Cold Open

Show Notes

Shimomura opened his eyes. The clock said 4:30 a.m. It was a Sunday morning, May 14, 2016. He got up and pulled on some jeans. Then, he pulled on an old t-shirt, slipping it over the ornate, colorful tattoo that covered most of his back.

Normally, he’d be wearing one of his impeccably tailored suits, like he did most days. His love of slick, high-end suits marked him for what he was: a yakuza. But today, he needed to be a bit more discreet.

He picked up the white plastic card from his dresser. It was the size of a credit card, but smooth and blank except for a magnetic card stripe. He slid it into his wallet and headed out the door.

As he walked through the streets of Nagoya, Shimomura—not his real name—thought over the last few days.  

One of his bosses in the Yamaguchi-gumi crime family had asked him a simple question: want to make a bunch of money, fast?

The boss invited Shimomura to a bar to go over the details. They met the next day, along with two other yakuza. Shimomura didn’t know them, but they were Korean-Japanese—like he was. The boss handed out three white cards and sent them on their way.

Shimomura didn’t know where these cards had come from, and he didn’t particularly care. It was easy money.

Relatively speaking. When Shimomura arrived at the 7-11, it was empty except for the cashier. He was immediately nervous. To settle himself, he bought a Coke and a rice ball.

He gulped them down, then went over to the ATM. He took one more look to make sure the cashier wasn’t watching him, then he slipped the card into the machine. He selected the “Japanese” language option—since that wasn’t the default, Shimomura figured the cards must be foreign.

He typed in the amount: 100,000 yen, or about 900 dollars. He entered the PIN, hit “withdrawal,” and held his breath.

And then, the machine spit out the cash. It worked!

The cashier didn’t look up.

He entered the card again and repeated the process. Another 100,000 yen came out. He did it again and again, nineteen times in total. But not more than that, or the bank would put a stop on the card. That wouldn’t do. He still had more 7-11s to hit.

By 8 a.m., Shimomura now had 3.8 million yen. His next instructions were to bring the cash to the bar and hand over the pile. He’d get to keep 5%.

Sure, he could just take off with all the money, but that could mean losing a pinkie, or something worse. Much worse.

Shimomura dropped off the cash and took his cut. One of the other two card cashers had indeed run off with the cash. Don’t wanna be that guy, Shimomura thought.

A few days later, Shimomura was in another convenience store when he noticed a newspaper headline.

$16 Million Stolen in ATM Heist, it said. 

What the hell? He picked up the paper. 1,700 ATMs across the country had been hit.

It was the same story. Piles of cash stolen from 7-11s, using what turned out to be cloned cards hacked from a South African bank.

This had been a much bigger operation than he’d thought. He was just a tiny cog in an international money-grabbing scheme.

The papers didn’t know who was controlling it. It would be five years before Shimomura learned the truth: it was the North Korean military, and its army of hackers called “The Lazarus Group.”

On this episode: Kim Jong Un, cyberwarfare, bank heists, high roller casinos, nuclear weapons, and a whole lot of cognac. I’m Keith Korneluk and this is Modem Mischief.

You’re listening to Modem Mischief. In this series, we explore the darkest reaches of the Internet. We’ll take you into the minds of the world’s most notorious hackers and the lives affected by them. We’ll also show you places you won’t find on Google and what goes on down there. This is the story of Michael Calce, aka Mafiaboy.

Act One

On December 8, 2013, hundreds of members of the Worker’s Party were gathered in the Politburo. It’s a cavernous building dominated by a golden hammer, sickle, and brush: North Korea’s state symbol.

Supreme Leader Kim Jong-un entered and sat at his desk, which is on an elevated platform above the assembly. Everyone took their seats, and the meeting began.

Near the front row was Jang Song-thaek. He was the Vice Chairman of the National Defense Commission, unofficially the second-most powerful person in the country. He was also Kim Jong-un’s uncle by marriage.

But today, Jang wasn’t paying attention to the meeting. He folded his hands and looked down at his feet, waiting for it all to be over.

Finally, at the back of the hall, the doors opened. The Supreme Leader’s older brother, Kim Jong-chul, entered, flanked by two military officers. They strode up to Jang.

Comrade Jang, please come with us.

The officers took Jang by the elbow and escorted him out of the room. Jang looked up at Kim Jong-un–his own nephew. The Supreme Leader’s face was expressionless.

