The Incredible Rise of North Korea’s Hacking Army
Shimomura was a member of the Yamaguchi-gumi, the largest yakuza crime family in Japan. When one of his superiors asked him if he wanted to make a pile of fast money, he naturally said yes.
It was May 14, 2016, and Shimomura was living in the city of Nagoya. Thirty-two years old and skinny, with expressive eyes, he took pride in his appearance, often wearing a suit and mirror-shined loafers. But he was a minor figure in the organization: a collector of debts, a performer of odd jobs.
The superior assured him that the scheme was low risk, and instructed him to attend a meeting that evening at a bar in Nagoya. (Shimomura, who has since left the Yamaguchi-gumi, asked to be referred to only by his surname.) When Shimomura showed up, he found three other gangsters, none of whom he knew. Like many yakuza, he is of Korean descent, and two of the others were also Korean-Japanese; for a while, they spoke in Korean. The superior finally arrived, and the five men moved into a private room. Each volunteer was given a plain white credit card. There was no chip on the card, no numbers, no name—just a magnetic strip.
The superior read instructions from a thin manual: early the next morning, a Sunday, they should go to any 7-Eleven and use their white card at the store’s A.T.M. They could not use a regular bank A.T.M., or one in another convenience store. The gangsters should each withdraw a hundred thousand yen at a time (about nine hundred dollars) but make no more than nineteen transactions per machine. If anybody made twenty withdrawals from a single A.T.M., his card would be blocked. Withdrawals could start at 5 a.m. and continue until 8 a.m. The volunteers were told to choose the Japanese language when prompted—an indication, Shimomura realized, that the cards were foreign. After making nineteen withdrawals, they should wait an hour before visiting another 7-Eleven. They could keep ten per cent of the cash. The rest would go to the bosses. Finally, each volunteer was told to memorize a pin.
On Sunday morning, Shimomura rose early, and dressed in jeans, sunglasses, a baseball cap, and an old T-shirt. He walked to a 7-Eleven, where he bought a rice ball and a Coke, to settle himself. He inserted the card into the A.T.M. When the screen asked him which language he preferred, he felt a tremor of nerves while selecting “Japanese.” He withdrew a hundred thousand yen, then another, and then another. There was nobody else in the store apart from the guy at the register, who didn’t seem interested in him.
After making the first withdrawal, Shimomura printed a receipt. He saw a foreign name on the paper—he couldn’t tell what nationality the name was, but he knew it wasn’t Japanese—then stuffed the receipt in his pocket. Around 8 a.m., having completed a total of thirty-eight withdrawals at several A.T.M.s in the area, he headed home, waddling because of his bulging pockets: 3.8 million yen is a lot of cash. Shimomura took his ten per cent—about thirty-five hundred dollars—and stashed it in a drawer in his apartment. At 3 p.m., he met his superior to deliver the remaining money. (Later, he discovered that one of the other gangsters had absconded with the money and the card.)
The superior told Shimomura that he would retain five per cent of what his volunteers brought in and send the rest of the cash to his bosses. When Shimomura handed over his money, he sensed that the superior had enlisted many others. He was right. As the newspapers soon reported, more than sixteen million dollars was withdrawn from roughly seventeen hundred 7-Eleven A.T.M.s across Japan that morning, using data stolen from South Africa’s Standard Bank. The newspapers surmised that 7-Elevens had been targeted because they were the only convenience stores in Japan whose cash terminals all accepted foreign cards. Soon after the raids, the withdrawal limit for many A.T.M.s in the country was reduced to fifty thousand yen.
Shimomura deduced that he had been at the bottom of the food chain in the scam. The real money-makers were much higher up. What he did not know, until an interview with this magazine last year, was the identity of the villains at the top of the chain. Shortly after the A.T.M. thefts, according to Japanese police, the ringleader of the 7-Eleven operation crossed from China into North Korea. Shimomura had unwittingly been collecting money for the Korean People’s Army, as part of a racket that became known as FASTCash.
In satellite images of East Asia at night, lights blare almost everywhere, except in one inky patch between the Yellow Sea and the Sea of Japan, and between the thirty-eighth and the forty-third parallels: North Korea. Only Pyongyang, the capital, emits a recognizably modern glow. The dark country is one of the last nominally Communist nations in the world—a Stalinist personality cult centered on Kim Jong Un, the peevish, ruthless scion of the dynasty that has ruled North Korea since 1948, after the peninsula was divided. The D.P.R.K. purports to be a socialist autarky founded on the principle of juche, or self-reliance. Its borders are closed and its people sequestered. Foreigners find it profoundly difficult to understand what is happening inside North Korea, but it is even harder for ordinary North Korean citizens to learn about the outside world. A tiny fraction of one per cent of North Koreans has access to the Internet.
