February 19, 2021 | Policy Brief

DOJ Charges Reveal North Korean Cybercrime and Money Laundering Schemes

The U.S. Department of Justice (DOJ) on Wednesday indicted three North Korean cyber operatives and a Canadian-American money launderer for numerous cyberattacks against banks, virtual currency exchanges, entertainment companies, defense firms, online casinos, and several other victims worldwide. The indictment provides new insights regarding the critical support that North Korean hackers receive from foreign partners and accomplices.

DOJ charged Jon Chang Hyok, Kim Il, and Pak Jin Hyok with conducting numerous cyberattacks in an attempt to “steal or extort more than $1.3 billion from victims.” The trio pursued that goal via cybertheft from financial institutions and cryptocurrency exchanges, the creation and distribution of malicious cryptocurrency applications, and the development of their own fraudulent blockchain-supported virtual currency platform.

DOJ also charged Ghaleb Alaumary, a Canadian-American money launderer, with helping the indicted North Korean hackers launder millions of dollars stolen from ATMs since 2018. First, the North Korean hackers would identify and attack a bank’s computer that facilitates ATM transaction data. Such attacks enabled the hackers to remotely approve ATM withdrawal requests and subsequently allow selected ATMs to dispense cash that co-conspirators would pick up.

The indictment underscores how Pyongyang’s cyber units are innovating and diversifying their methods of cybercrime as external pressure from U.S. authorities intensifies.

Wednesday’s indictment is DOJ’s second set of criminal charges against individuals supporting North Korea’s malicious cyber operations. In September 2018, DOJ charged programmer Pak Jin Hyok, the same person indicted on Wednesday, with supporting numerous North Korea-linked cyberattacks. The three North Korean hackers remain at large, while Alaumary agreed to plead guilty to the charges against him.

The 2018 charge against Pak was Washington’s first indictment targeting a North Korean individual for a government-backed cyberattack. It demonstrated that the U.S. government and law enforcement agencies are capable of identifying both the government sponsor and the individual responsible for state-sponsored cyber schemes.

The latest charges against Jon Chang Hyok, Kim Il, and Pak Jin Hyok reflect ongoing U.S. efforts to impose costs on Pyongyang’s hackers in order to deter future malign activity. Unfortunately, though, naming and shaming North Korea’s cyber operatives alone will not suffice to stop future attacks. In 2018, the FBI’s cyber division warned American companies that North Korean hacking “will continue unabated, regardless of the U.S. government public attribution of North Korea.”

The U.S. government could further improve the efficacy of law enforcement efforts by prioritizing the targeting of North Korea’s foreign accomplices, like Alaumary, who support the hackers’ activities through money laundering and other non-technical capacities. DOJ has already begun to do this by charging not only Alaumary but also, last March, two Chinese currency traders, Tian Yinyin and Li Jiadong, with helping North Korean hackers launder $250 million in stolen cryptocurrency.

Washington should build upon these efforts. Previous indictments provide copious evidence of North Korea’s tactics, techniques, and partnerships supporting broad illicit operations. This evidence could serve as a roadmap for further action. Specifically, U.S. officials should continue investigating Alaumary’s entire money laundering network, which consists of “organized teams of co-conspirators in the United States and Canada,” according to the DOJ press release announcing Alaumary’s indictment.

Similarly, the charges against Tian and Li revealed the complicit role of nine Chinese banks in transferring North Korea’s stolen funds. Treasury should reach out to these banks to ensure they have blocked any further transactions and are no longer complicit in this illicit activity. Treasury should also be prepared to impose any necessary penalties, whether fines or sanctions, if Washington discovers repeated offenses.

Mathew Ha is a research analyst focused on North Korea at the Foundation for Defense of Democracies (FDD), where he also contributes to FDD’s Center on Economic and Financial Power (CEFP) and Center on Cyber and Technology Innovation (CCTI). FDD is a Washington, DC-based, nonpartisan research institute focusing on national security and foreign policy.

