On Monday, the US Department of Justice (DOJ) announced sweeping actions targeting the North Korean information technology (IT) worker scheme, which led to one arrest and the seizure of 29 financial accounts, 21 fraudulent websites and nearly 200 computers.
The coordinated actions included searches of 21 known or suspected "laptop farms" between the 10th and 17th, 2025, across multiple US states. These farms were used by North Korean IT workers to connect remotely to victim networks through company-issued laptops.
“North Korean actors were assisted by individuals in the US, China, the United Arab Emirates and Taiwan, and successfully obtained employment with more than 100 US companies,” the DOJ noted.
The North Korean IT worker scheme has become one of the most important components of the Democratic People's Republic of Korea's (DPRK) revenue generation, bringing in income in a manner that sidesteps international sanctions. The fraudulent operation, described by cybersecurity company DTEX as a state-sponsored crime syndicate, involves North Korean actors obtaining employment at US companies as remote IT workers using a mix of stolen and fictitious identities.
Once hired, the IT workers receive regular salary payments and gain access to their employers' proprietary information, including export-controlled US military technology and virtual currency. In one incident, IT workers who allegedly obtained work at an unnamed research and development company stole over $900,000 in digital assets.
North Korean IT workers pose a pressing threat because they not only bring illicit revenue to the Hermit Kingdom through "legitimate" work, but also leverage their insider access to steal proprietary data and even extort their employers in exchange for not publicly releasing it.
“These schemes target and steal from US companies and are designed to evade sanctions and fund the North Korean regime's illicit programs, including its weapons programs,” said Assistant Attorney General John A. Eisenberg of the Justice Department.
Last month, the DOJ said it had filed a civil forfeiture complaint in the US District Court for the District of Columbia targeting cryptocurrency and other digital assets tied to the global IT worker scheme.
“North Korea remains intent on funding its weapons programs by defrauding US companies and exploiting US victims of identity theft,” said Assistant Director Roman Rozhavsky of the FBI's Counterintelligence Division. “North Korean IT workers posing as US citizens fraudulently obtained employment with US businesses so they could funnel hundreds of millions of dollars to North Korea's authoritarian regime.”
Chief among the actions announced on Monday is the arrest of US national Zhenxing "Danny" Wang of New Jersey, who has been charged in a long-running fraud scheme conspiring to obtain remote IT work with US companies that ultimately brought in more than $5 million.
Other individuals involved in the scheme include six Chinese and two Taiwanese nationals:
- Jing Ben Juan
- Bao Zhou (Zhou Bao)
- Tong Yuz
- Yongzhe Xu (徐勇哲)
- Ziyou Yuan
- Zhengbang Zhou (Zhou Zhengbang)
- Mengting Liu (Liu Mengting), and
- Enchia Liu
According to the indictment, the defendants and other co-conspirators compromised the identities of more than 80 US individuals to obtain remote jobs at more than 100 US companies between 2021 and October 2024. The workers are alleged to have been assisted by US-based facilitators Kejia "Tony" Wang, Zhenxing "Danny" Wang, and at least four others, with Kejia Wang even traveling to China in 2023 to meet the IT workers and discuss the scheme.
To trick companies into believing the remote workers were located in the US, Wang and others received and kept company-issued laptops at their residences and allowed North Korean threat actors to connect to these devices using KVM (short for "keyboard-video-mouse") switches such as PiKVM or TinyPilot.
“Kejia Wang and Zhenxing Wang also established shell companies with corresponding websites and financial accounts, including Hopana Tech LLC, Tony WKJ LLC and Independent Lab LLC, to make it appear as though the overseas IT workers were affiliated with legitimate US businesses,” the DOJ said. “Kejia Wang and Zhenxing Wang created these and other financial accounts to receive money from victim US companies, most of which was then transferred to the overseas IT workers.”
In return for these services, Wang and his co-conspirators are estimated to have received at least $696,000 from the IT workers.
Separately, the Northern District of Georgia unsealed a five-count wire fraud and money laundering indictment charging four North Korean nationals, Kim Kwang Jin (김관진), Kang Tae Bok (강태복), Jong Pong Ju (정봉주), and Chang Nam Il (창남일), with the theft of more than $900,000.
Court documents allege that the accused traveled to the United Arab Emirates on North Korean documents in October 2019 and worked together as a team. Between December 2020 and May 2021, Kim Kwang Jin and Jong Pong Ju were hired as developers by a blockchain company and a Serbian virtual currency company, respectively. Then, acting on Jong Pong Ju's recommendation, the Serbian company hired Chang Nam Il.
After Kim Kwang Jin and Jong Pong Ju gained their employers' trust and were assigned projects that gave them access to the firms' virtual currency assets, the threat actors proceeded to steal those assets in February and March 2022 by modifying the source code of two of the companies' smart contracts.
The stolen proceeds were then laundered through the cryptocurrency mixer service known as Tornado Cash and eventually transferred to virtual currency exchange accounts controlled by Kang and Chang. According to the DOJ, these accounts were opened using fraudulent Malaysian identification documents.
“These arrests are a powerful reminder that the threats posed by DPRK IT workers go beyond revenue generation,” Michael Barnhart, i3 Insider Risk Director, told The Hacker News. “Once inside, they can carry out malicious activity within trusted networks, creating serious risks to national security and to companies around the world.”
“The US government's actions (…) are absolutely a major and critical step in disrupting this threat. DPRK actors are increasingly using front companies and trusted third parties to slip past traditional hiring safeguards, including observed instances in sensitive sectors such as government and the defense industrial base. (…)”
Microsoft Suspends 3,000 Email Accounts
Microsoft, which has tracked the IT worker threat under the moniker Jasper Sleet (previously Storm-0287) since 2020, said it has suspended 3,000 known Outlook/Hotmail accounts created by the threat actors as part of its broader efforts to disrupt North Korean operations. The activity cluster is also tracked as Nickel Tapestry, Wagemole and UNC5267.
The IT worker fraud scheme begins with the creation of identities that match the geolocation of their target organizations, after which the actors build out a digital footprint of social media profiles and portfolios on developer-focused platforms like GitHub to lend the personas legitimacy.
The tech giant noted that the IT workers use artificial intelligence (AI) tools to enhance images and alter their voices in order to bolster the credibility of their job profiles and appear more authentic to employers. The IT workers were also found to have created fake LinkedIn profiles to communicate with recruiters and apply for jobs.
“These highly skilled workers are most often located in North Korea, China and Russia, and use tools such as virtual private networks (VPNs) and remote monitoring and management (RMM) tools, along with accomplices, to conceal their locations and identities,” Microsoft noted.
Another characteristic tactic adopted by Jasper Sleet revolves around posting job advertisements under the guise of remote work in order to recruit facilitators who help the IT workers secure employment, pass identity verification checks and work remotely. As the relationship with the facilitators grows, the facilitators may also set up bank accounts for the IT workers, or purchase mobile phone numbers or SIM cards.
In addition, the accomplices are responsible for validating the IT workers' false identities during employment verification processes run through online service providers. The submitted documents include fake or stolen driver's licenses, Social Security cards, passports and permanent resident identification cards.
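The tradecraft described above (company laptops hosted at a facilitator's residence and operated over KVM, VPN and RMM tooling, and identities whose declared location does not match where the work is actually done) leaves defender-side signals that can be correlated from ordinary telemetry. The following is an added example, not code from the DOJ, Microsoft or any project named in the article. It assumes a constructed record schema joining device sign-ins with HR location data, and a hypothetical company policy (one sanctioned remote-access tool, `CorpRemote`, and one known office egress address); all sample records are constructed.

```python
"""Triage heuristics for the remote IT worker / laptop-farm pattern.
Added example (not DOJ or Microsoft code). All records are constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SignIn:
    """One corporate-device sign-in joined with the employee's HR record (constructed schema)."""
    employee: str             # HR employee id
    declared_state: str       # work location the employee gave HR
    egress_ip: str            # public IP the company laptop connected from
    geo_state: str            # geolocation of that IP from the org's own geo-IP feed
    remote_tools: tuple = ()  # remote-access software inventoried on the device


# Hypothetical policy inputs: the company's sanctioned remote-access tool and
# its own office egress addresses, which legitimately carry many employees.
APPROVED_REMOTE_TOOLS = frozenset({"CorpRemote"})
CORPORATE_EGRESS = frozenset({"192.0.2.1"})

# Constructed sample: three unrelated employees' laptops all egress from one
# residential IP in NJ (the laptop-farm shape), two of them carrying
# unsanctioned remote-access software. emp-004..007 are a normal baseline,
# including three staff behind the office NAT.
SAMPLE = [
    SignIn("emp-001", "NJ", "203.0.113.10", "NJ", ("CorpRemote",)),
    SignIn("emp-002", "TX", "203.0.113.10", "NJ", ("CorpRemote", "UnsanctionedRMM-A")),
    SignIn("emp-003", "CA", "203.0.113.10", "NJ", ("UnsanctionedRMM-B",)),
    SignIn("emp-004", "CA", "198.51.100.7", "CA", ("CorpRemote",)),
    SignIn("emp-005", "WA", "192.0.2.1", "WA", ("CorpRemote",)),
    SignIn("emp-006", "WA", "192.0.2.1", "WA", ("CorpRemote",)),
    SignIn("emp-007", "WA", "192.0.2.1", "WA", ("CorpRemote",)),
]


def shared_egress(signins, min_employees=3, corporate=CORPORATE_EGRESS):
    """Non-corporate IPs from which >= min_employees distinct staff sign in.
    Several company laptops behind one residential connection is the
    laptop-farm pattern; a two-employee household is why the default
    threshold is three, and office addresses are allowlisted outright."""
    by_ip = defaultdict(set)
    for s in signins:
        if s.egress_ip not in corporate:
            by_ip[s.egress_ip].add(s.employee)
    return {ip: sorted(emps) for ip, emps in by_ip.items() if len(emps) >= min_employees}


def location_mismatch(signins):
    """Employees whose sign-in geolocation disagrees with the HR-declared state."""
    return {s.employee: (s.declared_state, s.geo_state)
            for s in signins if s.geo_state != s.declared_state}


def unapproved_remote_tools(signins, approved=APPROVED_REMOTE_TOOLS):
    """Employees with remote-access software outside the sanctioned set."""
    found = {}
    for s in signins:
        extra = set(s.remote_tools) - approved
        if extra:
            found[s.employee] = sorted(extra)
    return found


def risk_report(signins):
    """Count how many of the three indicators fire per employee, highest first.
    This orders HR/security follow-up; it is a triage signal, not a verdict."""
    score = defaultdict(int)
    for emps in shared_egress(signins).values():
        for e in emps:
            score[e] += 1
    for e in location_mismatch(signins):
        score[e] += 1
    for e in unapproved_remote_tools(signins):
        score[e] += 1
    return dict(sorted(score.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    for emp, n in risk_report(SAMPLE).items():
        print(f"{emp}: {n} indicator(s)")
```

A KVM-over-IP device presents itself to the laptop as an ordinary USB keyboard and mouse plus a display, so host-side device inventory carries little signal on its own; the shared-egress and declared-versus-observed-location correlations above are where the laptop-farm pattern tends to surface, and the allowlist of corporate egress addresses keeps an office NAT from looking like a farm.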
To counter the threat, Microsoft said it has developed a custom machine learning solution that leverages its own threat intelligence and can flag suspicious accounts exhibiting behaviour consistent with known DPRK tradecraft for further action.
“Since then, North Korea's remote IT worker scheme has evolved, establishing itself as a well-developed operation that has allowed North Korean remote workers to infiltrate technology roles across various industries,” Redmond said. “In some cases, victim organizations have even reported that the remote IT workers were some of their most talented employees.”