This wasn’t Jang’s real arrest. That happened a few weeks earlier. This one was for the cameras. The next day, state media would broadcast his perp walk, along with an official statement branding Jang as a traitor:

“Despicable human scum Jang, who was worse than a dog, perpetrated thrice-cursed acts of treachery in betrayal of such profound trust and warmest paternal love shown by the party and the leader for him.”

North Korea: not exactly known for its subtlety.

He was accused of conspiring to overthrow the government, of having illicit affairs, of dozens of other charges. Then he was taken to a detention center, where he was beaten and tortured.

Four days later he had his trial. It was behind closed doors. There were no lawyers, no presentations of evidence, no testimonies. Just Jang, entering a guilty plea.

As he expected, Jang was sentenced to death. He hoped it would be via firing squad. He hoped he would get a burial.

Two days after the trial, Jang was brought to the Gang Gun Military Academy. A vehicle brought him up to a stage, in front of hundreds of party officials. Bound in rope, he was dragged out of the vehicle. There, in front of him, was a four-barrel, 14.5 millimeter anti-aircraft gun.

Jang nearly fainted.  

Ready, aim, fire!

SFX: anti-aircraft gun

When the firing was over, two more soldiers with flamethrowers walked up to what remained of Jang and pulled the triggers.

SFX: flamethrower.

Officially, the execution of the second-most powerful man in North Korea happened over a fishery that harvested clams and crabs. It had been under military control for decades, but Kim Jong-un transferred it to his cabinet. When the Supreme Leader’s men arrived to take control of the facility, men loyal to Vice Chairman Jang Song-thaek refused to give it up. A firefight broke out. Two were dead.

But really, Jang’s execution had been in the works for months, even years. Probably going back to before Kim Jong-un took power.

Kim Jong-un succeeded his father Kim Jong-il when he was 28 years old. The transition hadn’t been smooth.

When Kim Jong-il took power in 1994, he had been groomed to become Supreme Leader for more than a decade. Kim Jong-un, on the other hand, was never supposed to be the heir. That was his half-brother, Kim Jong-nam.

But in 2001, Kim Jong-nam was caught trying to visit Tokyo Disneyland with his family, using a fake passport. An unforgivable sin in North Korea. He now lived in exile.

As a teen, Kim Jong-un was sent to a posh boarding school in Switzerland, where he lived under a false identity as the son of a diplomat. He was an average student and an introvert, but he loved track suits and basketball—especially the Michael Jordan-era Chicago Bulls.

So, if you ever wondered why Kim Jong-un hangs out with Dennis Rodman so much, this would be why. 

After his older brother’s Disney disgrace, Kim Jong-un was abruptly pulled from school and brought back to the motherland. His father officially named him the heir in 2010, and just one year later he became Supreme Leader.

His father left behind a cabinet and military full of seasoned, influential political and military leaders. All of them potential threats. 

In Jang Song-thaek’s case, he actually served as the head of state, albeit temporarily. When Kim Jong-il was hospitalized with a heart attack in 2011, Jang effectively ran the country until he recovered.

Many in the government were loyal to Jang Song-thaek. Some thought Kim Jong-un’s uncle should be running the country until his nephew would be “experienced” enough to take over.

On top of that, Jang Song-thaek had long argued that North Korea should be more open to the outside world.

So, Jang Song-thaek had to go.

Jang Song-thaek was one of 15 senior officials whom Kim Jong-un executed when he took power in 2011. Another 421 were purged from the government and sent to re-education centers, where they were forced to do long self-criticism sessions.

Purges like this are part of doing business in Stalinist dictatorships, and Kim Jong-un was learning quickly.

But a purge only eliminates domestic enemies. Kim Jong-un, and North Korea, had plenty of foreign enemies, too.

When Kim Jong-un took over in 2011, the United States and other western-style democracies had been placing North Korea under economic sanctions since the 1950’s. It was labeled a sponsor of domestic terrorism in 1988. When North Korea successfully tested its first nuclear bomb in 2006, it made the country even more of a pariah. By 2011, it was known as “the hermit kingdom.”

With few allies and a struggling economy, Kim Jong-un didn’t have many great options to improve his country’s standing.

Obviously, aggressive actions against his enemies weren’t an option. Open warfare would bring the entire world after him.

He needed an indirect approach, a way to strike at his enemies and still maintain deniability.

Fortunately, he had the perfect weapon: an army of cyberwarriors.

We’ve all seen the satellite maps of the Korean peninsula at night. The South is lit up by millions of points of light, while the North is almost entirely dark except for the capital of Pyongyang. In 2022, the North Korean internet is highly restricted and has few connections to the outside world. The vast majority of North Koreans still don’t own computers.

