{
	"id": "41986e5a-87ca-45bf-9e59-2ccf41092b3c",
	"created_at": "2026-04-06T00:12:10.084515Z",
	"updated_at": "2026-04-10T13:12:39.676396Z",
	"deleted_at": null,
	"sha1_hash": "743427208d044505d6c0105e7d0d836401483243",
	"title": "South Korea Sanctions Pyongyang Hackers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 110688,
	"plain_text": "South Korea Sanctions Pyongyang Hackers\r\nBy Jayant Chakravarti\r\nArchived: 2026-04-05 18:41:59 UTC\r\nBlockchain \u0026 Cryptocurrency , Cryptocurrency Fraud , Fraud Management \u0026 Cybercrime\r\nSeoul Cracks Down on North Korea's Flourishing Cryptocurrency Theft Industry (@JayJay_Tech) • February 13,\r\n2023    \r\nNorth Korean leader Kim Jong-un watches a missile demonstration in August 2019. (Photo: Korean\r\nCentral News Agency)\r\nSouth Korea sanctioned four North Korean individuals and seven organizations for conducting illegal cyber\r\nactivities to finance the totalitarian regime's nuclear and missile development programs.\r\nSee Also: Revolutionizing Cross-Border Transactions with Permissioned DeFi\r\nSeoul accused the individuals and institutions of stealing virtual currency, conducting ransomware attacks and\r\nobtaining IT work at front companies using fake documents to raise funds.\r\nAmong the individuals is Park Jin-Hyok, an alleged member of Reconnaissance General Bureau, North Korea's\r\nmilitary intelligence agency. Park is already named in a U.S. federal indictment for allegedly participating in a\r\ncampaign to steal more than $1.3 billion of money and cryptocurrency from financial institutions and companies\r\nworldwide.\r\nhttps://www.bankinfosecurity.com/south-korea-sanctions-pyongyang-hackers-a-21193\r\nPage 1 of 2\n\nThe United States also charged Park for carrying out the global WannaCry 2.0 ransomware attacks, an $81 million\r\nheist from Bangladesh Bank in 2016, and numerous other attacks.\r\nSeoul also sanctioned Jo Myong Rae, the head of the Computer Technology Research Institute, and Chosun Expo\r\nJoint Venture, a front company with offices in China and North Korea. 
The sanctions list also blacklists state\r\nhacking groups such as Lazarus, Bluenoroff and Andariel, and the state Technical Reconnaissance Bureau.\r\nThe government said the targeted sanctions against North Korean entities to prevent cryptocurrency theft were a\r\nlong time in the making. It established in August 2022 a working group with the U.S. to discuss potential\r\nsanctions against North Korean hackers and conducted a joint symposium with the U.S. in November to share\r\ninformation with the private sector about North Korea's hacking techniques.\r\nSouth Korea also established a National Cyber Security Cooperation Center in November 2022 to enable a joint\r\nresponse by the public and private sectors against North Korea's cyberattacks. Seoul also partnered with domestic and\r\nforeign cryptocurrency exchanges to freeze stolen funds, identify crypto wallet addresses used by hackers and\r\nestablished a procedure to record senders and recipients for all crypto transactions. It has now listed eight virtual\r\nasset wallet addresses associated with Lazarus.\r\nStolen cryptocurrency has become a principal source of hard currency for North Korea. The country exported just\r\n$82 million worth of goods and services in 2021, but its hackers stole over $1.2 billion in cryptocurrency since\r\n2017. Blockchain analysis firm Chainalysis says North Korean cybercriminals had \"a banner year in 2021,\"\r\nstealing about $400 million worth of digital assets.\r\nThe FBI last year blamed Lazarus for stealing $620 million in ethereum from online game Axie Infinity. It also\r\nsaid last week that Lazarus stole $100 million worth of ethereum from Harmony Horizon, a cross-chain bridge for\r\nethereum.\r\nSource: https://www.bankinfosecurity.com/south-korea-sanctions-pyongyang-hackers-a-21193\r\nhttps://www.bankinfosecurity.com/south-korea-sanctions-pyongyang-hackers-a-21193\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bankinfosecurity.com/south-korea-sanctions-pyongyang-hackers-a-21193"
