The Justice Department has charged three North Korean computer programmers in a broad range of global hacks, including a destructive attack targeting an American movie studio, and in the attempted theft and extortion of more than $1.3 billion from banks and companies, federal prosecutors said Wednesday.
The newly unsealed indictment builds off an earlier criminal case brought in 2018 and adds two additional North Korean defendants. Prosecutors identified all three as members of a North Korean military intelligence agency, accusing them of carrying out hacks at the behest of the government with a goal of using stolen funds for the benefit of the regime. Alarmingly to U.S. officials, the defendants worked at times from locations in Russia and China.
Law enforcement officials say the prosecution highlights the profit-driven motive behind North Korea’s criminal hacking, a contrast from other adversarial nations like Russia, China and Iran who are generally more interested in espionage, intellectual property theft or even disrupting democracy. As the U.S. announced its case against the North Koreans, the government was still grappling with hacks by Russia of federal agencies and private corporations that officials say was aimed at information-gathering.
“What we see emerging uniquely out of North Korea is trying to raise funds through illegal cyber activities,” including the theft of traditional currency and cryptocurrency, as well as cyber extortion schemes, said Assistant Attorney General John Demers, the Justice Department’s top national security official.
Because of North Korea’s economic system and sanctions imposed on the country, he added, “They use their cyber capabilities to try to get currency wherever they can do that, and that’s not something that we really see from actors in China or Russia or in Iran.”
None of the three defendants is in American custody, and though officials don’t expect them to travel to the U.S. anytime soon for prosecution, Justice Department officials in recent years have found value in indicting foreign government hackers — even in absentia — as a message that they are not anonymous and can be identified and implicated in crimes.
At the same time, prosecutors unsealed a plea deal with a dual U.S.-Canadian citizen who investigators say organized the sophisticated laundering of millions of dollars in stolen funds. Ghaleb Alaumary, 37, of Ontario, Canada,agreed to plead guilty in Los Angeles to organizing teams of co-conspirators in the U.S. and Canada to launder funds obtained through various schemes.
The indictment unsealed Wednesday charges Jon Chang Hyok, Kim Il and Park Jin Hyok with crimes including conspiracy to commit wire and bank fraud. Park was previously charged in 2018 in a criminal complaint linking him to the hacking team responsible for the hack of Sony Pictures and the WannaCry global ransomware attack, among other acts.
Besides naming two additional defendants beyond the original case, the new indictment also adds to the list of victims from around the world of hacks carried out by the Reconnaissance General Bureau.
The indictment accuses the hackers of participating in a conspiracy that attempted to steal more than $1.3 billion of money and cryptocurrency from banks and businesses, unleashed a sweeping ransomware campaign and targeted Sony Pictures Entertainment in 2014 in retaliation for a Hollywood movie, “The Interview,” that the North Korean government didn’t like because it depicted a fictionalized assassination of leader Kim Jong Un.
The indictment says the hackers engaged not just in cybertheft but also in “revenge-motivated computer attacks, at times executing commands “to destroy computer systems, deploy ransomware” or otherwise render victims’ computers inoperable.
“The scope of these crimes by the North Korean hackers is staggering,” said Tracy Wilkison, the acting U.S. Attorney in the Central District of California, where Sony Pictures is located and where the indictment was filed. “They are the crimes of a nation-state that has stopped at nothing to extract revenge and to obtain money to prop up its regime.”
Wilkison would not say how much money the hackers actually received. But the indictment does charge them in connection with a theft from Bangladesh’s central bank in 2016 involving wire transfers “totaling approximately $81 million to bank accounts in the Philippines and $20 million to a bank account in Sri Lanka,” and with multiple other multi-million-dollar ATM cashouts and cyber extortion schemes.
All told, the conspirators “attempted to steal or extort more than $1.3 billion,” according to the indictment.
To empty the cryptocurrency accounts of victims, the cyberthieves seeded malware posing as cryptocurrency-trading software on legitimate-seeming websites to trick victims, according to an alert published by the FBI and other U.S. agencies. Once infected, a victim’s computer could be entered and controlled by remote access. Later, hackers used other techniques including phishing and social engineering to infect victims’ computers.