So, where did he get this army of cyberwarriors?

Let’s back up to the late 1990’s. Economic sanctions and mismanagement have led to widespread famine in North Korea. Millions have starved.

But Kim Jong-il has had a vision of the near future, one where cyberwarfare is the dominant form of combat. Despite the country’s economic woes, he starts investing heavily in a hacker training program.

You’re a 12-year-old boy from one of North Korea’s rural villages—and yes, in this hypothetical, you would be a boy.

Your family doesn’t have a computer. The only ones you ever see are at school.

But you have a gift: you excel at mathematics. Your teachers start letting you spend time on the school computers.

You get placed in a specialized high school. There, you’re picked for the team competing in the International Math Olympiad.

The annual competition is held in a different city each year. Places like Washington D.C., Tokyo, or Athens. Places you’ve never dreamed you’d get to visit. You’re one of a handful of North Koreans who are allowed to travel overseas.

You could flee the tournament and defect. But you also know that your family back home might suffer the consequences.

Besides, if you do well, you could change your family’s fortunes forever. In North Korea’s rigid caste system, this is nearly impossible.

You don’t win the Fields Medal, but you place high. That gets you admission to the University of Automation in Pyongyang. It’s a military college. You’re no soldier, but you’re considered among the elite of the elite.

There, you spend years learning the ins and outs of computer hacking. Malware attacks, phishing, ransomware, coding. The kind of skills that an American teenager could learn from the computer in their bedroom, if so inclined. 

By the time Kim Jong-un takes power in 2011, you’re one of an estimated 1,800 cyberwarriors in North Korea’s army—and the Supreme Leader is eager to put you to use.

First, Kim Jong-un turned his attention to his closest enemy, South Korea.

In March 2013, South Koreans who tried to use their bank cards found that ATMs across the country were down. Three of the country’s biggest banks had been hit by a malware attack that disabled computers from booting up. Two TV stations were hit with the same malware for good measure. Overall, the cyberattack cost $750 million.

Then, two months later, South Koreans who logged onto the website for Cheongwadae, the president’s official residence also called The Blue House, were greeted with a message: All hail the unified chairman Kim Jong-un!

The second attack happened on the 63rd anniversary of the start of the Korean War. Kim Jong-un’s message was unmistakable: He didn’t have to attack South Korea physically. He could hit the country where it was most vulnerable, from anywhere. As long as he had an Internet connection.

In 2014, North Korea learned that The Interview, an American comedy starring Seth Rogen, would depict the assassination of Kim Jong-un. 

This actually wasn’t unheard of. In 2004, Team America: World Police depicted the killing of Kim Jong-il.

But that was ten years into the elder Kim’s reign. Kim Jong-un had just taken power, and he couldn’t allow an enemy to mock him in front of the world.

In December 2014, Sony executives arrived at their offices to find their computers locked up with ransomware—and if you’d like to hear more about how Seth Rogen almost started World War 3 with North Korea, check out our bonus episode on the Sony Pictures hack which is available on Patreon or as a paid subscription on Apple Podcasts.

The Sony hack gave a major corporation a black eye. In response, Sony caved to the hackers’ demands and pulled The Interview from theaters. It was later released online, but for the North Korean hackers, it was a major victory.

Given the timing of the Sony hacks, and the hackers’ demands, it wasn’t much of a mystery who was responsible. Still, the Sony hacks alerted the world to the fact that North Korea was much more capable of cyberwarfare than previously thought.

In response to the Sony hacks, the American cybersecurity company Novetta launched a project called Operation Blockbuster in 2015. The goal was to identify the perpetrators and their origins.

By analyzing the malware used in the attack, Novetta did indeed conclude that it had North Korean origins. But then, after some further digging, Novetta discovered links between the Sony hacks and other cyberattacks going back as far as 2009.

The group just kept coming back. Novetta named them “the Lazarus Group,” after the Bible character whom Jesus brought back from the dead.

Just three years into Kim Jong-un’s reign as Supreme Leader, the Lazarus Group was proving its usefulness on the battlefield. But soon, it would prove useful for an entirely different purpose.

Now, let’s check back in with our hypothetical hacker.

It’s 2014. You graduated from the University of Automation about a decade ago. From there, you were assigned to the Lazarus Group–or, as it’s known in North Korea, Bureau 121 of the Reconnaissance General Bureau.

