How North Korean hackers became the world's greatest bank robbers

GlobalPost
Rows of students at Mangyongdae Revolutionary School, a prestigious academy in Pyongyang, sit at computers.

It was among the greatest heists against a United States bank in history — and the thieves never even set foot on American soil.

Nor did they target some ordinary bank. They struck an account managed by the Federal Reserve Bank of New York, an institution renowned for its security.

In vaults 80 feet below the streets of Manhattan, the bank holds the world’s largest repository of gold. Many of these gold bars belong to foreign governments, which feel safer storing their gold inside well-defended bunkers in America than at home.

By the same token, overseas governments also store cash with the Fed. But this is cash in the 21st-century sense: all ones and zeroes, not smudgy bills. The bank holds vast foreign wealth on humming servers wired up to the internet.

That’s what the thieves went after in February 2016: nearly $1 billion, sitting in a Fed-run account. This particular account happened to belong to Bangladesh. Having already hacked into the servers of the Bangladesh Central Bank, the criminals waited until a Friday — a day off in many Muslim-majority nations, Bangladesh included.

Then they started draining the account.

Posing as Bangladesh Central Bank staff, the hackers sent a flurry of phony transfer requests to the Fed totaling nearly $1 billion. The Fed started zapping cash into accounts managed by the thieves overseas, most of them in the Philippines. Much of the money was quickly pulled out as cash or laundered through casinos.

From there, the trail goes cold.

The hackers didn’t get the full billion they desired. Most of the bogus requests were caught and canceled by suspicious personnel. But they did end up with an amazing score: $81 million.

The culprits of this heist are loyal to one of the most impressive organized crime syndicates in the world. They don’t work for the Triads, nor the Sinaloa Cartel, nor Sicily’s Cosa Nostra. They are agents of the Reconnaissance General Bureau (or RGB), which is headquartered in Pyongyang. This is North Korea’s equivalent to the CIA.

Like the CIA, North Korea’s RGB is steeped in clandestine overseas plots: assassinations, abductions and lots of spying. But it is perhaps better understood as a mash-up between the CIA, the KGB and the Yakuza.

What distinguishes the bureau is its entrepreneurial streak — one with a distinctly criminal bent.

For decades, North Korea has been beleaguered by Western sanctions and barred from global markets. This has prodded the regime to seek revenue in darker realms that are beyond the law. These black-market enterprises have included heroin production, printing bogus $100 bills and counterfeiting name-brand cigarettes.

But all of those rackets have now been totally eclipsed by hacking. The bureau has trained up the world’s greatest bank-robbing crews, a constellation of hacking units that pull massive online heists.

These thieves also have one distinct advantage over other syndicates: They are absolutely confident that they’ll never be charged. So it goes when your own country sponsors your criminal mischief.

This is a new phenomenon, according to US intelligence officials. “A nation state robbing banks … that’s a big deal. This is different,” says Richard Ledgett. He was, until his recent retirement, the deputy director of the National Security Agency.

In recent years, North Korea has launched hacks against more than 100 banks and online exchanges in a total of 30 countries. The RGB appears to have successfully pilfered $650 million. That we know of.

And yet they are chronically overlooked — at least in the American media, where talk of online subterfuge is dominated by Russian political hacks. If you weren’t aware that North Korea pulled a heist on the Federal Reserve, note that the caper went down in February 2016, when the media spotlight was fixed on the US presidential race at the expense of, well, almost everything else.

Now that gaze has swung toward North Korea — and for good reason.

Not so long ago, North Korea spoke of smiting the US with its “treasured nuclear sword of justice.” Now it offers grand gestures of warmth. Kim Jong-un has released American prisoners. He has giddily stepped into South Korea — if only for a moment — and he is now readying peace talks with President Donald Trump, a man who has threatened the young autocrat’s life via Twitter. (This could all change in an instant, of course. The North Korean leader suspended talks with South Korea on Wednesday over joint US-Korea military exercises and threatened to cancel his summit with Trump.)

South Korean President Moon Jae-in and North Korean leader Kim Jong-un shake hands at the truce village of Panmunjom inside the demilitarized zone separating the two Koreas, South Korea, April 27, 2018.

Credit: Korea Summit Press Pool via Reuters

For now, Kim Jong-un and Trump intend to meet in Singapore on June 12. This round and future rounds of talks — should they proceed without breaking down — will center on the fact that, against all odds, the leader of this impoverished nation has acquired humankind’s most powerful creation: the hydrogen bomb.

