The U.S. Department of Justice (DoJ) has announced the seizure of $500,000 worth of Bitcoin from North Korean hackers who extorted digital payments from several organizations by using a new ransomware strain known as Maui.
“The seized funds include ransoms paid by healthcare providers in Kansas and Colorado,” the DoJ said in a press release issued Tuesday.
The recovery of the bitcoin ransoms comes after the agency said it took control of two cryptocurrency accounts that were used to receive payments to the tune of $100,000 and $120,000 from the medical centers. The DoJ did not disclose where the rest of the payments originated from.
“Reporting cyber incidents to law enforcement and cooperating with investigations not only protects the United States, it is also good business,” said Assistant Attorney General Matthew G. Olsen of the DoJ’s National Security Division. “The reimbursement to these victims of the ransom shows why it pays to work with law enforcement.”
The disruption highlights the U.S. government’s continued success with cracking down on crypto-oriented criminal activities, enabling it to recoup ransomware payments associated with DarkSide and REvil as well as funds stolen in connection with the 2016 Bitfinex hack.
Earlier this month, U.S. cybersecurity and intelligence agencies issued a joint advisory calling attention to the use of Maui ransomware by North Korean government-backed hackers to target the healthcare sector since at least May 2021.
The incident targeting the unnamed Kansas facility is said to have occurred around the same time, prompting the Federal Bureau of Investigation (FBI) to uncover the never-before-seen ransomware strain.
It’s currently not known how the seizure was orchestrated, but it’s possible that it could have been carried out by following the money laundering trails to a cryptocurrency exchange that offers cash-out services to convert their illicit proceeds from bitcoin to fiat currency.
“It’s possible that the investigators traced the crypto to an exchange,” Tom Robinson, chief scientist and co-founder of blockchain analytics firm Elliptic, told The Hacker News. “Exchanges are regulated businesses and can seize their customers’ funds if compelled to do so by law enforcement.”
“Another possibility is that the cryptocurrency was seized directly from the launderer’s own wallet. This is more challenging to do as it would require access to the wallet’s private key – a passcode that allows cryptocurrency in a wallet to be accessed and moved.”
Besides espionage, North Korean threat actors have a storied history of directing financially-motivated hacks for the sanctions-hit nation in a multitude of ways, including targeting blockchain companies and leveraging cryptocurrency heists by making use of rogue wallet apps and exploiting crypto asset bridges.
Viewed in that light, ransomware adds yet another dimension to its multi-pronged approach of generating illegal revenues that help further its economic and security priorities.
The development also follows a notification from the FBI, which warned that threat actors are offering victims what appear to be investment services from legitimate companies to trick them into downloading rogue crypto wallet apps aimed at defrauding them.