The U.S. Department of Justice (DoJ) on Monday announced sweeping actions targeting the North Korean information technology (IT) worker scheme, leading to the arrest of one individual and the seizure of 29 financial accounts, 21 fraudulent websites, and nearly 200 computers.
The coordinated action saw searches of 21 known or suspected “laptop farms” across 14 states in the U.S. that were put to use by North Korean IT workers to remotely connect to victim networks via company-provided laptop computers.
“The North Korean actors were assisted by individuals in the United States, China, United Arab Emirates, and Taiwan, and successfully obtained employment with more than 100 U.S. companies,” the DoJ said.
The North Korean IT worker scheme has become one of the crucial cogs in the Democratic People’s Republic of North Korea (DPRK) revenue generation machine in a manner that bypasses international sanctions. The fraudulent operation, described by cybersecurity company DTEX as a state-sponsored crime syndicate, involves North Korean actors obtaining employment with U.S. companies as remote IT workers, using a mix of stolen and fictitious identities.
Once they land a job, the IT workers receive regular salary payments and gain access to proprietary employer information, including export controlled U.S. military technology and virtual currency. In one incident, the IT workers are alleged to have secured jobs at an unnamed Atlanta-based blockchain research and development company and stole over $900,000 in digital assets.
North Korean IT workers are a serious threat because not only do they generate illegal revenues for the Hermit Kingdom through “legitimate” work, but they also weaponize their insider access to harvest sensitive data, steal funds, and even extort their employers in exchange for not publicly disclosing their data.
“These schemes target and steal from U.S. companies and are designed to evade sanctions and fund the North Korean regime’s illicit programs, including its weapons programs,” said Assistant Attorney General John A. Eisenberg of the Department’s National Security Division.
Last month, the DoJ said it had filed a civil forfeiture complaint in federal court that targeted over $7.74 million in cryptocurrency, non-fungible tokens (NFTs), and other digital assets linked to the global IT worker scheme.
“North Korea remains intent on funding its weapons programs by defrauding U.S. companies and exploiting American victims of identity theft,” said Assistant Director Roman Rozhavsky of the FBI Counterintelligence Division. “North Korean IT workers posing as U.S. citizens fraudulently obtained employment with American businesses so they could funnel hundreds of millions of dollars to North Korea’s authoritarian regime.”
Chief among the actions announced Monday includes the arrest of U.S. national Zhenxing “Danny” Wang of New Jersey, who has been accused of perpetrating a multi-year fraud scheme in collusion with co-conspirators to get remote IT work with U.S. companies, ultimately generating more than $5 million in revenue.
Other individuals who participated in the scheme include six Chinese and two Taiwanese nationals –
- Jing Bin Huang (靖斌 黄)
- Baoyu Zhou (周宝玉)
- Tong Yuze (佟雨泽)
- Yongzhe Xu (徐勇哲 andيونجزهي أكسو)
- Ziyou Yuan (زيو)
- Zhenbang Zhou (周震邦)
- Mengting Liu (劉 孟婷), and
- Enchia Liu (刘恩)
According to the indictment, the defendants and other co-conspirators compromised the identities of more than 80 U.S. individuals to obtain remote jobs at more than 100 U.S. companies between 2021 and October 2024. The overseas IT workers are believed to have been assisted by U.S.-based facilitators, Kejia “Tony” Wang, Zhenxing “Danny” Wang, and at least four others, with Kejia Wang even traveling to China in 2023 to meet overseas co-conspirators and IT workers and discuss the scheme.
To trick the companies into thinking that the remote workers are based in the U.S., Wang et al received and hosted the company-issued laptops at their residences, and enabled the North Korean threat actors to connect to these devices using KVM (short for “keyboard-video-mouse”) switches like PiKVM or TinyPilot.
“Kejia Wang and Zhenxing Wang also created shell companies with corresponding websites and financial accounts, including Hopana Tech LLC, Tony WKJ LLC, and Independent Lab LLC, to make it appear as though the overseas IT workers were affiliated with legitimate U.S. businesses,” the DoJ said. “Kejia Wang and Zhenxing Wang established these and other financial accounts to receive money from victimized U.S. companies, much of which was subsequently transferred to overseas co‑conspirators.”
