Staff Report –
A federal indictment unsealed on Wednesday in Los Angeles charges three North Korean computer programmers and a Canadian-American citizen with participating in a wide-ranging criminal conspiracy to conduct a series of destructive cyberattacks and financial crimes that make them the world’s most wanted bank robbers.
According to a press release from the U.S. Department of Justice, the hacking indictment filed in the U.S. District Court in Los Angeles alleges that Jon Chang Hyok (전창혁), 31; Kim Il (김일), 27; and Park Jin Hyok (박진혁), 36, were members of units of the Reconnaissance General Bureau (RGB), a military intelligence agency of the Democratic People’s Republic of Korea (DPRK), which engaged in criminal hacking.
These North Korean military hacking units are known by multiple names in the cybersecurity community, including Lazarus Group and Advanced Persistent Threat 38 (APT38). Park was previously charged in a criminal complaint unsealed in September 2018. In the new indictment, they are charged with stealing and extorting more than $1.3 billion in cash and cryptocurrency from financial institutions and companies. To do this they created and deployed multiple malicious cryptocurrency applications, and developed and fraudulently marketed a blockchain platform.
In the second case unsealed on Wednesday, filed in the U.S. District Court in Los Angeles on Nov. 17, 2020, it was revealed that a Canadian-American citizen has agreed to plead guilty in a money laundering scheme and admitted to being a high-level money launderer for multiple criminal schemes, including ATM “cash-out” operations and a cyber-enabled bank heist orchestrated by North Korean hackers. Ghaleb Alaumary, 37, of Mississauga, Ontario, Canada, was charged and pleaded guilty for his role as a money launderer for the North Korean conspiracy.
“As laid out in today’s indictment, North Korea’s operatives, using keyboards rather than guns, stealing digital wallets of cryptocurrency instead of sacks of cash, are the world’s leading bank robbers,” Assistant Attorney General John C. Demers of the Justice Department’s National Security Division said in a statement. “The Department will continue to confront malicious nation state cyber activity with our unique tools and work with our fellow agencies and the family of norms abiding nations to do the same.”
According to the FBI, Alaumary was a prolific money launderer for hackers engaged in ATM cash-out schemes, cyber-enabled bank heists, business email compromise (BEC) schemes, and other online fraud schemes.
“Today’s unsealed indictment expands upon the FBI’s 2018 charges for the unprecedented cyberattacks conducted by the North Korean regime,” FBI Deputy Director Paul Abbate said. “The ongoing targeting, compromise, and cyber-enabled theft by North Korea from global victims was met with the outstanding, persistent investigative efforts of the FBI in close collaboration with U.S. and foreign partners. By arresting facilitators, seizing funds, and charging those responsible for the hacking conspiracy, the FBI continues to impose consequences and hold North Korea accountable for its/their criminal cyber activity.”
Alaumary is also being prosecuted for his involvement in a separate BEC scheme by the U.S. Attorney’s Office for the Southern District of Georgia.
“The scope of the criminal conduct by the North Korean hackers was extensive and long-running, and the range of crimes they have committed is staggering,” Acting U.S. Attorney Tracy L. Wilkison for the Central District of California said. “The conduct detailed in the indictment are the acts of a criminal nation-state that has stopped at nothing to extract revenge and obtain money to prop up its regime.”
With respect to the North Korean co-conspirators’ activities, Alaumary organized teams of co-conspirators in the United States and Canada to launder millions of dollars obtained through ATM cash-out operations, including from BankIslami and a bank in India in 2018. Alaumary also conspired with Ramon Olorunwa Abbas, aka “Ray Hushpuppi,” and others to launder funds from a North Korean-perpetrated cyber-enabled heist from a Maltese bank in February 2019. Last summer, the U.S. Attorney’s Office in Los Angeles charged Abbas in a separate case alleging that he conspired to launder hundreds of millions of dollars from BEC frauds and other scams.
