DOJ Charges 3 North Korean Hackers With Stealing $100M+ From Crypto Firms

The hackers allegedly stole over $1.3 billion overall through various schemes.

AccessTimeIconFeb 17, 2021 at 4:54 p.m. UTC
Updated Sep 14, 2021 at 12:12 p.m. UTC
10 Years of Decentralizing the Future
May 29-31, 2024 - Austin, TexasThe biggest and most established global hub for everything crypto, blockchain and Web3.Register Now

The U.S. Department of Justice (DOJ) has charged three North Korean computer programmers with theft and extortion on various allegations, including stealing over $100 million in cryptocurrencies between 2017 and 2020.

The thefts are part of a broader conspiracy in which the alleged hackers stole over $1.3 billion, the DOJ announced Wednesday. In a related second case, a Canadian-American was charged with participating in a money laundering scheme.

In a statement, Assistant Attorney General John Demers said, "As laid out in today’s indictment, North Korea’s operatives, using keyboards rather than guns, stealing digital wallets of cryptocurrency instead of sacks of cash, are the world’s leading bank robbers."

Jon Chang Hyok, Kim Il and Park Jin Hyok have been charged with criminal hacking and other crimes, and are allegedly a part of the Lazarus Group cybercrime ring, according to a press release. The three were allegedly behind the 2014 hack of Sony Pictures Entertainment, which appeared to be a retaliatory move for producing The Interview, a comedy film about the assassination of North Korean leader Kim Jong Un.

The hackers targeted "hundreds of cryptocurrency companies" and stole "tens of millions of dollars' worth of cryptocurrency," according to the press release.

This included "$75 million from a Slovenian cryptocurrency company in December 2017; $24.9 million from an Indonesian cryptocurrency company in September 2018; and $11.8 million from a financial services company in New York in August 2020 in which the hackers used the malicious CryptoNeuro Trader application as a backdoor," the press release said.

Just last week, the United Nations alleged that North Korea was funding its nuclear weapons program using funds from hacked cryptocurrency exchanges, alongside other thefts. The U.N. believes that over $300 million in crypto assets have been stolen by various North Korean hackers.

Initial coin offerings

The defendants raised funds using initial coin offerings (ICOs) as well, the indictment alleged. Specifically, it claims that Kim Il tried raising funds through the Marine Chain ICO, which the U.N. suspected was affiliated with the North Korean government last year.

The defendants created a digital token representing fractional ownership in marine shipping vessels and marketed it to individuals in Singapore, the indictment alleged.

"Defendant KIM IL and other conspirators would not disclose to these individuals that the conspirators were DPRK citizens or that they were communicating using false and fraudulent names. They also would not disclose to investors that a purpose of the Marine Chain Token was to evade United States sanctions on North Korea," the indictment said.

It's unclear how much the Marine Chain ICO raised.

Evan Kohlmann, the chief innovation officer of cybersecurity and risk intelligence firm Flashpoint, told CoinDesk, “Countries like North Korea will continue to create schemes to avoid U.S. sanctions. The DoJ indictment highlights the breadth of North Korean malicious cyber intrusions targeting entertainment, finance, defense, energy, government, and technology companies."

Countries could try cashing out through ATMs in addition to using ICOs or malware to steal cryptocurrencies, he said.


In addition to Wednesday's indictment, the FBI, Cybersecurity and Infrastructure Security Agency (CISA) and Department of Treasury published a joint advisory about a crypto malware produced by North Korea.

The advisory, which includes seven malware analysis reports (MARs) with technical details about the AppleJeus malware, details how the program was installed on victim machines.

"This report catalogues AppleJeus malware in detail. North Korea has used AppleJeus malware posing as cryptocurrency trading platforms since at least 2018. In most instances, the malicious application – seen on both Windows and Mac operating systems – appears to be from a legitimate cryptocurrency trading company, thus fooling individuals into downloading it as a third-party application from a website that seems legitimate," the notice said.

The threat actors targeted companies in the U.S., Canada, Brazil, Argentina, Australia, New Zealand, India, China, Russia, Israel, Saudi Arabia, South Korea and over a dozen others, according to the alert.

Read the full indictment below:

UPDATE (Feb. 17, 2021, 17:50 UTC): Edits and updates throughout.


Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.

Learn more about Consensus 2024, CoinDesk's longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to to register and buy your pass now.