The Justice Department has charged three North Korean computer programmers in a broad range of global hacks, including a destructive attack targeting an American movie studio and an extortion scheme aimed at attempting to steal more than $1.3 billion from banks and other financial institutions, federal prosecutors said Wednesday.
The newly unsealed indictment builds off an earlier criminal case brought in 2018 and adds two additional North Korean defendants. Prosecutors identified all three as members of a North Korean military intelligence agency and said they carried out hacks at the behest of the government with a goal of using stolen funds for the benefit of the regime. Alarmingly to U.S. officials, the defendants worked at times from locations in Russia and China.
Law enforcement officials say the prosecution underscores the profit-driven motive behind the North Korean criminal hacking model, a contrast from other adversarial nations like Russia, China and Iran who are generally more interested in espionage, intellectual property theft or even disrupting democracy. As the U.S. announced its case against the North Koreans, the government was still grappling with an intrusion by Russia of federal agencies and private corporations that officials say was aimed at information-gathering.
“What we see emerging uniquely out of North Korea is trying to raise funds through illegal cyber activities,” including the theft of traditional and cryptocurrency, as well as cyber extortion schemes, said Assistant Attorney General John Demers, the Justice Department’s top national security official.
Because of their economic system and sanctions imposed on the country, he added, “They use their cyber capabilities to try to get currency wherever they can do that, and that’s not something that we really see from actors in China or Russia or in Iran.”
None of the three defendants is in American custody, and though officials don’t expect them to travel to the U.S. anytime soon for prosecution, Justice Department officials in recent years have found value in indicting foreign government hackers even in absentia as a message that they are not anonymous and can be identified and implicated in crimes.
At the same time, prosecutors announced a plea deal with a dual U.S.-Canadian citizen who investigators say organized the laundering of millions of dollars in stolen funds. Ghaleb Alaumary, 37, of Ontario, Canada, has agreed to plead guilty in Los Angeles to organizing teams of co-conspirators in the U.S. and Canada to launder funds obtained through various schemes.
Besides naming two additional defendants beyond the original 2018 case, the new case also adds to the list of victims from around the world of hacks carried out by the Reconnaissance General Bureau.
The hackers, according to the indictment, were part of a conspiracy that attempted to steal more than $1.3 billion of money and cryptocurrency from banks and companies; unleashed a global sweeping ransomware campaign; and hacks that targeted Sony Pictures Entertainment in 2014 in retaliation for a Hollywood movie, “The Interview,” that the North Korean government didn’t like.
The indictment says the hackers engaged not just in cybertheft but also in “revenge-motivated computer attacks, at times executing commands “to destroy computer systems, deploy ransomware” or otherwise render victims’ computers inoperable.
“The scope of these crimes by the North Korean hackers is staggering,” said Tracy Wilkison, the acting U.S. Attorney in the Central District of California, where Sony Pictures is located and where the indictment was filed. “They are the crimes of a nation-state that has stopped at nothing to extract revenge and to obtain money to prop up a machine.”
Officials would not say how much money the hackers actually obtained, though the indictment does charge them in connection with an $81 million theft from Bangladesh’s central bank in 2016 and with multiple other multi-million-dollar ATM cashouts and cyber extortion schemes. All told, the conspirators conspirators “attempted to steal or extort more than $1.3 billion,” according to the indictment.
To empty the cryptocurrency accounts of victims, the cyberthieves seeded malware posing as cryptocurrency-trading software on legitimate-seeming websites to trick victims, according to an alert published by the FBI and other U.S. agencies. Once infected, a victim’s computer could be entered and controlled by remote access. Later, hackers used other techniques including phishing and social engineering to infect victims’ computers.