Hackers tied to a North Korean military intelligence agency stole USD 1.3 billion in money and cryptocurrency from companies and financial institutions, according to U.S. prosecutors
By Samuel Rubenfeld
Thursday, February 18, 2021
A Canadian-American dual national pleaded guilty to a criminal charge related to his role as a money launderer in a number of schemes, including a vast North Korean cybercriminal conspiracy, prosecutors said.
Ghaleb Alaumary, who lived in Mississauga, Ontario, Canada, admitted to laundering about USD 47.5 million stolen from an English soccer club, a U.S. federal contractor and others, including banks victimized by the billion-dollar North Korean cybercrime conspiracy, according to court records reviewed by Kharon.
Hackers tied to a North Korean military intelligence agency were charged in an indictment unsealed Wednesday with participating in the wide-ranging cybercriminal conspiracy to steal and extort more than USD 1.3 billion of money and cryptocurrency through ATM cash-out schemes, ransomware, extortion, cyberheists on banks and other methods.
Alaumary, who is nicknamed “G,” “Backwood” and “Big Boss,” had pleaded guilty in November 2020 and “was a prolific money launderer,” prosecutors said Wednesday. He is also being prosecuted in Georgia for his involvement in a separate business email compromise (BEC) scheme, prosecutors said.
Between August 2018 and October 2019, Alaumary had worked with at least four unindicted co-conspirators and Ramon Olorunwa Abbas, a Nigerian social media influencer who goes by the name “Ray Hushpuppi,” according to Alaumary’s plea agreement.
Abbas, known for flaunting his lavish lifestyle, was charged by U.S. prosecutors last year in an unrelated case in which he allegedly conspired to launder hundreds of millions of dollars from BEC frauds and other scams. The trial in Abbas’ case is scheduled for May 2021, according to the court docket.
Though Alaumary’s plea agreement does not directly attribute the origin of the funds he laundered, the transactions involved “property that represented the proceeds of wire fraud and computer fraud/hacking,” and some of the money came from victims cited in the North Korean cybercrime conspiracy indictment, Kharon found.
Alaumary managed a crew of people in the ATM cash-out scheme who withdrew funds at his direction after the hackers had credited money to debit card accounts, according to the indictment of the North Korean hackers, as well as his plea deal.
He also communicated with one of the North Korean hackers regarding bank accounts that could receive false wire transfers from a Maltese lender, the indictment said. Alaumary worked to locate an appropriate account, often a U.S. business bank account, into which funds from the cyberheist and BEC schemes could be deposited, according to his plea deal.
Abbas helped Alaumary find an account at a Romanian bank that could receive funds from the victimized Maltese bank, saying the account could handle “large amounts,” according to a statement of facts attached to the plea deal. “[M]y associates want u to clear as soon it hits...If they don’t notice we keep pumping,” Alaumary said to Abbas, the statement of facts said.
After obtaining the money through an ATM cash-out, bank cyber-heist or BEC scheme, Alaumary, Abbas and the others “would further launder the funds through a variety of means,” including wire transfers to other accounts; cash withdrawals; or exchanging the funds for cryptocurrency, according to the statement of facts. Alaumary and his co-conspirators attempted to fraudulently obtain and launder hundreds of millions of dollars this way, the statement of facts said.
In Georgia, Alaumary appears to be charged in two separate criminal cases, court records show. In one, sentencing is scheduled for June 2021, according to a court order filed in January. In the other, proceedings have been paused amid the COVID-19 pandemic. Both cases concern the use of personal identifying information (PII) obtained from individuals without their consent to establish accounts in their names for depositing laundered funds, according to court records reviewed by Kharon.
The North Korean cybercrime conspiracy involved three members of Reconnaissance General Bureau (RGB) units who were at times stationed by the government in other countries, including Russia and China, according to prosecutors.
The RGB was sanctioned by the U.S. in 2010, and by the United Nations in 2016. In addition to its role as the main entity responsible for North Korean malign cyber activities, the RGB is also the country’s principal intelligence agency and is involved in the arms trade, the U.S. Treasury Department said in September 2019 when imposing sanctions on three of its hacking units.
Park Jin Hyok, one of the individuals indicted in the case, had previously been charged in a 2018 criminal complaint; the latest allegations expand upon that original case, prosecutors said Wednesday. Park was sanctioned by the U.S. alongside his employer, Korea Expo Joint Venture, a company that operated online gambling sites, Kharon reported in March 2019.
Park and his co-defendants, Kim Il and Jon Chang Hyok, are wanted by the FBI. They broke into victims’ computers to cause damage, steal data and money, and otherwise advance the strategic and financial interests of the North Korean government and its leader, Kim Jong Un, prosecutors said.
“North Korea’s operatives, using keyboards rather than guns, stealing digital wallets of cryptocurrency instead of sacks of cash, are the world’s leading bank robbers,” said John Demers, assistant attorney general of the Justice Department’s National Security Division.
The North Korean schemes alleged in the indictment involved attacks on the entertainment industry, heists from banks and cryptocurrency firms, ATM cash-out thefts, ransomware and extortion, and the creation and deployment of malicious cryptocurrency applications, prosecutors said. In another scheme, the hackers allegedly developed and marketed a blockchain-supported token enabling investors to buy fractional ownership stakes in shipping vessels in order to secretly obtain the investors’ funds, prosecutors said.
Often, the intrusions started with spear-phishing emails designed to make victims download malware, while in other cases the messages encouraged victims to download or invest in cryptocurrency-related software programs the hackers had created, the indictment said. To hone their messages, the hackers researched their intended victims and sent test messages to each other or to themselves before sending them to their targets under false personas, the indictment said.
In addition to the criminal charges, prosecutors also obtained warrants authorizing the seizure of cryptocurrency stolen by the hackers held at two exchanges. The assets, worth about USD 1.9 million, were taken from a financial services company based in New York, prosecutors said.
The U.S. government also issued a cybersecurity advisory on Wednesday about North Korean government malicious activity it refers to as “AppleJeus,” highlighting technical details, as well as mitigations both for networks that are already compromised and for those seeking to defend themselves.
North Korean hackers have used the malware, which poses as a cryptocurrency trading application, since 2018, the advisory said. The most recent version, known as Ants2Whale, was developed in September 2020, according to the indictment, and was identified late last year, the advisory said.