{ "id": "84071b86-bdf6-4373-88a8-56ca61ef2ca4", "created_at": "2026-04-06T02:11:27.733366Z", "updated_at": "2026-04-10T03:38:20.075439Z", "deleted_at": null, "sha1_hash": "6f5a5406cc464c2628b6676eec221c7c5dc59bfc", "title": "North Korean Regime-Backed Programmer Charged With Conspiracy to Conduct Multiple Cyber Attacks and Intrusions", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 61125, "plain_text": "North Korean Regime-Backed Programmer Charged With\r\nConspiracy to Conduct Multiple Cyber Attacks and Intrusions\r\nPublished: 2018-09-06 · Archived: 2026-04-06 02:04:09 UTC\r\nA criminal complaint was unsealed today charging Park Jin Hyok (박진혁; a/k/a Jin Hyok Park and Pak Jin Hek),\r\na North Korean citizen, for his involvement in a conspiracy to conduct multiple destructive cyberattacks around\r\nthe world resulting in damage to massive amounts of computer hardware, and the extensive loss of data, money\r\nand other resources (the “Conspiracy”). \r\nThe complaint alleges that Park was a member of a government-sponsored hacking team known to the private\r\nsector as the “Lazarus Group,” and worked for a North Korean government front company, Chosun Expo Joint\r\nVenture (a/k/a Korea Expo Joint Venture or “KEJV”), to support the DPRK government’s malicious cyber\r\nactions. \r\nThe Conspiracy’s malicious activities include the creation of the malware used in the 2017 WannaCry 2.0 global\r\nransomware attack; the 2016 theft of $81 million from Bangladesh Bank; the 2014 attack on Sony Pictures\r\nEntertainment (SPE); and numerous other attacks or intrusions on the entertainment, financial services, defense,\r\ntechnology, and virtual currency industries, academia, and electric utilities. \r\nThe charges were announced by Attorney General Jeff Sessions, FBI Director Christopher A. Wray, Assistant\r\nAttorney General for National Security John C. Demers, First Assistant United States Attorney for the Central\r\nDistrict of California Tracy Wilkison and Assistant Director in Charge Paul D. Delacourt of the FBI’s Los Angeles\r\nField Office.\r\nIn addition to these criminal charges, Treasury Secretary Steven Mnuchin announced today that the Department of\r\nthe Treasury’s Office of Foreign Assets Control (OFAC) designated Park and KEJV under Executive Order 13722\r\nbased on the malicious cyber and cyber-enabled activity outlined in the criminal complaint.\r\n“Today’s announcement demonstrates the FBI’s unceasing commitment to unmasking and stopping the malicious\r\nactors and countries behind the world’s cyberattacks,” said FBI Director Christopher Wray.  “We stand with our\r\npartners to name the North Korean government as the force behind this destructive global cyber campaign.  This\r\ngroup’s actions are particularly egregious as they targeted public and private industries worldwide – stealing\r\nmillions of dollars, threatening to suppress free speech, and crippling hospital systems.  We’ll continue to identify\r\nand illuminate those responsible for malicious cyberattacks and intrusions, no matter who or where they are.”\r\n “The scale and scope of the cyber-crimes alleged by the Complaint is staggering and offensive to all who respect\r\nthe rule of law and the cyber norms accepted by responsible nations,” said Assistant Attorney General Demers.\r\n“The Complaint alleges that the North Korean government, through a state-sponsored group, robbed a central\r\nbank and citizens of other nations, retaliated against free speech in order to chill it half a world away, and created\r\ndisruptive malware that indiscriminately affected victims in more than 150 other countries, causing hundreds of\r\nmillions, if not billions, of dollars’ worth of damage.  