigators
hired by Kowalski traced most of his bitcoin through a series of wallets to six
Binance accounts, where the coins were exchanged for Monero, according to testimony
and blockchain analysis reports filed as part of an ongoing civil complaint Kowalski
submitted last year against Binance in Miami-Dade County, Florida. Kowalski declined
to comment.
Kowalski’s
investigation showed that a U.S. software consultant called Brandon Ng, then living
in Florida, controlled most of the Binance accounts. Ng testified to the court that
a crypto trading partner, who he knew online only by the username MoneyTree, deposited
the bitcoin in his Binance accounts. MoneyTree, Ng said, paid him a 1% commission
to convert the bitcoin into Monero on Binance and then transfer it back. A lawyer
for Ng, Spencer Silverglate, said MoneyTree likely traded through Ng to shield his
identity from Binance. Ng testified that he was not aware he was laundering stolen
bitcoin.
MoneyTree
did not respond to emails sent by Reuters to an address that Ng provided to the
court. Silverglate, the lawyer, said Ng did not steal or launder Kowalski’s bitcoin
and was an “innocent downstream trader.”
Ng’s
Monero trading had earlier raised alarms at another crypto exchange called Poloniex,
based in the United States, where he also had an account. In mid-2019, his Poloniex
account was frozen after it was flagged for “high risk exposure” to money laundering
due to Monero withdrawals totalling over $1 million, according to a summary filed
with the court. Poloniex didn’t respond to a request for comment.
Binance
dealt with Ng differently. Kowalski’s private investigators and lawyers contacted
Binance soon after the theft, before Ng converted all the funds, and repeatedly
asked Binance to permanently freeze Ng’s accounts, their written communications
show. The letters, filed with the court, also accuse Binance of not responding to
police requests to secure the assets for the duration of their investigation.
Binance
imposed a seven-day freeze on the accounts, but then lifted it, allowing Ng to exchange
the stolen bitcoin for Monero over several months. In his response to Reuters, Hillmann
said law enforcement failed to request a permanent freeze via Binance’s web portal
within the seven-day period and then didn’t answer the exchange’s follow-up questions.
A Binance
investigation team member told one of the private investigators in a message that
“while it is highly likely the paths leading to this account are malicious,” Binance
could not prove the accounts were “created to facilitate laundering.” When the investigator
persisted, the team member scolded him for “several issues with your tone.”
In a
submission last December to the court in Florida, Binance said the case should be
dismissed as the court did not have jurisdiction over the company. To determine
the matter, the judge has granted discovery, a process where parties request documents
from each other.
Hillmann
told Reuters that Binance investigates all allegations of misconduct on its platform
and takes appropriate action if its investigators uncover wrongdoing.
Eterbase,
the Bratislava-based exchange hacked by the North Koreans, sought Binance’s help,
too.
After
news of the hack by Lazarus, Zhao tweeted on Sept. 9, 2020: “Will do what we can
to assist.” But when Eterbase emailed Binance’s support centre, a Binance team member
said they could not share any account data without a law enforcement request, according
to communications between the two firms seen by Reuters.
Eterbase
submitted a criminal complaint to Slovakia’s National Crime Agency. In June, 2021,
the agency wrote to Binance requesting information and saying the funds were stolen
by “anonymous attackers united under the Lazarus hacking group.” Binance replied
that it could not identify accounts connected to the hack. In July, after another,
more detailed police request, Binance sent the agency records on 24 accounts, adding
they had been empty for over nine months as “the assets have instantly been traded.”
Hillmann
said Binance fully cooperated with requests received from Slovakian authorities
and helped them to identify the relevant accounts.
The records,
reviewed by Reuters, showed the only personal information Binance held on the account
holders was their email addresses, many of which were based on misspelt well-known
names, such as “bejaminfranklin,” the American founding father, and “garathbale,”
the Welsh soccer player. The hackers used virtual private networks to obscure their
devices’ locations, the records show.
Within
around 20 minutes of opening most of the accounts, the hackers passed an unspecified
“security check” allowing them to withdraw crypto, according to the account records.
Each account then converted portions of the stolen funds into just under two bitcoin,
the withdrawal limit at the time for a basic account without identification.
After
the hack, Eterbase stopped its operations and later filed for bankruptcy. Auxt,
the company co-founder, said the losses meant Eterbase could no longer cover its
expenses. “The hack killed our business,” he said. Victims of the hack are yet to
be reimbursed.
“Black hole”
In private,
Zhao has bemoaned that Binance needs to carry out checks on its customers. During
the 2020 video call, Zhao told staff that know-your-customer rules were “unfortunately
a requirement” of Binance’s business.
At times,
the compliance team struggled with its workload. In a message to staff in January
2019, Zhao asked other departments to help the compliance team run background checks
due to an “overwhelming” number of new users.
