U.S. Sanctions North Korean IT Worker Network Supporting WMD Programs

Jan 17, 2025 | Ravie Lakshmanan | Insider Threat / Cryptocurrency

The U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) sanctioned two individuals and four entities for their alleged involvement in illicit revenue generation schemes for the Democratic People’s Republic of Korea (DPRK) by dispatching IT workers around the world to obtain employment and draw a steady source of income for the regime in violation of international sanctions.

“These IT workers obfuscate their identities and locations to fraudulently obtain freelance employment contracts from clients around the world for IT projects, such as software and mobile application development,” the Treasury Department said.

“The DPRK government withholds up to 90% of the wages earned by these overseas workers, thereby generating annual revenues of hundreds of millions of dollars for the Kim regime’s weapons programs to include weapons of mass destruction (WMD) and ballistic missile programs.”

The action represents the latest salvo in the U.S. government’s ongoing efforts to crack down on the various financially motivated streams that aim to further Pyongyang’s strategic objectives. The individuals and companies that have been sanctioned by OFAC are listed below:

  • Department 53 of The Ministry of the People’s Armed Forces, which is said to generate revenue using front companies related to IT and software development
  • Korea Osong Shipping Co, a Department 53 front company that maintained DPRK IT workers in Laos since at least 2022
  • Chonsurim Trading Corporation, a Department 53 front company that has maintained another group of DPRK IT workers in Laos
  • Liaoning China Trade Industry Co., Ltd, a China-based company that has shipped Department 53 equipment, viz. notebook and desktop computers, graphics cards, HDMI cables, and network equipment, to facilitate IT worker activity abroad
  • Jong In Chol, the president of Chonsurim’s DPRK IT worker delegation in Laos
  • Son Kyong Sik, a China-based chief representative of Korea Osong Shipping Co

Both front companies are alleged to have used false identities and aliases to communicate with clients and undertake software development work for companies across the world.

The fraudulent IT worker scheme attracted mainstream attention in 2023, although it’s believed that such operations have been ongoing since at least 2018, when the Treasury sanctioned two companies, Yanbian Silverstar and Volasys Silver Star, for the “exportation of workers from North Korea, including exportation to generate revenue for the Government of North Korea or the Workers’ Party of Korea.”

The activity cluster is tracked by the cybersecurity community under the monikers Famous Chollima, Nickel Tapestry, UNC5267, and Wagemole.

Recent analyses have found that North Korean IT workers have been increasingly infiltrating cryptocurrency and Web3 companies and “compromising their networks, operations, and integrity.” The insider threat operation has also identified people in the U.S. who are willing to support its schemes by running laptop farms in exchange for a monthly fee.

Heightened public disclosure of these campaigns has also led to a surge in extortion attempts, in which the IT workers steal intellectual property from the companies they work for and demand “more cryptocurrency than they ever have before” in exchange for not releasing it publicly or giving it away to rivals, Google-owned Mandiant told The Record.

That said, the IT worker operation is just one of the many methods North Korea employs to illegally generate revenue. DPRK state-sponsored hacking groups have a long history of targeting developers with job-themed lures to deliver various kinds of malware that are capable of facilitating data and cryptocurrency theft.

“The DPRK continues to rely on its thousands of overseas IT workers to generate revenue for the regime, to finance its illegal weapons programs, and to enable its support of Russia’s war in Ukraine,” said Acting Under Secretary of the Treasury for Terrorism and Financial Intelligence Bradley T. Smith.

“The United States remains resolved to disrupt these networks, wherever they operate, that facilitate the regime’s destabilizing activities.”
