US seizes half a million dollars that were stolen by suspected North Korean hackers

The US Department of Justice has seized half a million dollars worth of bitcoin from suspected North Korean hackers.

The hackers attacked healthcare providers with a new variety of ransomware (software that holds data hostage) and extorted several organizations.

The unusual and successful seizure comes as US authorities warn that North Korea is becoming a major ransomware threat.

At a conference on Tuesday, Deputy Attorney General Lisa O. Monaco praised an unnamed Kansas hospital for alerting the FBI early about the attack.

“Not only did this allow us to recover their ransom payment, as well as a ransom paid by previously unknown victims, but we were also able to identify a previously unidentified strain of ransomware,” she said.

Hackers targeted hospital

According to court documents, the hackers used the ransomware strain called Maui to encrypt the files and servers of a medical center in Kansas in May 2021.

Typically, ransomware hackers use malicious software to encrypt data or lock users out of the system until a ransom is paid.


The Kansas hospital passed a week without being able to access their systems computer scientists. She then decided to pay approximately $100,000 in bitcoin to recover the use of the computers and equipment from him.

It is not illegal to pay ransoms to hackers, but it is discouraged by law enforcement organizations around the world.

The FBI said the medical center promptly notified it of the payment, which meant agents were able to identify the previously unknown North Korea-linked ransomware and trace the cryptocurrency to a China-based money laundering group.

Agents also identified another $120,000 bitcoin payment made to one of the criminals’ cryptocurrency accounts.

It turned out to be from a medical provider in Colorado who had just paid a ransom after being hacked with Maui ransomware.

The FBI reported that it returned the money to the two health care providers, but did not say where the rest of the seized funds came from.

How did it happen?

It is not known exactly how the FBI was able to seize the funds, but Tom Robinson, founder and chief scientist at Elliptic, a firm that analyzes bitcoin payments, told the BBC it may have happened when the hackers tried to convert the cryptocurrency into traditional currency.

“It is likely that investigators were able to trace the cryptocurrency to a currency exchange platform where the launderers would have sent the funds to collect. Currency exchange is a regulated business and they can confiscate their clients’ funds if they are forced by the authorities,” he said.


Seizure of stolen cryptocurrency usually involves arresting cybercriminals to gain access to their digital wallets.

“Another possibility is that the cryptocurrency was seized directly from the launderers’ own wallet. This is more difficult to do, as it would require access to the wallet’s private key,” he added.

U.S. authorities are increasingly using new tactics to recover extortion funds from cybercriminals operating in jurisdictions such as North Korea and Russia, where law enforcement agencies do not cooperate with Western requests for assistance.

“These seizures are still very rare and highlight the value of quickly reporting cyberextortion incidents and working with authorities,” said Jen Ellis of cybersecurity firm Rapid7.

“They will not be able to recover payment in all cases, but the more information they have about the tactics, techniques and procedures of attacking groups, the more likely they will be able to disrupt, deter and respond to attacks, which benefits everyone,” she said.


Last June, the US recovered most of the $4.4 million ransom paid by Colonial Pipeline to a cybercriminal gang believed to be based in Russia.

In November 2021, the US also recovered $6 million from another ransomware gang called REvil with strong ties to Russia.

North Korean ransomware

In addition to the traditional elements of state espionage, North Korea has been accused for many years of running hacks aimed at making money for the secretive country.

North Korea’s hacking activity is often attributed to the so-called Lazarus Group, which has been accused of trying to steal $1 billion from a Bangladeshi bank in 2016.

In the past year, the group has been linked to lucrative attacks on cryptocurrency platforms, but last month US cybersecurity authorities issued a warning about North Korean hackers launching ransomware attacks on hospitals in the US.

The authorities provided no evidence that North Korea was behind the attacks, but the joint cybersecurity advisory on the Maui ransomware indicated that it had been “used by North Korean state-sponsored cyber actors since at least May 2021 to target healthcare organizations.”
