This article was published on June 20, 2022

Inside North Korea’s global cyber war: The intersection of hacking and organized crime

Geoff White shares findings about the notorious Lazarus Group



While the vast majority of citizens in North Korea don’t have access to the global internet, the country has become a hacking superpower — but how?

Speaking at the TNW Conference 2022, author and investigative journalist Geoff White addressed this perplexing contradiction.

“The case of North Korea is unique in the world, and therefore its computer hackers are absolutely unique in the world as well,” he explained.

The fact that most governments employ computer hackers isn’t news. They employ them to obtain advantageous information that they can use to advance their country’s position.

According to White, North Korean hackers do something slightly different: they go after cash as well.

That’s because North Korea is economically isolated from the rest of the world, as it’s subject to international financial sanctions. It needs to find alternative monetary resources.

“So the accusation is it’s tasked its government hackers to go out and steal money for the regime,” White added. “Researchers call these hackers the Lazarus Group.

But hacking is just the start of it. If I hack your bank accounts, and I steal your money, that’s fine, but I’ve got to put it somewhere. I’ve got to launder the money and I’ve got to get access to it. Computer hackers aren’t necessarily the best at all of that other stuff.

But I’ll tell you who is… organized criminals. And so North Korea’s hackers have started working with organized crime, which can provide the necessary networks.

To illustrate how the country's government hackers get into bed with organized criminals, White gave the TNW audience two examples of alleged North Korean cyberattacks.

1. Cosmos Co Op bank

Back in 2018, the Lazarus Group infiltrated the Indian bank through phishing emails sent to employees.

Once inside the bank’s system, they navigated their way to the ATM payment system and manipulated every ATM withdrawal request that went into Cosmos Co Op bank.

They took the details of 450 genuine account holders (account number, PIN, personal data, etc.) and sent those details to accomplices around the world, who then produced cloned ATM cards for those accounts.

That way, they made $11 million, withdrawn across 29 countries within two hours and 13 minutes.

The question here is who coordinated the attack, White noted.

Based on investigators' findings, it was Park Jin Hyok. According to the US Department of Justice, he is a member of an elite North Korean hacking unit.

But how could he coordinate an attack in 29 different countries from Pyongyang, North Korea's capital city? For that he needed accomplices, and what's the best place to look? The dark web, of course.

There he found someone calling himself “Big Boss,” who turned out to have the necessary skill set. He can clone cards and also has a network of runners — money mules, who can go to the ATMs and make withdrawals.”

2. The Bank of Valletta

The first cooperation of the Lazarus Group and Big Boss was so successful that in 2019 they attacked the Bank of Valletta in Malta.

Once again, they found their way into the bank through phishing emails. But this time the hackers didn't do any ATM withdrawals. White's theory is that they used SWIFT transfers instead, seeking to bypass the previous challenge of somehow getting the cashed-out money to North Korea.

Now the problem with SWIFT is that you need a bank account to put the money into. But which account were they going to use? Kim Jong-un courtesy of Pyongyang central bank? I don’t think so.

They needed accounts they could put the money into and then launder it through. Luckily for the hackers, Big Boss had the perfect man for the job: "HushPuppi." He had bank accounts around the world that could be used for money laundering.

This time they stole $13 million. Fortunately, Big Boss was arrested shortly afterwards in the US for other criminal activity, which in turn led to the arrest of HushPuppi in Dubai.

While both have been sentenced to prison, Park Jin Hyok has yet to face justice. "For its part, North Korea says these allegations are a smear campaign by the US and that they have nothing to do with these computer hacking campaigns," White explained.

If you're interested in finding out more about the activities of the Lazarus Group, you can listen to Geoff White's podcast The Lazarus Heist, or read his book of the same name.
