Security Experts:

Connect with us

Hi, what are you looking for?


Data Protection

U.S. Charges North Korean Hackers Over $1.3 Billion Bank Heists

Three North Korean Military Hackers Indicted in Wide-Ranging Scheme to Commit Cyberattacks and Financial Crimes Across the Globe

Three North Korean Military Hackers Indicted in Wide-Ranging Scheme to Commit Cyberattacks and Financial Crimes Across the Globe

The U.S. Justice Department on Wednesday announced the indictment of three North Korean military intelligence officials linked to high-profile cyber-attacks that included the theft of $1.3 billion in money and crypto-currency from organizations around the world.

The indictment alleges the trio was part of a “wide-ranging criminal conspiracy to conduct a series of destructive cyberattacks” against companies and crypto-currency exchanges around the world.

The DOJ described the scope of the North Korean hacking operation as “extensive and long-running”. 

“The range of crimes they committed is staggering,” said Acting U.S. Attorney Tracy Wilkison. “The conduct detailed in the indictment are the acts of a criminal nation-state that has stopped at nothing to extract revenge and obtain money to prop up its regime.”

[ PREVIOUSLY:  North Korean Hackers Targeting Security Researchers ]

North Korea

 The new indictment expands on a 2018 case against the Pyongyang hacking group blamed for attacks against Sony Pictures,, the destructive Wannacry worm, a series of brazen online bank robberies against the global financial system, and ongoing ransomware extortion schemes.

The group, known publicly as Lazarus, has also been actively draining billions of dollars from hacks against crypto-currency exchanges.

 The newest indictment adds two new North Korean defendants to the government’s case and named a third Canadian-American citizen who was part of the Lazarus group’s money laundering operations.

From the Justice Department announcement:

The hacking indictment filed in the U.S. District Court in Los Angeles alleges that Jon Chang Hyok (전창혁), 31; Kim Il (김일), 27; and Park Jin Hyok (박진혁), 36, were members of units of the Reconnaissance General Bureau (RGB), a military intelligence agency of the Democratic People’s Republic of Korea (DPRK), which engaged in criminal hacking. These North Korean military hacking units are known by multiple names in the cybersecurity community, including Lazarus Group and Advanced Persistent Threat 38 (APT38). Park was previously charged in a criminal complaint unsealed in September 2018. 

The indictment blames the Lazarus group hackers for a wide range of publicly documented attacks, including the hack of Sony Pictures Entertainment in November 2014, the targeting of AMC Theatres later that year, and a 2015 intrusion into Mammoth Screen, which was producing a fictional series involving a British nuclear scientist taken prisoner in DPRK.

[ RELATED: U.S. Charges North Koreans Over Lazarus Hacks ]

The U.S. government also linked the indicted hackers to billion-dollar bank heists that attacked the SWIFT (Society for Worldwide Interbank Financial Telecommunication) messaging system.  The group is also charged with ATM cash-out schemes that stole $6.1 million from a Pakistan bank.

The government also detailed the group’s involvement in the Wannacry ransomware, the creation and deployment of malicious cryptocurrency applications, the development of multiple malicious cryptocurrency applications that gave the North Korean hackers a backdoor into the victims’ computers.

The Lazarus group has recently been flagged targeting security researchers involved in anti-malware research and other offensive exploit development work.

Earlier this week it was reported that North Korean hackers tried to hack into pharmaceutical giant Pfizer in a search for information on a coronavirus vaccine and treatment technology, adding to previous activity associated with the rogue nation trying to access COVID-19 related research.

In July 2017, researchers from Recorded Future monitored internet traffic from North Korea. One of its conclusions was that “most state-sponsored activity is perpetrated from abroad.” Recorded Future suggested at the time that North Korean malicious activity most likel originates from countries such as India, Malaysia, New Zealand, Nepal, Kenya, Mozambique, and Indonesia. 

In late September 2017, the United States Cyber Command reportedly engaged in offensive activity against North Korea, by launching a DDoS attack against its military spy agency, the Reconnaissance General Bureau (RGB). The attack occurred just five weeks after President Trump elevated U.S. Cyber Command to a Unified Combatant Command. 

Related: U.S. Army Report Describes North Korea’s Cyber Warfare Capabilities

RelatedNorth Korea Cyber Experts Raised Up to $2 Billion, UN Says

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.


The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.