Three hackers from a North Korean cyber intelligence agency have been charged in the US with masterminding a €13million heist on Bank of Valletta.  

The US Justice Department unsealed a federal indictment on Wednesday, charging three North Korean computer programmers with participating in a wide-ranging criminal conspiracy to conduct a series of cyberattacks. 

The group stole and extorted more than $1.3 billion (€1.07 billion) of money and cryptocurrency from financial institutions and companies across the globe, including BOV.  

Hackers posed as the French stock market regulator to break into BOV’s IT systems and walk away with millions of euros in 2019.  

In May of 2019 the bank said it had recovered €10 million of the stolen funds.

At the time sources had told Times of Malta that the Malta Security Services and the state IT agency MITA were working with a team from the US Federal Bureau of Investigation after suspicions that the hack could have been part of a string of similar attacks across the world orchestrated by a hostile rogue state

'World's leading bank robbers'

North Korea was eventually identified as that state in a UN report later that year.  
The hacking indictment filed in the U.S. District Court in Los Angeles this week alleges that Jon Chang Hyok, 31; Kim Il, 27; and Park Jin Hyok, 36, were members of units of the Reconnaissance General Bureau (RGB), a military intelligence agency of the Democratic People’s Republic of Korea, which engaged in criminal hacking.

These North Korean military hacking units are known by multiple names in the cybersecurity community, including Lazarus Group and Advanced Persistent Threat 38 (APT38). 

The indictment alleges a broad array of criminal cyber activities undertaken by the conspiracy “for revenge or financial gain”.

“As laid out in today’s indictment, North Korea’s operatives, using keyboards rather than guns, stealing digital wallets of cryptocurrency instead of sacks of cash, are the world’s leading bank robbers,” said Assistant Attorney General John C. Demers of the Justice Department’s National Security Division.

Fraudulent wire transactions

A second case unsealed in the US court also revealed that a Canadian-American citizen has agreed to plead guilty in a money laundering scheme and admitted to being a high-level money launderer for multiple criminal schemes, including ATM “cash-out” operations and a cyber-enabled bank heist orchestrated by the same North Korean hackers.

This American-Canadian is believed to be an associate of a Nigerian cyber criminal who was attested for his role in the heist in 2020. 

Ramoni Igbalode Abbas, aka “Hushpuppi”, was not one to shy away from publicity having attracted some 2.4 million followers on Instagram flaunting luxury cars, designer clothing, and a lavish, globetrotting lifestyle. 

Nigerian Instagram influencer Ramon Olorunwa Abbas, also known as Ray Hushpuppi, was arrested in June last year.Nigerian Instagram influencer Ramon Olorunwa Abbas, also known as Ray Hushpuppi, was arrested in June last year.

However he was last year accused of having conspired to “launder funds intended to be stolen through fraudulent wire transfers from a foreign financial institution, in which fraudulent wire transfers, totalling approximately €13 million were sent to bank accounts around the world in February 2019.”

Meanwhile, the charges against his North Korean co-conspirators include the “hack-and-dump” attack targeting US film makers Sony Pictures Entertainment. 

The attack was believed to have been sparked by the production company’s satirical film ‘The Interview’ which parodied North Korean dictator Kim Jong Un. 

The hacking group were also charged with a December 2014 targeting of AMC Theatres, which was scheduled to screen the film; and a 2015 intrusion into Mammoth Screen, which was producing a fictional series involving a British nuclear scientist taken prisoner in North Korea.

Other crimes listed in the long charge sheet include the creation of the destructive software WannaCry 2.0, a form of ransomware, in May 2017, and the extortion of companies from 2017 through 2020.

The hackers also allegedly created and deployed malicious cryptocurrency applications from March 2018 through to at least September 2020 which would provide the North Korean team a backdoor into the victims’ computers.

Sign up to our free newsletters

Get the best updates straight to your inbox:
Please select at least one mailing list.

You can unsubscribe at any time by clicking the link in the footer of our emails. We use Mailchimp as our marketing platform. By subscribing, you acknowledge that your information will be transferred to Mailchimp for processing.