The hack shows how hackers, once content to go after crypto companies one at a time, are broadening their targets.
A North Korean government-backed hacking group penetrated an American I.T. management company and used it as a springboard to target cryptocurrency companies, the company and cybersecurity experts said on Thursday. The hackers broke into Louisville, Colorado-based JumpCloud in late June and used their access to the company’s systems to target “fewer than 5” of its customers, JumpCloud said in a blog post. JumpCloud did not identify the affected customers, but the cybersecurity firms CrowdStrike Holdings and Mandiant identified the intruders as members of a state-sponsored group known as Labyrinth Chollima, or APT43. The hacking indictment unsealed by prosecutors on Thursday named Jon, Kim, and Park and accused them of using malware to steal multiple cryptocurrencies from the victims, including Bitcoin and Ripple. The indictment also alleged that the hackers stole more than $1.9 million worth of crypto from one victim, a financial services company in New York. The stolen crypto was sent to two Chinese men, who cashed out the coins and transferred the proceeds to their bank accounts.
Labyrinth Chollima is widely considered responsible for some of the isolated country’s most daring and disruptive cyber intrusions, including thefts of eye-watering sums. The blockchain analytics firm Chainalysis estimated last year that North Korea-linked groups had stolen roughly $1.7 billion worth of cryptocurrency across multiple hacks.
In recent months, the group has been targeting cryptocurrency companies, leading to several multimillion-dollar heists. In April, the U.S. Treasury Department’s Office of Foreign Assets Control attributed to the group the theft of $540 million in Ethereum and USDC from a cryptocurrency exchange and announced sanctions against it.
The JumpCloud hack shows how hackers, once content to go after crypto companies one at a time, have broadened their targets to include the service providers those companies depend on. It also underscores how hard it can be for public and private security firms to track and investigate cybercrime when the attackers operate out of reach, often in countries that do not cooperate with the United States on prosecuting crimes.
The indictment unsealed on Thursday names the three hackers, who face nine counts related to computer fraud and hacking conspiracy. It accuses them of stealing money and data from the victims, including information that could be used to disrupt the victims’ operations or their financial and other assets, and alleges that they conspired to further the strategic interests of the North Korean government and its leader, Kim Jong Un. The defendants could face up to 30 years in prison if convicted. The indictment was accompanied by an FBI application for a warrant to seize the cryptocurrency. The FBI intends to return the cryptocurrency to the victims, who will move it to their accounts on other crypto exchanges. The Justice Department’s cyber unit is working on the case with other federal agencies, including the FBI, and has sought assistance from the governments of Russia and China.