Several hours later, the hackers opened at
least two dozen anonymous accounts on Binance, the world’s largest
cryptocurrency exchange, enabling them to convert the stolen funds and obscure
the money trail, correspondence between Slovakia’s national police and Binance
In as little as nine minutes, using only
encrypted email addresses as identification, the Lazarus hackers created
Binance accounts and traded crypto stolen from Eterbase, the Slovakian
exchange, according to account records that Binance shared with the police and
that are reported here for the first time.
“Binance had no idea who was moving
money through their exchange” because of the anonymous nature of the
accounts, said Eterbase co-founder Robert Auxt, whose firm has been unable to
locate or recover the funds.
Eterbase’s lost money is part of a torrent
of illicit funds that flowed through Binance from 2017 to 2021, a Reuters
investigation has found.
During this period, Binance processed
transactions totalling at least $2.35 billion stemming from hacks, investment
frauds and illegal drug sales, Reuters calculated from an examination of court
records, statements by law enforcement and blockchain data, compiled for the
news agency by two blockchain analysis firms. Two industry experts reviewed the
calculation and agreed with the estimate.
Separately, crypto researcher Chainalysis,
hired by US government agencies to track illegal flows, concluded in a 2020
report that Binance received criminal funds totalling $770 million in 2019
alone, more than any other crypto exchange. Binance CEO Changpeng Zhao accused
Chainalysis on Twitter of “bad business etiquette.”
Binance declined to make Zhao available for
an interview. Responding to written questions, Chief Communications Officer
Patrick Hillmann said Binance did not consider Reuters’ calculation to be accurate.
He did not respond to requests to provide Binance’s own figures for the cases
identified in this article. He said Binance was building “the most
sophisticated cyber forensics team on the planet” and was seeking to
“further improve our ability to detect illegal crypto activity on our
As Reuters reported in January, Binance
kept weak money-laundering checks on its users until mid-2021, despite concerns
raised by senior company figures starting at least three years earlier. In
response to that article, Binance said it was helping drive higher industry
standards and the reporting was “wildly outdated.” In August 2021,
Binance compelled new and existing users to submit identification.
With around 120 million users worldwide,
Binance processes crypto trades worth hundreds of billions of dollars a month.
The sector was hit by a sharp correction in May, its overall value slumping by
a quarter to $1.3 trillion. Zhao said he saw “new found resiliency”
in the market.
Meanwhile, his company is extending its
reach into traditional business, announcing a $200 million investment in media
group Forbes this year and committing $500 million to Tesla boss Elon Musk’s
bid to take over Twitter. Forbes abandoned its plans to list publicly last week
and a Forbes spokesperson said Binance’s investment would not take place. Musk
didn’t respond to requests for comment.
The flow of illicit crypto through Binance,
identified by Reuters, represents a small portion of the exchange’s overall
trading volumes. Yet as policymakers and regulators, including US Treasury
Secretary Janet Yellen and European Central Bank President Christine Lagarde,
voice concern over the illegal use of cryptocurrencies, the trade demonstrates
how criminals have turned to the technology to launder dirty money.
For this article, Reuters interviewed law
enforcement officials, researchers, and crime victims in a dozen countries,
including in Europe and the United States, to assess the enduring impact of
past gaps in Binance’s anti-money laundering rules.
Reuters reviewed detailed data about
Binance client transactions on “darknet” sites – marketplaces for
narcotics, weapons and other illegal items. Most of the data was provided by
Crystal Blockchain, an Amsterdam-based analysis firm that helps companies and
governments trace crypto funds. The data showed that from 2017 to 2022, buyers
and sellers on the world’s largest darknet drugs market, a Russian-language
site called Hydra, used Binance to make and receive crypto payments worth $780
million. Reuters cross-checked these figures with another analysis firm, which
agreed with the findings.
In April, the US Justice Department
announced that US and German law enforcement had seized Hydra’s servers. The US
indicted the servers’ alleged administrator for conspiring to commit money
laundering and distribute illicit drugs. The site was closed down and the
alleged administrator arrested by Russian authorities.
