The holiday season is an especially lucrative period for cybercriminals, but this year the Department of Justice seems to be keeping just as busy tackling foreign cybersecurity threats. On Thursday, the U.S. announced sanctions against a Russian cybercrime organization with the slightly too-on-the-nose name “Evil Corp” and offered a record $5 million reward for assistance leading to the arrest of the organization’s leaders, Igor Turashev and Maksim Yakubets. Previously, the largest reward that had been offered for a cybercriminal’s arrest by the FBI was $3 million for Evgeniy Bogachev, the head of another Russian cybercrime ring.
Reward money notwithstanding, Turashev and Yakubets are unlikely to be arrested anytime soon—but the U.S. government did make another cybersecurity-related arrest last week. Well-known hacker Virgil Griffith was taken into custody for giving a talk about blockchain technology in North Korea. Now a developer for the cryptocurrency Ethereum, Griffith is better known for some of his earlier exploits. More than a decade ago, for instance, he developed the WikiScanner software that linked the IP addresses of people editing Wikipedia entries to the organizations associated with those IPs to figure out when organizations or individuals were changing their own Wikipedia entries.
He’s a U.S. citizen who lives in Singapore, so Griffith’s much easier for U.S. authorities to arrest than Russian cybercriminals, but the national security threat he poses by participating in a conference in North Korea is so unbelievably trivial by comparison to, say, the threat of Evil Corp, that it’s hard to imagine what the government was thinking by wasting time and energy on this case.
The complaint in which FBI special agent Brandon Cavanaugh lays out the charges details how Griffith went to North Korea in April 2019 to present a talk at the Pyongyang Blockchain and Cryptocurrency Conference after being expressly denied permission to travel there by the State Department. According to the complaint, in giving his talk “Blockchain and Peace,” Griffith violated sanctions placed on North Korea by his “transfer of technical knowledge” to conference participants. More egregiously, he also apparently sent messages indicating his interest in transferring cryptocurrency from South Korea to North Korea, though there is no suggestion by the government that he was ever successful in doing so or even actually attempted such a transfer.
Instead, the charges rest heavily on the allegations that Griffith “provided the DPRK with valuable information on blockchain and cryptocurrency technologies, and participated in discussions regarding using cryptocurrency technologies to evade sanctions and launder money.” This idea, that Griffith provided North Korea with some special or secret information about how to use cryptocurrencies to evade sanctions and launder money, is repeated several times throughout the charging document.
For instance, the complaint states that “an organizer of the DPRK Cryptocurrency conference … told Griffith that, during his presentation, Griffith should stress the potential money laundering and sanction evasion applications of cryptocurrency and blockchain technology as such topics were most likely to resonate with the DPRK audience.” It goes on to say that “Griffith and other attendees discussed how blockchain and cryptocurrency technology could be used by the DPRK to launder money and evade sanctions, and how the DPRK could use these technologies to achieve independence from the global banking system.”
It’s perfectly true that cryptocurrencies can be used for these purposes—just look at Evil Corp, which made more than $100 million through online crimes that relied partly on cryptocurrency transfers. But North Korea already knew that, as did anyone else who’s been paying even a little bit of attention to the cybercrime landscape for the past five years. In fact, North Korea has been using cryptocurrencies to these ends for years: In 2017, the government launched the widespread WannaCry ransomware attack in which victims were instructed to pay Bitcoin ransoms. (Despite the destruction wrought by WannaCry, it did not prove to be very profitable for North Korea, perhaps prompting them to consult with experts like Griffith.)
It was deeply foolish and undeniably risky for Griffith to travel to North Korea in spite of the State Department’s denial. And it was even stupider of him to text friends about wanting to transfer cryptocurrency to North Korea or, when one friend asked about what interest he thought North Korea had in cryptocurrency, for him to respond “probably avoiding sanctions … who knows.” (To me, this reads more like a joke than someone deliberately planning to aid a foreign adversary—needless to say, the FBI had a different interpretation.)
But despite this stupidity, the government fails to support its very vague claims that he provided any even remotely secret or little-known information about blockchain technology. The only specific detail in the DOJ complaint about the technical content of Griffith’s presentation comes in a reference to Griffith discussing “technical issues such as ‘proof of work’ versus ‘proof of stake.’ ”
I will spare you a more detailed explanation of proof of work and proof of stake because there are literally hundreds of articles easily accessible online that explain this very thing—articles that North Korea has just as much access to as you or I. Any one of them will offer a better explanation than the one Cavanaugh offers in the complaint: “I know from my training, experience, discussions with other law enforcement officers and open source reporting, that these concepts relate to the creation of new cryptocurrency through a process called ‘mining.’ ”
Griffith should not have gone to North Korea when the State Department denied him permission to go. But the Justice Department should not be pretending that, in doing so, he provided any valuable information to North Korea that was not freely and easily accessible from any number of other sources.
For decades, the U.S. government has struggled to figure out how to try to control the international transfer of online technologies such as encryption using traditional mechanisms like export controls to restrict the transfer of information that, in many cases, is already public knowledge. Griffith’s arrest seems like a similarly futile and unproductive attempt to tackle North Korea’s cyber capabilities, as if by stopping people from giving talks at conferences in North Korea it will somehow be possible to prevent the country from learning about the blockchain and potential criminal applications of cryptocurrencies.
Law enforcement victories in cybersecurity are still relatively few and far between, so it’s understandable that officials are sometimes eager to make any arrest they can when faced with the frustrations of not being able to get their hands on bigger fish like Turashev and Yakubets. But it’s important not to get sidetracked by peripheral figures like Griffith or unwinnable fights, like keeping blockchain technology out of North Korea’s hands. I spend a fair bit of time at conferences and have some firsthand experience with how rarely they yield groundbreaking insights. Frankly, this seems like one of the more innocuous things North Korean leaders could be doing at the moment.