You’re on an overseas assignment. Well, technically you didn’t cross any oceans. You’re stationed in Shenyang, China, about 225 miles southeast of Pyongyang.

You live in the Chilbosan Hotel. It’s a 16-story lodging with a spa, karaoke, a workout room, and high-speed Internet.

But you rarely get to enjoy any of that—except for the Internet. You live in a room with five other hacker-soldiers. Your living room is crammed with computer equipment. Portraits of Kim Jong-un and Kim Jong-il hang on the wall.

In fact, the hotel is owned by the North Korean government. Online, the Chilbosan is nicknamed “the hacker hotel.” It’s rumored to be a staging ground for military hacks.

One night, you’re working at your terminal. You’ve been repeatedly targeting employees at a bank in Bangladesh with a phishing email. Like most phishing attacks, yours is an email that appears to be from a job applicant. The attached resume contains a code that gives you a backdoor into the network.

Assuming someone opens it. Which they haven’t.

That’s…not great. You were part of the Dark Seoul attack, and the Sony hacks. But this is a different kind of operation entirely. If you don’t produce results, there could be serious consequences–for yourself, and for your family back home. 

You rub your eyes, grab a bucket, and head out to fill it with ice. You and your fellow hackers like your Cokes ice cold. You’ve developed quite the taste for them. Back home you’d have to be content with North Korean brand soda. Here, your supervisor turns a blind eye—as long as you produce results.

As you’re filling up the ice, you bump into a Westerner. Not a common sight at the Chilbosan.

He’s looking you over. Does he know about the hotel’s reputation? Is he a lost tourist? Or something else? When you catch him looking, he averts his eyes.

You fill up your bucket and head back to the cramped, dude-smelling room. When you plop back down at your desk, your eyes go wide: someone at the bank in Bangladesh has opened your attachment.

You’re in.

But this is just the first step in a larger plan. More than a year later, you and your comrades will bring this bank—and Bangladesh itself—to its knees.

Act Two

February 5th, 2016 was a Friday, and in Bangladesh, that meant it was the weekend. In Bangladesh, the weekend is Friday-Saturday, not Saturday-Sunday.

So, Zubair Bin Huda wasn’t particularly jazzed on Friday morning when he arrived at his office at Bangladesh Bank. It’s a 12-story office building in Dhaka, and home to the country’s national financial institution.

He was the bank’s duty manager, which meant overseeing the day-to-day operations. As he began his workday, one of his employees knocked on his door.

Zubair? The 10th floor printer isn’t working.

Strange. This was the printer that printed out records of many of the bank’s transactions. Still, printers go down all the time. Zubair and his colleagues tried to restart it. It didn’t work, and they went home.

Zubair returned to the office the next day. The printer still wasn’t working. But now, a key piece of banking software was also on the fritz. It was displaying an error message: A file is missing or changed.

Two glitches in a row? That made Zubair nervous. He got the go-ahead from upstairs to try another method of rebooting the printer. This time, the printer came back on and immediately started spewing printouts. There were several frantic messages from the New York Federal Reserve.

Bangladesh Bank has a foreign currency account with the New York Fed that it uses for international settlements. It held close to a billion dollars.

And now, according to the Fed, Bangladesh Bank had ordered that the entire account be emptied.

Only, Bangladesh Bank had done no such thing.

Now, the bank was on high alert.

Bangladesh is one of the poorest countries in the world. $1 billion represents .45% of the country’s GDP. In the United States, .45% of the GDP is about $104 billion. In other words, $1 billion can make or break an economy like Bangladesh’s.

The Fed wanted to know if Bangladesh Bank really wanted to go through with the money transfers. Since the printer had been offline, nobody at the bank had noticed. And since the Fed hadn’t received a response, the transfers had started going through.

The bank’s governor, Atiur Rahman, tried to call the New York Fed, but by then it was early Saturday morning in New York City. He couldn’t get through.

The situation was happening so fast. Rahman had no idea how much of the almost $1 billion was already gone, or where it had gone to.

He also had no idea how this had happened.

Rahman hoped it was just a mistake in the system. Bank errors do happen.

But what if it was theft? He hoped it wasn’t an inside job–that way, the bank’s security would still be secure. 

Rahman had no idea who was really behind it: the Lazarus Group.

But why was the Lazarus Group robbing a bank?

The North Korean regime’s ties to crime go back decades, even back to the beginning of the country.

