3 Named In Sony Hacks, WannaCry Attack, $1.3 Billion Conspiracy
In a sweeping indictment unsealed in Los Angeles, prosecutors allege hackers working for North Korea are behind a series of massive attacks.
LOS ANGELES, CA — Federal prosecutors unsealed an explosive indictment in Los Angeles Wednesday accusing North Korean hackers of a $1.3 billion conspiracy targeting international businesses and of perpetrating the infamous Sony Pictures email hack of 2014 and the WannaCry ransomware attack of 2017.
The indictment accuses the three alleged hackers of working for the military intelligence agency of the Democratic People's Republic of Korea, at times while stationed in Russia and China. According to prosecutors, the three defendants are the "world's leading 21st-century nation-state bank robbers" using keyboards instead of guns to commit brazen robberies. The wide-ranging hacking and extortion scheme targeted banks, cryptocurrency companies, and U.S. agencies and defense firms, prosecutors allege. The whereabouts of the three alleged hackers — Jon Chang Hyok, 31, Kim Il, 27, and Park Jin Hyok, 36 — are unknown.
Their alleged hacks have caused international uproars over the years. High-profile attacks named in the indictment include the hack of Sony Pictures executive emails in an effort to embarrass the company for releasing the comedy "The Interview," which mocked North Korean dictator Kim Jong-Un. Prosecutors also blame the trio for the WannaCry ransomware attack of 2017 that exploited the Microsoft operating system to infect hundreds of thousands of computers worldwide.
"The scope of the criminal conduct by the North Korean hackers was extensive and long-running, and the range of crimes they have committed is staggering," Acting U.S. Attorney Tracy L. Wilkison said. "The conduct detailed in the indictment are the acts of a criminal nation-state that has stopped at nothing to exact revenge and obtain money to prop up its regime."
Jon, Kim and Park are charged with one count of conspiracy to commit computer fraud and abuse, which carries a statutory maximum sentence of five years in prison, and one count of conspiracy to commit wire fraud and bank fraud, which carries a maximum sentence of 30 years in prison. Park was previously charged in a criminal complaint unsealed in September 2018.
A second case unsealed Wednesday accuses Ghaleb Alaumary, a 37-year-old Canadian-American citizen from Mississauga, Ontario, of being a money launderer for the North Korean conspiracy, among other criminal schemes. Alaumary agreed to plead guilty to conspiracy to engage in money laundering, a charge filed on Nov. 17, according to the U.S. Attorney's Office.
Prosecutors say Alaumary was a prolific money launderer for hackers engaged in ATM cash-out schemes, cyber-enabled bank heists, business email compromise schemes, and other online fraud scams. Alaumary is also being prosecuted by the U.S. Attorney's Office for the Southern District of Georgia for his alleged involvement in a separate BEC scheme.
According to prosecutors, the military hacking units are known by multiple names in the cybersecurity community, including Lazarus Group and Advanced Persistent Threat 38 (APT38).
The indictment details the defendants' alleged involvement in:
- the destructive cyberattack on Sony Pictures Entertainment in November 2014 in retaliation for "The Interview," a movie that depicted a fictional assassination of the DPRK's leader; the December 2014 targeting of AMC Theatres, which was scheduled to show the film; and a 2015 intrusion of Mammoth Screen, which was producing a fictional series involving a British nuclear scientist taken prisoner in DPRK.
- attempts from 2015-19 to steal more than $1.2 billion from banks in Vietnam, Bangladesh, Taiwan, Mexico, Malta and Africa by hacking the banks' computer networks and sending fraudulent Society for Worldwide Interbank Financial Telecommunication messages.
- thefts through ATM cash-out schemes -- referred to by the U.S. government as "FASTCash" -- including the October 2018 theft of $6.1 million from BankIslami Pakistan Limited (BankIslami).
- creation of the destructive WannaCry 2.0 ransomware in May 2017, and the extortion and attempted extortion of victim companies from 2017-20 involving the theft of sensitive data and deployment of other ransomware.
- development of multiple malicious cryptocurrency applications from March 2018 through at least September 2020 -- including Celas Trade Pro, WorldBit-Bot, iCryptoFx, Union Crypto Trader, Kupay Wallet, CoinGo Trade, Dorusio, CryptoNeuro Trader and Ants2Whale -- which would provide the North Korean hackers a backdoor into the victims' computers.
- targeting of hundreds of cryptocurrency companies and the theft of tens of millions of dollars worth of cryptocurrency, including $75 million from a Slovenian cryptocurrency company in December 2017; $24.9 million from an Indonesian cryptocurrency company in September 2018; and $11.8 million from a financial services company in New York in August 2020 in which the hackers used the malicious CryptoNeuro Trader application as a backdoor.
- multiple spear-phishing campaigns from March 2016 through February 2020 that targeted employees of United States cleared defense contractors, energy companies, aerospace companies, technology companies, the United States Department of State, and the United States Department of Defense.
- development and marketing in 2017 and 2018 of the Marine Chain Token to enable investors to purchase fractional ownership interests in marine shipping vessels, supported by a blockchain, which would allow the DPRK to secretly obtain funds from investors, control interests in marine shipping vessels, and evade U.S. sanctions.
"As laid out in today's indictment, North Korea's operatives, using keyboards rather than masks and guns, are the world's leading 21st-century nation-state bank robbers," said Assistant Attorney General John Demers of the Justice Department's National Security Division. "The department will continue to confront malicious nation-state cyber activity with our unique tools and work with our fellow agencies and the family of norms abiding nations to do the same."
City News Service contributed to this report.
