Federal authorities said Wednesday that three North Korean computer programmers have been indicted for conducting a series of cyberattacks to attempt to steal and extort more than $1.3 billion in cash and cryptocurrency from financial institutions and companies.
The programmers, who are part of a North Korean military intelligence agency, also are accused of creating and deploying “multiple malicious cryptocurrency applications, and to develop and fraudulently market a blockchain platform,” according to a Department of Justice press release.
And the scheme also deployed repeated “spear-phishing campaigns” from 2016 through early 2020 that targeted employees of the U.S. Defense Department, the State Department, and workers at U.S.-cleared defense contractors, energy firms, aerospace companies and tech firms, authorities said.
During a press conference Wednesday, officials said that the development and marking in 2017 and 2018 of the so-called Marine Chain Token, which allowed investors to buy fractional ownership interests in marine shipping vessels with blockchain technology, allowed North Korea to “secretly obtain funds from investors, control interests in marine shipping vessels, and evade U.S. sanctions.”
Tracy Wilkinson, the acting U.S. Attorney for the Central District of California, said, “The scope of the criminal conduct by the North Korean hackers was extensive and long-running, and the range of crimes they have committed is staggering.”
Wilkinson also said, “The conduct detailed in the indictment are the acts of a criminal nation-state that has stopped at nothing to extract revenge and obtain money to prop up its regime.”
The indictment filed in U.S. District Court in Los Angeles charges Jon Chang, 31, 27-year-old Kim Il, and Park Jin Hyo 36, were members of units of the Reconnaissance General Bureau, a North Korean military intelligence agency which engaged in criminal hacking. Authorities noted that Park was previously charged in a September 2018 criminal complaint that detailed the cyberattack on Sony Pictures and the creation of the ransomware known as WannaCry.
At the same time Wednesday, officials announced that a Canadian-American citizen, 37-year-old Ghaleb Alaumary, agreed to plead guilty in a money-laundering scheme, and admitted to helping the indicted North Koreans “cash-out” their “cyber-enabled bank heist.”
Authorities said that Alaumary organized teams of people in the U.S. and Canada to launder millions of dollars obtained by the hackers through ATM cash-out transactions.
The conspiracy, which officials said was motivated for revenge or financial gain, depending on the target, included the 2014 attack on Sony for its satirical movie “The Interview,” which depicted the assassination of North Korea, as well as the targeting of AMC Theaters, which showed the film. Another alleged target was Mammoth Screen, which was producing a fictional series that depicted a British scientist taken hostage by North Korea, and which suffered a digital intrusion in 2015.
Authorities also said that the hackers from 2015 through 2019 tried to steal more than $1.2 billion from banks in Vietnam, Bangladesh, Taiwan, Mexico, Malta and Africa by breaking into their computer networks and sending fraudulent messages over the SWIFT bank messaging system.
The hackers are accused of targeting hundreds of cryptocurrency companies and stealing tens of millions dollars worth of cryptocurrency as part of the scheme.
One Slovenian cryptocurrency company was ripped off of $75 million in such currency, authorities said, and the hackers stole almost $25 million worth of cryptocurrency from an Indonesian cryptocurrency company in September 2018 and $11.8 million from New York financial services firm last summer by using the malicious CryptoNeuro Trader application.
The defendants also are accused of stealing $6.1 million from BankIslami Pakistan Limited as part of a series of ATM cash-out schemes, creation of the WannaCry 2.0 ransomware in 2017, “and the extortion and attempted extortion of victim companies,” the DOJ said.
And the scheme also allegedly developed multiple malicious cryptocurrency applications since March 2018 that gave North Korean hackers backdoors into victims’ computers. Those applications included Celas Trade Pro, WorldBit-Bot, iCryptoFx, Union Crypto Trader, Kupay Wallet, CoinGo Trade, Dorusio, CryptoNeuro Trader, and Ants2Whale, officials said.
“North Korea’s operatives, using keyboards rather than guns, stealing digital wallets of cryptocurrency instead of sacks of cash, are the world’s leading bank robbers,” said Assistant Attorney General John Demers of the Justice Department’s National Security Division.
This is breaking news. Check back for updates.