The investigation, prosecution, and other disruption of\r\nhttps://www.justice.gov/opa/pr/north-korean-regime-backed-programmer-charged-conspiracy-conduct-multiple-cyber-attacks-and\r\nPage 1 of 4\n\nmalicious state-sponsored cyber activity remains among the highest priorities of the National Security Division\r\nand I thank the FBI agents, DOJ prosecutors, and international partners who have put years of effort into this\r\ninvestigation.”\r\n“The complaint charges members of this North Korean-based conspiracy with being responsible for cyberattacks\r\nthat caused unprecedented economic damage and disruption to businesses in the United States and around the\r\nglobe,” said First Assistant United States Attorney Tracy Wilkison. “The scope of this scheme was exposed\r\nthrough the diligent efforts of FBI agents and federal prosecutors who were able to unmask these sophisticated\r\ncrimes through sophisticated means. They traced the attacks back to the source and mapped their commonalities,\r\nincluding similarities among the various programs used to infect networks across the globe. These charges send a\r\nmessage that we will track down malicious actors no matter how or where they hide. We will continue to pursue\r\njustice for those responsible for the huge monetary losses and attempting to compromise the national security of\r\nthe United States.”\r\n“We will not allow North Korea to undermine global cybersecurity to advance its interests and generate illicit\r\nrevenues in violation of our sanctions,” said Treasury Secretary Steven Mnuchin.  “The United States is\r\ncommitted to holding the regime accountable for its cyber-attacks and other crimes and destabilizing activities.”\r\nPark is charged with one count of conspiracy to commit computer fraud and abuse, which carries a maximum\r\nsentence of five years in prison, and one count of conspiracy to commit wire fraud, which carries a maximum\r\nsentence of 20 years in prison. \r\nAbout the Defendant Park and Chosun Expo Joint Venture\r\nAccording to the allegations contained in the criminal complaint, which was filed on June 8, 2018 in Los Angeles\r\nfederal court, and posted today:  Park Jin Hyok, was a computer programmer who worked for over a decade for\r\nChosun Expo Joint Venture (a/k/a Korea Expo Joint Venture or “KEJV”).  Chosun Expo Joint Venture had offices\r\nin China and the DPRK, and is affiliated with Lab 110, a component of DPRK military intelligence.  In addition to\r\nthe programming done by Park and his group for paying clients around the world, the Conspiracy also engaged in\r\nmalicious cyber activities.  Security researchers that have independently investigated these activities referred to\r\nthis hacking team as the “Lazarus Group.”  The Conspiracy’s methods included spear-phishing campaigns,\r\ndestructive malware attacks, exfiltration of data, theft of funds from bank accounts, ransomware extortion, and\r\npropagating “worm” viruses to create botnets.\r\nThe Conspiracy’s Cyber Attacks, Heists, and Intrusions\r\nThe complaint describes a broad array of the Conspiracy’s alleged malicious cyber activities, both successful and\r\nunsuccessful, and in the United States and abroad, with a particular focus on four specific examples. \r\nTargeting the Entertainment Industry\r\nIn November 2014, the conspirators launched a destructive attack on Sony Pictures Entertainment (SPE) in\r\nretaliation for the movie “The Interview,” a farcical comedy that depicted the assassination of the DPRK’s leader. \r\nThe conspirators gained access to SPE’s network by sending malware to SPE employees, and then stole\r\nconfidential data, threatened SPE executives and employees, and damaged thousands of computers.  