The US Department of Justice (DoJ) has charged 14 nationals of the Democratic People’s Republic of Korea (DPRK or North Korea) for their alleged involvement in an ongoing conspiracy to violate sanctions and to commit fraud, money laundering and identity theft by illegally seeking employment at American companies and non-profit organizations.
“The conspirators, who worked for the DPRK-controlled companies Yanbian Silverstar and Volasys Silverstar, located in the People’s Republic of China (PRC) and the Russian Federation (Russia), respectively, conspired to use false, stolen, and borrowed identities of U.S. and other persons to conceal their North Korean identities and foreign locations and obtain employment as remote information technology (IT) workers,” the DoJ said.
The IT worker scheme is said to have netted the North Korean regime at least $88 million over six years. In addition, the remote workers stole information such as proprietary source code and threatened to leak the data unless a ransom was paid. The illicit proceeds were then funneled through the US and Chinese financial systems back to Pyongyang.
The Justice Department said it is aware of one employer that suffered hundreds of thousands of dollars in damages after refusing to give in to extortion demands by a North Korean IT worker who leaked sensitive information online.
The individuals identified are:
- Jung Sung Hwa
- Ri Kyung Sik
- Kim Ryu Song
- Rim Un Chol
- Kim Moo Rim
- Cho Chung Pom
- Hyun Chol Song
- Song Un Chol
- Seok Kwang Hyuk
- Choi Jung Young
- Ko Chung Seok
- Kim Ye Won
- Jong Kyung Cheol, and
- Jang Cheol Myung
The 14 conspirators are said to have worked in a variety of roles, from senior company executives to IT workers. The two sanctioned companies employed at least 130 North Korean IT workers, known as “IT Warriors,” who participated in “competitions for socialism” organized by the companies to raise money for the DPRK. The best performers were rewarded with prizes.
The development is the latest in a series of actions the US government has taken in recent years to combat IT worker fraud, a campaign tracked by the cybersecurity community under the moniker Wagemole.
The Justice Department said it has also seized 29 fake website domains (on October 17, 2023 and May 12, 2024) used by North Korean IT workers to imitate Western IT companies and bolster their bona fides in attempts to enter into telework contracts with US and other companies around the world. The agency said it further seized $2.26 million (including $1.5 million seized in October 2023) from bank accounts linked to the scheme.
Separately, the State Department announced a reward offer of up to $5 million for information on shell companies, identified individuals and their illegal activities.
“DPRK IT worker schemes include the use of pseudonymous email, social media, payment platforms, and job site accounts, as well as fake websites, proxies, virtual private networks, virtual private servers, and unwitting third parties in the United States and elsewhere,” the Justice Department said. “The conspirators used a variety of methods to conceal their North Korean identity from their employers.”
One such method is the use of laptop farms in the US: people living in the country are paid to receive and set up company-issued laptops and to let the IT workers connect to them remotely through software installed on the machines. The idea is to create the impression that the workers are accessing the employer’s systems from the US, when in fact they are in China or Russia.
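From a defender’s side, a laptop farm leaves a recognisable footprint in endpoint and VPN telemetry: several different employees’ company laptops egress from the same residential IP address, and each of them runs a remote-control tool the organisation never sanctioned. The following Python script is an added hunting example, not code from the article or the DoJ; the telemetry records, the egress IPs and the remote-tool watchlist are constructed for illustration.

```python
"""Hunt for laptop-farm indicators in endpoint/VPN telemetry (added example)."""
from collections import defaultdict
from dataclasses import dataclass

# Assumption: remote-control tools the organisation does not permit on
# company laptops. Constructed watchlist, not taken from the article.
UNSANCTIONED_REMOTE_TOOLS = {"anydesk", "teamviewer", "rustdesk", "splashtop"}


@dataclass(frozen=True)
class DeviceRecord:
    device_id: str
    employee: str
    egress_ip: str      # public IP the VPN / identity provider saw for the device
    processes: tuple    # process names from the EDR inventory of that device


# Constructed sample telemetry: three laptops belonging to three different
# employees share one residential egress IP and each runs a remote-control
# tool, which is the laptop-farm pattern. A fourth laptop is normal.
SAMPLE = [
    DeviceRecord("LT-1001", "alice", "203.0.113.7", ("outlook.exe", "anydesk.exe")),
    DeviceRecord("LT-1002", "bob",   "203.0.113.7", ("teams.exe", "teamviewer.exe")),
    DeviceRecord("LT-1003", "carol", "203.0.113.7", ("code.exe", "rustdesk.exe")),
    DeviceRecord("LT-2001", "dave",  "198.51.100.9", ("outlook.exe", "teams.exe")),
]


def remote_tools(rec):
    """Names of watchlisted remote-control tools running on the device."""
    found = []
    for proc in rec.processes:
        base = proc.lower().rsplit(".", 1)[0]   # strip a trailing ".exe" etc.
        if base in UNSANCTIONED_REMOTE_TOOLS:
            found.append(base)
    return sorted(found)


def find_laptop_farm_candidates(records, min_employees=2):
    """Return {egress_ip: [(device_id, employee, [tools]), ...]} for every
    egress IP that hosts laptops of at least `min_employees` distinct
    employees where at least one of those laptops runs a remote tool.
    Both signals together are the indicator; either alone is common noise
    (shared office NAT, or a single sanctioned-by-exception install)."""
    by_ip = defaultdict(list)
    for rec in records:
        by_ip[rec.egress_ip].append(rec)

    findings = {}
    for ip, recs in by_ip.items():
        employees = {r.employee for r in recs}
        if len(employees) < min_employees:
            continue
        flagged = [(r.device_id, r.employee, remote_tools(r))
                   for r in recs if remote_tools(r)]
        if flagged:
            findings[ip] = sorted(flagged)
    return findings


if __name__ == "__main__":
    for ip, devices in find_laptop_farm_candidates(SAMPLE).items():
        print(f"possible laptop farm behind {ip}:")
        for device_id, employee, tools in devices:
            print(f"  {device_id} ({employee}) runs {', '.join(tools)}")
```

The sample run reports the single shared IP `203.0.113.7` with all three of its laptops; the lone laptop on `198.51.100.9` is not reported because it neither shares an egress address nor runs a watchlisted tool. A real deployment would feed this from the VPN or identity-provider sign-in log joined to the EDR process inventory, and would also compare the egress IP’s location with the address the laptop was shipped to.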
All 14 conspirators were charged with conspiracy to violate the International Emergency Economic Powers Act, conspiracy to commit wire fraud, conspiracy to commit money laundering and conspiracy to commit identity theft. Eight of them were charged with aggravated identity theft. If convicted, each of them faces a maximum sentence of 27 years in prison.
Radiant Capital Crypto Heist Linked to Citrine Sleet
IT worker fraud is just one of many methods North Korea has adopted to generate illicit revenue and support its strategic goals, alongside cryptocurrency theft and attacks targeting banking and blockchain companies.
Earlier this month, decentralized finance (DeFi) platform Radiant Capital attributed the theft of $50 million worth of cryptocurrency, which followed the compromise of its systems in October 2024, to a North Korea-linked threat actor dubbed Citrine Sleet.
The adversary, also known as Gleaming Pisces, Labyrinth Chollima, Nickel Academy, and UNC4736, is a subcluster within the Lazarus Group. It is also known for running a persistent social engineering campaign called Operation Dream Job, which lures developers with lucrative job opportunities to get them to download malware.
It should be noted that these efforts take different forms depending on the activity cluster behind them, ranging from coding tests (Contagious Interview) to collaboration on a GitHub project (Jade Sleet).
The attack on Radiant Capital was no different: in September, a threat actor reached out to a company developer on Telegram, posing as a trusted former contractor and purportedly asking for feedback on their work related to a new smart contract auditing career opportunity.
The message included a link to a ZIP archive containing a PDF file, which in turn delivered a macOS backdoor codenamed INLETDRIFT. In addition to displaying a decoy document to the victim, the backdoor established a hidden connection to a remote server (“atokyonews[.]com”).
“Attackers were able to compromise multiple developer devices,” Radiant Capital said. “The front-ends displayed benign transaction data, while the malicious transactions were signed in the background. Traditional checks and simulations showed no obvious discrepancies, making the threat virtually undetectable during routine screening steps.”