Yet, paradoxically, the North Korean government has produced some of the world’s most proficient hackers. At first glance, the situation is perverse, even comical—like Jamaica winning an Olympic gold in bobsledding—but the cyber threat from North Korea is real and growing. Like many countries, including the United States, North Korea has equipped its military with offensive and intelligence-gathering cyber weapons. In 2016, for instance, military coders from Pyongyang stole more than two hundred gigabytes of South Korean Army data, which included documents known as Operational Plan 5015—a detailed analysis of how a war with the country’s northern neighbor might proceed, and, notably, a plot to “decapitate” North Korea by assassinating Kim Jong Un. The breach was so egregious that Kim Tae-woo, a former president of the Korea Institute for National Unification, a think tank in Seoul, told the Financial Times, “Part of my mind hopes the South Korean military intentionally leaked the classified documents to the North with the intention of having a second strategy.”
North Korea, moreover, is the only nation in the world whose government is known to conduct nakedly criminal hacking for monetary gain. Units of its military-intelligence division, the Reconnaissance General Bureau, are trained specifically for this purpose. In 2013, Kim Jong Un described the men who worked in the “brave R.G.B.” as his “warriors . . . for the construction of a strong and prosperous nation.”
North Korea’s cybercrime program is hydra-headed, with tactics ranging from bank heists to the deployment of ransomware and the theft of cryptocurrency from online exchanges. It is difficult to quantify how successful Pyongyang’s hackers have been. Unlike terrorist groups, North Korea’s cybercriminals do not claim responsibility when they strike, and the government issues reflexive denials. As a result, even seasoned observers sometimes disagree when attributing individual attacks to North Korea. Nevertheless, in 2019, a United Nations panel of experts on sanctions against North Korea issued a report estimating that the country had raised two billion dollars through cybercrime. Since the report was written, there has been bountiful evidence to indicate that the pace and the ingenuity of North Korea’s online threat have accelerated.
According to the U.N., many of the funds stolen by North Korean hackers are spent on the Korean People’s Army’s weapons program, including its development of nuclear missiles. The cybercrime spree has also been a cheap and effective way of circumventing the harsh sanctions that have long been imposed on the country. In February, John C. Demers, the Assistant Attorney General for the National Security Division of the Justice Department, declared that North Korea, “using keyboards rather than guns,” had become a “criminal syndicate with a flag.”
The superior assured him that the scheme was low risk, and instructed him to attend a meeting that evening at a bar in Nagoya. (Shimomura, who has since left the Yamaguchi-gumi, asked to be referred to only by his surname.) When Shimomura showed up, he found three other gangsters, none of whom he knew. Like many yakuza, he is of Korean descent, and two of the others were also Korean-Japanese; for a while, they spoke in Korean. The superior finally arrived, and the five men moved into a private room. Each volunteer was given a plain white credit card. There was no chip on the card, no numbers, no name—just a magnetic strip.
The superior read instructions from a thin manual: early the next morning, a Sunday, they should go to any 7-Eleven and use their white card at the store’s A.T.M. They could not use a regular bank A.T.M., or one in another convenience store. The gangsters should each withdraw a hundred thousand yen at a time (about nine hundred dollars) but make no more than nineteen transactions per machine. If anybody made twenty withdrawals from a single A.T.M., his card would be blocked. Withdrawals could start at 5 a.m. and continue until 8 a.m. The volunteers were told to choose the Japanese language when prompted—an indication, Shimomura realized, that the cards were foreign. After making nineteen withdrawals, they should wait an hour before visiting another 7-Eleven. They could keep ten per cent of the cash. The rest would go to the bosses. Finally, each volunteer was told to memorize a pin.
On Sunday morning, Shimomura rose early, and dressed in jeans, sunglasses, a baseball cap, and an old T-shirt. He walked to a 7-Eleven, where he bought a rice ball and a Coke, to settle himself. He inserted the card into the A.T.M. When the screen asked him which language he preferred, he felt a tremor of nerves while selecting “Japanese.” He withdrew a hundred thousand yen, then another, and then another. There was nobody else in the store apart from the guy at the register, who didn’t seem interested in him.
