Hacking for Dollars: North Korean Cybercrime

In mid-February 2021, the Department of Justice shared the content of what had been a sealed indictment charging three North Korean (DPRK) hacking “operatives” with a plethora of cybercrimes, including “cyber heists and extortion schemes, targeting both traditional and cryptocurrencies.”

Assistant Attorney General John C. Demers remarked, “The indictment refines the attribution of this crime spree to the DPRK military intelligence services, specifically the [Democratic People’s Republic of Korea] Reconnaissance General Bureau (RGB). Simply put, the regime has become a criminal syndicate with a flag, which harnesses its state resources to steal hundreds of millions of dollars.”

Those familiar with the DPRK’s modus operandi will recognize its long-running efforts to acquire money from abroad to fund regime activities (see the 2008 CRS report “North Korea Crime-for-Profit Activities,” a 28-page PDF), which pegged the take at USD $500 million a year. This indictment reveals the DPRK engaged in its own variation on the theme of “dialing for dollars,” with cyberespionage and hacking operations one could call “hacking for dollars”; and hack they did, this time to the tune of USD $1.2 billion.

That will buy some bandwidth and server time in any country.

U.S. Secret Service Assistant Director Michael R. D’Ambrosio said, “This case is a particularly striking example of the growing alliance between officials within some national governments and highly sophisticated cybercriminals. The individuals indicted today committed a truly unprecedented range of financial and cybercrimes: from ransomware attacks and phishing campaigns, to digital bank heists and sophisticated money laundering operations. With victims strewn across the globe, this case shows yet again that the challenge of cybercrime is, and will continue to be, a struggle that can only be won through partnerships, perseverance, and a relentless focus on holding criminals accountable.”

The three operatives are identified as Jon Chang Hyok (전창혁), 31; Kim Il (김일), 27; and Park Jin Hyok (박진혁), 36, all members of the RGB. The 33-page indictment is, in essence, a road map of the diverse avenues available to the cybercriminal, and it documents the DPRK’s success in leaving behind a wide swath of hacking victims. Interestingly, the RGB trio physically operated from within the DPRK, Russia and China.

Their hacking activities are grouped in 44 separate “overt acts” within the DoJ indictment. These include:

Additionally, the indictment touches on how the trio destroyed victims’ data or rendered the victims’ devices inoperable. Sometimes these destructive steps were meant to befuddle forensic investigators; other times, destruction was the specific intent of the operation.

The likelihood that any of the three charged will see the inside of a U.S. courtroom is slim; nevertheless, Demers is forceful in the attribution of the cybercrimes to the DPRK. In his statement, he noted that the DoJ’s criminal charges are based on “uniquely credible forms of attribution – we can prove these allegations beyond a reasonable doubt using only unclassified, admissible evidence.”

These revelations of DPRK skullduggery will not dissuade the regime from continuing their nefarious hacking efforts. They will morph and adjust, as necessary, in their efforts to obtain the needed foreign currency to fund future government operations.

Christopher Burgess

Christopher Burgess (@burgessct) is a writer, speaker and commentator on security issues. He is a former Senior Security Advisor to Cisco and served 30+ years within the CIA which awarded him the Distinguished Career Intelligence Medal upon his retirement. Christopher co-authored the book, “Secrets Stolen, Fortunes Lost, Preventing Intellectual Property Theft and Economic Espionage in the 21st Century”. He also founded the non-profit: Senior Online Safety.
