Research from Secureworks Counter Threat Unit (CTU) has revealed links between the North Korean fake IT workers scheme and fraudulent crowdfunding activity.
The group associated with the crowdfunding scam has been identified by Secureworks as Nickel Tapestry, a threat actor that comprises multiple clusters of activity operated on behalf of North Korean interests.
The scam garnered around $20,000 and showcases an earlier example of North Korean threat actors experimenting with various money-making schemes that predate the use of fraudulent IT workers.
Rafe Pilling, Director of Threat Intelligence, Secureworks CTU, commented, “Over the past 12 months we’ve seen the North Korean IT worker scheme evolve, leveraging deepfakes and AI. To counter state-sponsored groups like Nickle Tapestry, it’s crucial to understand not only how their tradecraft is changing, but also where it began.”
Through a patchworks of domain names, front companies and email addresses, the CTU was able to link Nickle Tapestry to an IndieGoGo crowdfunding campaign page, which advertised a Kratos portable wireless memory device.
However, buyer comments indicated that the campaign was a scam and that the campaign backers never received a product or refund from the seller.
“This 2016 campaign was a low-effort, small monetary-return endeavor compared to the more elaborate North Korean IT worker schemes active as of this publication,” Secureworks CTU said in a blog post.
The network infrastructure overlap between the crowdfunding and IT worker campaigns indicates an association between the IndieGoGo scam operators and the Nickle Tapestry threat group, the cybersecurity firm said.
Linking Nickle Tapestry to the Crowdfunding Scam
The CTU’s investigations uncovered that two information technology companies found by the US to have violated sanctions in 2018 were linked to the 2016 crowdfunding scam.
The two firms are China-based Yanbian Silverstar Network Technology Co., and Russia-based Volasys Silver Star.
In 2023, the FBI accessed multiple accounts used by Yanbian Silverstar freelancers between 2018 to 2019 from IP address 36 . 97 . 143 . 26 .
This IP address resolves to a dedicated server geolocated in Jilin, China, where Yanbian Silverstar is believed to be based.
The FBI’s affidavit provides evidence that North Korean IT workers were living in China and working at Yanbian Silverstar.
The CEO of Yanbian Silverstar and Volasys Silver Star, a North Korean national named Jong Song Hwa, was also designated by the FBI.
In 2024, a domain associated with the two front companies (silverstarchina . com) was seized and revealed the registrant email address (jinmaolin0628 @ hotmail . com).
This email address was previously hidden behind WHOIS privacy protection. The Chang Bai Shan Dong Lu registrant street address matches the reported location of Yanbian Silverstar offices.
This same registrant email and street address were also listed in the registration data of several other domain names.
CTU researchers discovered that one of those domain names (kratosmemory . com) was linked to a 2016 IndieGoGo crowdfunding campaign which advertised the Kratos portable wireless memory device.
Around mid-2016, WHOIS registrant information for kratosmemory . com was updated to reflect a different persona named Dan Moulding.
This persona name matches the IndieGoGo user profile for the Kratos scam.
CTU researchers have not observed this persona in registrant data for other domains.