That we all know. But those with deep knowledge of North Korea’s RGB also tend to believe that North Korea has pulled off another stunning technological feat: amassing one of the most skilled hacking syndicates in the world.

Moreover, these bank heists are linked to the state’s nuclear arsenal. Missile tests provoke sanctions. Sanctions dry up North Korea’s foreign cash reserves. Pyongyang is then left scrambling to find alternate revenue streams in the underworld. None of these criminal enterprises are as lucrative as hacking — and none poses a greater threat to the US-dominated global financial system.

To make sense of North Korea’s hacking feats, I sought out Kim Heung-Kwang, a bespectacled 58-year-old computer scientist living in Seoul. Kim is familiar with the thinking of tech-savvy servants of the regime in Pyongyang.

He used to be one of them.


Kim isn’t all that easy to find. That’s how he likes it.

After agreeing to meet, Kim sends directions by text. Following them leads my co-producer, Sona Jo, and me into a drab cement structure on the outskirts of Seoul, far from the capital’s glitzy shopping promenades. Outside, it’s snowing softly and a chill pervades the unheated building. Reaching Kim’s chambers requires a steep climb up a freezing stairwell.

He answers the doorbell in a chipper mood — “Come in!” he says, in a sing-song melody — and promptly offers a cup of green tea. On the way here, I was braced for an awkward, slow-to-warm sort of encounter. That vibe has characterized some of my past interviews with North Korean defectors. They were, after all, reared from birth to despise Americans.

“Well, you’re jackals!” Kim says when I ask about his anti-American indoctrination. He’s laughing with his eyes, which crinkle when he smiles. “That’s what they say. Americans are our everlasting enemy. Bosses of a corrupt empire.”

But Kim is welcoming, exuding the demeanor of a gentle professor. I can’t say the same of the other man in the room: a tall guy, clad in a dark coat, who does not introduce himself but eyes us up and down before retreating to a corner in silence. I decide not to ask.

Kim Heung-Kwang, a computer networks specialist who now heads an association of highly educated North Korean defectors.

Credit: Facebook

Kim has come a long way since he emerged scared, soaking wet and nearly possessionless from the Tumen River in 2003. That was the year he sneaked to the banks of the river, which divides his homeland from China, and bribed a North Korean guard. The soldier looked away as Kim swam through freezing waters toward China. But as he swam, Kim says, he was shot at by a second guard whom he’d neglected to bribe.

Ultimately, he made it to the far shore unscathed and, from China, made his way to South Korea. Today, he heads an alliance of highly educated North Korean defectors.

He keeps busy by running this alliance — called North Korea Intellectuals Solidarity — which comprises escaped North Korean lawyers, doctors, engineers, academics and programmers. The intel he has gathered from these associates suggests to him that North Korea’s hackers are “an absolute treasure to Kim Jong-un,” he says. “Because it is becoming clear that North Korean hackers are the best in the world.”

Kim is a computer scientist himself. He specializes in digital networks and claims he took part in early modem communication between Pyongyang and Hamhung, North Korea’s second-largest city and Kim’s hometown.

That’s also where he spent years as a university professor, teaching soldiers-to-be about online networks. Many of his students, he says, were swept into the RGB to fulfill their ultimate mission: infiltrating the networks of enemies overseas.

Kim believes this background, plus his access to intel shared among hundreds of highly placed defectors, qualifies him as an authority on North Korean hackers. They are, he says, profoundly underestimated on the world stage.

“They’re the geniuses of North Korea,” Kim says. “Let’s make this simple. You want to rank countries when it comes to government hacking? Well, most people will say America is number one, Russia is number two, China is number three and so on.”

“But tell me, honestly. Is anyone pulling off as many successful hacking operations as North Korea?”

Let’s review some of North Korea’s greatest hacks.

In 2014, North Korean agents crept into the digital infrastructure of Sony Pictures, which was preparing to release “The Interview,” a screwball comedy about assassinating Kim Jong-un. Pyongyang’s agents wiped data and leaked embarrassing emails until Sony caved and canceled the film’s mainstream release.

In 2017, North Korean hackers seized Microsoft computers worldwide with a worm known as WannaCry. Devices were rendered useless unless the owner paid a ransom in Bitcoin — the price of unfreezing the computer. More than 200,000 computers in 150 countries were affected.

