Attacker profile

Park Jin Hyok

North Korean RGB officer indicted by the U.S. DOJ in September 2018 as a Lazarus Group operator. Attributed to Sony Pictures (2014), WannaCry (2017), and the Bangladesh Bank SWIFT heist (2016).

Park Jin Hyok (Korean: 박진혁) is a North Korean national indicted by the U.S. Department of Justice on 6 September 2018 as an operator of Lazarus Group, the cyber arm of the DPRK's Reconnaissance General Bureau (RGB). He is the first North Korean cyber operator ever individually charged by the United States.

Identification

The DOJ filing in the Central District of California named Park as a programmer who worked at Chosun Expo Joint Venture, a North Korea-affiliated front company in Dalian, China that the FBI assessed as a cover for RGB cyber operations. The indictment laid out an extraordinarily detailed forensic case linking Park to three separate flagship Lazarus operations:

  • Sony Pictures Entertainment (November 2014) — the wiper attack tied to the release of "The Interview", which destroyed half of Sony's corporate IT estate and leaked terabytes of internal data.
  • Bangladesh Bank SWIFT heist (February 2016) — $81 million stolen via fraudulent SWIFT messages routed through the New York Fed; a further $850 million in transfers was attempted but blocked after a typo flagged the messages.
  • WannaCry ransomware worm (May 2017) — global ransomware outbreak that hit roughly 200,000 systems in 150 countries, paralysing the U.K.'s NHS and multiple manufacturing operations and causing an estimated $4-8 billion in business losses globally.

The forensic case linked the attacks via shared malware code, certificate reuse, overlapping command-and-control infrastructure, and a handful of operator-side OPSEC failures (test accounts that pivoted between attacks; reused email addresses).

Sanctions and reach

OFAC designated Park and the Chosun Expo front company on the same day. Three additional Lazarus operators, including Kim Il and Jon Chang Hyok, were named in a follow-up indictment in February 2021, expanding the case to cover the broader Lazarus crypto-theft program.

Park is presumed in North Korea, beyond extradition reach. The indictment's value is informational and legal — it crystallises the public attribution and supports OFAC's continued sanctioning of any infrastructure tied to him.

Why it matters

Park's indictment was the first named-individual attribution of a state cyber operation to a DPRK officer. It set the precedent for the detailed-attribution-via-indictment model the DOJ has since reused against PLA (Equifax, OPM, Marriott), GRU (Sandworm), and MSS officers. The same forensic infrastructure that ties Park to Sony/SWIFT/WannaCry now also ties later Lazarus operators to the Ronin Bridge ($625M), Atomic Wallet ($100M), and WazirX ($230M) crypto thefts catalogued elsewhere.

Related incidents

Wiper · Resolved

Sony Pictures Entertainment hack

A North Korean wiper attack tied to the release of 'The Interview' destroyed roughly half of Sony Pictures' IT estate and leaked terabytes of internal documents, emails, and unreleased films.

Victim: Sony Pictures Entertainment
Loss: $100.0M
Records: 1.0M