The data compiled for Reuters included
crypto that passed through multiple digital wallets before reaching Binance.
For crypto firms, such “indirect” flows with links to known
suspicious sources are red flags for money laundering, according to the
Financial Action Task Force, a global watchdog that sets standards for
authorities combating financial crime. Money launderers often use sophisticated
techniques to create complex chains of crypto transfers that cover their
tracks, the FATF and the International Monetary Fund have said.
Hillmann, the Binance spokesperson, said
the Hydra figure was “inaccurate and overblown” and that Reuters was
wrongly including indirect flows in its calculation.
Reuters then asked how Binance views its
responsibility to monitor its indirect exposure to dirty money. Hillmann
replied that “what’s important to note is not where the funds come from –
as crypto deposits cannot be blocked – but what we do after the funds are
deposited.” He said Binance uses transaction monitoring and risk
assessments to “ensure that any illegal funds are tracked, frozen,
recovered and/or returned to their rightful owner.” Binance is working
closely with law enforcement to dismantle criminal networks using
cryptocurrencies, including in Russia, he said.
Reuters reviewed documentation from
criminal and civil cases. A still open civil case in the United States alleges
that in 2020 Binance declined a request from investigators and lawyers, acting
on behalf of a hacking victim, to permanently freeze an account that was being
used to launder stolen funds. Binance, which disputes the US court’s
jurisdiction, confirmed to Reuters that it only put a temporary freeze on the
account. Hillmann blamed a failure by law enforcement to submit a timely
request via Binance’s web portal and then answer the exchange’s follow-up
In Germany, police said investigators began
seeing criminals in Europe turn to Binance in 2020 to launder some of the
proceeds from investment fraud schemes that caused victims, many of them
pensioners, to lose in total 750 million euros ($800 million). The criminals’
use of Binance has not been previously reported.
Reuters reporting also reveals for the
first time how North Korea’s Lazarus used Binance to launder some of the
cryptocurrency stolen from Eterbase. A smaller portion of the funds were
laundered at the same time through another major exchange, Seychelles-based
Huobi, which declined to comment.
After another heist in March this year,
when Lazarus stole over $600 million from an online game involving
cryptocurrencies, Zhao said North Korean hackers had transferred an unspecified
amount of the funds to Binance. Hillmann told Reuters that Binance has
identified and frozen more than $5 million and is assisting law enforcement
with its investigation. He didn’t provide further details.
The United States sanctioned Lazarus in
2019 over cyber attacks designed to support North Korea’s weapons programmes,
calling it an instrument of the country’s intelligence service – an accusation
Pyongyang called “vicious slander.” North Korea’s mission to the
United Nations did not respond to emailed questions. Blockchain researcher
Chainalysis estimates that Lazarus stole crypto worth $1.75 billion by 2020
that mostly flowed through unidentified exchanges.
“THE HYDRA IS THRIVING”
Zhao, known as CZ, started Binance in
Shanghai in 2017. Three months later, he unveiled a new strategy, on an
internal chat group, for the company’s next phase of development. “Do
everything to increase our market share, and nothing else,” Zhao wrote.
The priority, he said, was to ensure
Binance overtook larger cryptocurrency exchanges and fended off competition
from smaller rivals. “Profit, revenue, comfort, etc, all come
Asked to elaborate on this remark, Hillmann
said, “Neither CZ nor any other Binance business leader has ever suggested
that increasing market share should supersede compliance obligations.”
Among the countries Zhao sought to expand
in was Russia, which Binance described in a 2018 blog as a major market due to
its “hyperactive” crypto community. A Reuters article in April
detailed Binance’s efforts to dominate the crypto market there and how, behind
the scenes, the exchange was building ties with Russian government agencies.
Binance has continued to provide limited
services in Russia since the country’s invasion of Ukraine this year, despite
requests from the government in Kyiv for exchanges to ban Russian users as part
of efforts to isolate Russia financially. Russia calls its actions in Ukraine a
Reuters’ new reporting following the April
article shows that many people who signed up to Binance in Russia weren’t using
it for trading. Instead, Binance became a key payment provider for Hydra, the
giant darknet marketplace, according to the blockchain data compiled for
Reuters, a review of Hydra user forums, and interviews with illegal drug users
After it was set up in 2015, Hydra
distributed narcotics on behalf of drug dealers, all priced in bitcoin, to
millions of buyers, mostly in Russia.