Around the\r\nsame time, the group sent spear-phishing messages to other victims in the entertainment industry, including a\r\nhttps://www.justice.gov/opa/pr/north-korean-regime-backed-programmer-charged-conspiracy-conduct-multiple-cyber-attacks-and\r\nPage 2 of 4\n\nmovie theater chain and a U.K. company that was producing a fictional series involving a British nuclear scientist\r\ntaken prisoner in DPRK.\r\nTargeting Financial Services\r\nIn February 2016, the Conspiracy stole $81 million from Bangladesh Bank.  As part of the cyber-heist, the\r\nConspiracy accessed the bank’s computer terminals that interfaced with the Society for Worldwide Interbank\r\nFinancial Telecommunication (SWIFT) communication system after compromising the bank’s computer network\r\nwith spear-phishing emails, then sent fraudulently authenticated SWIFT messages directing the Federal Reserve\r\nBank of NY to transfer funds from Bangladesh to accounts in other Asian countries.  The Conspiracy attempted to\r\nand did gain access to several other banks in various countries from 2015 through 2018 using similar methods and\r\n“watering hole attacks,” attempting the theft of at least $1 billion through such operations.\r\nTargeting of U.S. Defense Contractors\r\nIn 2016 and 2017, the Conspiracy targeted a number of U.S. defense contractors, including Lockheed Martin, with\r\nspear-phishing emails. These malicious emails used some of the same aliases and accounts seen in the SPE attack,\r\nat times accessed from North Korean IP addresses, and contained malware with the same distinct data table found\r\nin the malware used against SPE and certain banks, the complaint alleges. The spear-phishing emails sent to the\r\ndefense contractors were often sent from email accounts that purported to be from recruiters at competing defense\r\ncontractors, and some of the malicious messages made reference to the Terminal High Altitude Area Defense\r\n(THAAD) missile defense system deployed in South Korea. The attempts to infiltrate the computer systems of\r\nLockheed Martin, the prime contractor for the THAAD missile system, were not successful.\r\nCreation of Wannacry 2.0\r\nIn May 2017, a ransomware attack known as WannaCry 2.0 infected hundreds of thousands of computers around\r\nthe world, causing extensive damage, including significantly impacting the United Kingdom’s National Health\r\nService.  The Conspiracy is connected to the development of WannaCry 2.0, as well as two prior versions of the\r\nransomware, through similarities in form and function to other malware developed by the hackers, and by\r\nspreading versions of the ransomware through the same infrastructure used in other cyber-attacks.\r\nPark and his co-conspirators were linked to these attacks, intrusions, and other malicious cyber-enabled activities\r\nthrough a thorough investigation that identified and traced: email and social media accounts that connect to each\r\nother and were used to send spear-phishing messages; aliases, malware “collector accounts” used to store stolen\r\ncredentials; common malware code libraries; proxy services used to mask locations; and North Korean, Chinese,\r\nand other IP addresses.  Some of this malicious infrastructure was used across multiple instances of the malicious\r\nactivities described herein.  Taken together, these connections and signatures—revealed in charts attached to the\r\ncriminal complaint—show that the attacks and intrusions were perpetrated by the same actors.  \r\nAccompanying Mitigation Efforts\r\nThroughout the course of the investigation, the FBI and the Department provided specific information to victims\r\nabout how they had been targeted or compromised, as well as information about the tactics and techniques used by\r\nthe conspiracy with the goals of remediating any intrusion and preventing future intrusions.  That direct sharing of\r\ninformation took place in the United States and in foreign countries, often with the assistance of foreign law\r\nhttps://www.justice.gov/opa/pr/north-korean-regime-backed-programmer-charged-conspiracy-conduct-multiple-cyber-attacks-and\r\nPage 3 of 4\n\nenforcement partners. The FBI also has collaborated with certain private cybersecurity companies by sharing and\r\nanalyzing information about the intrusion patterns used by the members of the conspiracy.\r\nIn connection with the unsealing of the criminal complaint, the FBI and prosecutors provided cybersecurity\r\nproviders and other private sector partners detailed information on accounts used by the Conspiracy in order to\r\nassist these partners in their own independent investigative activities and disruption efforts.\r\nThe maximum potential sentences in this case are prescribed by Congress and are provided here for informational\r\npurposes only, as any sentencings of the defendant will be determined by the assigned judge.\r\nThis case is being prosecuted by Assistant United States Attorneys Stephanie S. Christensen, Anthony J. Lewis,\r\nand Anil J. Antony of the United States Attorney’s Office for the Central District of California, and DOJ Trial\r\nAttorneys David Aaron and Scott Claffee of the National Security Division’s Counterintelligence and Export\r\nControl Section.  The Criminal Division’s Office of International Affairs provided assistance throughout this\r\ninvestigation, as did many of the FBI’s Legal Attachés, and foreign authorities around the world.\r\nThe charges contained in the criminal complaint are merely accusations and the defendant is presumed innocent\r\nunless and until proven guilty.\r\nFor the U.S. Department of Treasury’s press release announcing corresponding sanctions please visit\r\nwww.treasury.gov\r\n.\r\nSource: https://www.justice.gov/opa/pr/north-korean-regime-backed-programmer-charged-conspiracy-conduct-multiple-cyber-attacks-and\r\nhttps://www.justice.gov/opa/pr/north-korean-regime-backed-programmer-charged-conspiracy-conduct-multiple-cyber-attacks-and\r\nPage 4 of 4", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia", "MISPGALAXY", "ETDA" ], "references": [ "https://www.justice.gov/opa/pr/north-korean-regime-backed-programmer-charged-conspiracy-conduct-multiple-cyber-attacks-and" ], "report_names": [ "north-korean-regime-backed-programmer-charged-conspiracy-conduct-multiple-cyber-attacks-and" ], "threat_actors": [ { "id": "34eea331-d052-4096-ae03-a22f1d090bd4", "created_at": "2025-08-07T02:03:25.073494Z", "updated_at": "2026-04-10T02:00:03.709243Z", "deleted_at": null, "main_name": "NICKEL ACADEMY", "aliases": [ "ATK3 ", "Black Artemis ", "COVELLITE ", "CTG-2460 ", "Citrine Sleet ", "Diamond Sleet ", "Guardians of Peace", "HIDDEN COBRA ", "High Anonymous", "Labyrinth Chollima ", "Lazarus Group ", "NNPT Group", "New Romanic Cyber Army Team", "Temp.Hermit ", "UNC577 ", "Who Am I?", "Whois Team", "ZINC " ], "source_name": "Secureworks:NICKEL ACADEMY", "tools": [ "Destover", "KorHigh", "Volgmer" ], "source_id": "Secureworks", "reports": null }, { "id": "a3687241-9876-477b-aa13-a7c368ffda58", "created_at": "2022-10-25T16:07:24.496902Z", "updated_at": "2026-04-10T02:00:05.010744Z", "deleted_at": null, "main_name": "Hacking Team", "aliases": [], "source_name": "ETDA:Hacking