SYLVIE DOUGLIS, BYLINE: This is PLANET MONEY from NPR.
(SOUNDBITE OF COIN SPINNING)
JEFF GUO, HOST:
One of the biggest things in the world of crypto a couple of years ago was this game called Axie Infinity.
(SOUNDBITE OF LOFI NIGHT DRIVES’ “AXIE INFINITY THEME SONG (LOFT CHILLHOP)”)
KEITH ROMER, HOST:
You can think of it as, like, blockchain Pokemon. You buy these tiny little digital pet blobs with tiny little legs, and you fight them against other people’s tiny pet blobs.
(SOUNDBITE OF LASER SHOOTING)
GUO: Except every pet is also an NFT – basically, this digital Beanie Baby – and some of them were selling for thousands of dollars. People have made this game their full-time job.
(SOUNDBITE OF ARCHIVED RECORDING)
UNIDENTIFIED PERSON: You can even trade your Axies for cryptocurrency on our marketplace.
ROMER: A lot of Axie’s fans seemed convinced that the game was proof that crypto could be used to create an entire economic ecosystem. The company behind Axie Infinity grew into a multibillion-dollar business.
GUO: Then in March of 2022, this candy-colored paradise full of happy-go-lucky but also weirdly lucrative digital pets was the scene of a shocking crime.
ROMER: A heist – they were heisted.
GUO: It was a heist. And that is where our story begins. In the middle of the night, Erin Plante gets a phone call.
ERIN PLANTE: It was about 4 o’clock in the morning, and you know when your phone is set to do not disturb, but when someone calls you repeatedly in such short increments of time, it will actually ring through? That’s what’s happened.
ROMER: Erin is essentially a private detective who specializes in hunting down stolen cryptocurrency, and that frantic caller was her boss. Erin was about to get the biggest assignment of her life.
PLANTE: I think the first words out of his mouth were Axie Infinity lost $600 million.
ROMER: Six hundred million dollars’ worth of crypto plucked out of one of the company’s digital wallets. What was your reaction?
PLANTE: My reaction is just horrified. I mean, it was jaw-dropping. That’s a huge amount of money, an absolutely astounding amount of money.
GUO: It was, in fact, the largest crypto heist in history. And now it was Erin’s job to track down where it all went.
(SOUNDBITE OF MUSIC)
GUO: Hello, and welcome to PLANET MONEY. I’m Jeff Guo.
ROMER: And I’m Keith Romer. That 4 a.m. phone call would launch an 18-monthlong investigation and lead Erin to face off against some of the world’s most sophisticated digital money launderers.
GUO: Today on the show, the biggest crypto heist of all time, a case that would eventually pull in the FBI, raise alarms at the highest levels of government and threaten the nuclear security of the entire planet.
(SOUNDBITE OF MUSIC)
GUO: A lot of times when there’s a high-profile crypto crime, Erin and her team get called in. Erin is the vice president of investigations at a startup called Chainalysis, and she’s often working side by side with law enforcement.
You have a security clearance?
PLANTE: I do.
GUO: How often in your regular life do you have to use the phrase, it’s classified?
PLANTE: I’ve never had to use that phrase before (laughter). I actually don’t think most people in my regular life have any idea what I do.
GUO: Because by the time they find out, they’ve disappeared.
PLANTE: Yes. Yeah (laughter). Yes, exactly.
ROMER: When Erin first started out 20 years ago, she was helping governments investigate bribery and corruption and tracking down where all those bribes were going. And Erin loved this methodical kind of work.
PLANTE: I’m very much a math, science, black, white, nothing colorful in between kind of person.
GUO: Back in the early 2000s, it was kind of the dawn of digital evidence. Erin would have to literally sneak into server rooms, physically plug in hard drives and copy over the incriminating data.
PLANTE: We would often go into a company building, and our story was that we were there to do a software upgrade.
ROMER: Literally undercover. This was your cover story. You’re an IT person.