German police, in coordination with US
authorities, seized Hydra’s servers in Germany in April, closing the site down.
The US indicted a Russian resident, Dmitry Pavlov, for administering the
servers. A week later, Russian authorities arrested Pavlov for allegedly
dealing in drugs, a Moscow court said, adding he had filed an appeal. Before
his arrest, Pavlov told the BBC he ran a licensed server company and was not
aware it was hosting Hydra. Pavlov didn’t respond to messages from Reuters sent
via his company.
The Justice Department, describing Hydra as
“the world’s largest and longest-running darknet market,” said the
site had received in total around $5.2 billion in cryptocurrency. Neither
Binance nor any other payment provider linked to Hydra was named by the Justice
Department, which declined to comment on Binance.
Hillmann told Reuters that Binance
“works closely with law enforcement to target the illicit drug trade
Sites like Hydra are only accessible on a
clandestine part of the internet, known as the dark web, that requires a
browser that hides a user’s identity.
As early as March 2018, Hydra users
recommended on the site’s Russian-language forums that buyers use Binance to
make purchases, citing the anonymity Binance afforded its clients at the time
by allowing them to register with just an email address. “This is the
fastest and cheapest way I’ve tried,” a user wrote.
Cryptocurrency traders exchanged dozens of
messages in 2021 and early 2022 about using Hydra on Binance’s own Russian
community Telegram chat. “The Hydra is thriving,” wrote one last
Hydra transformed the narcotics market in
Russia, researchers said. Previously, drug users tended to buy from street
dealers with cash. With Hydra, users selected substances on the site, paid the
seller in bitcoin, and received coordinates to pick up the “treasure”
at a discreet location. Buyers, known as “treasure hunters,” found
their purchases buried in forests at the edge of town, hidden in garbage dumps,
or stuffed behind loose bricks in abandoned buildings.
According to a report by the United Nations
Office on Drugs and Crime, Hydra increased the availability of drugs in Russia
and drove a surge in demand for stimulants, such as methamphetamine and
mephedrone. Drug-related deaths rose by two-thirds between 2018 and 2020,
figures from Russia’s state anti-drug committee show.
At the time of the US and German operation
to seize Hydra’s servers, the Drug Enforcement Administration, which supported
the investigation, said the marketplace’s services “threaten the safety
and health of communities far and wide.” The DEA referred Reuters to the
Justice Department for further comment.
Aleksey Lakhov, a director at Russian
charity foundation Humanitarian Action, which researches drug use, said he was
“horrified” by how Hydra fuelled addiction. “During the days I
used drugs, you had to know someone at least” in order to obtain
narcotics, Lakhov, a recovered addict, added.
Alexandra, a 24-year-old office manager in
Moscow, started buying mephedrone and ketamine on Hydra in 2019 to help cope
with her bipolar disorder. Several friends who used Hydra told her Binance was
the safest way to pay dealers, Alexandra told Reuters, speaking on condition
she be identified only with her first name. Some of them used fake personal
information to open Binance accounts, she said, but she uploaded a copy of her
passport. Binance never blocked or queried any of her payments. Asked about her
account, Binance said it was continually strengthening its know-your-customer
The system’s anonymity made it easy to buy
drugs on the darknet, Alexandra said. “It was like buying chocolate in the
As her drug use became an everyday habit,
she went days without sleep, wracked by hallucinations and depression. “I
felt like I was dying, and I liked that feeling,” she said. Eventually,
she sought psychiatric help and received therapy. Since then, she just used
Hydra to buy cannabis.
State Department reports from 2019 and
2020, without mentioning Hydra or Binance, warned that drug traffickers in
Russia were using virtual currencies to launder proceeds. A State Department
spokesman declined to comment on Hydra and Binance.
