The U.S. Department of Justice (DOJ) has charged three North Korean computer programmers with theft and extortion on various allegations, including stealing over $100 million in cryptocurrencies between 2017 and 2020.

The thefts are part of a broader conspiracy in which the alleged hackers stole over $1.3 billion, the DOJ announced Wednesday. In a related second case, a Canadian-American was charged with participating in a money laundering scheme.

In a statement, Assistant Attorney General John Demers said, “As laid out in today’s indictment, North Korea’s operatives, using keyboards rather than guns, stealing digital wallets of cryptocurrency instead of sacks of cash, are the world’s leading bank robbers.”

Jon Chang Hyok, Kim Il and Park Jin Hyok have been charged with criminal hacking and other crimes, and are allegedly a part of the Lazarus Group cybercrime ring, according to a press release. The three were allegedly behind the 2014 hack of Sony Pictures Entertainment, which appeared to be a retaliatory move for producing The Interview, a comedy film about the assassination of North Korean leader Kim Jong Un.

The hackers targeted “hundreds of cryptocurrency companies” and stole “tens of millions of dollars’ worth of cryptocurrency,” according to the press release.

This included “$75 million from a Slovenian cryptocurrency company in December 2017; $24.9 million from an Indonesian cryptocurrency company in September 2018; and $11.8 million from a financial services company in New York in August 2020 in which the hackers used the malicious CryptoNeuro Trader application as a backdoor,” the press release said.

Just last week, the United Nations alleged that North Korea was funding its nuclear weapons program using funds from hacked cryptocurrency exchanges, alongside other thefts. The U.N. believes that over $300 million in crypto assets have been stolen by various North Korean hackers.

Initial coin offerings

The defendants raised funds using initial coin offerings (ICOs) as well, the indictment alleged. Specifically, it claims that Kim Il tried raising funds through the Marine Chain ICO, which the U.N. suspected was affiliated with the North Korean government last year.

The defendants created a digital token representing fractional ownership in marine shipping vessels and marketed it to individuals in Singapore, the indictment alleged.

“Defendant KIM IL and other conspirators would not disclose to these individuals that the conspirators were DPRK citizens or that they were communicating using false and fraudulent names. They also would not disclose to investors that a purpose of the Marine Chain Token was to evade United States sanctions on North Korea,” the indictment said.

It’s unclear how much the Marine Chain ICO raised.

Evan Kohlmann, the chief innovation officer of cybersecurity and risk intelligence firm Flashpoint, told CoinDesk, “Countries like North Korea will continue to create schemes to avoid U.S. sanctions. The DoJ indictment highlights the breadth of North Korean malicious cyber intrusions targeting entertainment, finance, defense, energy, government, and technology companies.”

Countries could try cashing out through ATMs in addition to using ICOs or malware to steal cryptocurrencies, he said.

Advisory

In addition to Wednesday’s indictment, the FBI, Cybersecurity and Infrastructure Security Agency (CISA) and Department of Treasury published a joint advisory about a crypto malware produced by North Korea.

The advisory, which includes seven malware analysis reports (MARs) with technical details about the AppleJeus malware, details how the program was installed on victim machines.

“This report catalogues AppleJeus malware in detail. North Korea has used AppleJeus malware posing as cryptocurrency trading platforms since at least 2018. In most instances, the malicious application – seen on both Windows and Mac operating systems – appears to be from a legitimate cryptocurrency trading company, thus fooling individuals into downloading it as a third-party application from a website that seems legitimate,” the notice said.

The threat actors targeted companies in the U.S., Canada, Brazil, Argentina, Australia, New Zealand, India, China, Russia, Israel, Saudi Arabia, South Korea and over a dozen others, according to the alert.

Read the full indictment below:

UPDATE (Feb. 17, 2021, 17:50 UTC): Edits and updates throughout.