It’s no secret that North Korea’s hackers have rampaged across the global internet for years, stealing hundreds of millions of dollars, extorting companies, and even carrying out vendettas against perceived enemies of the Kim Jong-Un regime. Until today, US authorities had tied only a single hacker to that sprawling online scourge, indicting a man named Park Jin Hyok in 2018. Now the US Department of Justice has charged two more North Korean men with participating in that years-long spree, and it has added far more detail about how they allegedly pulled it off.
Prosecutors today unsealed an indictment against Park Jin Hyok, Jon Chang Hyok, and Kim Il, all alleged to be part of the broadly defined North Korean hacker group known as Lazarus, Hidden Cobra, or APT38. The charges describe more than six years of North Korea’s chaotic hacking across the globe. On top of a slew of intrusions into banks and cryptocurrency firms, the indictment alleges that the three men were involved in the deployment of the WannaCry ransomware worm, estimated to have caused at least $4 billion in global damages. The indictment also ties the three men to cyberattacks on Sony Pictures, UK TV production firm Mammoth Screen, and AMC Theaters, all aimed at stopping the release of media that would embarrass or offend the Kim regime.
Perhaps most remarkably, the indictment details how the men created not only a collection of fake, malicious cryptocurrency applications designed to steal victims’ funds, but also planned to create their own crypto-token called Marine Chain. The scheme would let users purchase stakes in seafaring cargo ships, but was in fact aimed at raising money for the North Korean government while evading international sanctions.
“The scope of the criminal conduct by the North Korean hackers was extensive and long-running, and the range of crimes they have committed is staggering,” acting US attorney Tracy L. Wilkison for the Central District of California said in a press conference announcing the charges. “The conduct detailed in the indictment is the acts of a criminal nation-state that has stopped at nothing to extract revenge and obtain money to prop up its regime.”
While the indictment doesn’t state a total amount of funds the hackers successfully obtained, prosecutors say they attempted to steal more than $1.3 billion in all. Among the concrete figures it does cite are $121 million in cryptocurrency thefts, along with a long-running series of bank break-ins in which the hackers manipulated SWIFT transactions and carried out ATM cashouts to take many millions more, including an attempted $110 million theft from Mexican financial firm Bancomext and $101 million transferred out of the Bangladesh Central Bank. The WannaCry ransomware they’re charged with creating also produced hundreds of thousands of dollars more in ransom payments, while indiscriminately paralyzing hundreds of thousands of computers around the world across hospitals, government agencies, and companies in one of the most damaging cyberattacks in history.
The three hackers are also charged with participating in the notorious cyberattack on Sony Pictures, in which North Korean hackers posed as hacktivists and attempted to coerce Sony to cancel its release of the Kim Jong-Un assassination comedy The Interview. But the indictment also points to less publicized attacks targeting the film and TV industry, including sending spearphishing emails to AMC Theaters as part of their campaign to prevent the screening of The Interview. They also allegedly hacked into the network of the UK TV production firm Mammoth Screen, which was at the time producing a drama about a British nuclear scientist’s kidnapping by North Koreans.
Most surprising, perhaps, is the extent of the hackers’ alleged schemes as cryptocurrency scammers and even would-be entrepreneurs. The indictment outlines how the North Koreans—specifically Kim Il—made plans to launch a cryptocurrency token scheme called Marine Chain, which would sell a blockchain-based stake in marine vessels including cargo ships. According to the British think tank the Royal United Services Institute, Marine Chain was identified by the United Nations as a North Korean sanctions-evasion scheme in 2018; it’s not clear if it ever got off the ground.
In another cryptocurrency theft scheme, the hackers are charged with creating a long list of malicious cryptocurrency apps with names like WorldBit-Bot, iCryptoFx, Kupay Wallet, CoinGo Trade, Dorusio, Ants2Whales, and CryptoNeuro Trader, all designed to surreptitiously steal victims’ cryptocurrencies. The US Cybersecurity and Infrastructure Security Agency issued an advisory Wednesday about the malware family integrated into those apps known as AppleJeus, warning that the malicious apps have been distributed by hackers posing as legitimate cryptocurrency firms, who sent the apps in phishing emails or tricked users into downloading them from fake websites. Security firm Kaspersky had warned about versions of AppleJeus as early as 2018.
The indictment demonstrates the United States’ growing willingness to indict foreign hackers for cyberattacks and cybercriminal schemes that don’t merely target US institutions, says Greg Lesnewich, a threat intelligence analyst at security firm Recorded Future. For some of the charges, he points out, Americans were impacted only as the holders of cryptocurrency stolen from international exchanges. “It’s an expansion of what the US is willing to prosecute for, even if the victims aren’t US entities,” he says.
At the same time, Lesnewich says the long arc of the crimes the indictment describes also show North Korea has expanded its ambitions to use and steal cryptocurrency in any way that might help fund its sanctions-starved government. “They’re using very ingenious methods to steal cryptocurrency now,” says Lesnewich. “They’re clearly putting some of their ‘best’ people on this to solve this problem in a diverse number of ways.”
While none of the three North Koreans have been arrested and extradited—and given that they’re in North Korea, likely never will be—prosecutors also unsealed charges against Ghaleb Alaumary, a 37-year-old Canadian man who allegedly served as a money launderer for the North Koreans’ bank heists. Alaumary, who has already pleaded guilty to the money-laundering charges, had previously been arrested and charged with a business-email-compromise hacking scheme in the Southern District of Georgia.
As for Park, Jon, and Kim, the Justice Department has little expectation of ever laying hands on them, assistant attorney general John Demers acknowledged in Wednesday’s press conference. But he argued that the indictment nonetheless sends a message to the North Korean regime and to any other states contemplating similar rogue behavior that they and their hackers will be identified and, whenever possible, held accountable, including with other diplomatic tools such as sanctions. “You think you’re anonymous behind a keyboard, but you’re not,” Demers said, holding out the indictment as proof. “We lay out how we can prove attribution not to a nation state level, or a unit level within a military or intelligence organization, but to an individual hacker.”