As reported by Reuters in its January
investigation, an internal document shows that Binance was aware of the risk of
illegal finance in Russia. Binance’s compliance department assigned Russia an
“extreme” risk rating in 2020 in an assessment that was reviewed by
Reuters. It cited money-laundering reports by the US State Department. Hillmann
told Reuters Binance had taken more action against Russian money launderers
than any other crypto exchange, citing a ban it imposed on three Russian
digital currency platforms that were sanctioned by the United States.
Crypto flows between Binance and Hydra
dropped sharply after the exchange tightened its customer checks in August
2021, the data from Crystal Blockchain shows.
For the past five years, Binance has
allowed traders on its platform to buy and sell a coin called Monero, a
cryptocurrency that offers users anonymity. While bitcoin transactions are
recorded on a public blockchain, Monero obscures the digital addresses of
senders and receivers. A Beginner’s Guide to Monero by Binance, available on
its website, said such coins were “desirable for those seeking true
Zhao has spoken in favour of “privacy
coins,” of which Monero is the most traded. During a 2020 video call with
staff, a recording of which Reuters reviewed, Zhao said privacy was part of
people’s “financial freedom.” He didn’t mention Monero, but said
Binance had funded other privacy coin projects.
Monero proved to be popular among Binance
users. As of late May, Binance was processing Monero trades worth around $50
million a day, far more than other exchanges, according to data from the
Law enforcement agencies in Europe and the
United States have warned that Monero’s anonymity makes it a potential tool for
money launderers. The US Department of Justice, in a 2020 report, said it
considered the use of “anonymity enhanced cryptocurrencies” like
Monero “a high-risk activity that is indicative of possible criminal
On several darknet forums that Reuters
reviewed, over 20 users wrote about buying Monero on Binance to purchase
illegal drugs. They shared how-to guides with names like DNM Bible, a reference
to darknet markets.
“XMR is essential to anyone buying
drugs on the Dark web,” wrote one user on the forum Dread, referring to
Monero’s ticker symbol. It isn’t possible to contact users through the forum so
Reuters was unable to reach these people for comment.
Hillmann told Reuters there were “many
legitimate reasons why users require privacy,” such as when opposition
groups in authoritarian regimes are denied safe access to funds. Binance
opposed anyone using crypto to buy or sell illegal drugs, he said.
Hackers have used Binance to convert stolen
funds into Monero.
In August 2020, hackers hijacked a
cryptocurrency wallet belonging to an Australian man named Steve Kowalski by
tricking him into downloading malware, Kowalski said in a witness statement to
Australian police. They withdrew the 1,400 bitcoin he held in the wallet, worth
some $16 million at the time. Kowalski told police he had bought the bitcoin
for $500,000 six years earlier and they were a significant portion of his
Investigators hired by Kowalski traced most
of his bitcoin through a series of wallets to six Binance accounts, where the
coins were exchanged for Monero, according to testimony and blockchain analysis
reports filed as part of an ongoing civil complaint Kowalski submitted last
year against Binance in Miami-Dade County, Florida. Kowalski declined to
Kowalski’s investigation showed that a US
software consultant called Brandon Ng, then living in Florida, controlled most
of the Binance accounts. Ng testified to the court that a crypto trading
partner, who he knew online only by the username MoneyTree, deposited the
bitcoin in his Binance accounts. MoneyTree, Ng said, paid him a 1% commission
to convert the bitcoin into Monero on Binance and then transfer it back. A
lawyer for Ng, Spencer Silverglate, said MoneyTree likely traded through Ng to
shield his identity from Binance. Ng testified that he was not aware he was
laundering stolen bitcoin.
MoneyTree did not respond to emails sent by
Reuters to an address that Ng provided to the court. Silverglate, the lawyer,
said Ng did not steal or launder Kowalski’s bitcoin and was an “innocent
Ng’s Monero trading had earlier raised
alarms at another crypto exchange called Poloniex, based in the United States,
where he also had an account. In mid-2019, his Poloniex account was frozen
after it was flagged for “high risk exposure” to money laundering due
to Monero withdrawals totalling over $1 million, according to a summary filed
with the court. Poloniex didn’t respond to a request for comment.
Binance dealt with Ng differently.
