Feds Seize Bitcoin Ransoms Paid to North Korean Hackers

July 19, 2022 | Carl Prine
This undated picture released from North Korea's official Korean Central News Agency in 2020 shows North Korean leader Kim Jong Un (center) inspecting the rehabilitation site in the Komdok area of South Hamgyong Province. Korean Central News Agency photo via Getty Images.


The FBI has seized $500,000 in cryptocurrency allegedly tied to a North Korean ransomware attack on US medical providers.

In a civil complaint unsealed Monday, July 18, in Wichita, prosecutors asked a federal judge to order the forfeiture of bitcoin paid by health care providers in Colorado and Kansas as ransom to North Korean hackers before it was laundered through a Hong Kong middleman.

“Thanks to rapid reporting and cooperation from a victim, the FBI and Justice Department prosecutors have disrupted the activities of a North Korean state-sponsored group deploying ransomware known as ‘Maui,’” said Deputy Attorney General Lisa O. Monaco on Tuesday during an address at the International Conference on Cyber Security in New York.

“Not only did this allow us to recover their ransom payment as well as a ransom paid by previously unknown victims, but we were also able to identify a previously unidentified ransomware strain. The approach used in this case exemplifies how the Department of Justice is attacking malicious cyber activity from all angles to disrupt bad actors and prevent the next victim,” she added.

Officials at the Permanent Mission of North Korea to the United Nations in New York and the North Korean embassy in Sweden, which handles concerns from US citizens, did not return Coffee or Die Magazine messages seeking comment. 


North Korea has long been tied by US authorities to cyberattacks on American businesses. Jeanette Manfra, chief cybersecurity official for the US Department of Homeland Security, speaks about North Korea's alleged use of the Wannacry virus. She was briefing White House officials on Dec. 19, 2017. Photo by Saul Loeb/AFP via Getty Images.

No hearing has been scheduled for the case, which targets two cryptocurrency accounts that were seized by the FBI Kansas City Division's Cyber Crimes Task Force on May 5.

If the judge orders the forfeiture, the money will be returned to the health care providers victimized by the hackers.

The seizures came a year and a day after employees at an unnamed Kansas medical provider reported to the FBI that they couldn’t access computer files. When they tried, they received an error message telling them the format had changed.

They also couldn’t pull up X-rays, diagnostic imaging, scanning data, the internet, and the sleep lab server. The medical provider’s information technology team determined that four servers had been encrypted by ransomware, a form of malware that blocks a computer system until the victim pays a ransom, usually through virtual currency.


Protesters gather during an anti-U.S. rally in front of the Presidential Office building on May 21, 2022 in Seoul, South Korea, a top US ally. US President Joe Biden was visiting South Korea for his first summit with his South Korean counterpart Yoon Suk-yeol, and the two leaders are expected to discuss a range of issues, including North Korea's nuclear program and supply chain risks. Photo by Woohae Cho/Getty Images.

Both the FBI and the IT team pinpointed the malware as “maui.exe.” A ransom demand left on a server asked for the ransom to be paid as two bitcoins, a digital currency. Two bitcoins in mid-May of 2021 were worth about $100,000.

The Kansas firm paid the ransom, and the hackers provided the IT team with the decryption keys to restore the system and files.

The FBI began tracking the ransom payment from the Kansas medical provider to the currency exchange’s address and then to its user, according to the lawsuit. They also traced a shuffling of payments from one virtual currency account to another, which apparently is how they found the second stash.

The FBI continued to monitor the accounts. On April 1, 2022, the second coffer received an influx of about $120,000 in bitcoin from an unnamed Colorado health care provider.

Authorities concluded it also had been hacked with the same malware.


This undated photo from North Korea's official Korean Central News Agency released on April 17, 2022, shows North Korean leader Kim Jong Un as he observes the test-fire of a new tactical guided-weapon in North Korea. Korean Central News Agency photo via AFP and Getty Images.

On July 6, 2022, the FBI, the US Cybersecurity and Infrastructure Security Agency, and the US Department of the Treasury announced that North Korean state-sponsored hackers were using maui.exe ransomware on health care organizations.

US officials said hospitals and medical providers will quickly pay the ransom because frozen computer servers put the lives of patients at risk.

“These sophisticated criminals are constantly pushing boundaries to search for ways to extort money from victims by forcing them to pay [ransoms] in order to regain control of their computer and record systems,” said US Attorney Duston J. Slinkard in a prepared statement released Tuesday. “What these hackers don’t count on is the tenacity of the U.S. Justice Department in recovering and returning these funds to the rightful owners.”


Carl Prine

Carl Prine is a former senior editor at Coffee or Die Magazine. He has worked at Navy Times, The San Diego Union-Tribune, and Pittsburgh Tribune-Review. He served in the Marine Corps and the Pennsylvania Army National Guard. His awards include the Joseph Galloway Award for Distinguished Reporting on the military, a first prize from Investigative Reporters & Editors, and the Combat Infantryman Badge.
