U.S. authorities charged three North Korean computer programmers with stealing billions through numerous cyber attacks on financial institutions and other companies around the globe.
Jon Chang Hyok, Kim Il and Park Jin Hyok are accused of conspiracy to commit a series of destructive cyber attacks, to steal and extort more than $1.3 billion of money and cryptocurrency from financial institutions and companies.
According to the indictment, the trio allegedly carried out the cyber attacks on behalf of the Reconnaissance General Bureau, North Korea’s military intelligence agency, also known as Lazarus Group (HIDDEN COBRA) and APT38.
“The three defendants were members of units of the RGB who were at times stationed by the North Korean government in other countries, including China and Russia,” the US Department of Justice said in a press release.
The North Korean hackers were indicted for multiple hacking activities, including:
Cyber attacks on the Entertainment Industry: The destructive cyber attack on Sony Pictures Entertainment in November 2014 in retaliation for “The Interview,” a movie that depicted a fictional assassination of the DPRK’s leader; the December 2014 targeting of AMC Theatres, which was scheduled to show the film; and a 2015 intrusion into Mammoth Screen, which was producing a fictional series involving a British nuclear scientist taken prisoner in DPRK.
Cyber-Enabled Heists from Banks: Attempts from 2015 through 2019 to steal more than $1.2 billion from banks in Vietnam, Bangladesh, Taiwan, Mexico, Malta, and Africa by hacking the banks’ computer networks and sending fraudulent Society for Worldwide Interbank Financial Telecommunication (SWIFT) messages.
Cyber-Enabled ATM Cash-Out Thefts: Thefts through ATM cash-out schemes – referred to by the U.S. government as “FASTCash” – including the October 2018 theft of $6.1 million from BankIslami Pakistan Limited (BankIslami).
Ransomware and Cyber-Enabled Extortion: Creation of the destructive WannaCry 2.0 ransomware in May 2017, and the extortion and attempted extortion of victim companies from 2017 through 2020 involving the theft of sensitive data and deployment of other ransomware.
Creation and Deployment of Malicious Cryptocurrency Applications: Development of multiple malicious cryptocurrency applications from March 2018 through at least September 2020 – including Celas Trade Pro, WorldBit-Bot, iCryptoFx, Union Crypto Trader, Kupay Wallet, CoinGo Trade, Dorusio, CryptoNeuro Trader, and Ants2Whale – which would provide the North Korean hackers a backdoor into the victims’ computers.
Targeting of Cryptocurrency Companies and Theft of Cryptocurrency: Targeting of hundreds of cryptocurrency companies and the theft of tens of millions of dollars’ worth of cryptocurrency, including $75 million from a Slovenian cryptocurrency company in December 2017; $24.9 million from an Indonesian cryptocurrency company in September 2018; and $11.8 million from a financial services company in New York in August 2020 in which the hackers used the malicious CryptoNeuro Trader application as a backdoor.
Spear-Phishing Campaigns: Multiple spear-phishing campaigns from March 2016 through February 2020 that targeted employees of United States cleared defense contractors, energy companies, aerospace companies, technology companies, the U.S.Department of State, and the U.S. Department of Defense.
Marine Chain Token and Initial Coin Offering: Development and marketing in 2017 and 2018 of the Marine Chain Token to enable investors to purchase fractional ownership interests in marine shipping vessels, supported by a blockchain, which would allow the DPRK to secretly obtain funds from investors, control interests in marine shipping vessels, and evade U.S. sanctions.
US prosecutors also unsealed charges against Ghaleb Alaumary, 37, of Mississauga, Ontario, Canada who was allegedly a money launderer for the North Korean cyber heists. The indictment alleges that Alaumary organized teams of co-conspirators in the United States and Canada to launder millions of dollars obtained through ATM cash-out operations, including from BankIslami and a bank in India in 2018.