In 1953, as part of the settlement to end the Korean War, the United States split the Korean Peninsula along the 38th parallel. The boundary roughly divides the peninsula in half. Fair, right?

Problem was, the North was only home to 30% of Korea’s population. It’s mountainous, colder, and has far less farmland. While South Korea prospered in the 1950’s and 60’s, North Korea’s Communist economy lagged way behind.

One way to make up the difference? State-sponsored crime.

The Kims have benefited from crime for as long as they’ve been in power. For decades, the country has made and sold drugs, smuggled weapons, sold counterfeit goods, engaged in human trafficking, and more.

In the late 1990’s and early 2000’s, Kim Jong-il was running a sophisticated US currency counterfeiting operation. North Korean diplomats were caught distributing fake $100 bills called “Superdollars.” They were so convincing that the U.S. mint had to add new hologram technology to make bills harder to fake.

Like his father before him, Kim Jong-un enjoys the finer things in life. His army of cyber warriors is useful for asymmetrical warfare, like hacking South Korea or Sony. But it also keeps him in cognac and Rolls Royces.

At Bangladesh Bank, Atiur Rahman and his staff were trying desperately to get to the bottom of the mysterious money transfers. Rahman hoped they could do this discreetly, so he didn’t inform the country’s Finance Minister of the problem.

Rahman called in a cybersecurity expert he’d worked with previously. When the expert arrived and dug through Bangladesh Bank’s computers, he discovered that the system had been breached almost 17 months earlier. Someone had phished their way in.

From there, the hacker had uploaded code that would disable the 10th story printer and the bank’s internal software. This way, Bangladesh Bank would be deaf and blind.

When the time arrived, the hacker impersonated a bank employee and used the SWIFT system to request the transfers. “SWIFT” stands for “The Society for Worldwide Interbank Financial Telecommunications.” It’s a way for banks to communicate, an esoteric system that the average person has never heard of.

Then there was the timing of the hack. The money transfer requests had been made on Friday evening, Bangladesh time—the start of the weekend. This gave the hackers a valuable two-day head start before authorities learned of the theft.

Rahman figured this probably wasn’t the work of some random hacker. Whoever did this was a pro.

So by now it was clear: this was no error. It was a bank heist. And now, Atiur Rahman had to get the money back before it disappeared.

When Rahman finally got the New York Fed on the phone, he learned the scope of the situation. 

Altogether, the hackers sent 35 transfer requests to the New York Fed, adding up to $951 million.

One of the transfers went to a bank in Sri Lanka, Pan Asia Bank. It totaled about $20 million. Bangladesh Bank quickly reached out to Pan Asia Bank.

After the money arrived in Sri Lanka, the hackers tried to transfer the money from Pan Asia Bank to a nonprofit called “The Shalika Foundation”—later found out to be a front company. But in a stroke of luck, the transfer had been made out to “The Shalika Fundation.”

A simple typo. Pan Asia Bank immediately returned the money.

But most of the money was sent to a bank in the Philippines, RCBC. Specifically, to one branch of RCBC, located on Jupiter Street in Manila.

In another stroke of luck—for the bank—“Jupiter” also happened to be the name of an Iranian cargo ship that was under government sanctions. When the New York Fed saw the word “Jupiter,” it automatically red flagged the requests.

But five of the requests had already gone through. Altogether totaling $81 million.

It was less than 1/10th of the hackers’ goal. But that still made it one of the biggest bank heists in history.  

The money was spread across four accounts at RCBC. On February 8, three days after the money was originally stolen, Bangladesh Bank sent a request to RCBC to issue a “stop payment” order and freeze the accounts. But February 8 was the Lunar New Year, a national holiday in the Philippines. By the time the stop payment order arrived, the money had already been transferred to another account at RCBC.

This was important. According to bank regulations, funds could only be frozen in the original account they were received. Because they were already moved, they would be much harder to stop.

The stop payment request had another ramification. In the Philippines, freezing funds requires a court order. Which meant Rahman couldn’t keep it quiet any longer. The career banker with a specialty in alleviating poverty was forced to inform the Ministry of Finance.

To put it mildly, they weren’t happy. Ultimately, Rahman would be forced to resign.

Now, the entire Bangladeshi government was involved. Bangladesh sent several officials to the Philippines to get their money back.

But there was little Bangladesh could do. The case was now under the Philippines’ jurisdiction. The Philippines Senate launched its own inquiry. But by the time the Anti-Money Laundering Council convened its first session, it was two weeks after the original theft.

Meanwhile, the money continued to move.

