The Washington PostDemocracy Dies in Darkness

U.S. accuses three North Koreans of conspiring to steal more than $1.3 billion in cash and cryptocurrency

North Korean leader Kim Jong Un and his wife, Ri Sol Ju, watch a performance Tuesday in Pyongyang. (AFP/Getty Images)

The Justice Department unsealed charges Wednesday against three North Koreans accused of conspiring to steal and extort more than $1.3 billion in cash and cryptocurrency from banks and businesses around the world.

The indictment builds upon 2018 charges brought against one of the alleged hackers in connection with the North Korean regime’s 2014 cyberattack on Sony Pictures Entertainment, marking the first time the United States charged a Pyongyang operative.

The latest indictment shows the degree to which North Korea relies on financial cybertheft to obtain hard currency in a country whose main exports are under United Nations and U.S. sanctions, and that is further isolated by a self-imposed coronavirus blockade. The hackers managed to steal at least $190 million, according to prosecutors, who wouldn’t put an exact figure on how much was stolen. They said the North Koreans were unable to get at least $1 billion of the $1.3 billion they targeted, mostly in banks, officials said.

U.S. charges North Korean operative in conspiracy to hack Sony Pictures and banks

Officials also announced that a Canadian American citizen has pleaded guilty to serving as a money launderer who assisted the alleged North Korean hackers.

“North Korea’s operatives, using keyboards rather than guns, stealing digital wallets of cryptocurrency instead of sacks of cash, have become the world’s leading bank robbers,” said John C. Demers, assistant attorney general for national security.

According to the indictment filed in December, the defendants work for the Reconnaissance General Bureau, North Korea’s military intelligence agency. The agency houses hacking units known by various names, including Lazarus Group and Advanced Persistent Threat 38 (APT38). North Korea has previously denied being involved in hacking operations.

Read: Indictment against three North Korean hacker spies

One of the defendants, Park Jin Hyok, was also charged in a complaint about the Sony hack that was unsealed in September 2018. The other two are Jon Chang Hyok and Kim Il. They live in North Korea but traveled to and worked from Russia and China, the indictment alleged.

The U.S. attorney’s office in Los Angeles and the FBI also obtained warrants to seize about $1.9 million in cryptocurrency allegedly stolen by the hackers from a New York bank and that was held at two cryptocurrency exchanges — businesses that exchange digital currencies for hard currency, like U.S. dollars. The money will be returned to the bank, officials said.

“The scope of the criminal conduct by the North Korean hackers was extensive and long-running, and the range of crimes they have committed is staggering,” said Tracy L. Wilkison, acting U.S. attorney for the Central District of California. These “are the acts of a criminal nation-state that has stopped at nothing to extract revenge and obtain money to prop up its regime.”

U.S. imposes sanctions on North Korean hackers for Sony Pictures attack

The conspiracy ranged widely, prosecutors allege, with the operatives targeting banks around the world, most recently in Malta in 2019, by hacking their networks and sending fraudulent interbank messages to transfer funds. Prosecutors said they stole $81 million from a Bangladesh bank in 2016 using the interbank transfer system known as SWIFT.

They also hacked ATMs and cryptocurrency exchanges, and created a ransomware virus, WannaCry, in May 2017 that damaged hundreds of thousands of computers worldwide, prosecutors said.

The three are accused of developing several malicious cryptocurrency applications, which provided them a back door into victims’ computers. Wilkison said they made off with at least $112 million through cryptocurrency heists. That includes $75 million from a Slovenian cryptocurrency exchange in 2017; nearly $25 million from an Indonesian exchange in 2018; and $11.8 million from a financial services company in New York in August in which the hackers used the CryptoNeuro Trader application as a back door.

Once they gained access to the exchange’s computers, the hackers found the “wallets” where the crypto money was stored and the private keys to those wallets that allowed them to make fraudulent transfers, the indictment alleged.

They also are accused of conducting “spear-phishing” campaigns targeting U.S. defense contractors and energy, aerospace and technology companies, as well as the State Department and Pentagon, to trick employees into giving up credentials enabling the hackers’ entry into their computers.

The $1.3 billion allegedly targeted would represent almost half the total amount of North Korea’s civilian merchandise imports — mainly from China — in 2019, the most recent year for which estimates are available, said Nicholas Eberstadt, an economist at the American Enterprise Institute. “These indictments indicate the scale of the fraud Pyongyang engages in to support its other activities, including nuclear weapons and ballistic missile development,” he said.

According to prosecutors, defendant Kim Il led a scheme to lure victims into investing in a cryptocurrency platform called Marine Chain. The defendants used false names so potential investors would not realize they were supporting the North Korean regime, the indictment alleged.

The Canadian American defendant, Ghaleb Alaumary, of Mississauga, Ontario, was a “prolific” money launderer for the three, who allegedly moved millions of dollars through fraudulent ATM transactions involving a network of associates in North America who withdrew cash from the machines. He also laundered money from a North Korean cyber heist of a Maltese bank in 2019, prosecutors said. His indictment grew out of a Secret Service and FBI investigation.

Officials acknowledged that the defendants, who are at large, are unlikely to stand trial in the United States, but said the indictment serves to educate the public and to help other agencies and allies that may want to bring sanctions.