At the end of 2018, North Korea carried out a heist. Hackers acting on behalf of the secretive state infiltrated and extracted more than $250 million (£195m) in cryptocurrency. Where the theft took place is a mystery, but the elaborate scheme the hackers used to move the funds back within North Korea has now started to unravel.

Wired UK This story originally appeared on WIRED UK.

At the center of the heist were two Chinese citizens—Tian Yinyin and Li Jiadong. The pair have been indicted by the US government, following an investigation by the FBI, Homeland Security, and the Internal Revenue Service, for their alleged role in the criminal behavior. They’re unlikely to ever be brought before the courts—they won’t be extradited, freely visit a nation that could extradite them, or visit America—but the charges are the latest in efforts by law enforcement and intelligence agencies to publicly shame hostile nation states for their online behavior.

The pair are accused of running an elaborate money-laundering scheme involving more than $100 million in cryptocurrency between hundreds of accounts, leaving a trail of disruption in their wake. The scheme used North Korean infrastructure to purchase 8,823 Apple iTunes gift cards for $1,448,694, created false identities, and built a sophisticated network of transactions.

The US government charged the pair with conspiracy to launder money and for operating an unlicensed money transmitting business. It has also released details (PDF) of how the $250 million raid was conducted. The crypto exchange hack is one of four that have been blamed on North Korean actors, most recently by the United Nations. One of these, Youbit, filed for bankruptcy following the hack.

And it all started with malware. In mid-2018, a worker at the hacked cryptocurrency exchange was emailing a potential client. During this exchange they downloaded malware that attached itself to the exchange’s infrastructure, allowing remote access to the exchange and access to the private keys controlling crypto wallets. The result was chaos—around $250 million was siphoned from the exchange. US court documents state 10,777.94 bitcoins, known as BTC, were removed (an estimated $94m), 218,790 Ethereum, ETH, equaling $131 million, and various sums of five other cryptocurrencies. These included Dogecoin, Ripple, Litecoin, and Ethereum Classic.

Meanwhile, in North Korea, a co-conspirator searched for information about the hacked crypto exchange. According to court documents they researched “hacking,” “Gmail hacker extension,” “how to conduct phishing campaigns,” and, perhaps crucially, “how to exchange large amounts of ETH to BTC.” The documents state that “North Korean co-conspirators” who are believed to have been involved in the hacking of the crypto exchange also researched the relationship between the US and North Korean military, and Kim Jong Un.

While the movement of cryptocurrency is relatively anonymous—law enforcement agencies use third-party companies that analyze behavioral patterns in an effort to identify individuals—moving 10,000 bitcoin, or hundreds of thousands of other crypto leaves a record. The blockchain, crucially, remembers everything. In an effort to hide their activity, the US alleges, North Korean conspirators used peel chains.

The method is simple in theory, but complex theoretically. It involves one account with a large amount of cryptocurrency which transfers a small amount to another account. The process is repeated until the crypto has been moved through potentially hundreds of accounts and made harder to track. “To obfuscate the BTC trail and decrease scrutiny, the North Korean co-conspirators engaged in hundreds of automated transactions with new BTC addresses as “peel chains” to four different exchanges,” the US government says.

In another effort to mask their activity, it’s claimed North Korean conspirators also spent the stolen crypto on setting up a new company. They purchased 12 months of business email services for the domain and company Celas LLC, which offered a piece of downloadable crypto trading software. However, when cybersecurity companies inspected the files in 2018 they found a different story: it contained malware, which hoovered up personal information. They sent thousands of phishing emails trying to trick people into downloading the software.