Security Experts:

Connect with us

Hi, what are you looking for?


Data Protection

U.S. Charges North Korean Hackers Over $1.3 Billion Bank Heists

Three North Korean Military Hackers Indicted in Wide-Ranging Scheme to Commit Cyberattacks and Financial Crimes Across the Globe

Three North Korean Military Hackers Indicted in Wide-Ranging Scheme to Commit Cyberattacks and Financial Crimes Across the Globe

The U.S. Justice Department on Wednesday announced the indictment of three North Korean military intelligence officials linked to high-profile cyber-attacks that included the theft of $1.3 billion in money and crypto-currency from organizations around the world.

The indictment alleges the trio was part of a “wide-ranging criminal conspiracy to conduct a series of destructive cyberattacks” against companies and crypto-currency exchanges around the world.

The DOJ described the scope of the North Korean hacking operation as “extensive and long-running”. 

“The range of crimes they committed is staggering,” said Acting U.S. Attorney Tracy Wilkison. “The conduct detailed in the indictment are the acts of a criminal nation-state that has stopped at nothing to extract revenge and obtain money to prop up its regime.”

[ PREVIOUSLY:  North Korean Hackers Targeting Security Researchers ]

North Korea

 The new indictment expands on a 2018 case against the Pyongyang hacking group blamed for attacks against Sony Pictures,, the destructive Wannacry worm, a series of brazen online bank robberies against the global financial system, and ongoing ransomware extortion schemes.

The group, known publicly as Lazarus, has also been actively draining billions of dollars from hacks against crypto-currency exchanges.

 The newest indictment adds two new North Korean defendants to the government’s case and named a third Canadian-American citizen who was part of the Lazarus group’s money laundering operations.

From the Justice Department announcement:

The hacking indictment filed in the U.S. District Court in Los Angeles alleges that Jon Chang Hyok (전창혁), 31; Kim Il (김일), 27; and Park Jin Hyok (박진혁), 36, were members of units of the Reconnaissance General Bureau (RGB), a military intelligence agency of the Democratic People’s Republic of Korea (DPRK), which engaged in criminal hacking. These North Korean military hacking units are known by multiple names in the cybersecurity community, including Lazarus Group and Advanced Persistent Threat 38 (APT38). Park was previously charged in a criminal complaint unsealed in September 2018. 

The indictment blames the Lazarus group hackers for a wide range of publicly documented attacks, including the hack of Sony Pictures Entertainment in November 2014, the targeting of AMC Theatres later that year, and a 2015 intrusion into Mammoth Screen, which was producing a fictional series involving a British nuclear scientist taken prisoner in DPRK.

[ RELATED: U.S. Charges North Koreans Over Lazarus Hacks ]

The U.S. government also linked the indicted hackers to billion-dollar bank heists that attacked the SWIFT (Society for Worldwide Interbank Financial Telecommunication) messaging system.  The group is also charged with ATM cash-out schemes that stole $6.1 million from a Pakistan bank.

The government also detailed the group’s involvement in the Wannacry ransomware, the creation and deployment of malicious cryptocurrency applications, the development of multiple malicious cryptocurrency applications that gave the North Korean hackers a backdoor into the victims’ computers.

The Lazarus group has recently been flagged targeting security researchers involved in anti-malware research and other offensive exploit development work.

Earlier this week it was reported that North Korean hackers tried to hack into pharmaceutical giant Pfizer in a search for information on a coronavirus vaccine and treatment technology, adding to previous activity associated with the rogue nation trying to access COVID-19 related research.

In July 2017, researchers from Recorded Future monitored internet traffic from North Korea. One of its conclusions was that “most state-sponsored activity is perpetrated from abroad.” Recorded Future suggested at the time that North Korean malicious activity most likel originates from countries such as India, Malaysia, New Zealand, Nepal, Kenya, Mozambique, and Indonesia. 

In late September 2017, the United States Cyber Command reportedly engaged in offensive activity against North Korea, by launching a DDoS attack against its military spy agency, the Reconnaissance General Bureau (RGB). The attack occurred just five weeks after President Trump elevated U.S. Cyber Command to a Unified Combatant Command. 

Related: U.S. Army Report Describes North Korea’s Cyber Warfare Capabilities

RelatedNorth Korea Cyber Experts Raised Up to $2 Billion, UN Says

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Protection

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.