The U.S. Department of Justice (DoJ) has indicted 14 nationals belonging to the Democratic People’s Republic of Korea (DPRK or North Korea) for their alleged involvement in a long-running conspiracy to violate sanctions and commit wire fraud, money laundering, and identity theft by illegally seeking employment in U.S. companies and non-profit organizations.
“The conspirators, who worked for DPRK-controlled companies Yanbian Silverstar and Volasys Silverstar, located in the People’s Republic of China (PRC) and the Russian Federation (Russia), respectively, conspired to use false, stolen, and borrowed identities of U.S. and other persons to conceal their North Korean identities and foreign locations and obtain employment as remote information technology (IT) workers,” the DoJ said.
The IT worker scheme is alleged to have generated at least $88 million for the North Korean regime over a span of six years. In addition, the remote workers engaged in information theft, such as of proprietary source code, and threatened to leak the data unless a ransom was paid. The illicit proceeds obtained in this manner were then routed through U.S. and Chinese financial systems back to Pyongyang.
The DoJ said it’s aware of one employer that sustained hundreds of thousands of dollars in damages after it refused to yield to the extortion demand of a North Korean IT worker, who then ended up leaking the confidential information online.
The identified individuals are below –
The 14 conspirators are said to have worked in various capacities ranging from senior company leaders to IT workers. The two sanctioned companies have employed at least 130 North Korean IT workers, referred to as IT Warriors, who participated in “socialism competitions” organized by the firms to generate money for DPRK. The top performers were awarded bonuses and other prizes.
The development is the latest in a series of actions the U.S. government has taken in recent years to address the fraudulent IT worker scheme, a campaign tracked by the cybersecurity community under the moniker Wagemole.
The DoJ said it has since seized 29 phony website domains (17 in October 2023 and 12 in May 2024) used by DPRK IT workers to mimic Western IT services firms to support the bona fides of their attempts to land remote work contracts for U.S. and other businesses worldwide. The agency said it has also cumulatively seized $2.26 million (including $1.5 million seized in October 2023) from bank accounts tied to the scheme.
Separately, the Department of State has announced a reward offer of up to $5 million for information on the front companies, the individuals identified, and their illicit activities.
“DPRK IT worker schemes involve the use of pseudonymous email, social media, payment platform and online job site accounts, as well as false websites, proxy computers, virtual private networks, virtual private servers, and unwitting third-parties located in the United States and elsewhere,” the DoJ said. “The conspirators used many techniques to conceal their North Korean identities from employers.”
One such method is the use of laptop farms in the U.S.: people residing in the country are paid to receive and set up company-issued laptops and to let the IT workers connect to them remotely through software installed on the machines. The idea is to give the impression that the workers are accessing work from within the U.S. when, in reality, they are located in China or Russia.
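The two observable traces of a laptop farm as described above are several company-issued laptops, belonging to different employees, all reporting from one residential public IP, and remote-control software on those laptops so the real operator can drive them from elsewhere. The following detection logic is an added example written for this article, not code from the DoJ or any vendor; the endpoint records, the IP addresses and the list of remote-access tool names are constructed assumptions, and a real deployment would take them from the organisation's own inventory and VPN or identity logs.

```python
"""Flag possible laptop-farm endpoints from constructed endpoint telemetry.

Added example (not from the article). Each record represents one company
laptop: the employee signed in, the public IP it last reported from, and
the software inventory. All values below are constructed for illustration.
"""
from collections import defaultdict

# Assumed names of remote-control tools; in practice use the organisation's
# own software-inventory categories rather than a hard-coded list.
REMOTE_ACCESS_TOOLS = {"anydesk", "teamviewer", "rustdesk", "splashtop"}

# Constructed endpoint records (hypothetical hosts, users and IPs).
SAMPLE_ENDPOINTS = [
    {"host": "lt-0101", "user": "a.smith", "public_ip": "203.0.113.7",   "software": ["slack", "anydesk"]},
    {"host": "lt-0102", "user": "b.jones", "public_ip": "203.0.113.7",   "software": ["zoom", "teamviewer"]},
    {"host": "lt-0103", "user": "c.lee",   "public_ip": "203.0.113.7",   "software": ["vscode", "anydesk"]},
    {"host": "lt-0104", "user": "d.kim",   "public_ip": "198.51.100.20", "software": ["vscode"]},
    {"host": "lt-0105", "user": "e.park",  "public_ip": "198.51.100.21", "software": ["anydesk"]},
]


def has_remote_access_tool(record):
    """True if any installed package name is in the remote-control tool list."""
    return any(name.lower() in REMOTE_ACCESS_TOOLS for name in record["software"])


def find_laptop_farm_candidates(endpoints, min_hosts=3):
    """Return {public_ip: [hosts]} for IPs where at least `min_hosts` laptops
    of at least `min_hosts` distinct users report from the same address and
    every one of those laptops carries a remote-access tool."""
    by_ip = defaultdict(list)
    for rec in endpoints:
        by_ip[rec["public_ip"]].append(rec)

    candidates = {}
    for ip, recs in by_ip.items():
        users = {r["user"] for r in recs}
        hosts = sorted({r["host"] for r in recs})
        if (len(hosts) >= min_hosts and len(users) >= min_hosts
                and all(has_remote_access_tool(r) for r in recs)):
            candidates[ip] = hosts
    return candidates


def hosts_with_remote_access(endpoints):
    """Lower-confidence review list: every laptop with a remote-control tool,
    regardless of where it reports from."""
    return sorted(r["host"] for r in endpoints if has_remote_access_tool(r))


if __name__ == "__main__":
    for ip, hosts in find_laptop_farm_candidates(SAMPLE_ENDPOINTS).items():
        print(f"possible laptop farm at {ip}: {', '.join(hosts)}")
    print("laptops with remote-access tools:", hosts_with_remote_access(SAMPLE_ENDPOINTS))
```

The high-confidence rule requires both signals together, because a single remote-access install is common in legitimate IT support and a shared IP alone is common for colleagues in one office; the second function is the broader list a reviewer would work through by hand.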
All the 14 conspirators have been charged with conspiracy to violate the International Emergency Economic Powers Act, conspiracy to commit wire fraud, conspiracy to commit money laundering, and conspiracy to commit identity theft. Eight of them have been charged with aggravated identity theft. If convicted, each of them faces a maximum penalty of 27 years in prison.
The IT worker scam is just one of the many methods that North Korea has embraced to generate illicit revenue and support its strategic objectives, the others being cryptocurrency theft and targeting of banking and blockchain companies.
Earlier this month, decentralized finance (DeFi) platform Radiant Capital attributed a North Korea-linked threat actor dubbed Citrine Sleet to the $50 million cryptocurrency heist that took place following a breach of its systems in October 2024.
The adversary, also called Gleaming Pisces, Labyrinth Chollima, Nickel Academy, and UNC4736, is a sub-cluster within the Lazarus Group. It’s also known for orchestrating a persistent social engineering campaign dubbed Operation Dream Job that aims to entice developers with lucrative job opportunities to dupe them into downloading malware.
It’s worth noting that these efforts also take different forms depending on the activity cluster behind them, which can vary from coding tests (Contagious Interview) to collaborating on a GitHub project (Jade Sleet).
The attack targeting Radiant Capital followed the same pattern: in September, a developer at the company was approached on Telegram by the threat actor, who posed as a trusted former contractor ostensibly seeking feedback on their work as part of a new career opportunity related to smart contract auditing.
The message included a link to a ZIP archive containing a PDF file that, in turn, delivered a macOS backdoor codenamed INLETDRIFT, which, besides displaying a decoy document to the victim, also established stealthy communications with a remote server (“atokyonews[.]com”).
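A ZIP archive sent under the pretext of a document review is the kind of attachment a defender can triage before anyone opens it: the cheap checks are whether an entry carries a document extension but starts with a Mach-O header, whether the archive contains a macOS application bundle, and whether any entry has its executable mode bit set. The script below is an added example written for this article, not code from Radiant Capital or its incident report; the archive it inspects is constructed in memory, and nothing about the actual INLETDRIFT sample is assumed beyond the article's description of a ZIP with a PDF inside.

```python
"""Triage a ZIP archive for macOS executables disguised as documents.

Added example (not from the article). The sample archive is constructed
in memory; the file names and contents are hypothetical.
"""
import io
import zipfile

# Mach-O magic numbers: 32/64-bit, both byte orders, plus the fat-binary header.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",
    b"\xca\xfe\xba\xbe",
}
DOCUMENT_EXTS = (".pdf", ".doc", ".docx", ".txt")


def triage_zip(data: bytes) -> dict:
    """Return {entry_name: [reasons]} for every archive entry that looks like
    a native macOS executable or is placed where one would live."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            lower = name.lower()
            with zf.open(info) as fh:
                head = fh.read(4)          # only the magic number is needed
            reasons = []
            if head in MACHO_MAGICS:
                reasons.append("mach-o header")
                if lower.endswith(DOCUMENT_EXTS):
                    reasons.append("document extension on a Mach-O binary")
            if ".app/contents/macos/" in lower:
                reasons.append("app bundle executable")
            unix_mode = info.external_attr >> 16   # upper 16 bits hold st_mode
            if unix_mode & 0o111:
                reasons.append("executable mode bit")
            if reasons:
                findings[name] = reasons
    return findings


def is_suspicious(data: bytes) -> bool:
    return bool(triage_zip(data))


def build_sample_archive() -> bytes:
    """Constructed archive: one genuine PDF, one 'PDF' that is really a Mach-O
    binary, and an app bundle with an executable inside."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/brief.pdf", b"%PDF-1.4\n% constructed benign document\n")
        zf.writestr("docs/report.pdf", b"\xcf\xfa\xed\xfe" + b"\x00" * 28)
        info = zipfile.ZipInfo("docs/Helper.app/Contents/MacOS/Helper")
        info.external_attr = 0o100755 << 16      # regular file, mode 0755
        zf.writestr(info, b"\xcf\xfa\xed\xfe" + b"\x00" * 28)
    return buf.getvalue()


if __name__ == "__main__":
    for entry, why in triage_zip(build_sample_archive()).items():
        print(f"{entry}: {', '.join(why)}")
```

The magic-number check is deliberately done on the first four bytes of each entry rather than on its name, since the name is the part the sender controls; on a real mail gateway the same function would run over the decoded attachment before delivery, and any hit is grounds to quarantine the whole archive rather than just the flagged entry.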
“The attackers were able to compromise multiple developer devices,” Radiant Capital said. “The front-end interfaces displayed benign transaction data while malicious transactions were signed in the background. Traditional checks and simulations showed no obvious discrepancies, making the threat virtually invisible during normal review stages.”