PLANTE: Yes, we were an IT person. So we would go in with a cover story that we were there to do a software upgrade or do something IT-related, and it had to be done overnight. So we would arrive in the evening. We would work all night copying people’s emails.
GUO: In secret.
PLANTE: In secret.
ROMER: Those emails would sometimes hold clues to illicit payments, and they would help Erin trace those payments through the financial system, through credit cards and wire transfers and banks. It was all this very slow process with all of these dead ends.
GUO: But by the time the Axie heist happened last year, a lot had changed in Erin’s world. Instead of using the traditional financial system, these days, more and more criminals are using cryptocurrency – laundering money through bitcoin or ethereum or whatever.
ROMER: And in some ways, crypto might sound like an investigator’s dream because every transaction gets recorded on the blockchain. And for most of the big cryptocurrencies, that blockchain is visible to the entire world.
PLANTE: So it is real-time. It is available for anyone to look at. And you can follow the money in a similar manner that you follow it in traditional financial crime investigations, but you’re able to do it much faster.
ROMER: But in the world of crypto, the criminals can also move much faster and in all of these really sophisticated ways.
GUO: Now, when Erin was hired by Axie Infinity to investigate this heist, step one was to start at the scene of the crime. And you know how in murder mysteries they have that wall where they take photos of suspects and evidence, and there’s this little red string connecting everything.
ROMER: They love a murder board. You got to love a murder board.
GUO: (Laughter) Exactly. Erin has a version of that for the blockchain. We’re in her office, and she pulls it up on her computer. And she can show us exactly what happened in the immediate aftermath of the Axie heist.
PLANTE: So this is – this yellow circle here is Axie Infinity’s wallet. This is their wallet that they control. And this yellow circle here is the wallet that the money moved to. And then you see from this hacker wallet that held all of the stolen funds – you see this sort of spray of lines coming out of it.
ROMER: In those first few hours after the heist, the hackers are already moving that stolen crypto. They’re changing wallets. They’re splitting money into different wallets. They’re swapping it for other kinds of cryptocurrencies.
PLANTE: It’s like following a getaway car that is making exits off of offramps and going through tunnels and going onto different roads and merging onto other roads to try to lose the path of the car that’s behind them, chasing.
GUO: Or in this case, it sounds like you guys are, like, in a helicopter, and you can just see them.
PLANTE: (Laughter) We – I – that’s a good analogy. I think we are in a helicopter, and we can see them, and we’re watching them at all times.
GUO: Erin doesn’t know who these hackers are, but one thing she notices is they are good. They are methodical. They are breaking this money into regular amounts, moving it around in systematic ways. And then they kick it up a notch.
PLANTE: So it’s now an hour or two in, and we are looking at the money that came out of the Axie Infinity treasury, and it starts to hit a mixer called Tornado Cash. And so that immediately sets off alarm bells.
ROMER: Tornado Cash is this notorious cryptocurrency mixer. Mixers are these digital services that take in money from different places and kind of scramble it all together. For the Erins of the world, they are a giant headache.
GUO: Here’s how they work. Let’s say I have 10 bitcoins, and I bring it to a mixer. The mixer is collecting my bitcoins. It’s collecting bitcoins from other people, and it uses these fancy algorithms – one of them’s called CoinJoin – to pool all of our bitcoins together and then randomly deposit our money into new clean digital wallets.
ROMER: Now, mixers can be used for legitimate reasons – for privacy, to keep your crypto transactions anonymous – but they are also essentially the ultimate money laundering tool.
PLANTE: So when money hits a mixer, it’d be like if a getaway car went into a building and…
GUO: The giant garage.
PLANTE: Exactly – goes into a giant garage, and 15 cars come out the other side, and those cars are all identical.
GUO: I think this is a plot element in “Ocean’s Eleven.”
PLANTE: I think it is. I – absolutely is. And if it’s not, they should build it into the next one. And so what happens there is you don’t know which one to continue chasing. You saw one car go in, and you saw multiple come out.
