2020-08-28

While the action followed related U.S. moves in March targeting the theft of $250 million in cryptocurrency exchange hacks attributed to North Korea, Thursday’s announcement included a new player: the military’s Cyber Command. The command’s chief, Gen. Paul Nakasone, rebuked Pyongyang this week for flouting sanctions through hacks that fund its weapons programs as he made the case for expanded cyber-offensive operations through what he called “persistent engagement.”

“Department of Defense cyber operations do not occur in isolation,” Brig. Gen. Joe Hartman, commander of the Cyber National Mission Force, said in a statement announcing the law enforcement filing with the FBI, the IRS and officials from the Department of Homeland Security and the Justice Department. “Persistent engagement includes acting through cyber-enabled operations as much as it does sharing information with our interagency partners to do the same.”

A spokeswoman declined to detail the Cyber Command’s contribution to the latest case but called it representative of a “proactive shift” in operations.

“As it does with many of its interagency partners, U.S. Cyber Command shared key information with the Dept. of Justice, which enabled an investigation and resulted in the asset forfeiture complaint,” Air Force Capt. Katrina J. Cheesman said in an email.

According to court filings, two North Korean actors communicated using an email address that was allegedly embedded in a malware sample related to the family used in past North Korean hacks against cryptocurrency exchanges. That overlap, prosecutors say, shows coordination between the launching of phishing attacks, the accessing of victims’ computers and the laundering of the stolen proceeds.

On Wednesday, several of the same federal agencies, as well as the U.S. Treasury Department and the Cybersecurity and Infrastructure Security Agency, issued a joint alert accusing “North Korean government cyber actors” for the first time of using malware to gain illicit access to “banks in multiple countries to initiate fraudulent international money transfers and ATM cash outs.”

Cyber Command disclosed the attribution of two new malware samples to those attacks, as well as nine previously known samples.

Taken together, the moves highlight U.S. efforts to pursue the increasingly sophisticated phishing and money-laundering operations of North Korean cyber actors, which international investigators estimate have raised up to $2 billion for the country’s weapons programs.

Operations attributed to the North Korean government cyber group linked to Thursday’s seizure, known as the Lazarus Group, allegedly include the 2017 WannaCry ransomware attack, which hit hundreds of thousands of computers worldwide, and the 2014 hack of Sony Pictures after it backed a satirical movie depicting the assassination of North Korean leader Kim Jong Un.

The group is also accused of waging large-scale attacks on cryptocurrency exchanges that deal in virtual currencies such as bitcoin and ether and rely on blockchain technology, including four attacks since 2017 on exchanges in South Korea and elsewhere in Asia that plundered more than $329 million.

In Thursday’s court filing, U.S. authorities said they traced the proceeds from one of those hacks and found two additional hacks. Court documents do not name the targets but cite details linking the initial attack to a publicly reported hack that a U.N. panel tied to North Korea’s revenue generation efforts, a $49 million hack on Upbit in November.

Court pleadings say one of the two new attacks came in September and stole nearly $2.5 million after gaining access to virtual currency wallets held by a U.S.-based company focused on Algorand blockchain technology and Algo tokens. The description matches Algo Capital, which reported at the time that a hacker gained access to about $2 million after compromising a senior executive’s phone.

Jonathan Levin is co-founder of Chainalysis, a commercial blockchain analysis firm that helps U.S. investigators trace funds and that calculated the value of bitcoin received by the accounts at $28.7 million. He said the case showed how North Korea “has been stealing a wide range of cryptocurrencies,” transferring them through a maze of exchanges and types of cryptocurrencies to cover their tracks.

Levin likened the process, known as “chain hopping,” to moving 100 euros through hundreds of transactions of varying amounts using different national currencies and bank accounts before cashing out in U.S. dollars.

Although most of the accounts have been emptied, Levin said, “law enforcement’s ability to follow the money is a testament to blockchain analysis and the industry’s commitment to compliance.”
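To make the “follow the money” claim concrete, here is an added example of how a forward-taint analysis can track stolen funds across the chain-hopping pattern Levin describes. This is illustrative code written for this page, not code from the article, Chainalysis or any agency. It runs over a constructed ledger (all addresses, amounts and entity labels are invented) and uses one common heuristic, proportional or pro-rata taint: when an address that holds a mix of stolen and clean funds spends, the spend carries the same tainted fraction as the address’s balance, and a swap into another asset at an exchange preserves that fraction. Real analysis tools apply other allocation rules (FIFO, poison, haircut) and cluster addresses into entities first; the `ENTITY_LABELS` map stands in for that clustering.

```python
"""Forward taint tracing of stolen funds through "chain hopping" (added example).

Constructed ledger, not real transaction data. Proportional (pro-rata) taint:
a spend carries the sender's tainted fraction; a swap into another asset keeps
that fraction. All names, amounts and labels below are invented.
"""
from collections import defaultdict
from dataclasses import dataclass
from fractions import Fraction
from typing import Dict, List, Optional


@dataclass
class Transfer:
    src: str
    dst: str
    asset: str
    amount: Fraction
    # Set for a swap / chain hop: what the receiver gets back at the exchange.
    out_asset: Optional[str] = None
    out_amount: Optional[Fraction] = None
    # True for the theft itself: the whole amount is tainted regardless of src.
    stolen: bool = False


class TaintTracer:
    def __init__(self) -> None:
        # balance[addr][asset] and the tainted part of it, kept exact with Fraction
        self.total = defaultdict(lambda: defaultdict(Fraction))
        self.tainted = defaultdict(lambda: defaultdict(Fraction))
        self.trail: List[dict] = []  # one record per hop, for the written report

    def seed(self, addr: str, asset: str, amount) -> None:
        """Pre-existing clean funds at an address."""
        self.total[addr][asset] += Fraction(amount)

    def apply(self, t: Transfer) -> Fraction:
        """Apply one transfer; return the tainted amount credited to t.dst."""
        amount = Fraction(t.amount)
        if amount <= 0:
            raise ValueError("transfer amount must be positive")
        if t.stolen:
            # Entry point of the theft: the victim's funds are not modelled.
            moved_taint = amount
        else:
            have = self.total[t.src][t.asset]
            if amount > have:
                raise ValueError(f"{t.src} spends {amount} {t.asset} but holds {have}")
            # Pro-rata rule: spend carries the sender's tainted fraction.
            moved_taint = amount * self.tainted[t.src][t.asset] / have
            self.total[t.src][t.asset] -= amount
            self.tainted[t.src][t.asset] -= moved_taint
        out_asset = t.out_asset or t.asset
        out_amount = Fraction(t.out_amount) if t.out_amount is not None else amount
        out_taint = moved_taint * out_amount / amount  # swap keeps the fraction
        self.total[t.dst][out_asset] += out_amount
        self.tainted[t.dst][out_asset] += out_taint
        self.trail.append({"src": t.src, "dst": t.dst, "asset": t.asset,
                           "amount": amount, "tainted_moved": moved_taint,
                           "out_asset": out_asset, "out_taint": out_taint})
        return out_taint


def tainted_by_entity(tr: TaintTracer, labels: Dict[str, str]) -> Dict[str, Dict[str, Fraction]]:
    """Sum tainted holdings per labelled entity (unlabelled addresses keep their own name)."""
    report = defaultdict(lambda: defaultdict(Fraction))
    for addr, assets in tr.tainted.items():
        for asset, amt in assets.items():
            if amt > 0:
                report[labels.get(addr, addr)][asset] += amt
    return {entity: dict(assets) for entity, assets in report.items()}


# Hypothetical entity clustering; in practice this comes from address-clustering heuristics.
ENTITY_LABELS = {"otc_desk_eth": "OTC desk X", "otc_desk_btc": "OTC desk X",
                 "exchange_a_deposit": "Exchange A"}


def build_example() -> TaintTracer:
    """Constructed scenario: theft, mixing with clean funds, one BTC->ETH hop, OTC cash-out."""
    tr = TaintTracer()
    tr.seed("clean_payer", "BTC", 25)
    ledger = [
        Transfer("victim_hot_wallet", "thief_btc_1", "BTC", Fraction(100), stolen=True),
        Transfer("clean_payer", "thief_btc_1", "BTC", Fraction(25)),        # now 100 of 125 tainted
        Transfer("thief_btc_1", "exchange_a_deposit", "BTC", Fraction(50)),  # 40 BTC of taint moves
        Transfer("exchange_a_deposit", "thief_eth_1", "BTC", Fraction(50),
                 out_asset="ETH", out_amount=Fraction(1000)),               # chain hop: 800 ETH tainted
        Transfer("thief_eth_1", "otc_desk_eth", "ETH", Fraction(1000)),
        Transfer("thief_btc_1", "otc_desk_btc", "BTC", Fraction(75)),       # remaining 60 BTC of taint
    ]
    for t in ledger:
        tr.apply(t)
    return tr


if __name__ == "__main__":
    tracer = build_example()
    for hop in tracer.trail:
        print(f"{hop['src']} -> {hop['dst']}: {hop['tainted_moved']} {hop['asset']} tainted"
              f" (credited as {hop['out_taint']} {hop['out_asset']})")
    print(tainted_by_entity(tracer, ENTITY_LABELS))
```

Run as a script, the trail prints each hop with the tainted share that moved, and the final report attributes 60 BTC and 800 ETH of taint to the OTC desk while the thief’s intermediate addresses end up empty, which is why emptied accounts do not stop the trace. The Fraction arithmetic is deliberate: with floats, repeated pro-rata splits accumulate rounding error that can make a small tainted residue appear or vanish.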

The complaint highlighted the role of a group of Chinese over-the-counter cryptocurrency traders in North Korean efforts, exposing a significant gap in international money-laundering controls, said Assistant U.S. Attorneys Zia Faruqui and Jessi Brooks, who brought the case with a cryptocurrency strike force.