And in the last three years alone, North Korean hackers have targeted banks and cryptocurrency exchanges in the following countries: South Korea, Thailand, India, the Philippines, Poland, Peru, Vietnam, Nigeria, Australia, Mexico, Japan and Singapore. In the US, they’ve gone after Wells Fargo, Citibank and, of course, the New York Federal Reserve.

All told, these heists have pulled in an estimated $650 million in just a few years.

“So even just from reading the news,” Kim says, “everyone should start to wonder if maybe North Korean hackers are now the very best in the world.”

This sentiment — laughable just a few years ago — is now shared in unlikely circles.

The $650 million figure comes from Simon Choi, among the more authoritative sources on North Korean hackers. At 34, he has spent much of his young life chasing their digital trail. He is a consultant to South Korea’s National Intelligence Service — formerly titled the Korean CIA — as well as the military’s cyberwarfare division.

“I think we’re only able to uncover about 30 percent of their total hacking,” Choi tells me. “This is just a portion of their activity.” When I ask Choi to rank North Korea’s hackers, he tells me that “their skill has come a long way. They are now No. 1 in the world in terms of hacking.”

This is no fluke, Kim says. Under the reign of Kim Jong-un — the regime’s first millennial dictator — the RGB has continually restructured itself to emphasize cybercrime. It now oversees an estimated 3,000 to 6,000 hackers.

The bureau was created in 2009, during the last years of Kim Jong-il’s rule. It was comprised of a variety of units devoted to spycraft, overseas killings, psychological warfare and cyberwarfare — all of them pulled under one roof. According to Kim, once Kim Jong-un ascended to the throne, and took over the RGB, he lavished even more resources on its elite hacking units.

Two of those units stand out as exemplary.

One is known as Unit 121 — sometimes called “Lazarus” or “Hidden Cobra” by outside spy agencies — which pulled off both the Sony Pictures and the Federal Reserve hacks, Choi says. (The FBI has actually looked into filing charges against North Korea for the Fed heist.)

The other is Unit 110, which, according to Choi, began as a specialty unit targeting rival nations’ military intelligence. It has since devoted more energy, Choi says, to bilking credit card systems, ATM networks and, more recently, online stores of cryptocurrency.

Such online finesse begs the question: How is this impoverished state launching so many successful attacks from its home soil — especially given its constant power outages and primitive digital infrastructure?

It isn’t, Kim says. The bureau simply deploys hacker cells to live abroad — many of them in China — where online speeds are much faster. There, North Korean agents may feign jobs as traders or importers but run operations at night.

Other digital clues left by North Korean hackers suggest they’re located in India, Malaysia, Nepal, Indonesia and as far away as Mozambique. Recorded Future, a firm monitoring cyberthreats worldwide, claims North Korean agents look at Amazon, Baidu (China’s Google equivalent), a fair amount of porn and, more embarrassing still, their own AOL accounts. They also use iPads and iPhones. (Kim Jong-un himself has been spotted using Apple computers.)

Kim Jong-un sits at a desk writing on a piece of paper. To the right of the photo you can see an iMac computer.

Kim Jong-un and his iMac.

Credit: KCNA

What can’t be easily discerned from the hackers’ digital breadcrumbs is their ideology. But Kim says that “when they attack a bank, it’s not personal. They know it’s illegal under international law but their first motivation is pleasing their Dear Leader. Don’t imagine them feeling guilty or breaking some moral code. They don’t have the same moral code as you.”

“They just think, well, I have skills that can benefit my country and please the leader,” he says. “It’s a golden opportunity to prove their loyalty.”

Kim tells me, look, if you really want to understand the mentality of cadres inside North Korea’s reconnaissance bureau, you should speak to Mr. Jang, his colleague.

And that is how I ended up, days later, in a hipster-ish co-working cafe on the other side of town — sitting across from a nervous 49-year-old man in a blue jacket.


Jang Seyul is slow to speak, economical in his movements and seemingly allergic to loosening up. He won’t remove his coat. He flinches at the sight of my microphone. I sense that he’s only agreed to meet because Kim put in a request on our behalf.

The son of an army captain, Jang grew up comfortable, at least by North Korean standards. “We ate meat at least once a month. Mostly fish. And always on the birthdays of Kim Il-sung and Kim Jong-il. The military provided my household with rice and, to supplement that, my father raised pigs and dogs for food.”