Kowalski’s private investigators and lawyers contacted Binance soon after the
theft, before Ng converted all the funds, and repeatedly asked Binance to
permanently freeze Ng’s accounts, their written communications show. The
letters, filed with the court, also accuse Binance of not responding to police
requests to secure the assets for the duration of their investigation.
Binance imposed a seven-day freeze on the
accounts, but then lifted it, allowing Ng to exchange the stolen bitcoin for
Monero over several months. In his response to Reuters, Hillmann said law
enforcement failed to request a permanent freeze via Binance’s web portal
within the seven-day period and then didn’t answer the exchange’s follow-up
A Binance investigation team member told
one of the private investigators in a message that “while it is highly
likely the paths leading to this account are malicious,” Binance could not
prove the accounts were “created to facilitate laundering.” When the
investigator persisted, the team member scolded him for “several issues
with your tone.”
In a submission last December to the court
in Florida, Binance said the case should be dismissed as the court did not have
jurisdiction over the company. To determine the matter, the judge has granted
discovery, a process where parties request documents from each other.
Hillmann told Reuters that Binance
investigates all allegations of misconduct on its platform and takes
appropriate action if its investigators uncover wrongdoing.
Eterbase, the Bratislava-based exchange
hacked by the North Koreans, sought Binance’s help, too.
After news of the hack by Lazarus, Zhao
tweeted on Sept. 9, 2020: “Will do what we can to assist.” But when
Eterbase emailed Binance’s support centre, a Binance team member said they
could not share any account data without a law enforcement request, according
to communications between the two firms seen by Reuters.
Eterbase submitted a criminal complaint to
Slovakia’s National Crime Agency. In June, 2021, the agency wrote to Binance
requesting information and saying the funds were stolen by “anonymous
attackers united under the Lazarus hacking group.” Binance replied that it
could not identify accounts connected to the hack. In July, after another, more
detailed police request, Binance sent the agency records on 24 accounts, adding
they had been empty for over nine months as “the assets have instantly
Hillmann said Binance fully cooperated with
requests received from Slovakian authorities and helped them to identify the
The records, reviewed by Reuters, showed
the only personal information Binance held on the account holders was their
email addresses, many of which were based on misspelt well-known names, such as
“bejaminfranklin,” the American founding father, and “garathbale,”
the Welsh soccer player. The hackers used virtual private networks to obscure
their devices’ locations, the records show.
Within around 20 minutes of opening most of
the accounts, the hackers passed an unspecified “security check”
allowing them to withdraw crypto, according to the account records. Each
account then converted portions of the stolen funds into just under two
bitcoin, the withdrawal limit at the time for a basic account without
After the hack, Eterbase stopped its
operations and later filed for bankruptcy. Auxt, the company co-founder, said
the losses meant Eterbase could no longer cover its expenses. “The hack
killed our business,” he said. Victims of the hack are yet to be reimbursed.
In private, Zhao has bemoaned that Binance
needs to carry out checks on its customers. During the 2020 video call, Zhao
told staff that know-your-customer rules were “unfortunately a
requirement” of Binance’s business.
At times, the compliance team struggled
with its workload. In a message to staff in January 2019, Zhao asked other
departments to help the compliance team run background checks due to an
“overwhelming” number of new users.
According to a group chat among Binance
staff, the compliance team sometimes approved accounts with inadequate
documentation. A team member complained to colleagues that one user was able to
open an account by submitting three copies of the same receipt from a meal at
an Indian restaurant. Hillmann said Binance’s know-your-customer checks are now
“highly sophisticated” and that it views such rules as both
“mandatory and welcome.”
Current and former police officials in five
countries told Reuters that criminal groups were among Binance’s growing customer
base in recent years.
In late 2019, Konrad Alber, a retired
family lawyer in Germany, invested most of his savings on a trading platform he
found online. He told Reuters he hoped it would supplement his small pension
and allow his wife to stop working to support their life in a village in the
The platform, called Grandefex, promised to
“unleash” his money’s potential through a sophisticated algorithm. In
an email, a sales representative told Alber, who had little investing
experience, that he could double any deposits within a year. Over 18 months, he
wired almost 35,000 euros to Grandefex’s bank accounts.