After making the first withdrawal, Shimomura printed a receipt. He saw a foreign name on the paper—he couldn’t tell what nationality the name was, but he knew it wasn’t Japanese—then stuffed the receipt in his pocket. Around 8 a.m., having completed a total of thirty-eight withdrawals at several A.T.M.s in the area, he headed home, waddling because of his bulging pockets: 3.8 million yen is a lot of cash. Shimomura took his ten per cent—about thirty-five hundred dollars—and stashed it in a drawer in his apartment. At 3 p.m., he met his superior to deliver the remaining money. (Later, he discovered that one of the other gangsters had absconded with the money and the card.)
The superior told Shimomura that he would retain five per cent of what his volunteers brought in and send the rest of the cash to his bosses. When Shimomura handed over his money, he sensed that the superior had enlisted many others. He was right. As the newspapers soon reported, more than sixteen million dollars was withdrawn from roughly seventeen hundred 7-Eleven A.T.M.s across Japan that morning, using data stolen from South Africa’s Standard Bank. The newspapers surmised that 7-Elevens had been targeted because they were the only convenience stores in Japan whose cash terminals all accepted foreign cards. Soon after the raids, the withdrawal limit for many A.T.M.s in the country was reduced to fifty thousand yen.
Shimomura deduced that he had been at the bottom of the food chain in the scam. The real money-makers were much higher up. What he did not know, until an interview with this magazine last year, was the identity of the villains at the top of the chain. Shortly after the A.T.M. thefts, according to Japanese police, the ringleader of the 7-Eleven operation crossed from China into North Korea. Shimomura had unwittingly been collecting money for the Korean People’s Army, as part of a racket that became known as FASTCash.
In satellite images of East Asia at night, lights blare almost everywhere, except in one inky patch between the Yellow Sea and the Sea of Japan, and between the thirty-eighth and the forty-third parallels: North Korea. Only Pyongyang, the capital, emits a recognizably modern glow. The dark country is one of the last nominally Communist nations in the world—a Stalinist personality cult centered on Kim Jong Un, the peevish, ruthless scion of the dynasty that has ruled North Korea since 1948, after the peninsula was divided. The D.P.R.K. purports to be a socialist autarky founded on the principle of juche, or self-reliance. Its borders are closed and its people sequestered. Foreigners find it profoundly difficult to understand what is happening inside North Korea, but it is even harder for ordinary North Korean citizens to learn about the outside world. A tiny fraction of one per cent of North Koreans has access to the Internet.
Yet, paradoxically, the North Korean government has produced some of the world’s most proficient hackers. At first glance, the situation is perverse, even comical—like Jamaica winning an Olympic gold in bobsledding—but the cyber threat from North Korea is real and growing. Like many countries, including the United States, North Korea has equipped its military with offensive and intelligence-gathering cyber weapons. In 2016, for instance, military coders from Pyongyang stole more than two hundred gigabytes of South Korean Army data, which included documents known as Operational Plan 5015—a detailed analysis of how a war with the country’s northern neighbor might proceed, and, notably, a plot to “decapitate” North Korea by assassinating Kim Jong Un. The breach was so egregious that Kim Tae-woo, a former president of the Korea Institute for National Unification, a think tank in Seoul, told the Financial Times, “Part of my mind hopes the South Korean military intentionally leaked the classified documents to the North with the intention of having a second strategy.”
North Korea, moreover, is the only nation in the world whose government is known to conduct nakedly criminal hacking for monetary gain. Units of its military-intelligence division, the Reconnaissance General Bureau, are trained specifically for this purpose. In 2013, Kim Jong Un described the men who worked in the “brave R.G.B.” as his “warriors . . . for the construction of a strong and prosperous nation.”
North Korea’s cybercrime program is hydra-headed, with tactics ranging from bank heists to the deployment of ransomware and the theft of cryptocurrency from online exchanges. It is difficult to quantify how successful Pyongyang’s hackers have been. Unlike terrorist groups, North Korea’s cybercriminals do not claim responsibility when they strike, and the government issues reflexive denials. As a result, even seasoned observers sometimes disagree when attributing individual attacks to North Korea. Nevertheless, in 2019, a United Nations panel of experts on sanctions against North Korea issued a report estimating that the country had raised two billion dollars through cybercrime. Since the report was written, there has been bountiful evidence to indicate that the pace and the ingenuity of North Korea’s online threat have accelerated.
According to the U.N., many of the funds stolen by North Korean hackers are spent on the Korean People’s Army’s weapons program, including its development of nuclear missiles. The cybercrime spree has also been a cheap and effective way of circumventing the harsh sanctions that have long been imposed on the country. In February, John C. Demers, the Assistant Attorney General for the National Security Division of the Justice Department, declared that North Korea, “using keyboards rather than guns,” had become a “criminal syndicate with a flag.”
