U.S. authorities on Thursday moved to seize 280 cryptocurrency accounts they said were used by North Korean hackers who stole more than a quarter of a billion dollars from cryptocurrency companies around the world, including one in the U.S.
The U.S. Justice Department said the accounts targeted in the civil forfeiture filing were used by the North Korean hackers and their Chinese agents to launder some of the money stolen from more than a dozen virtual currency exchanges, a series of cyber thefts over the past two years amounting to more than $300 million.
“Today’s action publicly exposes the ongoing connections between North Korea’s cyber-hacking program and a Chinese cryptocurrency money laundering network,” said Acting Assistant Attorney General Brian Rabbitt of the Justice Department’s Criminal Division.
The filing is the first publicly announced case of a U.S.-based virtual currency company being targeted by North Korea, officials said. The company, which the Justice Department said focused on the Algorand blockchain, is referred to in the filing only as “Exchange 10.”
Along with a flurry of other recent actions taken by other federal agencies, Thursday’s filing shows that even while top Trump officials say tensions with nuclear-armed Pyongyang have cooled, U.S. law-enforcement and national-security officials view North Korea as a significant threat to national security and the global financial system. Pyongyang’s regime uses the proceeds from cyber theft to fund its military and its nuclear-weapons program, according to United Nations experts and U.S. officials.
“North Korea flouts sanctions by hacking international financial networks and cryptocurrency exchanges to generate revenue that funds its weapons development activities,” Gen. Paul Nakasone, the commander of U.S. Cyber Command, wrote in a Foreign Affairs article co-authored with a senior Cyber Command adviser.
North Korea’s mission to the U.N. didn’t immediately respond to a request for comment, but officials have previously denied the country’s agents have hacked financial institutions.
Justice Department and Internal Revenue Service agents said North Korean hackers used malware to gain entry to the exchanges and steal from user accounts, then laundered the proceeds through Chinese middlemen. U.S. officials said the hackers were associated with one of the hacker collectives the U.S. says is run by North Korea’s intelligence bureau, the so-called Lazarus Group, leaving digital footprints that led back to the country.
In March, the Justice Department indicted and sanctioned two Chinese nationals accused of helping North Korean hackers launder the money stolen from the cryptocurrency exchanges. Federal prosecutors at the time accused them of helping the hackers convert the funds, including through exchanging the bitcoin for prepaid Apple iTunes gift cards. The U.S. attorney’s office in Washington also filed a civil action to seize related assets allegedly held in 113 virtual currency accounts, and the U.S. Treasury Department simultaneously blacklisted the two men.
Within hours of that March forfeiture filing, authorities saw accounts linked to the alleged thefts that had been dormant for months being flushed, said Assistant U.S. Attorney Zia Faruqui. U.S. agents tracking money movements through those accounts discovered that the hackers had targeted several more currency exchanges and were laundering the proceeds from those cyberheists through accounts controlled by the same Chinese bitcoin traders, he said.
Jessi Brooks, another assistant U.S. Attorney in the national-security division, said Thursday’s case reflects the department’s decision to target the use of virtual currency platforms for money laundering by nation states and terrorists.
U.S. officials say they have documented a pickup in North Korea’s cyberattacks in recent months.
U.S. and U.N. officials say North Korea relies on a range of sophisticated cyber capabilities to evade global sanctions and expand its regime’s geopolitical relevance, as the country is otherwise shut out from the international financial system.
On Wednesday several U.S. agencies issued a joint alert warning that hackers tied to the North Korean government are trying to rob banks across the globe by draining ATMs and initiating fraudulent money transfers, as part of a resurgent cash-grab campaign that authorities said dates back to February of this year.
Underscoring the view that North Korea’s cyber thefts are a national-security threat, a U.S. Army report published last month described North Korea’s multibillion-dollar cyber-theft activities as a critical part of Pyongyang’s electronic warfare operations. It estimates the country has an estimated 6,000 hackers within its special cyberwarfare unit, many positioned around the world. The report said some of the hackers are members of the groups named by the Justice Department, the U.S. Treasury and other agencies as responsible for hacks against the global financial system.
The North Korean hackers’ methods of pilfering funds include direct hacking of banks and cryptocurrency exchanges, cryptocurrency mining operations, and low-level internet scams such as automating activity in online computer games to cash out in-game points or items for money.