As a young man, Jang was accepted into Mirim University. He says the institution is known within the military by a quasi-secret title: The Korean People’s Command Automation University. Wired Magazine calls it “North Korea’s School for Hackers.”

But Jang was not fated to become a hacker. He was instead taught software related to military strategy — “war games,” he says — and recruited to run battle simulation programs at the RGB.

Climbing this professional ladder was a gauntlet, each step bringing ferocious competition from other young men. For tech-related positions, either academic or professional, he says that “100 openings will attract thousands of applicants.”

He worked alongside hackers both in college and at the bureau. Those with brains would always rise fast, he says. “In North Korea, there are now very strong incentives to become engineers or IT specialists. Because if you become a cyberexpert, you can become a senior manager within the Communist Party,” he says. “Boys and men dream of pursuing this path.”

Hacking has a special cachet in North Korea, Jang says, because it affords a life grander than a rice farmer could ever imagine. The most skilled programmers are allowed to move their entire families from hardscrabble provinces into the capital of Pyongyang, a privilege denied to common servants of the state.

In the capital, he says, the hackers’ families can enjoy great luxuries: hot water around the clock, regular electricity, rare food items — such as bananas — that are beyond the basic soldier’s ration allotment. (Other North Korean defectors have corroborated that eating bananas — or any imported tropical fruit — indicates high status.)

But the very best cyberwarriors are deployed abroad and, by necessity, given free access to the internet. Of course, the web is a space seething with information the Kim dynasty hides from the general population. “So these people do learn about North Korea’s reputation as a dictatorship,” Jang says. “They know what they do is considered criminal.”

“But still, they may feel proud,” he says. “They’re earning money for their country by targeting the enemy.”

But all evidence indicates they’re not just targeting their traditional “enemy”: those wicked Americans and, as Pyongyang’s apparatchiks see it, their quasi-colony in South Korea. They’re hitting banks all across the world, especially poorly defended institutions in Southeast Asia.

So, how to justify robbing Bangladesh, one of the poorer countries in Asia, with a literacy rate worse than that of North Korea?

Jang breaks down the mental gymnastics: “In North Korea, we learn that America doesn’t just militarily invade countries around the world. It also manipulates the world using its dollar regime — the global financial system.”

In other words: Any one institution participating in the global banking network is fair game. The fact that US-imposed sanctions prevent North Korea from accessing these very networks only sweetens the justification, Jang says. “Through hacking, they feel they’re lifting those sanctions,” he says, and thus making up lost revenue.

For North Korean hackers, the alternative to maintaining this worldview — drifting into some fantasy of revolt — is almost unthinkable, he says. They have too much to lose: an unfiltered view of the web, relief from hunger and want, parents and siblings living cozily in Pyongyang.

“These apartments for the wealthy [in Pyongyang], they are under strict observation,” Jang says. “So the hacker’s family are like hostages in a sense.” If the hacker turns dissident, he says, “then the worst can happen.”

The worst?

“Yes,” Jang says. “Because they are soldiers, I think their families could be killed. All of them.”

There is an expression in North Korea, he tells me: “It is easy to wake up a person who is sleeping, but it’s very hard to wake up the man who is pretending to sleep.”


Watch CNN, or soak up statements from US and South Korean officials, and you will hear over and over that cash hacked by North Korea is funneled into its nuclear weapons program.

But this is an oversimplification, says Andrei Lankov, a scholar at Kookmin University in Seoul and an expert on the North Korean economy.

The professor’s authority on the subject is boosted by an unusual resume. Lankov was born in the now-defunct USSR and, in the mid-1980s, he was sent to study at North Korea’s answer to Harvard: Kim Il-sung University in Pyongyang. He still speaks Korean in the northern dialect and keeps close tabs on the regime.

As for the hacked money? He believes it’s used to buy goods and services including:

  1. “Chanel bags for the mistresses of top leaders.”
  2. “Antibiotics for sick children.”
  3. “Low-quality but calorie-rich rice to feed the malnourished population, including residents of homes for senior citizens.”
  4. “Spare parts for a new transcontinental missile capable of hitting New York.” 

In other words, Lankov says, the cash will help satisfy all of the state’s needs, large and small, benevolent and crooked. And cadres in Pyongyang don’t fret over the fact that it’s stolen.