	],
	"report_names": [
		"south-korea-sanctions-pyongyang-hackers-a-21193"
	],
	"threat_actors": [
		{
			"id": "838f6ced-12a4-4893-991a-36d231d96efd",
			"created_at": "2022-10-25T15:50:23.347455Z",
			"updated_at": "2026-04-10T02:00:05.295717Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"Andariel",
				"Silent Chollima",
				"PLUTONIUM",
				"Onyx Sleet"
			],
			"source_name": "MITRE:Andariel",
			"tools": [
				"Rifdoor",
				"gh0st RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "110e7160-a8cc-4a66-8550-f19f7d418117",
			"created_at": "2023-01-06T13:46:38.427592Z",
			"updated_at": "2026-04-10T02:00:02.969896Z",
			"deleted_at": null,
			"main_name": "Silent Chollima",
			"aliases": [
				"Onyx Sleet",
				"PLUTONIUM",
				"OperationTroy",
				"Guardian of Peace",
				"GOP",
				"WHOis Team",
				"Andariel",
				"Subgroup: Andariel"
			],
			"source_name": "MISPGALAXY:Silent Chollima",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc6e3644-3249-44f3-a277-354b7966dd1b",
			"created_at": "2022-10-25T16:07:23.760559Z",
			"updated_at": "2026-04-10T02:00:04.741239Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"APT 45",
				"Andariel",
				"G0138",
				"Jumpy Pisces",
				"Onyx Sleet",
				"Operation BLACKMINE",
				"Operation BLACKSHEEP/Phase 3.",
				"Operation Blacksmith",
				"Operation DESERTWOLF/Phase 3",
				"Operation GHOSTRAT",
				"Operation GoldenAxe",
				"Operation INITROY/Phase 1",
				"Operation INITROY/Phase 2",
				"Operation Mayday",
				"Operation VANXATM",
				"Operation XEDA",
				"Plutonium",
				"Silent Chollima",
				"Stonefly"
			],
			"source_name": "ETDA:Andariel",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "771d9263-076e-4b6e-bd58-92b6555eb739",
			"created_at": "2025-08-07T02:03:25.092436Z",
			"updated_at": "2026-04-10T02:00:03.758541Z",
			"deleted_at": null,
			"main_name": "NICKEL HYATT",
			"aliases": [
				"APT45 ",
				"Andariel",
				"Dark Seoul",
				"Jumpy Pisces ",
				"Onyx Sleet ",
				"RIFLE Campaign",
				"Silent Chollima ",
				"Stonefly ",
				"UN614 "
			],
			"source_name": "Secureworks:NICKEL HYATT",
			"tools": [
				"ActiveX 0-day",
				"DTrack",
				"HazyLoad",
				"HotCriossant",
				"Rifle",
				"UnitBot",
				"Valefor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "f426f0a0-faef-4c0e-bcf8-88974116c9d0",
			"created_at": "2022-10-25T15:50:23.240383Z",
			"updated_at": "2026-04-10T02:00:05.299433Z",
			"deleted_at": null,
			"main_name": "APT38",
			"aliases": [
				"APT38",
				"NICKEL GLADSTONE",
				"BeagleBoyz",
				"Bluenoroff",
				"Stardust Chollima",
				"Sapphire Sleet",
				"COPERNICIUM"
			],
			"source_name": "MITRE:APT38",
			"tools": [
				"ECCENTRICBANDWAGON",
				"HOPLIGHT",
				"Mimikatz",
				"KillDisk",
				"DarkComet"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1bdb91cf-f1a6-4bed-8cfa-c7ea1b635ebd",
			"created_at": "2022-10-25T16:07:23.766784Z",
			"updated_at": "2026-04-10T02:00:04.7432Z",
			"deleted_at": null,
			"main_name": "Bluenoroff",
			"aliases": [
				"APT 38",
				"ATK 117",
				"Alluring Pisces",
				"Black Alicanto",
				"Bluenoroff",
				"CTG-6459",
				"Copernicium",
				"G0082",
				"Nickel Gladstone",
				"Sapphire Sleet",
				"Selective Pisces",
				"Stardust Chollima",
				"T-APT-15",
				"TA444",
				"TAG-71",
				"TEMP.Hermit"
			],
			"source_name": "ETDA:Bluenoroff",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434330,
	"ts_updated_at": 1775826759,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/743427208d044505d6c0105e7d0d836401483243.pdf",
		"text": "https://archive.orkl.eu/743427208d044505d6c0105e7d0d836401483243.txt",
		"img": "https://archive.orkl.eu/743427208d044505d6c0105e7d0d836401483243.jpg"
	}
}