Team", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "e90c06e4-e3e0-4f46-a3b5-17b84b31da62", "created_at": "2023-01-06T13:46:39.018236Z", "updated_at": "2026-04-10T02:00:03.183123Z", "deleted_at": null, "main_name": "Hacking Team", "aliases": [], "source_name": "MISPGALAXY:Hacking Team", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "732597b1-40a8-474c-88cc-eb8a421c29f1", "created_at": "2025-08-07T02:03:25.087732Z", "updated_at": "2026-04-10T02:00:03.776007Z", "deleted_at": null, "main_name": "NICKEL GLADSTONE", "aliases": [ "APT38 ", "ATK 117 ", "Alluring Pisces ", "Black Alicanto ", "Bluenoroff ", "CTG-6459 ", "Citrine Sleet ", "HIDDEN COBRA ", "Lazarus Group", "Sapphire Sleet ", "Selective Pisces ", "Stardust Chollima ", "T-APT-15 ", "TA444 ", "TAG-71 " ], "source_name": "Secureworks:NICKEL GLADSTONE", "tools": [ "AlphaNC", "Bankshot", "CCGC_Proxy", "Ratankba", "RustBucket", "SUGARLOADER", "SwiftLoader", "Wcry" ], "source_id": "Secureworks", "reports": null }, { "id": "a2b92056-9378-4749-926b-7e10c4500dac", "created_at": "2023-01-06T13:46:38.430595Z", "updated_at": "2026-04-10T02:00:02.971571Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "Operation DarkSeoul", "Bureau 121", "Group 77", "APT38", "NICKEL GLADSTONE", "G0082", "COPERNICIUM", "Moonstone Sleet", "Operation GhostSecret", "APT 38", "Appleworm", "Unit 121", "ATK3", "G0032", "ATK117", "NewRomanic Cyber Army Team", "Nickel Academy", "Sapphire Sleet", "Lazarus group", "Hastati Group", "Subgroup: Bluenoroff", "Operation Troy", "Black Artemis", "Dark Seoul", "Andariel", "Labyrinth Chollima", "Operation AppleJeus", "COVELLITE", "Citrine Sleet", "DEV-0139", "DEV-1222", "Hidden Cobra", "Bluenoroff", "Stardust Chollima", "Whois Hacking Team", "Diamond Sleet", "TA404", "BeagleBoyz", "APT-C-26" ], "source_name": "MISPGALAXY:Lazarus Group", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "32a223a8-3c79-4146-87c5-8557d38662ae", "created_at": "2022-10-25T15:50:23.703698Z", "updated_at": "2026-04-10T02:00:05.261989Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "Lazarus Group", "Labyrinth Chollima", "HIDDEN COBRA", "Guardians of Peace", "NICKEL ACADEMY", "Diamond Sleet" ], "source_name": "MITRE:Lazarus Group", "tools": [ "RawDisk", "Proxysvc", "BADCALL", "FALLCHILL", "WannaCry", "MagicRAT", "HOPLIGHT", "TYPEFRAME", "Dtrack", "HotCroissant", "HARDRAIN", "Dacls", "KEYMARBLE", "TAINTEDSCRIBE", "AuditCred", "netsh", "ECCENTRICBANDWAGON", "AppleJeus", "BLINDINGCAN", "ThreatNeedle", "Volgmer", "Cryptoistic", "RATANKBA", "Bankshot" ], "source_id": "MITRE", "reports": null }, { "id": "f32df445-9fb4-4234-99e0-3561f6498e4e", "created_at": "2022-10-25T16:07:23.756373Z", "updated_at": "2026-04-10T02:00:04.739611Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "APT-C-26", "ATK 3", "Appleworm", "Citrine Sleet", "DEV-0139", "Diamond Sleet", "G0032", "Gleaming Pisces", "Gods Apostles", "Gods Disciples", "Group 77", "Guardians of Peace", "Hastati Group", "Hidden Cobra", "ITG03", "Jade Sleet", "Labyrinth Chollima", "Lazarus Group", "NewRomanic Cyber Army Team", "Operation 99", "Operation AppleJeus", "Operation AppleJeus sequel", "Operation Blockbuster: Breach of Sony Pictures Entertainment", "Operation CryptoCore", "Operation Dream Job", "Operation Dream Magic", "Operation Flame", "Operation GhostSecret", "Operation In(ter)caption", "Operation LolZarus", "Operation Marstech Mayhem", "Operation No Pineapple!", "Operation North Star", "Operation Phantom Circuit", "Operation Sharpshooter", "Operation SyncHole", "Operation Ten Days of Rain / DarkSeoul", "Operation Troy", "SectorA01", "Slow