ROMER: All right, hold up. Hold up, Jeff. You know that I’m not going to allow your erasure of the “Fast & Furious” franchise to go unremarked. It’s from “2 Fast 2 Furious,” not from “Ocean’s Eleven.” OK, go on with the show.
GUO: OK, OK. Regardless of which fictional movie this came from, in the real world, in the real Axie Infinity heist, these hackers – they weren’t just using one mixer. They were using multiple mixers, one after another after another. And all this scrambling can make it really difficult, almost impossible, for investigators to follow the trail.
ROMER: Except Erin lets us in on what is kind of a secret. She says she and her team at Chainalysis have started to develop ways to essentially reverse the mixing process, to actually trace the money through a mixer and out the other side to see which is the right car for them to be following.
GUO: Do the criminals know you can do this?
PLANTE: They are starting to figure it out. So one year ago I would have said no, and at that point, Chainalysis didn’t even talk about demixing. We didn’t want criminals to know that demixing, as we call it, was even possible.
GUO: Wait, so people thought this was actually impossible, to figure out which of the getaway cars were the right ones?
PLANTE: Yes. Yes, exactly.
GUO: Erin was pretty cagey about how their demixing technology actually works. When I pressed her for details, she told me it was proprietary, and she didn’t want to give away too many clues to the criminals.
It sounds like what you’re doing is you’re taking advantage of, like, vulnerabilities in how these mixers operate.
Erin starts looking at the public relations guy sitting in the corner.
PLANTE: I probably can’t say that.
(LAUGHTER)
GUO: OK, it’s classified. It’s classified. We get it. We get it.
PLANTE: Yeah. It’s classified. Yeah.
GUO: Erin was not going to tell me how they did the demixing, but I talked to some computer security experts, and they told me, in theory, maybe here’s how you could do it. Like, you might make a database of all the digital wallets associated with a mixer. You might monitor the entrances, the exits, maybe look for patterns in how money flows in and how money flows out.
ROMER: Still, even with whatever fancy demixing strategies Erin’s team is using, they are not able to keep track of all the money as it bounces around from one mixer to another mixer. Some of the cars still end up getting away.
GUO: What fraction of the money would you estimate was lost to the mixing process?
PLANTE: Probably about 10% was lost…
GUO: Wow.
PLANTE: …To the mixing. Yeah.
GUO: That’s, like, $60 million.
PLANTE: That’s a lot of money. Yeah, exactly. The stakes are high when you’re dealing with $600 million (laughter).
ROMER: Now, while Erin is trying to track where all that money is going, she’s also trying to figure out who is behind the heist and where the money will ultimately end up.
GUO: And this is where she starts to get this bad feeling. The way the thieves are moving the stolen crypto – it’s clear that this is not some random teenage hacker who just got lucky. This is a tightly choreographed operation. The hackers are moving the crypto into the mixers at these precisely timed intervals. They’re routing it through multiple mixers, including the notorious Tornado Cash.
ROMER: And Erin – she had seen these tactics before. This was the M.O. of one of the most formidable crypto hacking operations in the world.
PLANTE: Once we see the money start moving to Tornado Cash in this way, this very structured, very systematic way, we say, oh, s***, this starts to look like North Korea.
GUO: And if the North Koreans were the ones behind this hack, this was no longer just about getting the money back for some online game. This has become a problem of national security.
(SOUNDBITE OF MUSIC)
ROMER: Last year, the FBI created a special team devoted to crimes involving cryptocurrency.
CHRIS WONG: So my name is Chris Wong. I’m a supervisor at the Virtual Assets Unit within the FBI.
GUO: As you might imagine, there’s kind of this weird culture clash between the very buttoned-up culture of the FBI and the very not-buttoned-up world of crypto. And this clash is neatly captured by the Virtual Asset Unit’s choice of mascot.
