US Sanctions Three Alleged Crypto Hacking Groups From North Korea

The U.S. Treasury mentioned cryptocurrency thefts as one of the reasons for the action against the Lazarus Group, Bluenoroff and Andariel.

AccessTimeIconSep 16, 2019 at 8:00 a.m. UTC
Updated Sep 13, 2021 at 11:27 a.m. UTC

The U.S. has sanctioned three North Korean entities for cyber crimes, mentioning cryptocurrency thefts as one of the reasons for the action.

In a Sept. 13 announcement, the U.S. Department of the Treasury identified the Lazarus Group, Bluenoroff and Andariel as entities now on its the sanctions list, who are believed to be responsible for the theft of $571 million worth of cryptos from five exchanges in Asia in 2017 and 2018.

The announcement comes just days after the North said that it would be holdings its second cryptocurrency-related conference, inviting the community to share information and do deals next February in Pyongyang.

The Treasury department said the stolen funds, including coins from cryptocurrency exchanges, are believed to have been used in the development of nuclear weapons and ballistic missiles.

As a result of the designation, all assets owned or controlled by any of the three entities are now blocked and must be reported to Office of Foreign Assets Control (OFAC). The announcement said that "U.S. persons," which broadly includes citizens, residents and companies incorporated in the U.S., are generally prohibited from dealing with the blocked entities. Anyone violating the sanctions could themselves be subject to designation by the Treasury.

Further, any financial institution in any country that deals with the blocked entities could lose their correspondent banking relationships with U.S. financial institutions, essentially locking them out of the dollar market.

Lazarus, which is the parent of the other two groups and also known as Apple Worm and Guardians of Peace, was involved in the WannaCry 2.0 ransomware attacks of 2017, the announcement added.

Bluenoroff, which came to the attention of security companies in 2014 and is sometimes known as APT38 or Stardust Chollima, has stolen funds from financial institutions, including $80 million from the Central Bank of Bangladesh, and has targeted cryptocurrency exchanges.

Andariel was first noticed by the internet security community in 2015 and is also attempting to engage in theft and sow confusion. It was said to be responsible for a 2016 hack into the personal computer of the South Korean Defense Minister.

All three groups are controlled by North Korea and related to the Reconnaissance General Bureau (RGB), according to the announcement.

A recent U.N. report alleges that the North has stolen $2 billion worth of crypto and fiat currencies in 35 separate attacks in 17 countries. South Korea's UPbit exchange may have been one of the targets, with the North using phishing attacks to gain control of the computers of customers.

North Korea image via Shutterstock


Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.