The Wall Street Journal is reporting that hackers employed by the government of North Korea have been implicated in yet another international bank fraud scheme using hacked SWIFT software. This time, the victim is a bank in Taiwan, and the take was $60 million, all of it laundered through accounts in Cambodia, Sri Lanka, and the United States.
In a blog post Tuesday, cybersecurity researchers at U.K. defense company BAE Systems PLC also implicated Lazarus in the Taiwanese theft, saying that tools used in the attack on the Far Eastern International Bank include those used by Lazarus in the past.
“The attack this month on Taiwanese Far Eastern International Bank has some of the hallmarks of the Lazarus group,” BAE researchers wrote.
The suspected ties to Lazarus suggest the group’s continued focus on financial cybercrimes. In addition to the Bangladesh Bank theft, the BAE researchers said the group has been targeting bitcoin and is behind attacks on banks in Mexico and Poland.
Security researchers suspect the group has links to North Korea. U.S. authorities have said that one hack also linked to Lazarus—the 2014 Sony Pictures hack—originated in North Korea. The country has denied being behind the attack.
The BAE researchers said they found further evidence of the group’s North Korea links, saying they observed infrastructure in North Korea controlling the malware used in a previous Lazarus-linked attack. Representatives at North Korea’s Beijing embassy and Hong Kong consulate weren’t immediately available for comment. [WSJ, Dan Strumpf]
Sri Lankan authorities have arrested two suspects, one of whom was trying to withdraw $520,000 (which is more than my ATM ordinarily allows me to take out before a trip to Home Depot for plywood and router bits).
That report closely follows this New York Times story on the recent history of North Korea’s cyber crimes, including the Bangladesh Bank fraud, where the North Koreans got away with $81 million, the 2013 Dark Seoul cyberattacks, the 2014 Sony cyberattack and cyberterrorist attack against the U.S. homeland (about which the United States of America did approximately diddly squat), and (consequently) this year’s WannaCry ransomware attacks.
Earlier this year, I wrote about reports that high officials in U.S. intelligence and law enforcement agencies had found evidence implicating North Korea in recent cyberattacks. Clearly, the FBI is investigating this course of criminal conduct, which is something I presume the FBI wouldn’t do without some prospect of a prosecution. We are speaking, after all, of conduct that is highly dangerous, ongoing, and undeterred. That gives the U.S. government a powerful incentive to charge those who conspired to commit these crimes.
Which brings us to this question: Is there any real doubt as to who the real person of interest is here? Of course, the feds would need at least some proof to get a grand jury to indict. The opacity of the royal court in Pyongyang presents some obvious challenges to this, but just over a decade ago, when prosecutors very nearly indicted His Porcine Majesty’s father for counterfeiting — before George W. Bush stopped them for political reasons — they concluded that those challenges were surmountable.
“The most difficult thing is connecting evidence of criminality to a state’s leader, because there is so much deniability built in. But there isn’t a whole lot of activity in North Korea that isn’t sanctioned by the leadership, and the evidence we had already built up was very good. These cases were very doable.” The criminal cases, says Asher, were based on information from undercover agents, informants, and a vast surveillance operation. [Vanity Fair, David Rose]
If you’ve read the links above or my posts on the Sony cyber attacks, it’s apparent that our signals intelligence is part of the case that implicates state-sponsored North Korean hackers. The Justice Department has cited the testimony of defectors in recent civil forfeiture cases against North Korean funds, and at least two defectors with inside knowledge of North Korean cyber operations have spoken publicly.
But even assuming there are no defectors who testify to His Porcine Majesty’s complicity, and that the government offers no signals intelligence implicating him (which it might not want to do to protect sources and methods), the feds could still do what the plaintiffs did in their lawsuits against North Korea for the state sponsorship of terrorism — they could call experts to testify about North Korea’s system of government, command systems, and the certainty that this conspiracy must have been approved at the very top.
Then, what would the feds most likely charge? Prosecutors’ opinions inevitably vary, but here are my best guesses. I’ve linked the relevant sections in the Criminal Code so that you can read the elements yourself.
- Count I: Conspiracy. This one is pretty much a given in most federal prosecutions now. Note that cases interpreting the federal conspiracy statute define “defraud the United States” broadly.
- Count II: Bank Fraud. Which should be self-explanatory.
- Count IV: Violations of the Computer Fraud & Abuse Act. This is the statute the feds use to charge computer hacking offenses.
- Count III: Money Laundering. In plain English, the transfer, use, or spending of crime-tainted funds with intent to carry out, facilitate, or profit from one of the predicate offenses listed in subsection (c) of the money laundering statute. This is an important count, because — let’s face it — it’s not like we’re ever going to arrest Kim Jong-un short of his overthrow. The only way to hold people beyond our personal jurisdiction accountable is to shame them and seize and forfeit their funds. The indictment shames; the forfeiture count takes the money away.
