DOJ charges North Korean hackers with stealing $1.3 billion in cryptocurrency

The Justice Department (DOJ) announced charges Wednesday against three North Korean individuals for allegedly stealing $1.3 billion in cash and cryptocurrency from U.S. groups and conducting a series of cyberattacks, including the 2014 Sony Pictures hack. 

The indictment charges three North Korean nationals — Jon Chang Hyok, Kim Il and Park Jin Hyok — as engaging in cyberattacks against the U.S. as part of the Reconnaissance General Bureau, North Korea’s military intelligence agency. 

The group, also known as “Lazarus,” was sanctioned by the Treasury Department in 2019 for targeting U.S. critical infrastructure. Park was previously charged by the DOJ for involvement in the Sony hack in 2018. 

Assistant Attorney General for National Security John Demers announced the charges during a press call on Wednesday, noting that pushing back against malicious North Korean activity “requires global awareness, condemnation, and cooperative disruption.”

“With this indictment and related disruptions, the United States continues to do its part,” Demers said. 

The three alleged North Korean hackers, who are currently at large, were charged with a massive range of worldwide malicious cyber activities. 

These included the theft of around $81 million from a Bangladeshi bank, the 2017 WannaCry cyberattack that impacted hundreds of thousands of computer systems across 150 countries, phishing campaigns against Defense and State Department employees since 2016 and the theft over $1.3 billion in cryptocurrency from a range of organizations through the use of malicious software. 

The indictment also charges the three North Korean nationals with involvement in the cyberattack against Sony Entertainment in 2014 which was widely seen as revenge for the release of “The Interview,” a film critical of the North Korean government. 

They are also accused of involvement in cyberattacks against AMC Theatres in 2015, which showed “The Interview,” and the branch of Mammoth Screen, which produced a fictional television series set in North Korea.

The three North Koreans were indicted the same day charges were unsealed against Ghaleb Alaumary for allegedly serving as a key money launderer for the North Korean government. 

Alaumary pleaded guilty to organizing a team to launder millions of dollars obtained by North Korean actors through ATM cash-out schemes, and from banks in Bangladesh, India and Malta. He is being prosecuted in Georgia. 

“The department’s criminal charges are uniquely credible forms of attribution — we can prove these allegations beyond a reasonable doubt using only unclassified, admissible evidence,” Demers said. “They are the only way in which the department speaks. If the choice here is between remaining silent while we at the department watch nations engage in malicious, norms-violating cyber activity, or charge these cases, the choice is obvious — we will charge them.” 

Demers told reporters that the case illustrated the different objectives of North Korea versus other adversarial nation states such as China, Russia or Iran.

“Their need as a country is for currency because of their economic system and sanctions placed on them, so they use their cyber capabilities to get currency wherever they can get it and that’s not really what we see from actors in China or Iran,” Demers said. “The North Koreans are very focused on this need for currency.”

The FBI and the U.S. Secret Service also participated in investigating the case.

FBI Deputy Director Paul Abbate noted in a statement Wednesday that the new charges were an expansion of previous charges against Park and the North Korean government announced in 2018.

“The ongoing targeting, compromise, and cyber-enabled theft by North Korea from global victims was met with the outstanding, persistent investigative efforts of the FBI in close collaboration with U.S. and foreign partners,” Abbate said. “By arresting facilitators, seizing funds, and charging those responsible for the hacking conspiracy, the FBI continues to impose consequences and hold North Korea accountable for its/their criminal cyber activity.”

The FBI, the Treasury Department and the Cybersecurity and Infrastructure Security Agency put out an alert in conjunction with the charges warning of a specific North Korean malware virus known as “AppleJeus” used to target cryptocurrency exchanges. 

“These cyber actors have targeted organizations for cryptocurrency theft in over 30 countries during the past year alone,” the agencies wrote in the joint alert. “It is likely that these actors view modified cryptocurrency trading applications as a means to circumvent international sanctions on North Korea—the applications enable them to gain entry into companies that conduct cryptocurrency transactions and steal cryptocurrency from victim accounts.”

Federal authorities put out an alert last year warning that North Korean hackers were stepping up efforts to target financial institutions. 

The charges on Wednesday were announced ahead of an expected announcement from the White House on a cybersecurity matter, with Anne Neuberger, President Biden’s deputy national security adviser for cyber and emerging technology, set to address the press this afternoon.