The programmers, who are part of a North Korean military intelligence agency, also are accused of creating and deploying “multiple malicious cryptocurrency applications, and to develop and fraudulently market a blockchain platform,” according to a Department of Justice press release.
And the scheme also deployed repeated “spear-phishing campaigns” from 2016 through early 2020 that targeted employees of the U.S. Defense Department, the State Department, and workers at U.S.-cleared defense contractors, energy firms, aerospace companies and tech firms, authorities said.
Hackers also took control of bank ATMs to take out cash from them as part of the conspiracy, the indictment says.
During a press conference Wednesday, officials said that the development and marking in 2017 and 2018 of the so-called Marine Chain Token, which allowed investors to buy fractional ownership interests in marine shipping vessels with blockchain technology, allowed North Korea to “secretly obtain funds from investors, control interests in marine shipping vessels, and evade U.S. sanctions.”
Tracy Wilkinson, the acting U.S. Attorney for the Central District of California, said, “The scope of the criminal conduct by the North Korean hackers was extensive and long-running, and the range of crimes they have committed is staggering.”
Wilkinson also said, “The conduct detailed in the indictment are the acts of a criminal nation-state that has stopped at nothing to extract revenge and obtain money to prop up its regime.”
The indictment filed in U.S. District Court in Los Angeles charges Jon Chang, 31, 27-year-old Kim Il, and Park Jin Hyo 36, were members of units of the Reconnaissance General Bureau, a North Korean military intelligence agency which engaged in criminal hacking. Authorities noted that Park was previously charged in a September 2018 criminal complaint that detailed the cyberattack on Sony Pictures and the creation of the ransomware known as WannaCry.
At the same time Wednesday, officials announced that a Canadian-American citizen, 37-year-old Ghaleb Alaumary, agreed to plead guilty in a money-laundering scheme, and admitted to helping the indicted North Koreans “cash-out” their “cyber-enabled bank heist.”
Authorities said that Alaumary organized teams of people in the U.S. and Canada to launder millions of dollars obtained by the hackers through ATM cash-out transactions.
The conspiracy, which officials said was motivated for revenge or financial gain, depending on the target, included the 2014 attack on Sony for its satirical movie “The Interview,” which depicted the assassination of North Korea, as well as the targeting of AMC Theaters, which showed the film. Another alleged target was Mammoth Screen, which was producing a fictional series that depicted a British scientist taken hostage by North Korea, and which suffered a digital intrusion in 2015.
Authorities also said that the hackers from 2015 through 2019 tried to steal more than $1.2 billion from banks in Vietnam, Bangladesh, Taiwan, Mexico, Malta and Africa by breaking into their computer networks and sending fraudulent messages over the SWIFT bank messaging system.
The hackers are accused of targeting hundreds of cryptocurrency companies and stealing tens of millions dollars worth of cryptocurrency as part of the scheme.
One Slovenian cryptocurrency company was ripped off of $75 million in such currency, authorities said, and the hackers stole almost $25 million worth of cryptocurrency from an Indonesian cryptocurrency company in September 2018 and $11.8 million from New York financial services firm last summer by using the malicious CryptoNeuro Trader application.
The defendants also are accused of stealing $6.1 million from BankIslami Pakistan Limited as part of a series of ATM cash-out schemes, creation of the WannaCry 2.0 ransomware in 2017, “and the extortion and attempted extortion of victim companies,” the DOJ said.
And the scheme also allegedly developed multiple malicious cryptocurrency applications since March 2018 that gave North Korean hackers backdoors into victims’ computers. Those applications included Celas Trade Pro, WorldBit-Bot, iCryptoFx, Union Crypto Trader, Kupay Wallet, CoinGo Trade, Dorusio, CryptoNeuro Trader, and Ants2Whale, officials said.
“North Korea’s operatives, using keyboards rather than guns, stealing digital wallets of cryptocurrency instead of sacks of cash, are the world’s leading bank robbers,” said Assistant Attorney General John Demers of the Justice Department’s National Security Division.
The case comes as the price of the leading cryptocurrency, bitcoin, has jumped by more than 400% over the past 12 months.
Bitcoin price has jumped more than 75% as an increasing number of corporations grow comfortable accepting it both as tender and as a store of value and medium of exchange.
At one point Wednesday, bitcoin was selling for $51,165, near its all-time record it hit earlier in the day, according to Coin Metrics.
JPMorgan has said it is considering allowing banking of cryptocurrency, and Bank of New York Mellon, the nation’s oldest bank, last week said that it will soon allow digital currencies to pass through the same financial network it currently uses for more traditional holdings like U.S. Treasury bonds and stocks.
Payments companies such as PayPal and Mastercard have stepped up efforts on their platforms to support cryptocurrency processing. And electric carmaker Tesla last week disclosed in a government filing that it had invested $1.5 billion into bitcoin and planned to accept the digital currency as payment for its products.
But bitcoin’s history of high-profile thefts and hacks have left some still doubting its security, particularly since it is often kept in digital wallets on independent networks.
In recent years, thieves have stolen billions of dollars’ worth of bitcoin. And the digital nature of those thefts often make it difficult for authorities to track down the crooks.
– CNBC’s Tom Franck contributed to this report