DOJ Charges Members of North Korean Hacker Group “Lazarus”

The U.S. Department of Justice has charged three members of “Lazarus,” a DPKR-sponsored hacker cell that, since its inception, has reportedly stolen over a billion dollars—much of which was in Bitcoin and other cryptocurrencies and attained through various cyber campaigns. The DOJ has called the group “a criminal syndicate with a flag” for its role in a mixture of government espionage and criminal activity.

In an indictment unveiled Wednesday, federal authorities named Jon Chang Hyok, Kim Il, and Park Jin Hyok as members of the group. The men are part of a North Korean military intelligence unit, the Reconnaissance General Bureau (RGB), that “knowingly and intentionally conspired with each other, and with persons known and unknown” to form the hacker group “Lazarus,” the indictment states.

While the hacker trio are charged with many crimes, the fact that they most likely reside in North Korea means extradition and prosecution is probably impossible. One of the hackers, Jin Hyok, had already been indicted on related charges by the U.S. back in 2018 for his role in the Sony hack as well as the global WannaCry ransomware outbreak of 2017.

Feds also charged a Canadian national, Ghaleb Alaumary, 37, of Mississauga, Ontario, accusing him of acting as a long-time money launderer for Lazarus.

Enumerated in Wednesday’s indictment is a list of the hackers’ crimes: these include the infamous 2014 Sony hack, conducted after the studio released The Interview (the Seth Rogan comedy wherein a fictional Kim Jong-Un is assassinated by the CIA); ongoing spear-phishing campaigns against U.S. defense firms and staff; WannaCry; and the theft of millions and millions of dollars from banks, financial firms and crypto companies all over the world. The indictment reads:

The conspirators hacked into the computers of victims to cause damage, steal data and money, and otherwise further the strategic and financial interests of the DPRK government and its leader, Kim Jong Un…The hackers’ victims and intended victims included entertainment companies, financial institutions, cryptocurrency companies (including cryptocurrency exchanges, traders, and marketplaces), online casinos, cleared defense contractors, energy utilities, and individuals.

One of the most notable criminal activities highlighted in the indictment is its ongoing digital robbery campaigns. Over the last several years, Lazarus has apparently targeted hundreds of cryptocurrency companies and financial services firms all over the world, exploiting victims via backdoors and other malicious strategies, and thieving tens of millions of dollars in the process. The group has also allegedly hacked into banks all over the world.

It would be easy to view the exploits of Lazarus as merely those of corrupt, out-of-control government bureaucrats. But this crime isn’t just for kicks. Rather, it’s a strategic imperative for a cash-strapped third-world country that has been economically cut off from the majority of the world via sanctions and other restrictions. The U.S. says the North Korean regime uses the spoils from its hackers’ digital robberies to fund many of the regime’s illicit activities, including its illegal nuclear weapons program.

“As laid out in today’s indictment, North Korea’s operatives, using keyboards rather than guns, stealing digital wallets of cryptocurrency instead of sacks of cash, are the world’s leading bank robbers,” said Assistant Attorney General John C. Demers of the Justice Department’s National Security Division.

John Hultquist, VP of cyber firm FireEye’s Mandiant Threat Intelligence, similarly said that North Korea “relies on a variety of cybercriminal schemes to fund the regime,” due partially to the incredible pressure put on it by externally imposed sanctions.

This may seem unusual but, in many ways, a blend of official state espionage and rampant criminal activity is not that uncommon for hacker groups. Many state-sponsored threat actors engage in crime, frequently doing it for reasons similar to Lazarus: i.e., to supplement the group’s own incomes or to fuel the strategic interests of the state. Other examples have been observed in China, Russia, and Iran, among many others.