It’s no secret that North Korea’s hackers have rampaged around the global internet for years, stealing hundreds of millions of dollars, extorting companies, and even carrying out vendettas against perceived enemies of the Kim Jong-Un regime. Until today, US authorities had only tied a single hacker to that sprawling online scourge, indicting a man named Park Jin Hyok in 2013. Now the US Department of Justice has charged two more North Korean men with participating in that years-long spree—and added far more detail about how they allegedly pulled it off. 

Prosecutors today unsealed an indictment against Park Jin Hyok, Jon Chang Hyok, and Kim Il, all alleged to be part of the broadly defined North Korean hacker group known as Lazarus, Hidden Cobra, or APT38. The charges describe more than six years of North Korea’s chaotic hacking across the globe. On top of a slew of intrusions into banks and cryptocurrency firms, the indictment alleges that the three men were involved in the deployment of the WannaCry ransomware worm, estimated to have caused at least $4 billion in global damages. The indictment also ties the three men to cyberattacks on Sony Pictures, UK TV production firm Mammoth Pictures, and AMC Theaters, all aimed at stopping the release of media that would embarrass or offend the Kim regime.

Perhaps most remarkably, the indictment details how the men created not only a collection of fake, malicious cryptocurrency applications designed to steal victims’ funds, but also planned to create their own crypto-token called Marine Chain. The scheme would let users purchase stakes in seafaring cargo ships, but was in fact aimed at raising money for the North Korean government while evading international sanctions. 

“The scope of the criminal conduct by the North Korean hackers was extensive and long-running, and the range of crimes they have committed is staggering,” acting US attorney Tracy L. Wilkison for the Central District of California said in a press conference announcing the charges. “The conduct detailed in the indictment are the acts of a criminal nation-state that has stopped at nothing to extract revenge and obtain money to prop up its regime.”

While the indictment doesn’t state a total amount of funds successfully obtained by the hackers, prosecutors say they attempted to steal a total of more than $1.3 billion. In terms of actual criminal gains, the indictment points to $121 million in total cryptocurrency thefts, as well as a long-running series of bank break-ins in which the hackers manipulated SWIFT transactions and carried out ATM cashouts to steal many millions more, including $110 million from Mexican financial firm Bancomext and $101 million from the Bangladesh Central Bank. The WannaCry ransomware they’re charged with creating also produced hundreds of thousands of dollars more in ransom payments—while also indiscriminately paralyzing hundreds of thousands of computers around the world across hospitals, government agencies, and companies in one of the most damaging cyberattacks in history.

The three hackers are also charged with participating in the notorious cyberattack on Sony Pictures, in which North Korean hackers posed as hacktivists and attempted to coerce Sony to cancel its release of the Kim Jong-Un assassination comedy The Interview. But the indictment also points to less publicized attacks targeting the film and TV industry, including sending spearphishing emails to AMC Theaters as part of their campaign to prevent the screening of The Interview. They also allegedly hacked into the network of the UK TV production firm Mammoth Screen, which was at the time producing a drama about a British nuclear scientist’s kidnapping by North Koreans.

Most surprising, perhaps, is the extent of the hackers’ alleged schemes as cryptocurrency scammers and even would-be entrepreneurs. The indictment outlines how the North Koreans—specifically Kim Il—made plans to launch a cryptocurrency token scheme called Marine Chain, which would sell a blockchain-based stake in marine vessels including cargo ships. According to the British think tank the Royal United Services Institute, Marine Chain was identified by the United Nations as a North Korean sanctions-evasion scheme in 2018; it’s not clear if it ever got off the ground.