From RCBC, the money was transferred once again, this time to a Manila-based money changing firm called Philrem. There, it was converted to cash.

$81 million is equivalent to 4.5 billion Philippine pesos. That much cash weighs more than a ton. Philrem employees told the senate that two Chinese men with assistants had shown up with a truck to haul it all away.

One of those Chinese men was later identified as Weikang Xu—probably not his real name. According to testimony provided to the Philippines senate, Xu received $30 million in cash, then departed for China. He’s never been heard from since.

The other $51 million was still in the Philippines. But where?

But Tony Lau was barely aware of any of that.

Lau was a VIP host at Solaire Resort & Casino, which sits on Manila Bay.

Lau hosted gambling junkets, or private rooms where high rollers could gamble in privacy.

The Lunar New Year celebration had just taken place, which is one of the busiest times of the year for Lau. So, he was looking forward to a break.

A week after the money was stolen from Bangladesh Bank, six men speaking Chinese walked into Tony Lau’s junket.

They didn’t look like high rollers. They wore ordinary clothes and didn’t have flashy cars. But to Lau’s surprise, they were indeed loaded. The men converted stacks of cash into piles of casino chips and got to work.

And for them, it was work.

The Chinese guys weren’t like typical gamblers. They gambled during business hours, they only played baccarat, and they didn’t seem to care whether they won or lost.

In baccarat, the dealer deals two cards each to themselves and to the player. Whoever’s cards add up the closest to nine wins. Players can place bets on who they think will be the winner.

There’s almost no skill involved. In fact, the Chinese gamblers were coordinating their bets. They would all place opposing bets, so that way no matter who actually won a hand, altogether they would break even.

To Tony Lau, it was definitely odd. But as far as the casino was concerned, the money was perfectly legitimate.

Meanwhile, investigators continued looking for answers.

Special Agents for the Philippines National Bureau of Investigation looked into the original four bank accounts that had received the money from the New York Fed. The accounts had been set up by a man named Kim Wong, a Chinese national who organized gambling junkets for Manila’s casinos.

Wong claimed he was just a middleman. Two other Chinese nationals had approached him about setting up a high-stakes gambling operation for some VIP clients. He didn’t ask questions. When he later realized he had helped transfer stolen money, he willingly returned his portion—about $16 million. 

The remainder had gone to Solaire Resort and Casino.

By now, it was a few weeks after the money had been stolen. The Bangladesh Bank heist had become an international news story.

Tony Lau was beginning to wonder if the Chinese gamblers at his junket might be involved, using his junket to launder the money.

The gamblers had continued showing up, day after day, not really winning but not really losing. But then, one day they asked Lau for food and cigarettes to be comped to their hotel rooms.

Strange. Lau knew they had piles and piles of cash. He told his supervisors, who by now were beginning to suspect that the Chinese gamblers weren’t ordinary VIPs.

The casino sent security guards up to the Chinese men’s hotel rooms. Sure enough, the cash was gone. There was only about $2 million left in casino chips. The casino confiscated them, as well as the Chinese men’s passports. But with no legal authority, they were forced to let the men go.

By the time investigators arrived at the Solaire, the men, and their money, were long gone.

Act Three

Let’s return once again to our hypothetical hacker…you.

It’s September 2017. You’re watching the news on North Korean state TV. The anchor is a woman in hot pink, sitting in front of a map of the world.

The United Nations have once again levied sanctions against our glorious nation, she says. Our Supreme Leader does not want war. But if we must, we will sink Japan, and reduce the mainland United States to ash and darkness!  

The screen cuts to a missile, a Hwasong-12. Over 60 feet tall, all black with white trim. There’s a green countdown clock on the screen. When it reaches zero, plumes of fire spurt out of the missile’s tail.

SFX: missile launching

You smile as you watch the missile ascend to the clouds. You’ve played a role in this missile launch, even if most of your countrymen don’t know it.

The money you made from the Bangladesh Bank heist has directly funded today’s missile launch. Your motherland has rewarded you accordingly. The cramped hacker dorms of the Chilbosan Hotel are long behind you. Since then, your government has given you a spacious apartment in Pyongyang. Your relatives have moved from the countryside to live with you. You’re lucky enough to watch the launch on your own TV.

But TV time is over. You head down to the garage and get into your car—another luxury, since you and practically everyone you know rides bikes. You drive through the mostly empty streets of Pyongyang to your office at the Lazarus Group, where you and your fellow cyberwarriors continue to bankroll the country with your crimes.

