Feds Indict North Korean Hackers for Years of Heists

Most surprising, perhaps, is the extent of the hackers’ alleged schemes as cryptocurrency scammers and even would-be entrepreneurs. The indictment outlines how the North Koreans—specifically Kim Il—made plans to launch a cryptocurrency token scheme called Marine Chain, which would sell a blockchain-based stake in marine vessels including cargo ships. According to the British think tank the Royal United Services Institute, Marine Chain was identified by the United Nations as a North Korean sanctions-evasion scheme in 2018; it’s not clear if it ever got off the ground.

In another cryptocurrency theft scheme, the hackers are charged with creating a long list of malicious cryptocurrency apps with names like WorldBit-Bot, iCryptoFx, Kupay Wallet, CoinGo Trade, Dorusio, Ants2Whales, and CryptoNeuro Trader, all designed to surreptitiously steal victims’ cryptocurrencies. The US Cybersecurity and Infrastructure Security Agency issued an advisory Wednesday about the malware family integrated into those apps known as AppleJeus, warning that the malicious apps have been distributed by hackers posing as legitimate cryptocurrency firms, who sent the apps in phishing emails or tricked users into downloading them from fake websites. Security firm Kaspersky had warned about versions of AppleJeus as early as 2018.

The indictment demonstrates the United States’ growing willingness to indict foreign hackers for cyberattacks and cybercriminal schemes that don’t merely target US institutions, says Greg Lesnewich, a threat intelligence analyst at security firm Recorded Future. For some of the charges, he points out, Americans were impacted only as the holders of cryptocurrency stolen from international exchanges. “It’s an expansion of what the US is willing to prosecute for, even if the victims aren’t US entities,” he says.

At the same time, Lesnewich says the long arc of the crimes the indictment describes also show North Korea has expanded its ambitions to use and steal cryptocurrency in any way that might help fund its sanctions-starved government. “They’re using very ingenious methods to steal cryptocurrency now,” says Lesnewich. “They’re clearly putting some of their ‘best’ people on this to solve this problem in a diverse number of ways.”

While none of the three North Koreans have been arrested and extradited—and given that they’re in North Korea, likely never will be—prosecutors also unsealed charges against Ghaleb Alaumary, a 37-year-old Canadian man who allegedly served as a money launderer for the North Koreans’ bank heists. Alaumary, who has already pleaded guilty to the money-laundering charges, had previously been arrested and charged with a business-email-compromise hacking scheme in the Southern District of Georgia.

As for Park, Jon, and Kim, the Justice Department has little expectation of ever laying hands on them, assistant attorney general John Demers acknowledged in Wednesday’s press conference. But he argued that the indictment nonetheless sends a message to the North Korean regime and to any other states contemplating similar rogue behavior that they and their hackers will be identified and, whenever possible, held accountable, including with other diplomatic tools such as sanctions. “You think you’re anonymous behind a keyboard, but you’re not,” Demers said, holding out the indictment as proof. “We lay out how we can prove attribution not to a nation state level, or a unit level within a military or intelligence organization, but to an individual hacker.”


More Great WIRED Stories