Pisces", "TA404", "TraderTraitor", "UNC2970", "UNC4034", "UNC4736", "UNC4899", "UNC577", "Whois Hacking Team" ], "source_name": "ETDA:Lazarus Group", "tools": [ "3CX Backdoor", "3Rat Client", "3proxy", "AIRDRY", "ARTFULPIE", "ATMDtrack", "AlphaNC", "Alreay", "Andaratm", "AngryRebel", "AppleJeus", "Aryan", "AuditCred", "BADCALL", "BISTROMATH", "BLINDINGCAN", "BTC Changer", "BUFFETLINE", "BanSwift", "Bankshot", "Bitrep", "Bitsran", "BlindToad", "Bookcode", "BootWreck", "BottomLoader", "Brambul", "BravoNC", "Breut", "COLDCAT", "COPPERHEDGE", "CROWDEDFLOUNDER", "Castov", "CheeseTray", "CleanToad", "ClientTraficForwarder", "CollectionRAT", "Concealment Troy", "Contopee", "CookieTime", "Cyruslish", "DAVESHELL", "DBLL Dropper", "DLRAT", "DRATzarus", "DRATzarus RAT", "Dacls", "Dacls RAT", "DarkComet", "DarkKomet", "DeltaCharlie", "DeltaNC", "Dembr", "Destover", "DoublePulsar", "Dozer", "Dtrack", "Duuzer", "DyePack", "ECCENTRICBANDWAGON", "ELECTRICFISH", "Escad", "EternalBlue", "FALLCHILL", "FYNLOS", "FallChill RAT", "Farfli", "Fimlis", "FoggyBrass", "FudModule", "Fynloski", "Gh0st RAT", "Ghost RAT", "Gopuram", "HARDRAIN", "HIDDEN COBRA RAT/Worm", "HLOADER", "HOOKSHOT", "HOPLIGHT", "HOTCROISSANT", "HOTWAX", "HTTP Troy", "Hawup", "Hawup RAT", "Hermes", "HotCroissant", "HotelAlfa", "Hotwax", "HtDnDownLoader", "Http Dr0pper", "ICONICSTEALER", "Joanap", "Jokra", "KANDYKORN", "KEYMARBLE", "Kaos", "KillDisk", "KillMBR", "Koredos", "Krademok", "LIGHTSHIFT", "LIGHTSHOW", "LOLBAS", "LOLBins", "Lazarus", "LightlessCan", "Living off the Land", "MATA", "MBRkiller", "MagicRAT", "Manuscrypt", "Mimail", "Mimikatz", "Moudour", "Mydoom", "Mydoor", "Mytob", "NACHOCHEESE", "NachoCheese", "NestEgg", "NickelLoader", "NineRAT", "Novarg", "NukeSped", "OpBlockBuster", "PCRat", "PEBBLEDASH", "PLANKWALK", "POOLRAT", "PSLogger", "PhanDoor", "Plink", "PondRAT", "PowerBrace", "PowerRatankba", "PowerShell RAT", "PowerSpritz", "PowerTask", "Preft", "ProcDump", "Proxysvc", "PuTTY Link", "QUICKRIDE", "QUICKRIDE.POWER", "Quickcafe", "QuiteRAT", "R-C1", "ROptimizer", "Ratabanka", "RatabankaPOS", "Ratankba", "RatankbaPOS", "RawDisk", "RedShawl", "Rifdoor", "Rising Sun", "Romeo-CoreOne", "RomeoAlfa", "RomeoBravo", "RomeoCharlie", "RomeoCore", "RomeoDelta", "RomeoEcho", "RomeoFoxtrot", "RomeoGolf", "RomeoHotel", "RomeoMike", "RomeoNovember", "RomeoWhiskey", "Romeos", "RustBucket", "SHADYCAT", "SHARPKNOT", "SIGFLIP", "SIMPLESEA", "SLICKSHOES", "SORRYBRUTE", "SUDDENICON", "SUGARLOADER", "SheepRAT", "SierraAlfa", "SierraBravo", "SierraCharlie", "SierraJuliett-MikeOne", "SierraJuliett-MikeTwo", "SimpleTea", "SimplexTea", "SmallTiger", "Stunnel", "TAINTEDSCRIBE", "TAXHAUL", "TFlower", "TOUCHKEY", "TOUCHMOVE", "TOUCHSHIFT", "TOUCHSHOT", "TWOPENCE", "TYPEFRAME", "Tdrop", "Tdrop2", "ThreatNeedle", "Tiger RAT", "TigerRAT", "Trojan Manuscript", "Troy", "TroyRAT", "VEILEDSIGNAL", "VHD", "VHD Ransomware", "VIVACIOUSGIFT", "VSingle", "ValeforBeta", "Volgmer", "Vyveva", "W1_RAT", "Wana Decrypt0r", "WanaCry", "WanaCrypt", "WanaCrypt0r", "WannaCry", "WannaCrypt", "WannaCryptor", "WbBot", "Wcry", "Win32/KillDisk.NBB", "Win32/KillDisk.NBC", "Win32/KillDisk.NBD", "Win32/KillDisk.NBH", "Win32/KillDisk.NBI", "WinorDLL64", "Winsec", "WolfRAT", "Wormhole", "YamaBot", "Yort", "ZetaNile", "concealment_troy", "http_troy", "httpdr0pper", "httpdropper", "klovbot", "sRDI" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775441487, "ts_updated_at": 1775792300, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/6f5a5406cc464c2628b6676eec221c7c5dc59bfc.pdf", "text": "https://archive.orkl.eu/6f5a5406cc464c2628b6676eec221c7c5dc59bfc.txt", "img": "https://archive.orkl.eu/6f5a5406cc464c2628b6676eec221c7c5dc59bfc.jpg" } }