- Count V: Criminal Forfeiture. This is how we take money away from people after they’re convicted (but hold that thought for a moment).
Assuming the feds do indict, would His Porcine Majesty, a sitting head of state, be immune from prosecution in a U.S. court? I want to thank one of my Twitter followers, Shin Chang-hoon, for pointing me to this interesting discussion of that potential obstacle in the broader, global context. In the U.S. federal courts, however, there is at least one precedent for the feds successfully indicting, prosecuting, and convicting a sitting, de facto head of state. That would be Manuel Antonio Noriega, the former dictator of Panama, whom we arrested after the 1989 U.S. invasion of that country. Noriega argued his indictment on drug charges must be dismissed because he was immune from prosecution. The U.S. Court of Appeals for the 11th Circuit rejected Noriega’s argument on the grounds that the U.S. had not recognized him as the lawful head of state, and because (and this is admittedly circular) by invading Panama, and by arresting and extraditing him, the U.S. showed that it did not intend to immunize him. You can read the court’s decision here.
Yes, the potential for such prosecutions to get out of hand is obvious, but it’s hard to believe that a federal court of appeals would immunize a head of state from prosecution for straight-up international bank fraud. The key distinction is whether the prosecution is for the acts of a head of state or “for private or criminal acts.”
Having navigated past one problem, we encounter a more difficult one: the requirement to have a defendant present for the arraignment before a prosecution can go forward. (One of my least pleasant trials was a case where I defended a man who ran away after his arraignment and before trial. Much like Clint Eastwood did not do in 2012, only more effectively, I had to defend an empty chair. The chair got three years — a good result, given the charges and the evidence.)
So, does this bring us to an Emily Litella moment?
Not quite. Admittedly, my experience in federal civilian criminal litigation is limited, but as I read the Federal Rules of Criminal Procedure and the U.S. Attorneys’ Manual, you don’t need to have custody of a defendant to indict. The statute of limitations (typically, five years) stops running when the feds indict. Then, the indictment sits on a shelf until arraignment, which starts the ticking of the defendant’s speedy trial clock. But why do that? Again, past history is instructive.
The final stage, which David Asher says President Bush had been fully briefed about, would have been the unsealing of criminal indictments. “We could have gone after the foreign personal bank accounts of the leadership because we could prove they were kingpins,” Asher says. “We were going to indict the ultimate perpetrators of a global criminal network.” “The world wanted evidence that North Korea is a criminal state, not a lot of hoo-ha,” says Suzanne Hayden, a former senior prosecutor at the Department of Justice who ran its part of the Illicit Activities Initiative. “The criminal cases would have provided the evidence. It would have been in the indictments. As with any money-laundering investigation, we would have identified the players and traced them back, from Macao to those who were behind it in North Korea.” [Vanity Fair, David Rose]
A better reason might be to charge and prosecute the third-country nationals and businesses that provide the North Korean hackers with the havens and support they require.
The feds would also have the alternative of filing a civil forfeiture case under 18 U.S.C. 981, alleging all of the same counts in a civil, in rem suit against funds that belong to Kim Jong-un, on the theory that the funds are proceeds of that conduct, or are facilitating property (such as property co-mingled with the stolen funds to conceal their origin and ownership). The advantage of that strategy is that the feds would only have to prove the forfeitability of the property by a preponderance of the evidence, and the feds would win the suit by default unless Kim Jong-un enters an appearance in federal court and intervenes in the proceeding.
In 2005, President Bush decided not to go forward with the prosecution of Kim Jong-il because he was afraid that Kim would walk out of six-party talks. But of course, North Korea did walk out of six-party talks in 2008, hasn’t returned since then, and is absolutely adamant in its refusal to negotiate either a freeze or denuclearization, so that concern isn’t present.
Of all the dumb things smart people tend to write about North Korea, the dumbest of them all may be the idea that what North Korea needs most is for us to teach it how to do capitalism. Over the last week, I’ve read reports of how North Korea and its officials make money through drug trafficking, racetrack gambling, tourism, and ivory and rhino horn smuggling. It runs one of the world’s more sophisticated money laundering operations using front and shell companies in Hong Kong. The last thing Pyongyang needs us for is to teach it how to make money. To Pyongyang, capitalism is not a path to reform, but a path to the enslavement of all Koreans. What Pyongyang needs to learn is an object lesson in the rule of law — that at last, its crimes will have consequences, even if some of those consequences are symbolic. And for a system of government built on symbols and myths, symbolic consequences can be some of the most powerful ones.