Colin Thierry
Published on: July 27, 2022

The US Department of Justice (DOJ) announced last week the seizure of $500,000 worth of Bitcoin tokens last week from members of a North Korean Maui ransomware operation.

The confiscated crypto assets were either paid as ransom to the threat actors or used to launder extorted funds, according to the FBI.

“The Justice Department today announced a complaint filed in the District of Kansas to forfeit cryptocurrency paid as ransom to North Korean hackers or otherwise used to launder such ransom payments,” said the DOJ in its announcement. “In May 2022, the FBI filed a sealed seizure warrant for the funds worth approximately half a million dollars. The seized funds include ransoms paid by health care providers in Kansas and Colorado.”

Maui is a North Korean-backed ransomware operation that focuses on hospitals and Healthcare and Public Health (HPH) organizations. In May 2021, the ransomware group compromised the network of a Kansas-based hospital and pressured its managers into paying approximately $100,000 worth of Bitcoin as ransom. The medical center was the gang’s first reported attack.

The hospital then reported the incident to the FBI after paying for the decryptor, who traced the payment to money launderers in China. In April, the FBI noticed another payment of around $120,000 worth of Bitcoin into a crypto account linked to the Kansas ransomware attack. Authorities confirmed that another medical provider based in Colorado made the payment after it was also hit by the Maui ransomware.

In May of this year, the FBI seized two crypto accounts used by Maui ransomware members to receive payments from the Colorado and Kansas healthcare facilities. The District of Kansas returned the extorted assets to their owners after forfeiting the threat actors’ funds.

“Reporting cyber incidents to law enforcement and cooperating with investigations not only protects the United States, it is also good business,” said Assistant Attorney General Matthew G. Olsen of the Justice Department’s National Security Division. “The reimbursement to these victims of the ransom shows why it pays to work with law enforcement.”