The Supreme Leader’s faith in his army of cyberwarriors has paid off.

Since Kim Jong-un took power in 2011, he did indeed consolidate his grip on the Supreme Leadership, by executing and purging the country’s top officials and replacing them with loyalists. 

He continued the nuclear weapons and missile testing program his father started—all funded by criminal hacking.  

Today’s launch is particularly significant. The missile traveled almost 2,300 miles, making it the longest North Korean missile test to date.

The North Korean government didn’t bother announcing whether the launch was a test or an actual act of war. When the missile passed over the Japanese city of Hokkaido, panicked local officials urged everyone to find shelter in case the launch was the real thing.

The missile launch also happened one day after the United Nations issued a batch of new sanctions against North Korea. The launch could only be viewed as a provocation.

In response, U.S. President Donald Trump appeared before the UN General Assembly, called Kim Jong-un “little rocket man,” and threatened to “totally destroy” North Korea. The countries appeared to be on a collision course.

Then, Kim Jong-un saw an opportunity. Kim and Trump were scheduled to meet in person the following June, in Singapore. In another sign of his maturation as a leader, Kim Jong-un began writing letters to Trump, referring to him as “his excellency” and praising his leadership and decision-making. Trump, always open to flattery, wrote back in similar language. Between the reality TV star turned commander in chief and the murderous despot, a bromance blossomed.

But while Trump and Kim were getting along like gangbusters, the same couldn’t be said for the United States and North Korea overall.

The Dark Seoul attack in 2013 and the Sony hacks in 2014 alerted the world to North Korea’s cybersecurity capabilities.

Then, the Bangladesh Bank heist happened. Suddenly, this state-sponsored hacking group was also engaging in criminal activities, stealing tens of millions of dollars.

The FBI had already been investigating the Sony hacks when the Bangladesh Bank heist went down, so the Bangladesh Bank heist only added urgency to the task at hand.

The FBI couldn’t just vaguely accuse North Korea of state-sponsored hacking and cybercrime. It needed the names of specific individuals responsible.

The FBI discovered that many of the email accounts used in the Sony hack and the Bangladesh Bank heist were all set up by an individual named Kim Hyon-woo. Unsurprisingly, this turned out to be a fake name.

But Kim Hyon-woo was connected to another email account, surigaemind@hotmail.com. Some more digging connected this account to a man named Park Jin-hyok.

Park claimed to be a programmer working for the Chinese game company Chosun Expo. However, an eyewitness told investigators that Chosun Expo was a front company run by a North Korean military attache. In reality, they conducted cyberwarfare.

After digging into Chosun Expo’s files, the FBI discovered Park Jin-hyok’s original resume, including a photo.

For the first time, the FBI had identified a member of the Lazarus Group. 

In September 2018, more than 18 months after the Bangladesh Bank heist, while Kim Jong-un and Donald Trump were preparing to meet in Singapore, the FBI officially charged Park with one count of conspiracy to commit computer fraud and abuse, and one count of conspiracy to commit wire fraud.

Naturally, North Korea denied that Park Jin-hyok existed, and accused the US of making the whole thing up. And unless Kim Jong-un decided to extradite Park to the US, there was no way he would ever face punishment.

At best, the US could hope to arrest him while he was traveling internationally. Since he was from North Korea, the possibility seemed slim.

Overall, it was less than a slap on the wrist.

Meanwhile, the Lazarus Group continued to evolve its techniques.

In many ways, the Bangladesh Bank heist was a pilot program that proved the effectiveness of North Korea’s investment in cyber crime.

It required a sophisticated knowledge of hacking, banking software, and the international financial system. The hackers planned it to take advantage of weekends, time zone differences, and national holidays, giving themselves a valuable head start.

Then, once the money had been transferred, the hackers used an elaborate network of intermediaries to launder the money. They were mostly Chinese nationals with ties to the Filipino gambling industry.

Altogether, it netted North Korea about $63 million.

But it was by no means a perfect heist. It had taken more than a year of planning. The process of laundering the money was elaborate, time consuming, and costly. Then there was the army of intermediaries, all of whom got their cut.

Going forward, the Lazarus Group would simplify.

Next, the Lazarus Group experimented with ransomware. In 2017, the WannaCry ransomware attack hit 230,000 computers worldwide, but only earned the hackers a few thousand dollars in bitcoin.

They also experimented with credit card cashing, stealing credit card numbers from banks, cloning them onto blank cards, and withdrawing as much as possible—like the operation our friend Shimomura the yakuza was involved in earlier.

