Civil forfeiture complaint will seize 280 cryptocurrency wallets related to cyberattacks
The US Department of Justice (DOJ) filed a civil forfeiture complaint yesterday to gain control of 280 cryptocurrency wallets connected to North Korean cyberattacks. The accounts are connected to the compromise of two cryptocurrency exchanges. In those cyberattacks, millions of dollars' worth of cryptocurrency was stolen by North Korean threat actors and laundered through Chinese cryptocurrency traders.
“Today’s action publicly exposes the ongoing connections between North Korea’s cyber-hacking program and a Chinese cryptocurrency money laundering network,” said Acting Assistant Attorney General Brian C. Rabbitt of the Justice Department’s Criminal Division.
The US government refers to North Korea's state-sponsored threat actors as HIDDENCOBRA. Last week, four federal agencies disclosed information about a subset of HIDDENCOBRA referred to as BeagleBoyz. This group of North Korean hackers has attempted to steal nearly $2 billion USD since it was first detected in 2015. Its latest cyberattacks include the FASTCash ATM cash-out and money transfer scheme, which is actively targeting banks worldwide, including those in the United States.
Crypto chain hopping is a form of money laundering used by cyber criminals to move stolen money. Threat actors convert stolen funds into cryptocurrency, then swap repeatedly between exchanges and cryptocurrencies such as Bitcoin or Ethereum. The object is to make the funds harder to trace, since each swap breaks the transaction trail on one blockchain and starts a new one on another. Crypto chain hopping is named for the technology behind cryptocurrencies: the blockchain. Like other criminal activity, chain hopping is offered as a service to mule money across borders and currencies.
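To show why chain hopping defeats single-chain tracing, and what an investigator needs to get past it, here is an added example (not from the article or the DOJ filing) that walks a constructed ledger of transfers from a seed wallet and follows known exchange swap records across chains. All addresses, chains, amounts and the swap record are placeholders I made up for the demonstration.

```python
from collections import deque

# Constructed sample ledger (placeholder addresses, not real transactions):
# (chain, sender, receiver, amount)
TRANSFERS = [
    ("BTC", "btc_theft_wallet", "btc_exchange_deposit", 10.0),
    ("ETH", "eth_exchange_payout", "eth_layer_1", 150.0),
    ("ETH", "eth_layer_1", "eth_layer_2", 149.5),
    ("ETH", "eth_layer_2", "eth_otc_trader", 149.0),
    ("BTC", "btc_unrelated", "btc_other", 1.0),  # noise; must not be reached
]

# Constructed exchange records linking a deposit on one chain to the payout
# on another. This link lives in the exchange's books, not on either chain,
# which is exactly the gap that chain hopping exploits.
SWAPS = {("BTC", "btc_exchange_deposit"): ("ETH", "eth_exchange_payout")}


def trace_funds(seed_chain, seed_addr):
    """Breadth-first walk of outgoing transfers from a seed wallet, crossing
    chains wherever a swap record is known. Returns the terminal wallets
    reached, the chains traversed, and how many chain hops the funds made."""
    outgoing = {}
    for chain, src, dst, _amt in TRANSFERS:
        outgoing.setdefault((chain, src), []).append((chain, dst))
    seen = set()
    queue = deque([((seed_chain, seed_addr), 0)])
    terminals, chains, max_hops = set(), set(), 0
    while queue:
        node, hops = queue.popleft()
        if node in seen:
            continue
        seen.add(node)
        chains.add(node[0])
        max_hops = max(max_hops, hops)
        successors = list(outgoing.get(node, []))
        if node in SWAPS:  # off-chain link: continue on the other chain
            successors.append(SWAPS[node])
        if not successors:  # funds came to rest here (as far as we can see)
            terminals.add(node)
        for nxt in successors:
            queue.append((nxt, hops + (nxt[0] != node[0])))
    return {"terminals": terminals, "chains": chains, "hops": max_hops}


if __name__ == "__main__":
    print(trace_funds("BTC", "btc_theft_wallet"))
```

Without the SWAPS record the walk stops dead at the exchange deposit address; with it, the trail continues to the OTC trader wallet on the second chain, which is the kind of linkage that only exchange cooperation or subpoenaed records provide.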
What is the purpose of civil forfeiture?
Civil forfeiture, also called civil asset forfeiture or civil judicial forfeiture, is a legal proceeding that allows the courts to seize property that has been involved in a crime. In this case, the DOJ seeks to gain control of cryptocurrency wallets that North Korean threat actors have used to move stolen money.
Because this is a civil forfeiture filing, no criminal charges are necessary to seize the money.
The investigation was conducted by the IRS Criminal Investigation (IRS-CI) Washington, D.C. Cyber Crimes Unit, the FBI Field Offices in Chicago and Atlanta, and the US Immigration and Customs Enforcement's Homeland Security Investigations (HSI) Colorado Springs Office, with the support of the FBI Field Office in San Francisco.
“These actors stole millions of dollars’ worth of cryptocurrency and ultimately laundered the funds through Chinese over-the-counter (OTC) cryptocurrency traders,” says the DOJ press release.
North Korean Cyberattacks
Just this week, federal agencies issued a joint advisory warning of ongoing North Korean threat actors targeting banks across the globe. BeagleBoyz threat actors are part of North Korea's HIDDENCOBRA advanced persistent threat group, APT38.
Advanced Persistent Threat Group 38 (APT38) is also known to cyber security researchers as Lazarus, Bluenoroff, HIDDEN COBRA, and Stardust Chollima.
Earlier in the month, US DHS issued Malware Analysis Report AR20-232A detailing a new Trojan, BLINDINGCAN, used by North Korea's HIDDENCOBRA.
HIDDENCOBRA is also targeting defense contractors and people with high-level security clearances related to the US defense industry with fake job postings. The object is to infect the victim’s computer with malware and exfiltrate sensitive US defense systems information.