WONG: Oh, of course there’s a mascot. We have an alpaca for sure.
GUO: Really? No.
WONG: Yeah.
GUO: Are you kidding?
WONG: Yeah. I think it’s J. Edgar HODLer.
GUO: No. No.
WONG: No. I’m dead serious. Yeah.
GUO: It’s J. Edgar…
JEFF GUO AND CHRIS WONG: HODLer.
WONG: You know, like HODLer, if you know crypto.
GUO: So this is like a mash-up of J. Edgar Hoover, who is the infamous first director of the FBI, and HODL – H-O-D-L. It’s like this crypto inside joke. It stands for hold on for dear life, like never ever sell your crypto.
ROMER: Now, clever mascot aside, Chris is still very much an FBI agent. So while we know that the FBI worked on the Axie Infinity case and we know that Chris is one of the crypto experts inside the FBI, good luck getting Chris to actually talk about the case.
GUO: Have you worked on this investigation?
WONG: So we’re not in the practice of talking about who – which agent is necessarily involved in any particular case.
GUO: You’re not allowed to talk about it.
WONG: That’s not really what I said.
(LAUGHTER)
GUO: OK. So interesting.
ROMER: Chris was, however, willing to talk about North Korea’s involvement in this kind of thing.
GUO: Chris is actually an expert in stopping the flow of illegal funds to North Korea. He says North Korea has been frozen out of the U.S. financial system since long before crypto, going back to, like, the 1950s.
WONG: For decades, North Korea has been one of the most sanctioned countries in the world. Part of our job is to essentially enforce those rules.
ROMER: Over the years, North Korea has found all these creative ways to work around these rules, like using front companies to secretly sell their coal and buy gas. But six or seven years ago, Chris noticed the North Koreans were increasingly turning their attention to crypto.
WONG: I would say, like, the North Koreans – I call them crypto curious – they do everything. They try everything.
GUO: Crypto curious.
WONG: Yeah.
GUO: Well, you know, the whole promise of crypto is, we’re going to disrupt the traditional financial system. And I’m sure from a North Korean perspective, it was like, well, the traditional financial system kind of has all these roadblocks. So this sounds great. Let’s disrupt it. Yeah.
WONG: Right. I mean, if you think about, like – you call them roadblocks, but we call them anti-money-laundering controls, you know?
GUO: (Laughter) Rules.
WONG: It’s, like, rules in place for a good reason. Like, dang, you have to provide an ID to open a bank account.
GUO: These kinds of roadblocks, these – whatever – rules, by and large, did not exist in the world of crypto back then. The North Koreans could set up accounts and transfer money, no questions asked.
ROMER: And their state-sponsored hackers have turned into some of the world’s most sophisticated digital money launderers. Last year, they stole a record-breaking amount of crypto. Some estimates put it north of a billion dollars.
WONG: So we’re talking, you know, significant amounts of funds. And, you know, the issue, it’s not that, you know, North Korea is stealing these assets and doing good with them. Like, they’re diverting large amounts of currency into funding weapons production and weapons delivery systems…
GUO: Nukes.
WONG: …And – yeah, exactly.
ROMER: The Biden administration recently estimated that half of the North Korean nuclear program is being funded by stolen crypto, and 2022 was record breaking not just for North Korea’s crypto hackers, but also for its nuclear program. Before 2022, North Korea had been doing maybe 10 or 20 cruise and ballistic missile tests a year. Last year, by some estimates, they fired off 90.
GUO: So the U.S. government is now taking North Korea’s crypto operation a lot more seriously. The Axie Infinity hack, it was really the turning point. Because of that hack, for the first time ever, the U.S. government put sanctions on crypto mixers. They went after two of North Korea’s favorite mixers, including the notorious Tornado Cash. They even recently arrested one of Tornado Cash’s founders.
