The U.S. Department of Justice (DOJ) has charged three North Korean computer programmers with theft and extortion on various allegations, including stealing over $100 million in cryptocurrencies between 2017 and 2020.
The thefts are part of a broader conspiracy in which the alleged hackers steal over $1.3 billion, the DOJ announced Wednesday. In a related second case, a Canadian-American was charged with participating in a money laundering scheme.
In a statement, Assistant Attorney General John Demers said, “as laid out in today’s indictment, North Korea’s operatives, using keyboards rather than guns, stealing digital wallets of cryptocurrency instead of sacks of cash, are the world’s leading bank robbers.”
Jon Chang Hyok, Kim Il and Park Jin Hyok have been charged with criminal hacking and other crimes, and are allegedly a part of the Lazarus Group cybercrime ring, according to a press release. The three were allegedly behind the 2014 hack of Sony Pictures Entertainment, which appeared to be a retaliatory move for producing The Interview, a comedy film about the assassination of North Korean leader Kim Jong Un.
The hackers targeted “hundreds of cryptocurrency companies” and stole “tens of millions of dollars’ worth of cryptocurrency,” according to the press release.
This included “$75 million from a Slovenian cryptocurrency company in December 2017; $24.9 million from an Indonesian cryptocurrency company in September 2018; and $11.8 million from a financial services company in New York in August 2020 in which the hackers used the malicious CryptoNeuro Trader application as a backdoor,” the press release said.
Just last week, the United Nations alleged that North Korea was funding its nuclear weapons program using funds from hacked cryptocurrency exchanges, alongside other thefts. The UN believes that over $300 million in crypto assets have been stolen by various North Korean hackers.
In addition to Wednesday’s indictment, the FBI, Cybersecurity and Infrastructure Security Agency (CISA) and Department of Treasury published a joint advisory about a crypto malware produced by North Korea.
The advisory, which includes seven malware analysis reports (MARs) with technical details about the AppleJeus malware, details how the program was installed on victim machines.
“This report catalogues AppleJeus malware in detail. North Korea has used AppleJeus malware posing as cryptocurrency trading platforms since at least 2018. In most instances, the malicious application – seen on both Windows and Mac operating systems – appears to be from a legitimate cryptocurrency trading company, thus fooling individuals into downloading it as a third-party application from a website that seems legitimate,” the notice said.
The threat actors targeted companies in the U.S., Canada, Brazil, Argentina, Australia, New Zealand, India, China, Russia, Israel, Saudi Arabia, South Korea and over a dozen others, according to the alert.
UPDATE (Feb. 17, 2021, 17:29 UTC): Edits and updates throughout.
