The US Department of Justice (DOJ) unsealed an indictment on Wednesday charging three North Korean computer programmers with conspiracy to commit a wide range of cybercrimes, including attempts to steal or extort up to $1.3 billion from companies and financial institutions.
The indictment alleges that the three men, Jon Chang Hyok, Kim Il and Park Jin Hyok, were members of the Reconnaissance General Bureau (RGB), which is a military intelligence agency in the Democratic People’s Republic of Korea (DPRK). The agency is known in the cybersecurity community to have engaged in criminal hacking. Park was also subject of a previous criminal complaint in 2018, which alleged his involvement in similar cyberattacks, including the 2014 attack on Sony Pictures Entertainment in retaliation for its movie “The Interview,” a comedy that featured the assassination of North Korea’s leader, Kim Jong Un.
Acting US Attorney for the Central District of California Tracy Wilkison said, “the scope of the criminal conduct by the North Korean hackers was extensive and long-running, and the range of crimes they have committed is staggering.” The alleged crimes include the creation of the highly destructive WannaCry 2.0 ransomware, development of malicious cryptocurrency applications that allowed the hackers backdoor access to victims’ computers, spear-phishing campaigns that targeted employees of defense and government contractors as well as employees of the Departments of State and Defense, the theft of tens of millions of dollars worth of various cryptocurrencies, and millions of dollars from ATM cash-out schemes.
An additional charge was unsealed against Ghaleb Alaumary of Canada, who is accused of assisting the three as a money launderer for their schemes. Alaumary has pleaded guilty to the charge of conspiracy to commit money laundering, which carries a maximum of 20 years in prison. Jon, Kim and Park have been charged with conspiracy to commit computer fraud and abuse, which has a 5-year maximum sentence, and one count of conspiracy to commit wire fraud and bank fraud, which could lead to up to 30 years in prison.