North Koreans piloted Bank of Valletta heist with Nigerian social media influencer

North Korean programmers who hacked Sony Entertainment over “The Interview” movie, accused of being behind Bank of Valletta heist in 2019

Ramon Abbas, aka Hushpuppi, assisted North Korean hackers in carrying out heists

The Nigerian social media influencer behind the multi-million cyberattack on Bank of Valletta in February 2019 was part of a “North Korean-perpetrated cyber-enabled heist from a Maltese bank”, according to the United States Department of Justice.

Ramoni Igbalode Abbas, aka “Hushpuppi”, had amassed 2.4 million followers on Instagram flaunting luxury cars, designer clothing, and private jets, when he was accused of having conspired to “launder funds intended to be stolen through fraudulent wire transfers from a foreign financial institution, in which fraudulent wire transfers, totalling approximately €13 million were sent to bank accounts around the world in February 2019.”

Both the date and the amount in the latest US DOJ statement match those of the attack on Bank of Valletta in February 2019, which amounted to $14.7 million.

On Wednesday, the Justice Department filed charges in a national security cyber investigation that accused North Korean operatives of stealing digital wallets of cryptocurrency, dubbing them “the world’s leading bank robbers”.

The attacks are traced to a North Korean programmer working for the government of the Democratic People’s Republic of Korea (DPRK), who now stands accused of the November 2014 destructive attack and hack-and-dump targeting Sony Pictures Entertainment over the film ‘The Interview’, which parodied dictator Kim Jong Un, and of attempts from 2015 through 2019 to steal more than $1.2 billion from banks in Vietnam, Bangladesh, Taiwan, Mexico, Malta, and Africa by hacking the banks’ computer networks and sending fraudulent Society for Worldwide Interbank Financial Telecommunication (SWIFT) messages.

Abbas’s co-conspirator conspired with the persons who initiated the fraudulent wire transfers to launder the funds that were intended to be stolen. Abbas specifically provided the co-conspirator with two bank accounts in Europe that Abbas anticipated would each receive €5 million of the fraudulently obtained funds. According to the FBI’s investigation, in a message on 16 January 2019, the co-conspirator contacted Abbas for these two bank accounts, which he said would be from the country in which the bank is located. Abbas’s alleged role was to find bank accounts that could accept millions of dollars in stolen cash without raising red flags. Abbas provided co-conspirators with wire information for accounts in Romania, Bulgaria, Dubai, Mexico, and elsewhere.

According to the latest US federal indictment, three North Korean computer programmers are now accused of participating in a wide-ranging criminal conspiracy to conduct a series of destructive cyberattacks, to steal and extort more than $1.3 billion of money and cryptocurrency from financial institutions and companies, to create and deploy multiple malicious cryptocurrency applications, and to develop and fraudulently market a blockchain platform.

A second case revealed that a Canadian-American citizen will plead guilty to being a high-level money launderer for multiple criminal schemes, including ATM “cash-out” operations and a cyber-enabled bank heist orchestrated by North Korean hackers.

“North Korea’s operatives, using keyboards rather than guns, stealing digital wallets of cryptocurrency instead of sacks of cash, are the world’s leading bank robbers,” said Assistant Attorney General John C. Demers of the Justice Department’s National Security Division.

The hacking indictment filed in the U.S. District Court in Los Angeles alleges that Jon Chang Hyok, 31; Kim Il, 27; and Park Jin Hyok, 36, were members of units of the Reconnaissance General Bureau (RGB), a military intelligence agency of the Democratic People’s Republic of Korea (DPRK), which engaged in criminal hacking. These North Korean military hacking units are known by multiple names in the cybersecurity community, including Lazarus Group and Advanced Persistent Threat 38 (APT38).

The broad array of criminal cyber activities includes:

  • Cyberattacks on the Entertainment Industry: The destructive cyberattack on Sony Pictures Entertainment in November 2014 in retaliation for “The Interview,” a movie that depicted a fictional assassination of the DPRK’s leader; the December 2014 targeting of AMC Theatres, which was scheduled to show the film; and a 2015 intrusion into Mammoth Screen, which was producing a fictional series involving a British nuclear scientist taken prisoner in DPRK.
     
  • Cyber-Enabled Heists from Banks: Attempts from 2015 through 2019 to steal more than $1.2 billion from banks in Vietnam, Bangladesh, Taiwan, Mexico, Malta, and Africa by hacking the banks’ computer networks and sending fraudulent Society for Worldwide Interbank Financial Telecommunication (SWIFT) messages.
     
  • Cyber-Enabled ATM Cash-Out Thefts: Thefts through ATM cash-out schemes – referred to by the U.S. government as “FASTCash” – including the October 2018 theft of $6.1 million from BankIslami Pakistan Limited (BankIslami).
     
  • Ransomware and Cyber-Enabled Extortion: Creation of the destructive WannaCry 2.0 ransomware in May 2017, and the extortion and attempted extortion of victim companies from 2017 through 2020 involving the theft of sensitive data and deployment of other ransomware.
     
  • Creation and Deployment of Malicious Cryptocurrency Applications: Development of multiple malicious cryptocurrency applications from March 2018 through at least September 2020 – including Celas Trade Pro, WorldBit-Bot, iCryptoFx, Union Crypto Trader, Kupay Wallet, CoinGo Trade, Dorusio, CryptoNeuro Trader, and Ants2Whale – which would provide the North Korean hackers a backdoor into the victims’ computers.
     
  • Targeting of Cryptocurrency Companies and Theft of Cryptocurrency: Targeting of hundreds of cryptocurrency companies and the theft of tens of millions of dollars’ worth of cryptocurrency, including $75 million from a Slovenian cryptocurrency company in December 2017; $24.9 million from an Indonesian cryptocurrency company in September 2018; and $11.8 million from a financial services company in New York in August 2020 in which the hackers used the malicious CryptoNeuro Trader application as a backdoor.