The U.S. government aims to seize control of 280 illegal cryptocurrency accounts it claims were used by North Korean state-sponsored attackers in their efforts to hack cryptocurrency exchanges and funnel hundreds of millions in stolen funds through a Chinese money-laundering network.
The U.S. Department of Justice (DoJ) filed a civil forfeiture complaint against North Korea on Thursday as part of a broader effort to shut down what it said were state-sponsored cyberattacks on currency exchanges.
The complaint details two specific attacks against virtual currency exchanges in 2019 allegedly carried out by North Korean hackers. The DoJ also claims threat actors in China were involved and helped launder more than $250 million stolen from more than a dozen exchanges.
“Today’s action publicly exposes the ongoing connections between North Korea’s cyber-hacking program and a Chinese cryptocurrency money-laundering network,” Acting Assistant Attorney General Brian Rabbitt of the DoJ’s Criminal Division said in a press statement.
According to the DoJ, the two hacks outlined in the complaint occurred in July and September 2019, respectively. In the former, a hacker allegedly stole over $272,000 worth of alternative cryptocurrencies and tokens, including Proton Tokens, PlayGame tokens, and IHT Real Estate Protocol tokens, which were then laundered through “several intermediary addresses and other virtual currency exchanges,” investigators said.
“In many instances, the actor converted the cryptocurrency into BTC (bitcoin), Tether or other forms of cryptocurrency, a process known as ‘chain hopping’, in order to obfuscate the transaction path,” according to the complaint.
In another attack, the DoJ said a North Korea-associated hacker gained access to an unnamed company’s virtual currency wallets, funds held by the company on other platforms, and funds held by the company’s partners. The hacker stole nearly $2.5 million and laundered it through over 100 accounts at another virtual currency exchange, according to the feds.
Last September the U.S. government sanctioned North Korean APT groups, including the prolific Lazarus group, behind the high-profile WannaCry ransomware attack and cyberattacks on Sony Pictures Entertainment. The sanctions froze any U.S.-related financial assets and barred any U.S. dealings with Lazarus and two of its alleged sub-groups, Bluenoroff and Andariel, all of which are believed to be owned by the Reconnaissance General Bureau (RGB), North Korea’s primary intelligence bureau.
Lazarus was most recently linked to a phishing campaign, revealed in research earlier this week, that targeted admins at a cryptocurrency firm via LinkedIn messages. Researchers from F-Secure said the financially motivated campaign targets businesses worldwide through LinkedIn messages sent to targets’ personal LinkedIn accounts.
The DoJ complaint is the latest move by the U.S. government to crack down on what it says is cyber-criminal activity tied to North Korea, despite its own acknowledgement that it will be difficult to shut down the nation’s widespread hacking efforts entirely.
“Although North Korea is unlikely to stop trying to pillage the international financial sector to fund a failed economic and political regime, actions like those today send a powerful message to the private sector and foreign governments regarding the benefits of working with us to counter this threat,” Assistant Attorney General John Demers of the DoJ’s National Security Division said in a press statement.