US Uncovers North Korean IT Worker Fraud, Offers $5M Bounty


The US Government has offered a $5m reward for information that leads to the disruption of the financial mechanisms of persons who support the Democratic People’s Republic of Korea (DPRK) through a fake IT worker scheme targeting US firms.

The conspirators, some of whom were ordered by their superiors to earn at least $10,000 per month, generated at least $88m throughout a six-year conspiracy from 2017 to 2023.

Those involved in the scheme supplemented their employment earnings by stealing sensitive company information, such as proprietary source code, and then threatening to leak such information unless the employer made an extortion payment.

The bounty announcement was made by the US Department of State’s Rewards for Justice (RFJ) program, with the US Department of Justice (DoJ) simultaneously issuing an indictment of 14 individuals involved in the scheme on December 12.

The firms involved have been identified as DPRK-controlled companies Yanbian Silverstar and Volasys Silverstar, located in the People’s Republic of China (PRC) and the Russian Federation (Russia) respectively.

These two organizations collectively employed at least 130 North Korean IT workers — referred to within these organizations as “IT Warriors.” 

As part of their scheme, North Korean IT workers obtained salaried employment at numerous US-based companies and nonprofit organizations.

One of the main goals of the fraud scheme was to generate revenue for the DPRK by duping American companies into hiring its citizens for remote work.

“To prop up its brutal regime, the North Korean government directs IT workers to gain employment through fraud, steal sensitive information from US companies, and siphon money back to the DPRK,” said Deputy Attorney General Lisa Monaco. “This indictment of 14 North Korean nationals exposes their alleged sanctions evasion and should serve as a warning to companies around the globe — be on alert for this malicious activity by the DPRK regime.”

North Korean IT Workers a Persistent Threat

The DPRK has dispatched thousands of skilled IT workers around the world, with the aim of deceiving US and other businesses worldwide into hiring them as remote IT workers to generate revenue for the North Korean regime in violation of US and UN sanctions. 

Earlier in 2024, cybersecurity firm KnowBe4 confirmed it had been duped by a fraudulent North Korean IT worker.

The firm noted that in the incident, malicious activity was identified and prevented before any illegal access was gained or any data was compromised on KnowBe4 systems.

The worker had used a valid but stolen US-based identity, coupled with an “AI enhanced” application to gain employment at the firm.

Michael Barnhart, Mandiant Principal Analyst at Google Cloud, noted, “In recent months, Mandiant has seen an increase in extortion attempts linked to North Korean IT workers, and for the first time, we’re seeing IT workers follow through on releasing sensitive data of organizations they’ve infiltrated to pressure victims into paying exorbitant ransoms. They're also demanding more cryptocurrency than they ever have before.”

He added, “We assess that the heightened media attention and ongoing government disruptions targeting their cyber operations this past year are forcing an escalation in their tactics.”

The DoJ charges are the most recent step in an ongoing, two-year Department effort to disrupt this specific group of conspirators, one of multiple such DPRK groups attempting to generate revenue for the North Korean government through such schemes. 
