
Feds Offer $5 Million to Help Disrupt North Korean Hackers

Expanded Rewards Follow FBI Attributing Ronin Network Hack to Lazarus Group
Source: U.S. State Department's Rewards for Justice program

The U.S. government is offering a reward of up to $5 million for information that helps it disrupt the illicit flow of funds to North Korea.


The State Department's Rewards for Justice program on Friday announced that it's seeking information that leads to "the disruption of financial mechanisms of persons engaged in certain activities that support North Korea, including money laundering, exportation of luxury goods to North Korea, specified cyber-activity" and anything that supports the country's weapons of mass destruction programs.

On the cybersecurity front, for example, the program "is seeking information on those who seek to undermine cybersecurity, including financial institutions and cryptocurrency exchanges around the world, for the benefit of the government of North Korea," which is based in Pyongyang.

The program says it's also interested in information pertaining to weapons sales and shipments, ship-to-ship transfers involving coal mined in North Korea or crude oil or petroleum being shipped to the country, the use of North Korean labor sent abroad to funnel money back to Pyongyang, money laundering, drugs and counterfeiting, the use of luxury goods, and human rights abuses.

The reward offer, focused on any financial mechanisms that aid Pyongyang, is an expanded version of the $5 million that the program first offered in April 2020 for "information about illicit DPRK activities in cyberspace, including past or ongoing operations."

Source: U.S. State Department

That offer still stands, and includes rewards for information pertaining to data breaches, destructive malware attacks, ransomware campaigns, extortion efforts and other illegal online activities that trace to North Korea.

In recent years, the U.S. government has continued to warn that North Korea has used a variety of hack attacks, including hitting numerous cryptocurrency exchanges as well as such banks as Bangladesh Bank, to help it evade crippling sanctions and fund its WMD programs.

By 2019, the United Nations estimated that cryptocurrency and online bank heists had enabled Pyongyang to not just stay afloat, but to also invest $2 billion in its development of nuclear weapons and intercontinental ballistic missiles, or ICBMs.

North Korean hackers are not the only focus of the Rewards for Justice program. Last November, for example, it offered up to $10 million for information leading to the arrest of two Iranians who have been charged with interfering in the 2020 U.S. election. In January, it offered a reward of up to $10 million for information that helps disrupt any foreign cyber actors targeting the U.S., especially attackers targeting critical infrastructure.

FBI Attributes Ronin Hack to North Korea

The announcement of the fresh $5 million reward for cracking down on the flow of funds to North Korea followed the FBI on Thursday attributing the March 23 theft of cryptocurrency worth $620 million to North Korean hackers.

Ronin, which is used by players of the game Axie Infinity, is a decentralized finance, or DeFi, service. DeFi refers to peer-to-peer or pool-based financial services that run on public blockchains such as Ethereum, rather than through a central intermediary. Ronin is run by Vietnam-based game developer Sky Mavis.

Ronin first reported the attack on March 29, six days after it occurred, saying hackers had used social engineering to gain control of five of the nine "validator" nodes of the Ronin bridge. Because any withdrawal from the bridge requires approval from five of the nine validators, controlling that quorum let the attackers sign their own withdrawals and drain the stored funds, including both Ethereum's ether, or ETH, and USD Coin, or USDC, a stablecoin pegged to the U.S. dollar.
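To make the failure mode concrete, here is a toy m-of-n validator bridge. It is an added example, not code from the article or from Sky Mavis: the quorum check itself is correct, yet once an attacker holds five of the nine keys every withdrawal they craft passes it, and only an independent control such as an outflow monitor notices. Assumptions that are not from the article: validator signatures are HMAC-SHA256 over a canonical withdrawal message with a per-validator secret (a stand-in for the ECDSA signatures a real bridge contract verifies against validator public keys), and the validator names, keys, timestamps and the 10,000 outflow cap are constructed; the 173,600 figure is the ETH amount Elliptic reported.

```python
"""Toy 5-of-9 validator bridge with an independent outflow monitor.

Added example; assumptions (not from the article): HMAC-SHA256 stands in for
the ECDSA signatures a real bridge verifies, and all names, keys and caps are
constructed sample data.
"""
import hashlib
import hmac
import json
import secrets

N_VALIDATORS = 9
THRESHOLD = 5  # 5-of-9, as reported for the Ronin bridge


def sign(secret: bytes, message: bytes) -> bytes:
    return hmac.new(secret, message, hashlib.sha256).digest()


def verify(secret: bytes, message: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(secret, message), sig)


class Bridge:
    """Releases funds only when at least `threshold` distinct validators
    signed the same canonical withdrawal message."""

    def __init__(self, validator_keys: dict[str, bytes], threshold: int = THRESHOLD):
        self.validator_keys = validator_keys
        self.threshold = threshold
        self.used_nonces: set[int] = set()
        self.withdrawn = 0

    @staticmethod
    def encode(to: str, amount: int, nonce: int) -> bytes:
        # Canonical encoding so every validator signs identical bytes.
        return json.dumps({"to": to, "amount": amount, "nonce": nonce}, sort_keys=True).encode()

    def withdraw(self, to: str, amount: int, nonce: int, signatures: dict[str, bytes]) -> bool:
        if nonce in self.used_nonces:
            return False  # replay protection
        msg = self.encode(to, amount, nonce)
        signers = {
            name for name, sig in signatures.items()
            if name in self.validator_keys and verify(self.validator_keys[name], msg, sig)
        }
        if len(signers) < self.threshold:
            return False
        self.used_nonces.add(nonce)
        self.withdrawn += amount
        return True


class OutflowMonitor:
    """Off-chain control that does not depend on validator keys: alert when
    bridge outflow within a time window exceeds a cap (constructed numbers)."""

    def __init__(self, cap: int, window_seconds: int = 86_400):
        self.cap = cap
        self.window = window_seconds
        self.events: list[tuple[int, int]] = []

    def record(self, ts: int, amount: int) -> bool:
        self.events = [(t, a) for t, a in self.events if ts - t < self.window]
        self.events.append((ts, amount))
        return sum(a for _, a in self.events) > self.cap  # True means alert


def run_scenario(compromised: int, amount: int = 173_600) -> dict:
    """Attacker holds `compromised` of the 9 validator keys and tries one withdrawal."""
    keys = {f"validator-{i}": secrets.token_bytes(32) for i in range(N_VALIDATORS)}
    bridge = Bridge(keys)
    monitor = OutflowMonitor(cap=10_000)
    msg = Bridge.encode("0xattacker", amount, 1)
    stolen = dict(list(keys.items())[:compromised])
    sigs = {name: sign(key, msg) for name, key in stolen.items()}
    # Forged signatures for the keys the attacker does not hold are rejected.
    sigs.update({name: secrets.token_bytes(32) for name in keys if name not in stolen})
    ok = bridge.withdraw("0xattacker", amount, 1, sigs)
    alert = monitor.record(ts=0, amount=amount) if ok else False
    return {"withdrawn": ok, "alert": alert, "balance_out": bridge.withdrawn}


if __name__ == "__main__":
    for k in (4, 5):
        print(k, "keys compromised ->", run_scenario(k))
```

With four keys the withdrawal is refused; with five it succeeds and the contract has no way to tell an attacker's quorum from an honest one. The monitor is the kind of control that fires the same day rather than six days later, which is the gap the timeline above exposes.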

"Through our investigation we were able to confirm Lazarus Group and APT38, cyber actors associated with the DPRK, are responsible for the theft," the FBI says.

Lazarus Group has been tied to numerous attacks, most recently including a spear-phishing campaign that used a Trojanized DeFi application. Both it and the group given the codename APT38 by researchers are believed to be run by North Korea's primary intelligence agency, the Reconnaissance General Bureau.

The U.S. Treasury Department's Office of Foreign Assets Control on Thursday sanctioned the cryptocurrency wallet address that received the stolen funds and listed its owner as Lazarus Group, according to Ronin Network and blockchain analysis firms. The OFAC designation prohibits U.S. persons from conducting any transactions involving the wallet address.

Elliptic says the heist ranks as the second-largest cryptocurrency theft in history and that the attackers quickly began attempting to launder the 173,600 ETH and 25.5 million USDC they stole from Ronin.

Source: Elliptic

Elliptic says in a blog post that the attackers first converted the stolen USDC to ETH using decentralized exchanges, which let them avoid the anti-money laundering and "know your customer" checks a centralized exchange would apply, and then tried to launder $16.7 million worth of ETH via centralized exchanges.

"As the affected exchanges publicly announced that they would work with law enforcement to establish their identity, the attacker changed their laundering strategy to instead make use of Tornado Cash - a popular smart contract-based mixer on the Ethereum blockchain," Elliptic reports.

Of the roughly $540 million worth of ETH and USDC stolen, by Elliptic's count, $107 million worth of the stolen ETH has so far been sent to Tornado Cash, the firm reports.

With authorities now tracking the stolen funds, exchanges that comply with AML, KYC and U.S. sanctions should be able to help prevent North Korea from laundering much more.
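The screening an exchange applies to incoming deposits can be modelled as taint propagation over the transfer graph. The following is an added example, not code from the article, Elliptic or any exchange: it applies proportional ("haircut") taint from a sanctioned address through intermediate hops, flags a deposit address whose balance is largely derived from that source, and counts funds entering a mixer without attempting to follow them out, because graph tracing alone cannot link mixer inputs to outputs. All addresses, amounts and the sanctioned-address label are constructed sample data; the real OFAC-listed wallet address is not reproduced here, and the model tracks a single asset, so the USDC-to-ETH swaps through decentralized exchanges are not represented.

```python
"""Proportional taint tracing over a constructed transfer ledger.

Added example; every address and amount below is constructed sample data, not
taken from the article or from any chain-analysis product.
"""
from collections import defaultdict


class TaintTracker:
    def __init__(self, sanctioned: set[str], mixers: set[str]):
        self.sanctioned = sanctioned
        self.mixers = mixers
        self.balance: dict[str, float] = defaultdict(float)
        self.tainted: dict[str, float] = defaultdict(float)
        self.mixer_inflow_tainted = 0.0  # tainted value that entered a mixer

    def fraction(self, addr: str) -> float:
        """Share of an address's current balance traced to a sanctioned source."""
        if addr in self.sanctioned:
            return 1.0
        if addr in self.mixers or self.balance[addr] <= 0:
            # Mixer outputs are unlinkable by graph tracing; an address we have
            # never seen funded is treated as an unknown, clean source.
            return 0.0
        return self.tainted[addr] / self.balance[addr]

    def apply(self, src: str, dst: str, amount: float) -> None:
        frac = self.fraction(src)
        if src not in self.sanctioned and self.balance[src] > 0:
            self.balance[src] -= amount
            self.tainted[src] -= amount * frac
        if dst in self.mixers:
            self.mixer_inflow_tainted += amount * frac
            return  # tracing stops at the mixer
        self.balance[dst] += amount
        self.tainted[dst] += amount * frac

    def screen_deposit(self, addr: str, threshold: float = 0.1) -> tuple[float, bool]:
        """Exchange-side check: (taint fraction, should this deposit be held?)."""
        f = self.fraction(addr)
        return f, f >= threshold


# Constructed ledger: sanctioned address -> hop1 -> (hop2, mixer); hop2 -> exchange.
SAMPLE_TRANSFERS = [
    ("0xSDN_example", "0xhop1", 100.0),
    ("0xclean_lp", "0xhop2", 40.0),
    ("0xhop1", "0xhop2", 60.0),
    ("0xhop1", "0xMIXER_example", 40.0),
    ("0xhop2", "0xexchange_deposit", 50.0),
    ("0xMIXER_example", "0xfresh", 40.0),
]


def trace(transfers=SAMPLE_TRANSFERS) -> TaintTracker:
    tracker = TaintTracker(sanctioned={"0xSDN_example"}, mixers={"0xMIXER_example"})
    for src, dst, amount in transfers:
        tracker.apply(src, dst, amount)
    return tracker


if __name__ == "__main__":
    t = trace()
    print("exchange deposit:", t.screen_deposit("0xexchange_deposit"))
    print("post-mixer address:", t.screen_deposit("0xfresh"))
    print("tainted value sent to mixer:", t.mixer_inflow_tainted)
```

The exchange deposit address ends up 60% tainted and is flagged even though it sits two hops from the sanctioned address, which is why the attackers' first attempts at centralized exchanges were noticed. The address funded from the mixer scores zero, which is exactly the limitation that pushed the laundering toward Tornado Cash; attributing those outputs needs timing, amount and other heuristics that this model deliberately omits.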

"With recent reports that North Korea may be again preparing for nuclear testing, today's sanctions activity highlights the importance of ensuring that Lazarus Group is not able to successfully launder the proceeds of these attacks," Elliptic says.

Developer Sentenced After Pyongyang Presentation

The U.S. government continues to pursue Americans and others who violate its sanctions on North Korea.

American developer Virgil Griffith (Photo: Lulu Lorien, via Wikimedia)

On Tuesday, the Department of Justice announced that U.S. citizen Virgil Griffith, 39, had pleaded guilty to conspiracy to violate the International Emergency Economic Powers Act, which prohibits Americans from exporting any goods, services or technology to North Korea without a license from OFAC.

The DOJ says Alabama-born Griffith, who has a doctorate from the California Institute of Technology in computation and neural systems, around 2018 had begun "formulating plans … to provide services to individuals in the DPRK by developing and funding cryptocurrency infrastructure there, including to mine cryptocurrency," as well as facilitate the transfer of cryptocurrency from the DPRK to South Korea.

In addition, despite being prohibited by the State Department from traveling to North Korea, Griffith attended the Pyongyang Blockchain and Cryptocurrency Conference in April 2019, where he delivered presentations that "provided instruction on how the DPRK could use blockchain and cryptocurrency technology to launder money and evade sanctions," the DOJ says. "Griffith knew that the DPRK could use these services to evade and avoid U.S. sanctions, and to fund its nuclear weapons program and other illicit activities."

At the time of his arrest at Los Angeles International Airport in November 2019, Griffith was a research scientist at the Ethereum Foundation and a resident of Singapore. He had been researching how to renounce his U.S. citizenship and purchase citizenship with a new country, according to a criminal complaint.

Facing up to 20 years in prison, Griffith last week was sentenced to serve five years and three months in prison and ordered to pay a fine of $100,000.

About the Author

Mathew J. Schwartz


Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
