The move shows the degree to which North Korea relies on financial cyber theft to obtain hard currency in a country whose main exports are under United Nations and U.S. sanctions, and that is further isolated by a self-imposed coronavirus blockade.
Officials also announced that a Canadian-American citizen has pleaded guilty to serving as a money launderer who assisted the alleged North Korean hackers.
“North Korea’s operatives, using keyboards rather than guns, stealing digital wallets of cryptocurrency instead of sacks of cash, are the world’s leading bank robbers,” Assistant Attorney General for National Security John Demers said.
According to the indictment filed in December, the defendants work for the Reconnaissance General Bureau, North Korea’s military intelligence agency. The agency houses the hacking units known by various names, including Lazarus Group and APT38.
One of the defendants, Park Jin Hyok, was also charged in a complaint about the Sony hack unsealed in September 2018. The other two are John Chang Hyok and Kim Il.
The U.S. Attorney’s office in Los Angeles and the FBI also obtained warrants to seize about $1.9 million in cryptocurrency that was allegedly stolen by the hackers from a New York bank and held at two cryptocurrency exchanges. The money will be returned to the bank, officials said.
“The scope of the criminal conduct by the North Korean hackers was extensive and long-running and the range of crimes they have committed is staggering,” said Acting U.S. Attorney Tracy L. Wilkison for the Central District of California. These “are the acts of a criminal nation-state that has stopped at nothing to extract revenge and obtain money to prop up its regime.”
The conspiracy ranged widely, prosecutors allege, with the operatives hacking into banks and crypto exchanges, and creating a destructive ransomware virus, WannaCry, in May 2017. They are accused of developing multiple malicious cryptocurrency applications from March 2018 through at least September 2020, which provided the hackers a backdoor into victims’ computers.
They targeted cryptocurrency exchanges, stealing $75 million from a Slovenian company in 2017, $25 million from an Indonesian company in 2018 and $11.8 million from a bank in New York in August, a theft in which the hackers used the CryptoNeuro Trader application as a backdoor, prosecutors alleged.
They also conducted “spear-phishing” campaigns targeting U.S. defense contractors and energy, aerospace and technology companies, as well as the State Department and Pentagon, to trick employees into giving up credentials, enabling the hackers’ entry into their computers.
The $1.3 billion allegedly stolen would represent almost half of the total amount of North Korea’s civilian merchandise imports — mainly from China — in 2019, the most recent year for which estimates are available, said Nicholas Eberhardt, an economist at the American Enterprise Institute. “So it’s a huge big deal for the North Korean economy,” he said.