August 5, 2022

DOJ announces forfeiture complaint for the return of ransom funds from North Korean hackers

On July 19, 2022, the US Department of Justice filed a complaint in the District of Kansas for the forfeiture of approximately $500,000 in cryptocurrency paid by healthcare providers in Kansas and Colorado as ransom to North Korean hackers.  The DOJ noted that the Kansas medical center’s rapid reporting and cooperation with law enforcement made it possible for the DOJ and FBI to identify a previously unknown North Korean ransomware strain, and to trace the funds to China-based money launderers. 

According to court documents, in May 2021, a group of North Korean hackers deployed ransomware known as “Maui” to encrypt files and servers of a medical center in Kansas, and after losing access to its encrypted servers for more than a week, the medical center paid the hackers approximately $100,000 in Bitcoin to regain the use of its computer systems.  The medical center reported the cyber incident to law enforcement and cooperated with FBI investigators.  With the help of the Kansas medical center, in April 2022, the FBI was also able to identify a Bitcoin payment of approximately $120,000 to one of the seized cryptocurrency accounts; investigators were able to confirm that the payment was connected with a ransom payment made by a medical provider in Colorado that had just been hacked using the same Maui ransomware strain.

In May 2022, the FBI seized the contents of two cryptocurrency accounts worth approximately $500 thousand dollars and included the ransoms paid by the two US healthcare providers.  While at the International Conference on Cyber Security, Deputy Attorney General Lisa Monaco issued a statement crediting the quick reporting and cooperation of the Kansas medical center with the disruption of illicit activities by a North Korean state-sponsored group. 

DOJ Press Release | Complaint