US seizes stolen funds from suspected North Korean hackers

Getty Images Deputy Attorney General Lisa O. MonacoGetty Images
Deputy Attorney General Lisa O. Monaco says the Department of Justice is attacking malicious cyber-activity from all angles

The US Department of Justice has seized $500,000 (£417,000) worth of Bitcoin from suspected North Korean hackers.

The hackers attacked healthcare providers with a new strain of ransomware, extorting the funds from several organisations.

US authorities say they have already returned ransom payments to two hospital groups.

The rare successful seizure comes as US authorities warn that North Korea is becoming a major ransomware threat.

In a conference on Tuesday, Deputy Attorney General Lisa O. Monaco praised an unnamed Kansas hospital for alerting the FBI early about the ransomware attack.

"Not only did this allow us to recover their ransom payment as well as a ransom paid by previously unknown victims, but we were also able to identify a previously unidentified ransomware strain," she said.

Hackers targeted hospital

According to court documents, hackers used the ransomware strain called Maui to encrypt the files and servers of a medical centre in Kansas in May 2021.

Typically, ransomware hackers will use malicious software to scramble data or lock users out of the system until a ransom is paid.

Watch: What is ransomware and how does it work?

The Kansas hospital spent a week not being able to access its IT systems, then decided to pay approximately $100,000 in Bitcoin to regain the use of its computers and equipment.

It is not illegal to pay hacker ransoms, but it is discouraged by law enforcement organisations around the world.

The FBI says it was swiftly notified about the payment by the medical centre, which meant officers were able to identify the never-before-seen ransomware linked to North Korea and trace the cryptocurrency to China-based money launderers.

Agents were also able to identify another $120,000 Bitcoin payment made to one of the criminal cryptocurrency accounts. This turned out to be a medical provider in Colorado which had just paid a ransom after also being hacked by the Maui ransomware criminals.

The FBI says it has returned the money to the two healthcare providers, but has not said from where the rest of the seized funds have come.

How seizure happened

It is not known how the FBI was able to seize the funds but Tom Robinson, founder and chief scientist of Elliptic, which analyses Bitcoin payments, told the BBC the seizure may have come about as the hackers tried to exchange their Bitcoin to traditional currency.

"It's likely that the investigators were able to trace the cryptocurrency to an exchange platform, where the launderers would have sent the funds in order to cash out. Exchanges are regulated businesses and can seize their customers' funds if compelled to do so by law enforcement," he said.

Europol Police conducting a raidEuropol
Seizing stolen cryptocurrency usually involves arresting cyber-criminals to gain access to their digital wallets

"Another possibility is that the cryptocurrency was seized directly from the launderers' own wallet. This is more challenging to do as it would require access to the wallet's private key - a passcode that allows cryptocurrency in a wallet to be accessed and moved."

US authorities are increasingly using new tactics to steal back extorted funds from cyber-criminals operating in jurisdictions like North Korea and Russia, where law enforcement agencies do not co-operate with Western requests for assistance.

"These seizures are still very rare, and it highlights the value of speedy reporting of cyber-extortion incidents, and working with law enforcement," says Jen Ellis, from cyber-security firm Rapid7.

"They won't be able to recoup the payment in every case, but the more information they have on attacker groups' tactics, techniques, and procedures, the more likely they are to be able to disrupt, deter, and respond to attacks, which benefits everyone."

Last June, the US recovered most of the $4.4m ransom paid by Colonial Pipeline to a cyber-criminal gang thought to be based in Russia.

In November 2021, the US also clawed back $6m from another ransomware gang called REvil with heavy links to Russia.

North Korean ransomware

As well as traditional state espionage elements, North Korea has for many years been accused of directing hacks aimed at making money for the pariah state.

North Korean hacking activity is often attributed to the so-called Lazarus Group of hackers, which has been accused of attempting to take $1bn from a Bangladesh bank in 2016.

In the last year, the group has been linked to lucrative attacks on cryptocurrency platforms, but last month the US cyber-authorities issued a warning about North Korean hackers launching ransomware attacks against US hospitals.

The authorities did not provide evidence that North Korea was behind the attacks, but the joint Cybersecurity Advisory assessment of the Maui ransomware stated that it had been "used by North Korean state-sponsored cyber-actors since at least May 2021 to target healthcare organisations."