The United States Department of Justice has seized and returned roughly $500,000 in fiat and crypto from a hacking group tied to the North Korean government, which included two crypto payments made by U.S. health care providers.
In a Tuesday announcement, the Justice Department said in conjunction with the FBI it had investigated a $100,000 ransomware payment in Bitcoin (BTC) from a Kansas hospital to a North Korean hacking group in order to regain access to its systems, as well as a $120,000 BTC payment from a medical provider in Colorado to one of the wallets connected to the aforementioned attack. In May, the FBI filed a seizure warrant for funds from the two ransom attacks and others laundered through China, which the Justice Department reported as worth roughly $500,000 total.
“These sophisticated criminals are constantly pushing boundaries to search for ways to extort money from victims by forcing them to pay ramsons in order to regain control of their computer and record systems,” said Duston Slinkar, U.S. Attorney for the District of Kansas. “What these hackers don’t count on is the tenacity of the U.S. Justice Department in recovering and returning these funds to the rightful owners.”
U.S. Deputy Attorney General Lisa Monaco said in a speech for the International Conference on Cyber Security on Tuesday that authorities relied on victims from the private sector to report ransomware attacks and others “as soon as those crimes occur”:
“If you report that attack, if you report the ransom demand and payment, if you work with the FBI, we can take action; we can follow the money and get it back; we can help prevent the next attack, the next victim; and we can hold cybercriminals accountable. Those companies that work with us will see that we stand with them in the aftermath of an incident.”
— Justice Department (@TheJusticeDept) July 19, 2022
According to Monaco, the FBI and Justice Department traced the ransom payments through the blockchain in much the same way they found and seized more than $2 million in crypto following an attack on the Colonial Pipeline system in 2021. The Office of the Attorney General late announced the formation of a National Cryptocurrency Enforcement Team under the Justice Department, and a Virtual Asset Exploitation Unit under the FBI. Both teams were aimed at addressing cybercrimes used for “digital extortion” of funds, including crypto.
Hacking groups connected to either North Korea and Russia have reportedly been responsible for many major ransomware and cyber attacks in the United States and globally. In April, the Treasury Department’s Office of Foreign Assets Control named North Korean cyber-criminal Lazarus Group as the entity behind a March 2022 hack of Ronin Bridge, in which more than $600 million in crypto assets were removed.