Three North Korean military hackers indicted by DOJ for cyberattacks and scheme to steal over $1.3 billion in cryptocurrency

America is under attack, not just from coronavirus but from countries that hate her. Unlike the physical bombs that the Japanese dropped on Pearl Harbor in 1941, America is now under attack by a different type of bomb: the digital bomb. It is not a matter of if, but when a cyber Pearl Harbor will occur.

In February 2020, the United States Justice Department (DOJ) charged four Chinese military intelligence officers with hacking the credit-reporting giant Equifax, in one of the largest data breaches in history. The four Chinese spies were charged for allegedly hacking the credit bureau Equifax in 2017. The breach affected more than 145 million Americans, with the hackers successfully stealing names, Social Security numbers, and other personal information stored in the company’s databases.

Exactly a year later, DOJ indicted three North Korean military hackers in a wide-ranging scheme to commit cyberattacks and financial crimes across the globe. According to a statement issued by the agency, the U.S. government charged the three North Korean computer programmers with participating in a wide-ranging criminal conspiracy to conduct a series of destructive cyberattacks, to steal and extort more than $1.3 billion of money and cryptocurrency from financial institutions and companies, to create and deploy multiple malicious cryptocurrency applications, and to develop and fraudulently market a blockchain platform.

Assistant Attorney General John C. Demers of the Justice Department’s National Security Division said:

“As laid out in today’s indictment, North Korea’s operatives, using keyboards rather than guns, stealing digital wallets of cryptocurrency instead of sacks of cash, are the world’s leading bank robbers.”

Demers added: “The Department will continue to confront malicious nation-state cyber activity with our unique tools and work with our fellow agencies and the family of norms abiding nations to do the same.”

As part of the indictment, another unsealed case also found that a Canadian-American citizen agreed to plead guilty in a money-laundering scheme and admitted to being a high-level money launderer for multiple criminal schemes, including ATM “cash-out” operations and a cyber-enabled bank heist orchestrated by North Korean hackers.

The hacking indictment filed in the U.S. District Court in Los Angeles alleges that Jon Chang Hyok (전창혁), 31; Kim Il (김일), 27; and Park Jin Hyok (박진혁), 36, were members of units of the Reconnaissance General Bureau (RGB), a military intelligence agency of the Democratic People’s Republic of Korea (DPRK), which engaged in criminal hacking. These North Korean military hacking units are known by multiple names in the cybersecurity community, including Lazarus Group and Advanced Persistent Threat 38 (APT38). Park was previously charged in a criminal complaint unsealed in September 2018.

The indictment alleges a broad array of criminal cyber activities undertaken by the conspiracy, in the United States and abroad, for revenge or financial gain. The schemes alleged include:

• Cyberattacks on the Entertainment Industry: The destructive cyberattack on Sony Pictures Entertainment in November 2014 in retaliation for “The Interview,” a movie that depicted a fictional assassination of the DPRK’s leader; the December 2014 targeting of AMC Theatres, which was scheduled to show the film; and a 2015 intrusion into Mammoth Screen, which was producing a fictional series involving a British nuclear scientist taken prisoner in DPRK.
• Cyber-Enabled Heists from Banks: Attempts from 2015 through 2019 to steal more than $1.2 billion from banks in Vietnam, Bangladesh, Taiwan, Mexico, Malta, and Africa by hacking the banks’ computer networks and sending fraudulent Society for Worldwide Interbank Financial Telecommunication (SWIFT) messages.
• Cyber-Enabled ATM Cash-Out Thefts: Thefts through ATM cash-out schemes – referred to by the U.S. government as “FASTCash” – including the October 2018 theft of $6.1 million from BankIslami Pakistan Limited (BankIslami).
• Ransomware and Cyber-Enabled Extortion: Creation of the destructive WannaCry 2.0 ransomware in May 2017, and the extortion and attempted extortion of victim companies from 2017 through 2020 involving the theft of sensitive data and deployment of other ransomware.
• Creation and Deployment of Malicious Cryptocurrency Applications: Development of multiple malicious cryptocurrency applications from March 2018 through at least September 2020 – including Celas Trade Pro, WorldBit-Bot, iCryptoFx, Union Crypto Trader, Kupay Wallet, CoinGo Trade, Dorusio, CryptoNeuro Trader, and Ants2Whale – which would provide the North Korean hackers a backdoor into the victims’ computers.
• Targeting of Cryptocurrency Companies and Theft of Cryptocurrency: Targeting of hundreds of cryptocurrency companies and the theft of tens of millions of dollars’ worth of cryptocurrency, including $75 million from a Slovenian cryptocurrency company in December 2017; $24.9 million from an Indonesian cryptocurrency company in September 2018; and $11.8 million from a financial services company in New York in August 2020 in which the hackers used the malicious CryptoNeuro Trader application as a backdoor.
• Spear-Phishing Campaigns: Multiple spear-phishing campaigns from March 2016 through February 2020 that targeted employees of United States cleared defense contractors, energy companies, aerospace companies, technology companies, the U.S.Department of State, and the U.S. Department of Defense.
• Marine Chain Token and Initial Coin Offering: Development and marketing in 2017 and 2018 of the Marine Chain Token to enable investors to purchase fractional ownership interests in marine shipping vessels, supported by a blockchain, which would allow the DPRK to secretly obtain funds from investors, control interests in marine shipping vessels, and evade U.S. sanctions.

According to the allegations contained in the hacking indictment, which was filed on Dec. 8, 2020, in the U.S. District Court in Los Angeles and unsealed today, the three defendants were members of units of the RGB who were at times stationed by the North Korean government in other countries, including China and Russia. While these defendants were part of RGB units that have been referred to by cybersecurity researchers as Lazarus Group and APT38, the indictment alleges that these groups engaged in a single conspiracy to cause damage, steal data and money, and otherwise further the strategic and financial interests of the DPRK government and its leader, Kim Jong Un.

You can read the rest of the story on the DOJ website.