DOJ and Cyber Command partner up in civil forfeiture claim targeting North Korea’s financial hacks

The DOJ and DOD are taking aim at North Korean government’s hacking of two cryptocurrency exchanges last year.

The U.S. Department of Justice has filed a civil forfeiture complaint targeting the North Korean government’s hacking of two cryptocurrency exchanges last year.

The hacks, which allegedly took place in July 2019 and September 2019, resulted in the theft of millions of dollars’ worth of cryptocurrency and financial instruments, according to the DOJ’s complaint, which was filed in a Washington, D.C. federal court on Thursday.

The filing comes amid a broad effort in the U.S. government to hold North Korea accountable for its hacking operations, particularly those that seek to fund the regime amid international sanctions.

It comes just one day after the U.S. government exposed details of other, more recent North Korean government financial hacking operations — aimed at stealing cash from ATMs around the globe.

But the complaint filed Thursday reveals a new wrinkle in the U.S. military’s efforts to target North Korean hacking: The DOJ said it was able to track down the details of the North Korean hacking operations, in part, due to assistance from U.S. Cyber Command, the Department of Defense’s offensive cyber-operations outfit. Over the course of the last two years, Cyber Command has been working to publicly expose North Korean hacking operations by sharing malware samples on the malware-sharing repository VirusTotal. The assistance cited in the complaint Thursday is a sign that the Pentagon’s “persistent engagement” strategy — its effort to compete with adversaries in cyberspace so frequently that their operations deteriorate — extends beyond just running cyber-operations to interfere with adversaries. It can also lead to legal action against hackers.

“At U.S. Cyber Command, we leverage a persistent engagement approach to challenge our adversaries’ actions in cyberspace,” Brig. Gen. Joe Hartman, the Commander of the Cyber Command Cyber National Mission Force, said in a statement. “This includes disrupting North Korean efforts to illicitly generate revenue. Department of Defense cyber operations do not occur in isolation. Persistent engagement includes acting through cyber-enabled operations as much as it does sharing information with our interagency partners to do the same.”

The DOJ on Thursday pointed to Cyber Command’s malware-sharing page on VirusTotal for those interested in learning more information about the alleged hacks.

According to the DOJ complaint, shortly before the hackers allegedly stole 401,981,748 Proton Tokens (PTT) from a virtual currency exchange in July 2019, for instance, the attackers worked with a piece of malware related to North Korean attacks against cryptocurrency exchanges dating to 2017. That piece of malware, “according to a website tracking malware submitted by community users,” is used in conjunction with a Korean word processor file and allows attackers to execute code and gain access to target computers and networks, the DOJ said.

The complaint was also filed in part to show the U.S. government is working to track down the broader network of criminals the North Korean government has allegedly recruited to operate on its behalf. Namely, the U.S. government wants to send a warning shot that Chinese nationals working to help North Korea’s illicit activities will be held accountable, according to Acting Assistant Attorney General Brian C. Rabbitt of the Justice Department’s Criminal Division.

Two Chinese nationals whom the DOJ and Treasury Department have previously charged with helping launder proceeds of North Korean virtual currency exchange hacks were also involved in the hacks detailed in the complaint revealed Thursday, the DOJ said.

“Today’s action publicly exposes the ongoing connections between North Korea’s cyber-hacking program and a Chinese cryptocurrency money laundering network,” Rabbitt said in a statement. “This case underscores the department’s ongoing commitment to counter the threat presented by North Korean cyber hackers by exposing their criminal networks and tracing and seizing their ill-gotten gains.”



Written by Shannon Vavra

Shannon Vavra covers the NSA, Cyber Command, espionage, and cyber-operations for CyberScoop. She previously worked at Axios as a news reporter, covering breaking political news, foreign policy, and cybersecurity. She has appeared on live national television and radio to discuss her reporting, including on MSNBC, Fox News, Fox Business, CBS, Al Jazeera, NPR, WTOP, as well as on podcasts including Motherboard’s CYBER and The CyberWire’s Caveat. Shannon hails from Chicago and received her bachelor’s degree from Tufts University.