In return for providing these services, Wang and his co-conspirators are estimated to have received no less than $696,000 from the IT workers.
Separately, the Northern District of Georgia unsealed a five-count wire fraud and money laundering indictment charging four North Korean nationals, Kim Kwang Jin (김관진), Kang Tae Bok (강태복), Jong Pong Ju (정봉주), and Chang Nam Il (창남일), with stealing more than $900,000 from the blockchain company located in Atlanta.
Court documents allege that the defendants traveled to the United Arab Emirates on North Korean documents in October 2019 and worked together as a team. Sometime between December 2020 and May 2021, Kim Kwang Jin and Jong Pong Ju were hired as developers by the blockchain company and a Serbian virtual token company, respectively. Then, acting on the recommendation of Jong Pong Ju, the Serbian company hired Chang Nam Il.
After Kim Kwang Jin and Jong Pong Ju gained their employers’ trust and were assigned projects that granted them access to the firm’s virtual currency assets, the threat actors proceeded to steal the assets in February and March 2022, in one case altering the source code associated with two of the company’s smart contracts.
The stolen proceeds were then laundered using a cryptocurrency mixer and eventually transferred to virtual currency exchange accounts controlled by Kang Tae Bok and Chang Nam Il. These accounts, the DoJ said, were opened using fraudulent Malaysian identification documents.
“These arrests are a powerful reminder that the threats posed by DPRK IT workers extend beyond revenue generation,” Michael “Barni” Barnhart, Principal i3 Insider Risk Investigator at DTEX, told The Hacker News in a statement. “Once inside, they can conduct malicious activity from within trusted networks, posing serious risks to national security and companies worldwide.”
“The U.S. government’s actions […] are absolutely top notch and a critical step in disrupting this threat. DPRK actors are increasingly utilizing front companies and trusted third parties to slip past traditional hiring safeguards, including observed instances of those in sensitive sectors like government and the defense industrial base. Organizations must look beyond their applicant portals and reassess trust across their entire talent pipeline because the threat is adapting as we are.”
Microsoft Suspends 3,000 Email Accounts Tied to IT Workers
Microsoft, which has been tracking the IT worker threat under the moniker Jasper Sleet (previously Storm-0287) since 2020, said it has suspended 3,000 known Outlook/Hotmail accounts created by the threat actors as part of its broader efforts to disrupt North Korean cyber operations. The activity cluster is also tracked as Nickel Tapestry, Wagemole, and UNC5267.
The worker fraud scheme starts with setting up identities such that they match the geolocation of their target organizations, after which they are digitally fleshed out through social media profiles and fabricated portfolios on developer-oriented platforms like GitHub to give the personas a veneer of legitimacy.
The tech giant called out the IT workers’ exploitation of artificial intelligence (AI) tools to enhance images and change voices in order to boost the credibility of their job profiles and appear more authentic to employers. The IT workers have also been found to set up fake profiles on LinkedIn to communicate with recruiters and apply for jobs.
“These highly skilled workers are most often located in North Korea, China, and Russia, and use tools such as virtual private networks (VPNs) and remote monitoring and management (RMM) tools together with witting accomplices to conceal their locations and identities,” the Microsoft Threat Intelligence team said.
Another noteworthy tactic embraced by Jasper Sleet revolves around posting facilitator job ads under the guise of remote job partnerships to help IT workers secure employment, pass identity checks, and work remotely. As the relationship with the facilitators grows, they may also be tasked with creating a bank account for the IT workers, or purchasing mobile phone numbers or SIM cards.
Furthermore, the witting accomplices are responsible for validating the IT workers’ bogus identities during the employment verification process using online background check service providers. The submitted documents include fake or stolen drivers’ licenses, social security cards, passports, and permanent resident identification cards.
As a way to counter the threat, Microsoft said it has developed a custom machine-learning solution powered by proprietary threat intelligence that can surface suspicious accounts exhibiting behaviors that align with known DPRK tradecraft for follow-on actions.
“North Korea’s fraudulent remote worker scheme has since evolved, establishing itself as a well-developed operation that has allowed North Korean remote workers to infiltrate technology-related roles across various industries,” Redmond said. “In some cases, victim organizations have even reported that remote IT workers were some of their most talented employees.”
