The FBI and U.S. Justice Department last year thwarted attempts by North Korean state-sponsored hackers to cripple an American hospital—seizing $500,000 in cryptocurrency and ransom payments in the process.
In a Tuesday statement, the DOJ’s Deputy Attorney General Lisa O. Monaco said the North Korean group hacked a Kansas hospital’s system in 2021 and demanded a ransom, threatening to cripple the center’s servers if their demands were not met.
The hospital’s staff paid the ransom after the cyber criminals threatened to double the amount within 48 hours, the statement said. The DOJ statement did not specify if the ransom payment was paid in cryptocurrency.
“In that moment, the hospital’s leadership faced an impossible choice—give in to the ransom demand or cripple the ability of doctors and nurses to provide critical care,” Monaco said today at the International Conference on Cyber Security (ICCS) 2022 in New York. “But they also notified the FBI, which was the right thing to do for themselves and for future victims,” she added.
State-sponsored hackers from the hermit kingdom are regularly up to no good: a January report showed North Korean hackers stole $400 million in Bitcoin and Ethereum last year. And in April, the U.S. government released a cybersecurity advisory on North Korean illicit activity in the crypto space.
Monaco’s statement added that FBI and DOJ prosecutors were able to trace the actions of the hackers and, by analyzing public blockchain data, found where the criminals kept the stolen funds: in the accounts of China-based money launderers who regularly help North Korean hackers turn crypto to cash.
U.S. authorities used the same tactics they did when they recovered the Bitcoin stolen during the 2021 Colonial Pipeline attack, noted Monaco.
During their search they picked up a number of other ransom payments—including another hospital in Colorado—as well as stolen cryptocurrency, totaling half a million dollars. The DOJ did not specify which cryptocurrency the hackers had stashed away, though ransomware attackers will typically collect in either Bitcoin or a privacy coin like Monero.
Monaco added that a few weeks ago, the authorities were able to seize these assets. “And today, we have made public the seizure of those ransom payments, and we are returning the stolen funds to the victims,” she said.