The U.S. Justice Department has charged three North Korea-backed cyber operatives with conspiring to steal and extort more than $1.3 billion in cash and cryptocurrency from financial institutions and businesses around the world.
Allegations contained in the hacking indictment, which was filed on Dec. 8, 2020, in U.S. District Court in Los Angeles, claim the defendants work for North Korea’s military intelligence agency, referred to as the Reconnaissance General Bureau (RGB). Hacking crews called the Lazarus Group and Advanced Persistent Threat 38 (APT38), are said to be part of the RGB. At times, RGB spies have been stationed in China, Russia and other countries, the DOJ said. The indictment alleges that these groups engaged in a single conspiracy to "cause damage, steal data and money and otherwise further the strategic and financial interests of the North Korean government and its leader, Kim Jong Un."
A second case alleges that a Canadian-American citizen operated as a high-level money launderer for multiple criminal schemes, including ATM cash-out schemes and a bank job orchestrated by North Korean hackers.
“As laid out in today’s indictment, North Korea’s operatives, using keyboards rather than guns, stealing digital wallets of cryptocurrency instead of sacks of cash, are the world’s leading bank robbers,” said John Demers, assistant attorney general in the DOJ’s National Security Division.
The indictment adds two new defendants to the DOJ’s 2018 case detailing the 2014 attack on Sony Pictures and the creation of the destructive WannaCry ransomware that hit 150 nations and infected 300,000 computers. One of the defendants, Park Jin Hyok, was charged in the Sony hack case unsealed in September 2018. The other two defendants are Jon Chang Hyok and Kim Il.
Their alleged rap sheet is long. According to the DOJ, in addition to the Sony Pictures hack and WannaCry in 2017, their alleged schemes include:
- Bank cyber heists: Attempts from 2015 through 2019 to steal more than $1.2 billion from banks in Vietnam, Bangladesh, Taiwan, Mexico, Malta and Africa.
- ATM cash-out thefts: Thefts through ATM cash-out schemes, including the October 2018 robbery of $6.1 million from a Bangladesh bank.
- Ransomware extortion: Extortion of victim companies from 2017 through 2020 involving the theft of sensitive data and deployment of other ransomware.
- Malicious cryptocurrency applications: Development of at least nine malicious cryptocurrency applications from March 2018 through at least September 2020 to provide the North Korean hackers a backdoor into the victims’ computers.
- Cryptocurrency theft: Targeting hundreds of cryptocurrency companies and stealing more than $110 million worth of cryptocurrency worldwide.
- Spear phishing campaigns: From March 2016 through February 2020 targeting U.S. defense contractors, energy companies, aerospace companies, technology companies, the U.S. Department of State, and the U.S. Department of Defense.
- Marine chain token and initial coin offering: Development and marketing in 2017 and 2018 of the marine chain token that would allow North Korea to secretly obtain funds from investors, control interests in marine shipping vessels and evade U.S. sanctions.
Jon, Kim, and Park are charged with one count of conspiracy to commit computer fraud and abuse, which carries a maximum sentence of five years in prison, and one count of conspiracy to commit wire fraud and bank fraud, which carries a maximum sentence of 30 years in prison. Federal prosecutors today also unsealed a charge against Ghaleb Alaumary, 37, of Mississauga, Ontario, Canada, for his role as a money launderer in the conspiracy. Alaumary has pleaded guilty to the charge.
In addition to the criminal charges, the Federal Bureau of Investigation (FBI) and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) have issued a joint cybersecurity advisory and malware analysis reports regarding North Korean cryptocurrency malware.
Last August, a North Korean-sponsored hacking group, referred to as BeagleBoyz, reignited, after a brief lull, a six-year-long, multi-country campaign to steal money through fraudulent bank transfers and ATM cash-outs, four federal agencies warned in a new advisory. The alert, jointly issued by CISA, the Department of the Treasury, the FBI and U.S. Cyber Command, identified malware and other indicators used by the North Korean government in the cyber robbery scheme, which federal officials dubbed “FASTCash 2.0: North Korea’s BeagleBoyz Robbing Banks.” The agencies pointed the finger at North Korea’s spy agency for the operation.
Nearly a year ago, CISA warned that North Korea is an escalating cyber threat to the international community, network defenders and the public.