The US Department of Justice on Monday announced a nationwide action against fake IT worker schemes that fund the North Korean government.
In these schemes, North Korean nationals fraudulently obtain remote IT employment at US companies using fake or stolen identities; the schemes are estimated to have netted more than $88 million over six years.
Hundreds of US companies are believed to have been duped into hiring North Korean IT workers, with Americans aiding these individuals to pose as US persons by running laptop farms in the country to disguise their location.
On Monday, the DOJ announced a coordinated action across 16 states that included searches of 29 known and suspected laptop farms.
The action resulted in the seizure of 29 financial accounts laundering illicit proceeds from these schemes, the seizure of 21 websites, one arrest, and two indictments.
As part of one scheme, people in the US, China, UAE, and Taiwan assisted North Koreans in obtaining employment at more than 100 US firms through front companies, fraudulent websites, and the hosting of laptop farms, court documents show.
In addition to receiving regular salary payments, the North Korean IT workers gained access to and even stole sensitive information, including export-controlled US military technology and cryptocurrency.
In one scheme, North Korean IT workers got hired by an Atlanta, Georgia-based blockchain research and development firm and stole over $900,000 in virtual currency.
On Monday, the DOJ announced the arrest and indictment of US national Zhenxing ‘Danny’ Wang of New Jersey, for his involvement in a multi-year fraud scheme generating over $5 million in revenue through remote IT work obtained using more than 80 compromised identities. Over 100 US companies were affected, including many Fortune 500 companies.
The fraudulent IT workers also gained access to International Traffic in Arms Regulations (ITAR) data from a California-based defense contractor, and an overseas co-conspirator stole information marked as being controlled under the ITAR.
Chinese nationals Jing Bin Huang, Baoyu Zhou, Tong Yuze, Yongzhe Xu, Ziyou Yuan, and Zhenbang Zhou, and Taiwanese nationals Mengting Liu and Enchia Liu were also indicted alongside Wang for their roles in the scheme. Law enforcement also seized 17 web domains and 29 financial accounts holding tens of thousands of dollars.
Another indictment charges four North Korean nationals, namely Kim Kwang Jin, Kang Tae Bok, Jong Pong Ju, and Chang Nam Il, for their roles in a scheme to steal over $900,000 in cryptocurrency from two companies: the Atlanta-based blockchain firm and a virtual token company in Serbia.
After obtaining employment, Kim Kwang Jin and Jong Pong Ju were assigned jobs that provided them with access to the employers’ virtual currency assets. In February and March 2022, they stole $175,000 and $740,000 from these companies, then used the virtual currency mixer Tornado Cash to launder the funds.
In mid-June, the FBI conducted 21 searches at premises across 14 states in a crackdown on known and suspected laptop farms supporting North Korean remote IT worker schemes, and seized approximately 137 laptops.
On Monday, Microsoft said it suspended 3,000 known Microsoft consumer accounts created by North Korean IT workers, pointing out that these individuals rely on AI and witting facilitators to hide their identities and land jobs. Microsoft is tracking this activity as Jasper Sleet.
“There are very few major companies in the US that haven’t been touched by this scam at this point. It’s an epidemic,” John Hultquist, Chief Analyst, Google Threat Intelligence Group, said in an emailed statement.
“It’s great to see more pressure from law enforcement, especially against the facilitators who act as middlemen for the North Koreans. Without their help it will be much harder to pull this off. Still, it’s important for everyone to take a good look at their hiring practices. This activity is frequently discovered by cautious organizations,” Hultquist added.