But these heists were only preparation for the next phase of the Lazarus Group’s operations.

On December 6, 2017, users of NiceHash.com logged onto their accounts and made an upsetting discovery.

NiceHash was a major cryptocurrency firm based in Slovenia. That morning, when one Bitcoin was worth $11,000, NiceHash’s users logged on to find that their Bitcoin wallets had been emptied.

The ensuing forensic investigation discovered that NiceHash had fallen victim to a phishing hack, the same kind used in the Bangladesh Bank heist. From there, the Lazarus Group was able to transfer $75 million.

More attacks on cryptocurrency firms followed. In April 2022, the Lazarus Group stole $625 million worth of the cryptocurrency Ethereum from the popular play-to-earn game Axie Infinity. Two months later, they ripped off $100 million from the blockchain startup Harmony.

In just 11 years, the Lazarus Group had transformed from an army of cyberwarriors into a multi-million dollar criminal operation. They operated in plain sight, daring the world to stop them.

Act Four

Ri Jong-yol closed the door to his hotel room. The silver medal weighed heavily in his pocket.

He won it yesterday in the International Math Olympiad. It was his third silver medal overall, and he wasn’t even 18 yet.

But if he was nervous during yesterday’s competition, today he was terrified.

He quickly walked down the hall to the elevator, hoping he wouldn’t bump into anyone else from the North Korean national team. If anyone found out what he was doing, he could be sent to a death camp.

He rode the elevator down to the lobby and exited the hotel. Outside, he hailed a taxi and rode to Hong Kong International Airport. There, he walked up to the counter for South Korean airlines.

“Can you help me find the South Korean embassy?” he said. “I want to defect.”

The airline employee gave him an address, and he took another taxi to the embassy. He spent the next 70 days there, living in a cramped room and waiting for South Korea to negotiate his safe passage to the country.

Ri Jong-yol defected from North Korea in 2016. As he later told an American journalist, he made the decision when he learned that the North Korean government was going to recruit him for its hacking program.

To Ri, this was unthinkable. As a military hacker, he’d be completely cut off from the rest of society. He’d never be able to tell his friends or family what he did for a living. Worst of all, there was no refusing the government.

So, the day after winning his third silver medal, he defected. Today, he lives in South Korea and studies at university.

But plenty of young math whizzes in North Korea don’t—or can’t—make the same choice Ri Jong-yol did. Becoming a hacker for the North Korean government remains one way to advance in a country that determines status based on your relationship to the Kim regime.

Since Kim Jong-un took power in 2011, he’s overseen the Lazarus Group’s evolution from a political weapon to a tool of crime. Today, the Lazarus Group has brought in more than $1.3 billion from its criminal activities. Kim Jong-un has used this money not just to enrich himself and his cronies, but also to continue funding his country’s nuclear program.

The Hwasong-12 tested in 2017 was capable of hitting Guam. But in March 2022, North Korea tested the Hwasong-17, which is capable of hitting California. 

Still, an actual nuclear attack on any country would be suicidal for North Korea. It’s far more likely that North Korea would use the Lazarus Group to strike another country–because it already has. 

The Lazarus Group has demonstrated repeatedly that it’s a world-class government-sponsored hacking operation. It’s proven to be a major money maker for the North Korean regime, but it’s also a formidable weapon in North Korea’s military arsenal. 

Thanks to the Lazarus Group, Kim Jong-un doesn’t need nuclear weapons to unleash mayhem in the United States or other countries. All he needs is a few hackers, some computers, and an Internet connection. 

I’m Keith Korneluk and you’re listening to Modem Mischief.

CREDITS

Thanks for listening to Modem Mischief. Don’t forget to hit the subscribe or follow button in your favorite podcast app so you don’t miss an episode. This show is an independent production and is wholly supported by you, our listeners and the best way to support the show is to share it. And another way to support us is on Patreon. For as little as $5 a month you’ll receive an ad-free version of the show plus monthly bonus episodes exclusive to subscribers. Modem Mischief is brought to you by Mad Dragon Productions and is created, produced and hosted by me: Keith Korneluk. This episode is written and researched by Jim Rowley. Edited, mixed and mastered by Greg Bernhard aka He Sleeps with a Horse Head Just for Fun. The theme song “You Are Digital” is composed by Computerbandit. Sources for this episode are available on our website at modemmischief.com. And don’t forget to follow us on social media at @modemmischief. Thanks for listening!