“This case is a particularly striking example of the growing alliance between officials within some national governments and highly sophisticated cyber-criminals,” said U.S. Secret Service Assistant Director Michael R. D’Ambrosio. “The individuals indicted today committed a truly unprecedented range of financial and cyber-crimes: from ransomware attacks and phishing campaigns, to digital bank heists and sophisticated money laundering operations. With victims strewn across the globe, this case shows yet again that the challenge of cybercrime is, and will continue to be, a struggle that can only be won through partnerships, perseverance, and a relentless focus on holding criminals accountable.”
The indictment alleges a broad array of criminal cyber activities undertaken by the conspiracy, in the United States and abroad, for revenge or financial gain. The schemes alleged include:
Cyberattacks on the Entertainment Industry: The destructive cyberattack on Sony Pictures Entertainment in November 2014 in retaliation for “The Interview,” a movie that depicted a fictional assassination of the DPRK’s leader; the December 2014 targeting of AMC Theatres, which was scheduled to show the film; and a 2015 intrusion into Mammoth Screen, which was producing a fictional series involving a British nuclear scientist taken prisoner in DPRK.
Cyber-Enabled Heists from Banks: Attempts from 2015 through 2019 to steal more than $1.2 billion from banks in Vietnam, Bangladesh, Taiwan, Mexico, Malta, and Africa by hacking the banks’ computer networks and sending fraudulent Society for Worldwide Interbank Financial Telecommunication (SWIFT) messages.
Cyber-Enabled ATM Cash-Out Thefts: Thefts through ATM cash-out schemes (referred to by the U.S. government as “FASTCash”), including the October 2018 theft of $6.1 million from BankIslami Pakistan Limited (BankIslami).
Ransomware and Cyber-Enabled Extortion: Creation of the destructive WannaCry 2.0 ransomware in May 2017, and the extortion and attempted extortion of victim companies from 2017 through 2020 involving the theft of sensitive data and deployment of other ransomware.
Creation and Deployment of Malicious Cryptocurrency Applications: Development of multiple malicious cryptocurrency applications from March 2018 through at least September 2020, including Celas Trade Pro, WorldBit-Bot, iCryptoFx, Union Crypto Trader, Kupay Wallet, CoinGo Trade, Dorusio, CryptoNeuro Trader, and Ants2Whale, which would provide the North Korean hackers a backdoor into the victims’ computers.
Targeting of Cryptocurrency Companies and Theft of Cryptocurrency: Targeting of hundreds of cryptocurrency companies and the theft of tens of millions of dollars’ worth of cryptocurrency, including $75 million from a Slovenian cryptocurrency company in December 2017; $24.9 million from an Indonesian cryptocurrency company in September 2018; and $11.8 million from a financial services company in New York in August 2020 in which the hackers used the malicious CryptoNeuro Trader application as a backdoor.
Spear-Phishing Campaigns: Multiple spear-phishing campaigns from March 2016 through February 2020 that targeted employees of United States cleared defense contractors, energy companies, aerospace companies, technology companies, the U.S. Department of State, and the U.S. Department of Defense.
Marine Chain Token and Initial Coin Offering: Development and marketing in 2017 and 2018 of the Marine Chain Token to enable investors to purchase fractional ownership interests in marine shipping vessels, supported by a blockchain, which would allow the DPRK to secretly obtain funds from investors, control interests in marine shipping vessels, and evade U.S. sanctions.
According to the allegations contained in the hacking indictment, which was filed on Dec. 8, 2020, in the U.S. District Court in Los Angeles and unsealed Wednesday, Feb. 17, 2021, the three defendants were members of units of the RGB who were at times stationed by the North Korean government in other countries, including China and Russia. While these defendants were part of RGB units that have been referred to by cybersecurity researchers as Lazarus Group and APT38, the indictment alleges that these groups engaged in a single conspiracy to cause damage, steal data and money, and otherwise further the strategic and financial interests of the DPRK government and its leader, Kim Jong Un.
