U.S. Seizes Crypto Funds from North Korean Ransomware Attack

News

U.S. authorities seized approximately half a million dollars worth of cryptocurrency from North Korean hackers that targeted healthcare providers, according to a Department of Justice announcement on Tuesday.

The hackers used a new strain of ransomware, known as ‘Maui’, to encrypt the files and servers of a medical center in Kansas in 2021, locking users out of the system until the ransom was paid. The hospital paid the hackers $100,000 worth of bitcoin to regain access to their servers.

After the hit, the Kansas facility notified the FBI, which then identified the never-before-seen North Korean ransomware strain, and traced the extorted cryptocurrency funds to China-based money launderers through the blockchain.

FBI agents later spotted a ransom payment worth $120,000 in bitcoin from a Colorado healthcare provider, which was hacked by the same Maui strain, to one of the seized criminal cryptocurrency accounts.

At the International Conference on Cyber Security which took place the same day, Deputy Attorney General Lisa O. Monaco said there was an “increased blurring of the line between state-sponsored cyber attacks and attacks by criminal groups,” and attributed the Maui attack to a North Korean state-sponsored group.

U.S. authorities have started the process of returning the money to the two healthcare providers, but have not said where the rest of the seized funds come from.

Earlier this month, U.S. cybersecurity authorities issued an alert warning hospitals against Maui, saying the ransomware “has been used by North Korean state-sponsored cyber actors since at least May 2021 to target Healthcare and Public Health (HPH) Sector organizations.”

According to a 2022 crypto crime report by Coincub, North Korea ranks as the top location in the world for crypto crimes, followed respectively by the U.S., Russia, China, and the U.K. The pariah nation has over 15 instances of documented crypto crimes, with illicit proceeds estimated at $1.6 billion.

North Korean cyberattacks are often attributed to the so-called Lazarus cybercrime group, which the U.S. Treasury Department linked to a $615 million cryptocurrency heist in April of this year.