According
to a group chat among Binance staff, the compliance team sometimes approved accounts
with inadequate documentation. A team member complained to colleagues that one user
was able to open an account by submitting three copies of the same receipt from
a meal at an Indian restaurant. Hillmann said Binance’s know-your-customer checks
are now “highly sophisticated” and that it views such rules as both “mandatory and
welcome.”
Current
and former police officials in five countries told Reuters that criminal groups
were among Binance’s growing customer base in recent years.
In late
2019, Konrad Alber, a retired family lawyer in Germany, invested most of his savings
on a trading platform he found online. He told Reuters he hoped it would supplement
his small pension and allow his wife to stop working to support their life in a
village in the Black Forest.
The platform,
called Grandefex, promised to “unleash” his money’s potential through a sophisticated
algorithm. In an email, a sales representative told Alber, who had little investing
experience, that he could double any deposits within a year. Over 18 months, he
wired almost 35,000 euros to Grandefex’s bank accounts.
Then,
last June, when he asked Grandefex to pay him his expected profits, he discovered
his money had been transferred to Binance, emails and bank account records show.
Alber begged Grandefex by email to return his funds, telling their finance department
he had a “mountain of debt” and was suffering a “nervous breakdown.”
In response,
Grandefex told him, “You will simply not receive your money.”
Reuters’
emails and calls to Grandefex went unanswered. In June 2020, Germany’s regulator
said the platform was unauthorised and ordered its closure.
Grandefex
was one of a string of fake trading websites set up by organised crime groups that
have scammed some 750 million euros from European citizens, many of them pensioners,
according to German, Austrian and Spanish authorities. Six people involved in police
investigations into the scams told Reuters that the groups, which operate call centres
in Eastern Europe, have shifted to laundering their gains through crypto exchanges,
particularly Binance.
Hillmann
said Binance is tackling investment fraud by identifying victims and suspects, and
whenever possible, freezing criminal proceeds.
A Vienna-based
non-profit organisation, the European Funds Recovery Initiative, which supports
victims of investment fraud, has received around 220 complaints from people whose
stolen savings were converted into crypto. Almost two-thirds lost money that was
funnelled through Binance, totalling 7.4 million euros, said the initiative’s co-founder,
Elfi Sixt. Other investment frauds targeting people in Turkey, Britain and Pakistan
also used Binance, authorities have said.
Police
officers and lawyers told Reuters that it is harder for fraud victims to recover
lost funds when they pass through a crypto exchange. In many countries, consumers
can ask their banks to freeze or reimburse stolen funds. Binance requires victims
to sign non-disclosure agreements as a condition for temporarily freezing assets
and insists on the direct involvement of law enforcement to process claims, according
to its website.
Sixt
said she has followed this process to no avail. “I’ve never succeeded at getting
money back from Binance.” Asked about this, Hillmann didn’t directly respond.
Alber,
the retired lawyer, sent a letter to Binance, but said he never heard back. In June
2021, the 67-year-old reported the theft of his savings and their transfer to Binance
to local police. The prosecutor’s office in the nearby town of Baden-Baden said
his case remains under investigation. Binance said it had no record of Alber’s letter.
At a
police station in the Lower Saxony city of Braunschweig, the state cyber crime unit
is investigating a similar scam that used Binance. Chief Inspector Mario Krause,
two of his investigators and the prosecutor leading the probe detailed the case
to Reuters.
Last
October, the unit coordinated with Bulgarian authorities to raid a call centre in
the capital Sofia, which police said ran hundreds of fake online trading platforms.
They
obtained evidence, reviewed by Reuters, including a database showing the operators
had taken in deposits totalling 94 million euros. Videos police seized from an employee’s
phone depicted what Krause described as a “Wolf of Wall Street” atmosphere at the
call centre. Staff rang gongs and popped champagne bottles when they secured big
deposits. A scoreboard showed which employee had raked in the most money each week.
They partied on yachts and private jets.
In a
statement at the time of the raid, the prosecutor’s office said one suspect was
arrested. The case prosecutor, Manuel Recha, told Reuters the organisation’s leaders
are still at large. The company that ran the call centre, Dortome BG, did not respond
to requests to comment.
During
the investigation, the cyber unit sought to trace where the stolen funds ended up.
Investigators
tracked the money through many layers of bank accounts to Binance and another exchange,
U.S.-based Kraken, police said. By the time Binance and Kraken provided account
records, the police said the funds had been withdrawn or sent to a “mixer,” a service
which anonymises crypto transactions by breaking them up and mixing them with other
funds. The personal information held by both exchanges on the accounts was often
fake or stolen from victims, the officers said.
Kraken
told Reuters it has “bank-grade” customer checks and robust tools to prevent fraud.
Kraken disputed that customer information provided to Braunschweig police was fake,
saying “every indicator we have suggests these accounts were used by legitimate
clients.”
The Germans’ money trail went cold.
Krause
said his team was struggling to make progress. “We’re searching for a way out of
the black hole,” he said.