3 North Korean Military Hackers steal and extort more than $1.3 billion of money and cryptocurrency
Indicted in Wide-Ranging Scheme to Commit Cyberattacks and Financial Crimes Across the Globe
Three North Korean computer programmers have been charged with participating in a wide-ranging criminal conspiracy to conduct a series of destructive cyberattacks, to steal and extort more than $1.3 billion of money and cryptocurrency from financial institutions and companies, to create and deploy multiple malicious cryptocurrency applications, and to develop and fraudulently market a blockchain platform.
Commenting on the significance of the case, John Hultquist, Vice President, Mandiant Threat Intelligence, said, “Cyber operations are clearly a favoured tool of the North Korean state. They use this capability to spy on their neighbours and competitors. These hackers gather intelligence on South Korea and the US, focusing heavily on political and defence information. Most recently, they have sought information on healthcare and vaccines for COVID-19. On several occasions they have carried out massive cyber attacks to successfully intimidate others. Now, the North Korean state relies on a variety of cybercriminal schemes to fund the regime, which faces considerable pressure from international sanctions. It is no surprise that cybercrime has become a lifeline for North Korea, as they have steadily expanded criminal operations to include new complex heists, extortion, and other ingenious schemes.”
A second case unsealed today revealed that a Canadian-American citizen has agreed to plead guilty in a money laundering scheme and admitted being a high-level money launderer for multiple criminal schemes, including ATM “cash-out” operations and a cyber-enabled bank heist orchestrated by North Korean hackers.
“The scope of the criminal conduct by the North Korean hackers was extensive and long-running, and the range of crimes they have committed is staggering,” said Acting U.S. Attorney Tracy L. Wilkison. “The conduct detailed in the indictment are the acts of a criminal nation-state that has stopped at nothing to extract revenge and obtain money to prop up its regime.”
The indictment describes a broad array of criminal cyber activities undertaken by the conspiracy, in the United States and abroad, conducted for revenge or financial gain. The schemes alleged include:
Targeting of and Cyberattacks on the Entertainment Industry: The destructive cyberattack on Sony Pictures Entertainment in November 2014 in retaliation for “The Interview,” a movie that depicted a fictional assassination of the DPRK’s leader; the December 2014 targeting of AMC Theatres, which was scheduled to show the film; and a 2015 intrusion of Mammoth Screen, which was producing a fictional series involving a British nuclear scientist taken prisoner in DPRK.
Cyber-Enabled Heists from Banks: Attempts from 2015 through 2019 to steal more than $1.2 billion from banks in Vietnam, Bangladesh, Taiwan, Mexico, Malta and Africa by hacking the banks’ computer networks and sending fraudulent Society for Worldwide Interbank Financial Telecommunication (SWIFT) messages.
ATM Cash-Out Thefts: Thefts through ATM cash-out schemes – referred to by the United States Government as “FASTCash” – including the October 2018 theft of $6.1 million from BankIslami Pakistan Limited (BankIslami).
Ransomware and Cyber-Enabled Extortion: Creation of the destructive WannaCry 2.0 ransomware in May 2017, and the extortion and attempted extortion of victim companies from 2017 through 2020 involving the theft of sensitive data and deployment of other ransomware.
Creation and Deployment of Malicious Cryptocurrency Applications: Development of multiple malicious cryptocurrency applications from March 2018 through at least September 2020 – including Celas Trade Pro, WorldBit-Bot, iCryptoFx, Union Crypto Trader, Kupay Wallet, CoinGo Trade, Dorusio, CryptoNeuro Trader, and Ants2Whale – which would provide the North Korean hackers a backdoor into the victims’ computers.
Targeting of Cryptocurrency Companies and Theft of Cryptocurrency: Targeting of hundreds of cryptocurrency companies and the theft of tens of millions of dollars’ worth of cryptocurrency, including $75 million from a Slovenian cryptocurrency company in December 2017; $24.9 million from an Indonesian cryptocurrency company in September 2018; and $11.8 million from a financial services company in New York in August 2020 in which the hackers used the malicious CryptoNeuro Trader application as a backdoor.
Spear-Phishing Campaigns: Multiple spear-phishing campaigns from March 2016 through February 2020 that targeted employees of United States cleared defense contractors, energy companies, aerospace companies, technology companies, the United States Department of State, and the United States Department of Defense.
Marine Chain Token and Initial Coin Offering: Development and marketing in 2017 and 2018 of the Marine Chain Token to enable investors to purchase fractional ownership interests in marine shipping vessels, supported by a blockchain, which would allow the DPRK to secretly obtain funds from investors, control interests in marine shipping vessels, and evade U.S. sanctions.
“This global investigation showcases the remarkable dedication necessary to disrupt a sophisticated and far-reaching state-sponsored network of cyber criminals,” said Jesse Baker, Special Agent in Charge of the Los Angeles Field Office for the Secret Service. “Thanks to the perseverance of highly trained law enforcement partners around the globe, a broad range of malicious and destructive cyberattacks was defeated and those responsible for the intrusions will be brought to justice.”