The US Department of the Treasury’s Office of Foreign Assets Control (OFAC) has sanctioned two individuals and four entities for their alleged involvement in illegal revenue-generating schemes for the Democratic People’s Republic of Korea (DPRK), which sends IT workers around the world to obtain employment and provide a constant source of income for the regime in violation of international sanctions.
“These IT workers hide their identities and locations to fraudulently obtain freelance work contracts from clients around the world for IT projects such as software and mobile application development,” the Treasury Department said.
“The DPRK government withholds up to 90% of the wages earned by these foreign workers, thereby generating hundreds of millions of dollars in annual revenue for the Kim regime’s weapons programs, including its weapons of mass destruction (WMD) and ballistic missile programs.”
The action is the latest salvo in an ongoing effort by the US government to shut down the various financially motivated schemes that serve Pyongyang’s strategic goals. The individuals and companies sanctioned by OFAC are listed below:
- Department 53 of the Ministry of People’s Armed Forces, which is said to be profiting from shell companies related to IT and software development
- Korea Osong Shipping Co, a Department 53 front company that has housed DPRK IT personnel in Laos since at least 2022
- Chonsurim Trading Corporation, a Department 53 front company that housed another group of DPRK IT operatives in Laos
- Liaoning China Trade Industry Co., Ltd, a Chinese company that supplied Department 53 with equipment, namely laptops and desktops, graphics cards, HDMI cables and network equipment, to facilitate the activities of IT staff abroad
- John In-cheol, President of the DPRK Chonsurim IT Workers Delegation in Laos
- Song Kyung-sik, China Chief Representative of Korea Osong Shipping Co
Both shell companies are believed to have used false identities and pseudonyms to communicate with customers and develop software for companies around the world.
The IT worker fraud scheme drew attention in 2023, although such operations are believed to have been ongoing since at least 2018, when the Treasury Department sanctioned two companies, Yanbian Silverstar and Volasys Silver Star, for “exporting workers from North Korea, including exports to generate revenue for the government of North Korea or the Workers’ Party of Korea.”
The cluster of activity is tracked by the cybersecurity community under the aliases Famous Chollima, Nickel Tapestry, UNC5267, and Wagemole.
Recent analyses have found that North Korean IT workers increasingly infiltrate cryptocurrency and Web3 companies and “disrupt their networks, operations and integrity.” The insider threat operation has also identified people in the US willing to support the schemes by running laptop farms in exchange for a monthly fee.
Increased disclosures about these companies have further fueled a surge in extortion attempts, in which the workers steal intellectual property from the companies they work for and demand “more cryptocurrency than ever before” for not releasing it publicly or giving it away to competitors, Google-owned Mandiant told The Record.
However, the IT worker operation is only one of many methods that North Korea uses to generate illicit profits. State-sponsored North Korean hacking groups have a long history of targeting developers with work-themed lures to deliver various types of malware capable of facilitating data and cryptocurrency theft.
“DPRK continues to rely on thousands of foreign IT workers to generate revenue for the regime, fund its illegal weapons programs and support Russia’s war in Ukraine,” said Bradley T. Smith, the Treasury’s Acting Under Secretary for Terrorism and Financial Intelligence.
“The United States remains determined to disrupt these networks, wherever they operate, that contribute to the regime’s destabilizing activities.”