In brief

  • US law enforcement has cracked down on Chinese nationals who laundered $100 million in stolen crypto for North Korean hackers.
  • The hackers are exploiting Bitcoin's blockchain to hide their tracks.
  • Chainalysis' Philip Gradwell explains to Decrypt how they're doing it.

Recently, the US Department of Justice charged two Chinese nationals, Tian Yinyin and Li Jiadong, with laundering over $100 million worth of stolen cryptocurrencies to benefit their alleged co-conspirators in North Korea. The corresponding documents unsealed by the US government also indicate that Kim Jong-un’s state-sponsored hackers keep evolving their tactics, often employing so-called “peel chains” to cover their tracks.

Speaking to Decrypt, Philip Gradwell, the chief economist at blockchain analysis firm Chainalysis, explained that peel chains are a natural feature of “Unspent Transaction Output” blockchains, such as Bitcoin. This is because when value is transferred from one entity to another on a UTXO blockchain, a “change transfer” is almost always generated at the same time.

“A change transfer is generated because a Transaction Output must always be fully spent, similar to how you cannot tear a $10 bill into two to pay someone $5. So if you are sending an amount less than the Transaction Output to another entity, you send the remainder—the ‘change’—to another address you control, in the same way you would get change back from spending $5 with a $10 bill,” Gradwell explained.


Notably, not every blockchain uses the UTXO model, with Ethereum being the most obvious exception. However, both models track the database state and equally contribute to their respective platforms’ purposes.

Lost in the peeling

A “peel chain” occurs when an entity makes its next transfer from the change of its previous transfer and sends it to a new address, he said. As a result, it gets two change addresses chained together, with the payment peeled off each one sent to the recipient. If the entity makes a further transfer from the latest change address and sends it to a new one, then the peel chain gets longer.

That’s actually how the system is supposed to work, and peel chains are common. However, Gradwell said that when money launderers use them, “they are not sending a transfer to another entity when they peel Bitcoin off from their change address. They are simply splitting up their funds into smaller amounts, in a way that, simplistically, looks like some of the funds could have changed hands. In actuality, they haven’t, however.”

Believe it or not, things get exponentially complicated from here. When peel chains become very long and new ones are started from Bitcoin that has already been peeled off, “peel chains of peel chains” start to appear.

Because of that, it’s hard for law enforcement agencies and crypto security firms to keep track of this activity and detect whether funds have actually changed hands, or have simply been moved by the money launderer through a peel chain they control. And crypto hackers constantly step up their game, using longer and more complex peel chains.
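To make the tracing problem concrete, here is an added example (not from the article or from Chainalysis) of the kind of heuristic an analyst might use to follow a peel chain. The transaction data, function names, the "larger output is change" rule and the 20% threshold are all assumptions made for illustration; fees are omitted.

```python
# Constructed sample data: txids and addresses are made up, values are in satoshis.
TXS = {
    "tx1": {"inputs": [("tx0", 0)],
            "outputs": [("addr_peel_1", 5_000_000), ("addr_chg_1", 95_000_000)]},
    "tx2": {"inputs": [("tx1", 1)],
            "outputs": [("addr_chg_2", 91_000_000), ("addr_peel_2", 4_000_000)]},
    "tx3": {"inputs": [("tx2", 0)],
            "outputs": [("addr_peel_3", 6_000_000), ("addr_chg_3", 85_000_000)]},
    # tx4 merges two inputs, so it does not fit the peel pattern and ends the chain.
    "tx4": {"inputs": [("tx3", 1), ("txX", 0)],
            "outputs": [("addr_other", 100_000_000)]},
}

def build_spend_index(txs):
    """Map each spent outpoint (txid, vout) to the txid that spends it."""
    return {op: txid for txid, tx in txs.items() for op in tx["inputs"]}

def trace_peel_chain(txs, start_txid, max_small_share=0.2):
    """Follow the change output hop by hop while each tx looks like a peel.

    A hop counts as a peel when the tx has exactly one input and two outputs
    and the smaller output is at most max_small_share of the total (assumed
    threshold). Treating the larger output as change is a heuristic only.
    """
    spends = build_spend_index(txs)
    hops, seen, txid = [], set(), start_txid
    while txid in txs and txid not in seen:
        seen.add(txid)
        tx = txs[txid]
        if len(tx["inputs"]) != 1 or len(tx["outputs"]) != 2:
            break
        (_, v0), (_, v1) = tx["outputs"]
        change_vout = 0 if v0 >= v1 else 1
        peel_addr, peel_val = tx["outputs"][1 - change_vout]
        change_addr, change_val = tx["outputs"][change_vout]
        if peel_val > max_small_share * (v0 + v1):
            break  # split is too even to call one side "change"
        hops.append({"txid": txid, "peeled_to": peel_addr, "peeled": peel_val,
                     "change_to": change_addr, "change": change_val})
        txid = spends.get((txid, change_vout))  # None when change is unspent
    return hops

def summarize(hops):
    """Chain length, total value peeled off, and value left at the last change address."""
    return {"length": len(hops), "total_peeled": sum(h["peeled"] for h in hops),
            "remaining": hops[-1]["change"] if hops else None}

if __name__ == "__main__":
    print(summarize(trace_peel_chain(TXS, "tx1")))
```

The tracer recovers the structure of the chain, but nothing in it can say whether the peeled-off addresses belong to a different entity, which is exactly the ambiguity Gradwell describes.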


Last September, Decrypt reported that North Korea had officially denied the UN expert report linking it to a $2 billion hacking campaign. The statement published by KCNA, North Korea’s state news agency, denied any allegations that North Korea “illegally forced the transfer of two billion US dollars needed for the development of WMD programs by involving cyber actors.”

Yet, cases keep piling up.