ROMER: Shutting down the mixers was one way to make life harder for the Axie hackers, to slow them down. But Chris says the larger goal is not just to slow them down. The goal is to stop the North Koreans from turning their stolen crypto into actual cash.
WONG: Well, North Korea needs crypto to buy stuff, but you can’t buy ballistic missiles with Bitcoin.
GUO: You can’t?
WONG: Yeah. Well, I mean, maybe you can. Like, I’ve never tried, but, like, ultimately you need to convert this crypto to fiat currency, or cash…
GUO: Into, like – to real cash.
WONG: …Like, government-backed cash.
GUO: Yeah, like, dollars or rubles or something.
ROMER: And there are just not that many places where you can offload hundreds of millions of dollars’ worth of crypto.
GUO: At the time, one of the big ways for the North Koreans to cash out was to send their crypto to a third party to a place called a centralized exchange. These are kind of like the banks of the crypto world. And for the FBI, they represent one of the few opportunities they have to actually get some of the stolen money back.
WONG: Generally speaking, those are the prime places that – where we’re able to have some sort of impact.
GUO: Like, places that have a real phone number and existence.
WONG: Sure. But your mileage is going to vary with a lot of exchanges.
ROMER: Some crypto exchanges still see themselves as disruptors of the traditional financial system. They seem to really not care all that much who is using their services. They don’t ask their customers too many questions.
GUO: But some crypto exchanges are more willing to cooperate. When the FBI sees stolen money moving to one of those exchanges, they can reach out. They can say, hey, freeze that account; it’s the North Koreans; and the exchanges will actually do it.
ROMER: Now, the FBI, they are not doing all of this alone. Remember, Erin and her team of investigators from Chainalysis – they are also simultaneously digging around in the Axie Infinity case. They’ve been hard at work following the money up and down the blockchain through all these different mixers. And they think they know where, like, 90% of the stolen crypto is.
GUO: Their strategy is to exploit the vulnerability that Chris mentioned. So Erin and her team are waiting for the North Koreans to try and cash out the stolen crypto at one of these centralized exchanges. That is when she and her team will have a brief window of time to catch the money before it slips away again.
PLANTE: So we’ve done a lot of timing analysis on how long you actually have to freeze money. And it’s somewhere in the window of 20 minutes to one hour at the most.
GUO: What?
PLANTE: Yeah.
GUO: Were you literally having people just like 24-hour shifts watching where this money was going?
PLANTE: It’s exactly what we were doing. Somebody is watching at all times, 24-7.
ROMER: It’s like a crypto stakeout.
GUO: Yeah, Erin says they’re just logged on to their computers. They’re waiting for an alert to go off that says the money’s on the move. And Erin remembers the first time all of that watching and waiting paid off.
PLANTE: I was actually on an airplane, and I was connected to the airplane Wi-Fi. And it was, like, 10 p.m., and one of my investigators said money just moved to this address. And that address we knew belonged to a service that we had relationships with.
ROMER: That’s when the timer started. Erin and her team knew they only had 20 minutes, maybe an hour before the money would slip away and possibly disappear forever. So they reached out to the crypto exchange, convinced them to put a temporary hold on the accounts.
GUO: Erin says her team then contacted the FBI. And with the FBI’s help, the U.S. government issued a warrant to freeze almost $6 million worth of crypto.
PLANTE: And it was exciting because it was also the first time we had seen North Korean money be frozen in a very long time.
GUO: Really?
PLANTE: Yeah.
ROMER: That was their routine for months. Alerts would come in. They would race to contact more exchanges, get more warrants, try to freeze more money.
PLANTE: You feel the pressure to get the message out to whoever it needs to as quickly as possible. And then you’re just, like, hoping that they’re going to respond.
ROMER: At first, a lot of the exchanges would not respond. But Erin says over the last year, the conversations with the exchanges have actually gotten a lot easier.
PLANTE: You could reach out to pretty much any service that you had somebody to reach out to and say, this is Axie money, and they knew exactly what you were talking about.
