The US Justice Department charged three North Korean military intelligence officials in a campaign of cyberattacks to steal $1.3 billion in crypto and traditional currencies from banks and other targets.
The first action against Pyongyang by President Joe Biden’s administration took aim at what the department called “a global campaign of criminality” being waged by North Korea.
The department accused the three of a wide-ranging hacking and malware operation to obtain funds for their government while avoiding punishing UN sanctions that have cinched off its sources of income.
Over at least seven years, the officials created malicious cryptocurrency applications that opened back doors into targets’ computers; hacked into companies marketing and trading digital currencies like bitcoin; and developed a blockchain platform to evade sanctions and secretly raise funds, the department said.
The case filed in federal court in Los Angeles builds on 2018 charges against one of the three, identified as Park Jin Hyok.
He was charged with the 2014 hack of Sony pictures, the creation of the notorious WannaCry ransomware, and the 2016 theft of $81 million from the central bank of Bangladesh.
The new charges added two defendants, Jon Chang Hyok and Kim Il.
The allegations said the three worked together in the North Korean military intelligence’s hacking-focused Reconnaissance General Bureau, better known within the cybersecurity community as the Lazarus Group, or APT 38.
In addition to the earlier charges, the three allegedly operated out of North Korea, Russia and China to hack computers using spearfishing techniques, and to promote cryptocurrency applications loaded with malicious software that allowed them to empty victims’ crypto wallets.
They allegedly robbed digital currency exchanges in Slovenia and Indonesia and extorted a New York exchange of $11.8 million.
In a 2018 scheme, they robbed $6.1 million from ATM machines from Pakistan’s BankIslami after gaining access to its computer network.
The Justice Department did not specify exactly how much it believed the defendants have stolen altogether.
‘Keyboards instead of guns’
In addition, the charges said, Kim Il developed the blockchain-based digital currency-like “Marine Chain Token” which ostensibly was an instrument for investors to buy shares of shipping vessels.
He marketed opportunities to invest in the scheme in Singapore, without telling potential investors that it was mainly designed to hide ship ownership identities to help North Korea avoid sanctions, the charges said.
All of the actions, the Justice Department said, were to “further the strategic and financial interests of the (North Korean) government and its leader, Kim Jong Un.”
“North Korea’s operatives, using keyboards rather than guns, stealing digital wallets of cryptocurrency instead of sacks of cash, are the world’s leading bank robbers,” said Assistant Attorney General John Demers in a statement.
Nation-state indictments like this are an important step in identifying the problem, calling it out in a legally rigorous format, and building international consensus,” Demers said.
In parallel, the department announced that Ghaleb Alaumary of Mississauga, Canada, had pleaded guilty to one charge of acting as a money launderer for the North Koreans.
Alaumary helped arrange for money to be removed from ATMs hacked by the North Korean operation.
He was also, the department said, a “prolific” money launderer for other hackers engaged in ATM cash-out schemes, cyber-enabled bank theft, and fraud schemes based on hijacking companies’ email.
The case announced Wednesday was the first open action taken against North Korea by the Biden administration, amid ongoing tensions over Pyongyang’s development of nuclear weapons and long-range missiles that threaten the United States and allies.
State Department spokesman Ned Price said the administration is reviewing policy toward the country.
The review “will take into account the totality of the malign activity and the threats that are emanating from North Korea,” Price said.
“Most frequently we speak of North Korea’s nuclear and ballistic missile program, but of course, its malicious cyber activity is something we are carefully evaluating and looking at as well,” he said.