
DOJ indicts 5 individuals in North Korea IT worker scam

An unsealed indictment revealed that threat actors working for North Korea tricked at least 64 U.S. businesses into hiring fake IT workers, both to generate revenue and to gain access to proprietary data.

The Department of Justice charged five individuals, including two American citizens, for allegedly engaging in an extensive remote IT worker scam on behalf of the Democratic People's Republic of Korea.

An indictment unsealed on Thursday alleged five defendants posed as remote IT freelance workers for scores of U.S. companies between April 2018 and August 2024 to earn money for the Democratic People's Republic of Korea (DPRK). The defendants include North Korean nationals Jin Sung-Il and Pak Jin-Song, Mexican national Pedro Ernesto Alonso De Los Reyes, and U.S. citizens Erick Ntekereze Prince and Emanuel Ashtor.

During the arrest of Prince and Ashtor in North Carolina, the FBI discovered a "laptop farm." The DOJ described the tactic as a way to deceive companies: company-issued laptops sit at a U.S. address while the overseas workers control them through remote access software, so their activity appears to come from U.S.-based devices. The years-long scheme appeared to be successful.

"According to the indictment, over the course of their scheme, from approximately April 2018 through August 2024, the defendants and their unindicted co-conspirators obtained work from at least sixty-four U.S. companies. Payments from ten of those companies generated at least $866,255 in revenue, most of which the defendants then laundered through a Chinese bank account," the DOJ wrote in the release.

The DOJ provided further details, including how the defendants allegedly conducted the scam. The indictment alleged that Pak and Jin used U.S. passports containing personally identifiable information stolen from a U.S. resident to evade sanctions and obtain jobs with U.S. companies. The indictment added that Jin, Prince and Alonso used Alonso's identity during parts of the scheme to maintain fraudulent employment.

Prince and Ashtor allegedly deceived U.S. companies by having the victim companies ship company-issued laptops to their residences. Once the laptops arrived, the defendants allegedly downloaded and installed remote access software so the fake IT workers could operate the devices from abroad. They also created U.S. bank accounts to receive salary payments.

While the indictment named five individuals, the DOJ said the DPRK "has dispatched thousands of skilled IT workers to live abroad" and burrow into businesses in the U.S. and other countries as freelance IT workers. To pull off these financially motivated scams, the DOJ said workers use pseudonymous email, social media, payment platform and online job site accounts. They are also accused of creating fake websites and using proxy computers.

In addition to the arrests of Prince and Ashtor, the DOJ said Alonso was arrested in the Netherlands on Jan. 10. Jin and Pak remain at large.

All five defendants are charged with conspiracy to cause damage to a protected computer, conspiracy to commit wire and mail fraud, conspiracy to commit money laundering, and conspiracy to transfer false identification documents. Jin and Pak were also charged with conspiracy to violate the International Emergency Economic Powers Act. If convicted, they face up to 20 years in prison.

Additional warnings

The FBI also published an alert on Thursday warning that North Korean IT workers continue to pose a significant risk to U.S.-based businesses. In addition to data extortion, the FBI has observed North Korean IT workers hack into company networks to "exfiltrate proprietary and sensitive data, facilitate cyber-criminal activities and conduct revenue-generating activity on behalf of the regime."

"North Korean IT workers have copied company code repositories, such as GitHub, to their own user profiles and personal cloud accounts. While not uncommon among software developers, this activity represents a large-scale risk of theft of company code," the FBI wrote in the alert.

The FBI urged companies to bolster their remote-hiring processes by reviewing each applicant's communication accounts for reused phone numbers and email addresses, checking resumes for typos, and completing as much of the hiring and onboarding process in person as possible.
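The reused-contact check above is easy to miss when the same person reapplies with cosmetic variations of an address or number. The following is an added example written for this article, not code from the FBI alert or from any company named here; the applicant records are constructed, and the normalisation rules (Gmail dot and plus-address collapsing, defaulting ten-digit numbers to the North American +1 code) are assumptions that a team would tune to its own applicant population.

```python
"""Flag remote-hire applications that share a phone number or email address.

Added example for illustration; not from the FBI alert or any vendor tool.
The applicant records below are constructed and the normalisation rules are
assumptions chosen to catch common cosmetic variations.
"""
import re
from collections import defaultdict

# Constructed sample applications (fictitious people, documentation-range numbers).
APPLICANTS = [
    {"id": "A-101", "name": "John Doe",   "email": "John.Doe@gmail.com",    "phone": "+1 (202) 555-0143"},
    {"id": "A-102", "name": "Jon D.",     "email": "johndoe+dev@gmail.com", "phone": "202-555-0143"},
    {"id": "A-103", "name": "Jun Sato",   "email": "j.sato@example.net",    "phone": "+81 3 5555 0199"},
    {"id": "A-104", "name": "Mia Reyes",  "email": "m.reyes@example.org",   "phone": "+1 415 555 0102"},
]

GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}  # assumption: treat as one provider


def normalize_email(addr: str) -> str:
    """Lower-case, drop '+tag' sub-addressing, and collapse Gmail dot variants."""
    local, _, domain = addr.strip().lower().rpartition("@")
    local = local.split("+", 1)[0]            # john+dev@... -> john@...
    if domain in GMAIL_DOMAINS:
        local = local.replace(".", "")        # john.doe@gmail.com == johndoe@gmail.com
        domain = "gmail.com"
    return f"{local}@{domain}"


def normalize_phone(num: str) -> str:
    """Reduce a phone number to E.164-style digits; assume +1 when no country code."""
    digits = re.sub(r"\D", "", num)
    if len(digits) == 10:                     # assumption: bare 10 digits is NANP
        digits = "1" + digits
    return "+" + digits


def find_reused_identifiers(applicants):
    """Return {(kind, normalised_value): [applicant ids]} for identifiers seen more than once."""
    index = defaultdict(set)
    for a in applicants:
        index[("email", normalize_email(a["email"]))].add(a["id"])
        index[("phone", normalize_phone(a["phone"]))].add(a["id"])
    return {key: sorted(ids) for key, ids in index.items() if len(ids) > 1}


def flagged_applicants(applicants):
    """Sorted list of applicant ids that share at least one identifier with another application."""
    hits = set()
    for ids in find_reused_identifiers(applicants).values():
        hits.update(ids)
    return sorted(hits)


if __name__ == "__main__":
    for (kind, value), ids in find_reused_identifiers(APPLICANTS).items():
        print(f"{kind} {value} reused by {', '.join(ids)}")
    print("review:", flagged_applicants(APPLICANTS))
```

Running this against the constructed records flags A-101 and A-102 as one applicant under two presentations, which is exactly the case a reviewer comparing raw strings would not catch. In practice the same index would also be fed the existing employee directory and prior applications, so a returning identity is caught on the second attempt, and any hit triggers the in-person verification steps rather than an automatic rejection.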

In a statement shared with Informa TechTarget and other media outlets, Michael Barnhart, Mandiant principal analyst at Google Cloud, said the increased pressure from law enforcement and media coverage is affecting the success of North Korea's IT worker scams. On the other hand, Barnhart said it's also forcing the threat actors to become noticeably more aggressive in their tactics.

"We are increasingly seeing North Korean IT workers infiltrating larger organizations to steal sensitive data and follow through on their extortion threats against these enterprises. It's also unsurprising to see them expanding their operations into Europe to replicate their success, as it's easier to entrap citizens who aren't familiar with their ploy," Barnhart said in the statement. "North Korean IT workers are also exploiting some companies that have begun using virtual desktop infrastructure (VDI) for their remote employees instead of sending them physical laptops. While this is more cost-effective to the company, it's easier for the threat actors to hide their malicious activity."

In July, KnowBe4 revealed it caught a North Korean threat actor posing as an IT worker on the security awareness training company's AI team. KnowBe4 CEO and president Stu Sjouwerman said an investigation uncovered a laptop farm and the use of stolen U.S.-based identities. Sjouwerman added that KnowBe4 bolstered security around its hiring process following the incident.

Roger Grimes, data-driven defense evangelist at KnowBe4, told Informa TechTarget that while the DOJ charges are a positive, he is concerned it won't be enough to curb activity around the large-scale scam.

"There is an entire industry built up around supporting North Korean fake IT workers, much of it involving U.S.-based citizens," Grimes said. "The question is how big of a supporting industry it is, and how many players are there? How many laptop farms do we have in the U.S. and other countries? Did the latest arrest put a dent into the industry, or was it unfelt? My best guess is that like drug mules, for everyone arrested, there's another two waiting to replace them. But it's good whenever we arrest malicious hacking criminals no matter what the numbers, and I applaud the latest announcement." 

Arielle Waldman is a news writer for Informa TechTarget covering enterprise security.