“They see themselves as victims,” Lankov says, “and they see international law as completely meaningless, full of hypocrisy, used by the great powers to perpetrate their privileged positions.”

This is the worldview that goaded the state to export heroin in the 1970s — its first big plunge into mafia-style criminality — and later churn out counterfeit cigarettes and fake US cash.

“For a long time, they pinned their hope on narcotics. Then they discovered the money is not all that good. Yet the damage to their reputation is terrible. So they quit,” he says. “But now, with hacking, they have found their next great hope … and I would not be surprised if hacking now plays a major role in their revenue structure.”

When it comes to North Korea’s total income, hacking still can’t match selling coal to China or even sending laborers overseas, where North Koreans are dispatched to saw down trees in Siberia or weld steel in the Middle East. At the moment, however, both of those revenue streams are strangled by UN-imposed sanctions.

This only elevates the demand for hackers further still. And there is no shortage of students willing to learn the trade.

“If your only capital is the brain matter in your hat,” Lankov says, “becoming a government hacker is probably the best career — especially for a brainy boy from the countryside.”

A kid who might end up plucking radishes in decades past may, with the right training, join a crew that generates a few million dollars with a single big online heist. That influx of cash wouldn’t move the needle for a superpower such as China or America. But in North Korea — where the $28 billion national economy is on par with that of Gary, Indiana — it can secure great status and adulation.

Lankov says the ruling party does worry that its hackers will absorb anti-regime information online. “But they’re bringing in so much money,” he says, “that the state is going to overlook this problem.”

“Look, [the typical hacker] is probably not going to run away,” Lankov says. “The system is designed in such a way that escape is almost impossible. And he’s not going to start an opposition movement. Because that is a very painful way of suicide.”


This talk of Pyongyang’s stranglehold on its cyberexperts brings me back to Kim, the computer specialist, sitting in his chilly office in Seoul — the one where that shifty-eyed man watches over him as he works.

Since his escape, Kim says he’s received menacing phone calls. Emails. Faxes even. All indicating that, if he doesn’t shut up, he’s going to be murdered.

“I’m on their blacklist,” he says, removing his glasses to rub his temples. “There’s a standing order to have me killed. You may have noticed the man who’s always with me?”

He nods at that stone-faced man in the dark coat, sitting in a chair by the front door.

“He’s a South Korean agent,” Kim explains. “He’s actually here to protect me.”

For North Korean defectors, these are strange and dizzying times. Though much of the world mocks or shrugs off North Korea’s threats to its rivals, Kim takes every menacing statement from Pyongyang very seriously.

A group of people stand watching a television. Their backs are to the photographer. On the wall is a television they are looking at that shows two men shaking hands.

People watch a TV showing a live broadcast of the inter-Korean summit as South Korean President Moon Jae-in shakes hands with North Korean leader Kim Jong-un, at a railway station in Seoul, South Korea, April 27, 2018.

Credit: Jorge Silva/Reuters

But there is now a sense that North Korea’s relationship to the world is in wild flux. The rogue state was only recently fantasizing about bombing Washington, DC, into “ashes and darkness” — and yet it now speaks vaguely of “denuclearization.”

But it is unclear whether this peace-and-unity vibe will extend into the digital battlefield. Should we expect North Korea to suddenly rein in its hackers — the RGB units that have harnessed its best and brightest minds to help keep the regime afloat?

You might imagine that Kim the North Korean cyberexpert-turned-academic — who spends his days and nights pondering over the regime’s next move — would have arrived at a tidy answer. But he sounds just as uncertain as anyone else. His instincts tell him to wait for that much-hyped potential meeting between Trump and Kim Jong-un before analyzing the situation further.

Perhaps North Korea will bring its hackers to heel in hopes of securing a sweeter prize: the end of crushing sanctions. Maybe Kim Jong-un will walk away from the table, as he is threatening. But if this summit ends in disaster, he says, Pyongyang will feel emboldened to unleash its online bank robbers for even more brazen heists.

“Maybe [Trump and Kim Jong-un] will have a romance. Or maybe it’ll be an action movie,” Kim says. “Let’s just say this: If the two ever meet, it will bring together the two weirdest men in the world.”

Patrick Winn reported from Seoul. Essential reporting for this story was provided by Sona Jo, a South Korea-based filmmaker.
