US charges three North Koreans in massive hacking scheme
February 18, 2021
The United States on Wednesday charged three North Korean computer programmers with a massive cyberattack campaign aimed at stealing more than $1.3 billion in crypto and traditional currencies from banks and other targets.
"North Korea's operatives, using keyboards rather than guns, stealing digital wallets of cryptocurrency instead of sacks of cash, are the world's leading bank robbers," said Assistant Attorney General John Demers in a statement.
"Nation-state indictments like this are an important step in identifying the problem, calling it out in a legally rigorous format, and building international consensus," Demers said.
Who are the hackers?
The Justice Department accused Jon Chang Hyok, 31, Kim Il, 27, and Park Jin Hyok, 36, of stealing money while working for North Korean military intelligence's hacking-focused Reconnaissance General Bureau, better known within the cybersecurity community as the Lazarus Group.
The case filed in a Los Angeles federal court builds on 2018 charges against Park. He had previously been charged with the 2014 hack of Sony Pictures Entertainment, and the creation of the destructive WannaCry ransomware in 2017.
What are the charges?
The indictment alleges that in addition to the previous charges, the three men allegedly robbed digital currency exchanges in Slovenia and Indonesia and extorted a New York exchange of $11.8 million.
The group is also alleged to have targeted the staff of AMC Theatres and broken into the computers of Mammoth Screen, a UK film company that was working on a drama series about North Korea.
They targeted banks and cryptocurrency companies in the US, Bangladesh, Britain, Mexico, Pakistan, and Vietnam, among other countries by penetrating the financial institutions' networks and exploiting the SWIFT protocol to steal money, the Justice Department said.
It wasn't clear how much money the hackers had stolen altogether as in some cases the thefts were either halted or reversed. But the figure is believed to be significant.
In a 2016 theft, the hackers are alleged to have stolen $81 million from the central bank of Bangladesh.
According to a UN report by independent experts monitoring international sanctions on North Korea, the country has generated an estimated $2 billion using "widespread and increasingly sophisticated" digital intrusions at banks and cryptocurrency exchanges.
How do they operate?
The three men allegedly operated out of North Korea, Russia, and China, hacking computers using spearfishing techniques, and promoting cryptocurrency applications embedded with malicious software through which they stole their victims' crypto-wallets.
The Justice Department said that the wide-ranging hacking and malware operations were to "further the strategic and financial interests of the (North Korean) government and its leader, Kim Jong Un."
The group sought to obtain funds for their government while circumventing punishing UN sanctions that have crippled the North Korean economy and its sources of income.
Biden's cybersecurity review
The indictment is the first action by President Joe Biden's administration against Pyongyang aimed at combating "a global campaign of criminality" being waged by North Korea.
The Justice Department also announced Wednesday that Ghaleb Alaumary, a Canadian-American citizen, had separately pleaded guilty to laundering some of the alleged hackers' money.
He helped arrange for money to be removed from ATMs hacked by the North Korean operation and was a "prolific" money launderer for other hackers engaged in similar activities, the department said.
Additionally, the US State Department said Wednesday that North Korea's malicious cyber activities threaten the United States and its allies and would be included in an ongoing review of US policy toward the country by the Biden administration.
The review "will take into account the totality of the malign activity and the threats that are emanating from North Korea," State Department spokesman Ned Price said.
"Most frequently we speak of North Korea's nuclear and ballistic missile program, but of course, its malicious cyber activity is something we are carefully evaluating and looking at as well," he said.
adi/aw (AFP, Reuters, dpa)