Accompanying Mitigation Efforts
Throughout the investigation, the FBI and the Justice Department provided specific information to victims about how they had been targeted or compromised, as well as information about the tactics, techniques, and procedures (TTPs) used by the hackers with the goals of remediating any intrusion and preventing future intrusions. That direct sharing of information took place in the United States and in foreign countries, often with the assistance of foreign law enforcement partners. The FBI also collaborated with certain private cybersecurity companies by sharing and analyzing information about the intrusion TTPs used by the members of the conspiracy.
In addition to the criminal charges, the FBI and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, in collaboration with the U.S. Department of Treasury, today released a joint cybersecurity advisory and malware analysis reports (MARs) regarding North Korean cryptocurrency malware. The joint cybersecurity analysis and MARs highlight the cyber threat North Korea (which is referred to by the U.S. government as HIDDEN COBRA) poses to cryptocurrency and identify malware and indicators of compromise related to the “AppleJeus” family of malware (the name given by the cybersecurity community to a family of North Korean malicious cryptocurrency applications that includes Celas Trade Pro, WorldBit-Bot, Union Crypto Trader, Kupay Wallet, CoinGo Trade, Dorusio, CryptoNeuro Trader, and Ants2Whale).
The joint cybersecurity advisory and MARs collectively provide the cybersecurity community and public with information about identifying North Korean malicious cryptocurrency applications, avoiding intrusions, and remedying infections.
The U.S. Attorney’s Office and FBI also obtained seizure warrants authorizing the FBI to seize cryptocurrency stolen by the North Korean hackers from a victim in the indictment (a financial services company in New York) held at two cryptocurrency exchanges. The seizures include sums of multiple cryptocurrencies totaling approximately $1.9 million, which will ultimately be returned to the victim.
Jon, Kim, and Park are charged with one count of conspiracy to commit computer fraud and abuse, which carries a maximum sentence of five years in prison, and one count of conspiracy to commit wire fraud and bank fraud, which carries a maximum sentence of 30 years in prison.
In relation to the case filed in Los Angeles, Alaumary has agreed to plead guilty to one count of conspiracy to commit money laundering, which carries a maximum sentence of 20 years in prison.
The investigation of Jon, Kim, and Park was led by the FBI’s Los Angeles Field Office, which worked closely with the FBI’s Charlotte Field Office. The U.S. Secret Service’s Los Angeles Field Office and Global Investigative Operations Center provided substantial assistance. The FBI’s Cyber Division also provided substantial assistance.
The investigations of Alaumary were conducted by the U.S. Secret Service’s Savannah Field Office, FBI’s Los Angeles Field Office, and the U.S. Secret Service’s Los Angeles Field Office and Global Investigative Operations Center. The FBI’s Criminal Investigative Division also provided substantial assistance.
The case against Jon, Kim, and Park is being prosecuted by Assistant U.S. Attorneys Anil J. Antony and Khaldoun Shobaki of the Cyber and Intellectual Property Crimes Section, with substantial assistance from Trial Attorney Scott Claffee of the Department of Justice National Security Division’s Counterintelligence and Export Control Section.
Assistant U.S. Attorneys Antony and Shobaki are also prosecuting the case against Alaumary, in which the U.S. Attorney’s Office for the Southern District of Georgia and the Criminal Division’s Computer Crimes and Intellectual Property Section (CCIPS) provided substantial assistance. Assistant U.S. Attorneys Antony and Shobaki, along with Assistant U.S. Attorney Jonathan Galatzan of the Asset Forfeiture Section, also obtained the seizure warrants for cryptocurrency stolen from the financial services company in New York.
The Criminal Division’s Office of International Affairs provided assistance throughout these investigations, as did many of the FBI’s Legal Attachés, as well as foreign authorities around the world. Numerous victims cooperated and provided valuable assistance.