Then, last June, when he asked Grandefex to
pay him his expected profits, he discovered his money had been transferred to
Binance, emails and bank account records show. Alber begged Grandefex by email
to return his funds, telling their finance department he had a “mountain
of debt” and was suffering a “nervous breakdown.”
In response, Grandefex told him, “You
will simply not receive your money.”
Reuters’ emails and calls to Grandefex went
unanswered. In June 2020, Germany’s regulator said the platform was
unauthorised and ordered its closure.
Grandefex was one of a string of fake
trading websites set up by organised crime groups that have scammed some 750
million euros from European citizens, many of them pensioners, according to
German, Austrian and Spanish authorities. Six people involved in police
investigations into the scams told Reuters that the groups, which operate call
centres in Eastern Europe, have shifted to laundering their gains through
crypto exchanges, particularly Binance.
Hillmann said Binance is tackling
investment fraud by identifying victims and suspects, and whenever possible,
freezing criminal proceeds.
A Vienna-based non-profit organisation, the
European Funds Recovery Initiative, which supports victims of investment fraud,
has received around 220 complaints from people whose stolen savings were
converted into crypto. Almost two-thirds lost money that was funnelled through
Binance, totalling 7.4 million euros, said the initiative’s co-founder, Elfi
Sixt. Other investment frauds targeting people in Turkey, Britain and Pakistan
also used Binance, authorities have said.
Police officers and lawyers told Reuters
that it is harder for fraud victims to recover lost funds when they pass
through a crypto exchange. In many countries, consumers can ask their banks to
freeze or reimburse stolen funds. Binance requires victims to sign
non-disclosure agreements as a condition for temporarily freezing assets and
insists on the direct involvement of law enforcement to process claims,
according to its website.
Sixt said she has followed this process to
no avail. “I’ve never succeeded at getting money back from Binance.”
Asked about this, Hillmann didn’t directly respond.
Alber, the retired lawyer, sent a letter to
Binance, but said he never heard back. In June 2021, the 67-year-old reported
the theft of his savings and their transfer to Binance to local police. The
prosecutor’s office in the nearby town of Baden-Baden said his case remains
under investigation. Binance said it had no record of Alber’s letter.
At a police station in the Lower Saxony
city of Braunschweig, the state cyber crime unit is investigating a similar
scam that used Binance. Chief Inspector Mario Krause, two of his investigators
and the prosecutor leading the probe detailed the case to Reuters.
Last October, the unit coordinated with
Bulgarian authorities to raid a call centre in the capital Sofia, which police
said ran hundreds of fake online trading platforms.
They obtained evidence, reviewed by
Reuters, including a database showing the operators had taken in deposits
totalling 94 million euros. Videos police seized from an employee’s phone
depicted what Krause described as a “Wolf of Wall Street” atmosphere
at the call centre. Staff rang gongs and popped champagne bottles when they
secured big deposits. A scoreboard showed which employee had raked in the most
money each week. They partied on yachts and private jets.
In a statement at the time of the raid, the
prosecutor’s office said one suspect was arrested. The case prosecutor, Manuel
Recha, told Reuters the organisation’s leaders are still at large. The company
that ran the call centre, Dortome BG, did not respond to requests to comment.
During the investigation, the cyber unit
sought to trace where the stolen funds ended up.
Investigators tracked the money through
many layers of bank accounts to Binance and another exchange, US-based Kraken,
police said. By the time Binance and Kraken provided account records, the
police said the funds had been withdrawn or sent to a “mixer,” a
service which anonymises crypto transactions by breaking them up and mixing
them with other funds. The personal information held by both exchanges on the
accounts was often fake or stolen from victims, the officers said.
Kraken told Reuters it has
“bank-grade” customer checks and robust tools to prevent fraud.
Kraken disputed that customer information provided to Braunschweig police was
fake, saying “every indicator we have suggests these accounts were used by
The Germans’ money trail went cold.
Krause said his team was struggling to make
progress. “We’re searching for a way out of the black hole,” he said.