The US Justice Department today announced progress in its battle against Democratic People’s Republic of North Korea (DPRK) workers who have been fraudulently obtaining remote IT jobs with US organizations.
Those schemes, the DOJ said, are part of efforts by the North Korean regime, which faces financial sanctions, to generate revenue, as well as being part of its cyberespionage activities.
In a release, the DOJ said the current investigation, which is ongoing, has so far searched 29 known or suspected laptop farms, where employer-supplied laptops were installed for remote use by the illegal workers, across 16 states, seized 29 financial accounts and 21 websites belonging to shell companies created to dupe employers into believing that the workers they were hiring were associated with US businesses, and seized about 200 computers.
The FBI and Defense Criminal Investigative Service (DCIS) also seized 17 web domains used to advance the scheme and seized 29 financial accounts used to launder the funds obtained.
Court documents alleged the workers used fake or stolen identities to obtain employment as remote workers with companies worldwide, including in the US, to earn money that is believed to be directed to the North Korean weapons programs in violation of US and United Nations sanctions. Some have also accessed and stolen confidential information from their employers.
It’s not a new tactic; the US Treasury Department issued an advisory about it in 2022.
Indictments
Furthermore, the two indictments issued by the US District Court of Massachusetts said, “In order to circumvent controls that targeted US and global companies have designed and implemented to prevent the hiring of illicit IT workers and to otherwise prevent unauthorized access and damage to the companies’ computer networks, the overseas IT workers obtained assistance from persons residing in the United States.”
The US facilitators, the indictments said, “received and hosted multiple laptop computers and other hardware issued by US victim companies at their residences in the US,” and set up remote access on them, unbeknownst to the employers, so the illicit workers could do their jobs. They also set up US bank accounts and established ways to transfer the funds to the workers and their overseas co-conspirators.
Arrested was US national Zhenxing “Danny” Wang of New Jersey, who was indicted on five counts: conspiracy to commit wire and mail fraud, money laundering conspiracy, conspiracy to commit identity theft, and conspiracy to violate the International Emergency Economic Powers Act. The indictment also named six Chinese and two Taiwanese nationals for their roles in the scheme, which it said generated more than $5 million in revenue.
The second indictment was a three-count accusation against New Jersey resident Kejia “Tony” Wang for conspiracy to commit wire and mail fraud, money laundering conspiracy, and conspiracy to commit identity theft.
The DOJ release noted that Kejia Wang, Zhenxing Wang, and four other US facilitators had received at least $696,000 in total from the IT workers.
The release also cited a third five-count money laundering and wire fraud indictment from the Northern District of Georgia that charged four North Korean nationals with the theft and subsequent laundering of virtual currency from two companies, one in Georgia and one in Serbia.
Any organization is at risk
During a media briefing, senior DOJ and FBI officials noted that at least one of the organizations that had unknowingly contracted the illicit workers was a government contractor, but, they said, anyone in the US posting jobs for remote workers is at risk.
“The threat posed by DPRK operatives is both real and immediate. Thousands of North Korean cyber operatives have been trained and deployed by the regime to blend into the global digital workforce and systematically target US companies,” said US Attorney Leah B. Foley for the District of Massachusetts. “We will continue to work relentlessly to protect US businesses and ensure they are not inadvertently fueling the DPRK’s unlawful and dangerous ambitions.”
The US State Department is offering rewards of up to $5 million for information leading to the “disruption of financial mechanisms of persons engaged in certain activities that support North Korea.”