Security Experts:

U.S. Charges North Korean Hackers Over $1.3 Billion Bank Heists

Three North Korean Military Hackers Indicted in Wide-Ranging Scheme to Commit Cyberattacks and Financial Crimes Across the Globe

The U.S. Justice Department on Wednesday announced the indictment of three North Korean military intelligence officials linked to high-profile cyber-attacks that included the theft of $1.3 billion in money and crypto-currency from organizations around the world.

The indictment alleges the trio was part of a “wide-ranging criminal conspiracy to conduct a series of destructive cyberattacks” against companies and crypto-currency exchanges around the world.

The DOJ described the scope of the North Korean hacking operation as “extensive and long-running”. 

“The range of crimes they committed is staggering,'' said Acting U.S. Attorney Tracy Wilkison. “The conduct detailed in the indictment are the acts of a criminal nation-state that has stopped at nothing to extract revenge and obtain money to prop up its regime.”

[ PREVIOUSLY:  North Korean Hackers Targeting Security Researchers ]

North Korea

 The new indictment expands on a 2018 case against the Pyongyang hacking group blamed for attacks against Sony Pictures,, the destructive Wannacry worm, a series of brazen online bank robberies against the global financial system, and ongoing ransomware extortion schemes.

The group, known publicly as Lazarus, has also been actively draining billions of dollars from hacks against crypto-currency exchanges.

 The newest indictment adds two new North Korean defendants to the government’s case and named a third Canadian-American citizen who was part of the Lazarus group’s money laundering operations.

From the Justice Department announcement:

The hacking indictment filed in the U.S. District Court in Los Angeles alleges that Jon Chang Hyok (전창혁), 31; Kim Il (김일), 27; and Park Jin Hyok (박진혁), 36, were members of units of the Reconnaissance General Bureau (RGB), a military intelligence agency of the Democratic People’s Republic of Korea (DPRK), which engaged in criminal hacking. These North Korean military hacking units are known by multiple names in the cybersecurity community, including Lazarus Group and Advanced Persistent Threat 38 (APT38). Park was previously charged in a criminal complaint unsealed in September 2018. 

The indictment blames the Lazarus group hackers for a wide range of publicly documented attacks, including the hack of Sony Pictures Entertainment in November 2014, the targeting of AMC Theatres later that year, and a 2015 intrusion into Mammoth Screen, which was producing a fictional series involving a British nuclear scientist taken prisoner in DPRK.

[ RELATED: U.S. Charges North Koreans Over Lazarus Hacks ]

The U.S. government also linked the indicted hackers to billion-dollar bank heists that attacked the SWIFT (Society for Worldwide Interbank Financial Telecommunication) messaging system.  The group is also charged with ATM cash-out schemes that stole $6.1 million from a Pakistan bank.

The government also detailed the group’s involvement in the Wannacry ransomware, the creation and deployment of malicious cryptocurrency applications, the development of multiple malicious cryptocurrency applications that gave the North Korean hackers a backdoor into the victims’ computers.

The Lazarus group has recently been flagged targeting security researchers involved in anti-malware research and other offensive exploit development work.

Earlier this week it was reported that North Korean hackers tried to hack into pharmaceutical giant Pfizer in a search for information on a coronavirus vaccine and treatment technology, adding to previous activity associated with the rogue nation trying to access COVID-19 related research.

In July 2017, researchers from Recorded Future monitored internet traffic from North Korea. One of its conclusions was that "most state-sponsored activity is perpetrated from abroad." Recorded Future suggested at the time that North Korean malicious activity most likel originates from countries such as India, Malaysia, New Zealand, Nepal, Kenya, Mozambique, and Indonesia. 

In late September 2017, the United States Cyber Command reportedly engaged in offensive activity against North Korea, by launching a DDoS attack against its military spy agency, the Reconnaissance General Bureau (RGB). The attack occurred just five weeks after President Trump elevated U.S. Cyber Command to a Unified Combatant Command. 

Related: U.S. Army Report Describes North Korea's Cyber Warfare Capabilities

RelatedNorth Korea Cyber Experts Raised Up to $2 Billion, UN Says

view counter
Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. Ryan is a journalist and cybersecurity strategist with more than 20 years experience covering IT security and technology trends. He is a regular speaker at cybersecurity conferences around the world. Ryan has built security engagement programs at major global brands, including Intel Corp., Bishop Fox and Kaspersky GReAT. He is a co-founder of Threatpost and the global SAS conference series. Ryan's career as a journalist includes bylines at major technology publications including Ziff Davis eWEEK, CBS Interactive's ZDNet, PCMag and PC World. Follow Ryan on Twitter @ryanaraine.