The US Department of Justice (DoJ) on Thursday indicted two North Korean nationals, a Mexican national and two Mexican nationals for their alleged involvement in an ongoing information technology (IT) worker fraud scheme aimed at generating revenue for the Democratic People’s Republic of Korea (DPRK) in violation of international sanctions.
The action focuses on Jin Sung Il, Park Jin Sung, Pedro Ernest Alonso De Los Reyes, Eric Ntekereze Prince and Emmanuel Ashtor. Alonso, who lives in Sweden, was arrested in the Netherlands on January 10, 2025 after a warrant was issued.
All five defendants were charged with conspiracy to damage a protected computer, conspiracy to commit wire and mail fraud, conspiracy to commit money laundering and conspiracy to transmit false identification documents. Jin and Park were also charged with conspiring to violate the International Emergency Economic Powers Act. If convicted, each of them faces a maximum sentence of 20 years in prison.
This development is the latest move by the US government to disrupt the ongoing campaign, which involves North Korean nationals using fake and stolen credentials to obtain remote IT jobs at US companies through laptop farms operating in the country.
Other efforts include the August 2024 arrest of a Tennessee man for helping North Koreans get jobs at American firms and the indictment of 14 North Korean citizens last month for allegedly making $88 million over the course of a six-year conspiracy. Last week, the US Treasury Department sanctioned two North Korean nationals and four companies based in Laos and China for their work under the IT worker scheme.
“From approximately April 2018 through August 2024, the defendants and their unindicted co-conspirators were employed by at least sixty-four U.S. companies,” the Justice Department said. “Payments from ten of these companies generated at least $866,255 in revenue, most of which the defendants then laundered through a Chinese bank account.”
According to the charging document, Jin applied for a position at an unnamed US IT company in June 2021 using Alonso’s identity with his consent and one of Ntekereze’s addresses in New York, after which he was offered a salary of $120,000 a year.
From Ashtor’s residence in North Carolina, the department said, she ran a laptop farm that housed company-provided laptops to trick companies into thinking their new hires were in the country, when in fact they were logging in remotely to these systems from China and Russia.
Both Ntekereze and Ashtor received laptops from US employers at their homes and proceeded to download and install remote access software such as AnyDesk and TeamViewer without permission to facilitate remote access. They also conspired to launder payments for remote IT work through various accounts designed to promote the scheme and conceal its proceeds.
As part of the scheme, Ntekereze is said to have used his company, Taggcar Inc., to bill a US staffing company eight times for a total of about US$75,709 for IT work carried out by Jin, who posed as Alonso. A portion of the payment was then transferred to an online payment platform in Alonso’s name that was available to both Jin and Alonso.
North Korea’s extensive efforts to get its citizens employed at companies around the world are seen as an attempt to earn high-paying IT salaries that can be sent back to the country to fulfill regime priorities and to gain access to sensitive documents for financial leverage.
The IT worker scam, as the US Federal Bureau of Investigation (FBI) confirmed in a separate advisory, includes using pseudonymous e-mail, social media, and online job site accounts, as well as fraudulent websites, proxies, and knowing and unwitting third parties located in the United States and other countries.
“In recent months, in addition to data extortion, the FBI has observed North Korean IT personnel using illegal access to company networks to steal private and sensitive data, facilitate cybercriminal activity, and conduct profitable activities on behalf of the regime,” the agency said.
“Once detected in company networks, North Korean IT workers extorted victims, holding stolen private data and code hostage until the companies met ransom demands. In some cases, North Korean IT workers have publicly published victim companies’ own code.”
Other cases involve the theft of company code repositories from GitHub and attempts to harvest sensitive company credentials and session cookies to initiate work sessions from non-corporate devices.
It’s not just a US phenomenon, as a new report from threat intelligence firm Nisos shows that several Japanese firms have also been targeted by North Korean IT operatives. In particular, it highlighted the case of one such IT employee who, since January 2023, has held the positions of software developer and full developer at various firms.
The identities of IT workers have been digitally manipulated to give them the appearance of legitimacy, complete with accounts on GitHub and freelance employment websites such as LaborX, ProPursuit, Remote OK, Working Not Working and Remote Hub, not to mention a personal website that contains manipulated stock images.
“The individual appears to be currently working under the name Weitao Wang at Japanese consulting firm Tenpct Inc., and appears to have previously worked under the name Osamu Odaka at Japanese software development and consulting firm LinkX Inc.,” the company said in a report shared with The Hacker News.