DOJ Charges 3 North Korean Hackers With Stealing $100M+ From Crypto Firms

The hackers allegedly stole over $1.3 billion overall through various schemes.

Feb 17, 2021 at 4:54 p.m. UTC
Updated Aug 19, 2021 at 7:18 a.m. UTC


The U.S. Department of Justice (DOJ) has charged three North Korean computer programmers with theft and extortion on various allegations, including stealing over $100 million in cryptocurrencies between 2017 and 2020.

The thefts are part of a broader conspiracy in which the alleged hackers stole over $1.3 billion, the DOJ announced Wednesday. In a related second case, a Canadian-American was charged with participating in a money laundering scheme.

In a statement, Assistant Attorney General John Demers said, "As laid out in today’s indictment, North Korea’s operatives, using keyboards rather than guns, stealing digital wallets of cryptocurrency instead of sacks of cash, are the world’s leading bank robbers."

    Jon Chang Hyok, Kim Il and Park Jin Hyok have been charged with criminal hacking and other crimes, and are allegedly a part of the Lazarus Group cybercrime ring, according to a press release. The three were allegedly behind the 2014 hack of Sony Pictures Entertainment, which appeared to be a retaliatory move for producing The Interview, a comedy film about the assassination of North Korean leader Kim Jong Un.

    The hackers targeted "hundreds of cryptocurrency companies" and stole "tens of millions of dollars' worth of cryptocurrency," according to the press release.

    This included "$75 million from a Slovenian cryptocurrency company in December 2017; $24.9 million from an Indonesian cryptocurrency company in September 2018; and $11.8 million from a financial services company in New York in August 2020 in which the hackers used the malicious CryptoNeuro Trader application as a backdoor," the press release said.

    Just last week, the United Nations alleged that North Korea was funding its nuclear weapons program using funds from hacked cryptocurrency exchanges, alongside other thefts. The U.N. believes that over $300 million in crypto assets have been stolen by various North Korean hackers.

    Initial coin offerings

    The defendants raised funds using initial coin offerings (ICOs) as well, the indictment alleged. Specifically, it claims that Kim Il tried raising funds through the Marine Chain ICO, which the U.N. suspected was affiliated with the North Korean government last year.

    The defendants created a digital token representing fractional ownership in marine shipping vessels and marketed it to individuals in Singapore, the indictment alleged.

    "Defendant KIM IL and other conspirators would not disclose to these individuals that the conspirators were DPRK citizens or that they were communicating using false and fraudulent names. They also would not disclose to investors that a purpose of the Marine Chain Token was to evade United States sanctions on North Korea," the indictment said.

    It's unclear how much the Marine Chain ICO raised.

    Evan Kohlmann, the chief innovation officer of cybersecurity and risk intelligence firm Flashpoint, told CoinDesk, "Countries like North Korea will continue to create schemes to avoid U.S. sanctions. The DoJ indictment highlights the breadth of North Korean malicious cyber intrusions targeting entertainment, finance, defense, energy, government, and technology companies."

    Countries could try cashing out through ATMs in addition to using ICOs or malware to steal cryptocurrencies, he said.

    Advisory

    In addition to Wednesday's indictment, the FBI, Cybersecurity and Infrastructure Security Agency (CISA) and Department of Treasury published a joint advisory about a crypto malware produced by North Korea.

    The advisory, which includes seven malware analysis reports (MARs) with technical details about the AppleJeus malware, details how the program was installed on victim machines.

    "This report catalogues AppleJeus malware in detail. North Korea has used AppleJeus malware posing as cryptocurrency trading platforms since at least 2018. In most instances, the malicious application – seen on both Windows and Mac operating systems – appears to be from a legitimate cryptocurrency trading company, thus fooling individuals into downloading it as a third-party application from a website that seems legitimate," the notice said.

    The threat actors targeted companies in the U.S., Canada, Brazil, Argentina, Australia, New Zealand, India, China, Russia, Israel, Saudi Arabia, South Korea and over a dozen others, according to the alert.