GUO: Oh.
PLANTE: You didn’t have to explain (laughter).
GUO: Through this process, week by week, they were able to freeze more of that stolen money. A few million here, a few million there – money they were keeping out of the hands of the North Koreans. And also, Erin says, since the heist, the value of the stolen crypto – it’s also fallen by, like, half. But still, we’re talking hundreds of millions of dollars. And the truth is, for all their hard work, Erin and her team know that the vast majority of all that stolen money – they are never going to be able to get that back.
PLANTE: If you look at the numbers, I think at, you know, the end of this whole investigation, about 20% of the money will be recovered.
ROMER: The other 80% either got to the North Koreans or is still sitting out there somewhere on the blockchain.
PLANTE: I mean, it happens all the time, unfortunately. And it’s not, you know, the fault or wrongdoing of anyone. It’s the nature of how quickly money can flow through in this digital ecosystem.
GUO: In the end, the Axie Infinity heist was this kind of watershed moment for the world of crypto. For one thing, it caused the U.S. government to take these unprecedented steps to try to slow down crypto money laundering. And it even got some folks in the crypto world to start recognizing some of the dangers of crypto. A lot of the centralized exchanges – they’re beginning to ask their customers more questions, requiring ID, doing a little more due diligence.
ROMER: For Erin, the Axie case was kind of the high point of her career so far, partly because it was the biggest investigation but partly because she finally got to share what she and her team had pulled off. She’s usually not allowed to talk about her work.
PLANTE: They’re usually cases that are classified or completely confidential, and we’re never able to talk about them. But within our team, we give a lot of, you know, digital, private, classified high-fives (laughter).
GUO: Classified high-five. That’s all you get.
PLANTE: Classified high-fives. That’s what we’ll call it (laughter).
GUO: But in this case, her clients, the Axie Infinity team – they were happy to let her talk about the case. In fact, they invited her to speak at their conference last year, which sounded like this big party. They called it AxieCon.
PLANTE: It started at a pool party where there were all these, like, neon-colored drinks. And we were on a rooftop in Barcelona, drinking our neon drinks, feeling really cool. I’ve never really been part of, like, a cool crowd (laughter). I’m usually more classified with, like, the nerds and the computer geeks.
ROMER: At the conference, one of the founders brought her up onto this big stage so that she could give an update on the stolen money to all the Axie fans and game players who had come.
PLANTE: Afterwards, when I did walk off stage, there were hundreds of people that came up, and they were hugging me and thanking me. And, I mean, it was emotional. I was really excited for everyone.
GUO: After spending all that time on the blockchain giving digital, private, classified high-fives, getting to celebrate out in real life, in the real world, that was nice.
PLANTE: We took a lot of selfies with them, throwing up the – they call it the Axie. I still can’t do it properly, but they all – they have a (laughter)…
GUO: A hand signal?
PLANTE: They have a hand signal that’s an Axie. In all the photos I saw that got posted, I’m doing it incorrectly, and everyone else is doing it correctly (laughter). Again, I’m a nerd.
(SOUNDBITE OF MUSIC)
ROMER: Have you been robbed of $600 million worth of crypto? Send us an email. We are at planetmoney@npr.org. You could also find us on Instagram or Facebook. We are @planetmoney.
GUO: James Sneed produced this episode. It was engineered by Maggie Luthar, fact-checked by Willa Rubin. And Sam Yellowhorse Kesler and Jess Jiang edited it. Alex Goldmark is our executive producer.
ROMER: Special thanks today to Tiffany Bowe (ph), Adam Dupay (ph), Julia Hardy, Trenton Kennedy and Caroline Bresler. I’m Keith Romer.
GUO: And I’m Jeff Guo. This is NPR. Thanks for listening.
Copyright © 2023 NPR. All rights reserved. Visit our website terms of use and permissions pages at www.npr.org for further information.
NPR transcripts are created on a rush deadline by an NPR contractor. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.