North Korea’s fake IT worker scam hauled in at least $88 million over six years

North Korea’s fake IT worker scams netted the hermit kingdom $88 million over six years, according to the US Department of Justice, which thinks it’s found the people who run them.

The scam sees North Korean (DPRK) techies mask their identities and locations to secure remote jobs. They then funnel their ill-gotten booty into Pyongyang’s coffers. Some also use their access privileges to steal info such as proprietary source code and then extort their employers with threats to expose corporate assets if not paid to keep quiet.

Even infosec businesses have fallen for the scam, which is sufficiently prevalent that the FBI has offered guidance on how to avoid it.

A Thursday announcement from the feds and the accompanying indictment [PDF] name two firms as the employers of North Korean scam workers – plus fourteen individuals who faked their way into jobs.

Interestingly, the named businesses apparently aren’t even in North Korea.

According to the DoJ, one of the players – Yanbian Silverstar – is in China, and the other – Volasys Silverstar – is in Russia.

Both are accused of using “false, stolen, and borrowed identities” to score remote jobs – an effort the DoJ believes yielded “at least $88 million throughout the approximately six-year conspiracy,” though that sum doesn’t include extortion payments. The indictment details how the conspiracy targeted six US businesses, plus two non-profit organizations.

The indictment alleges the two firms employed at least 130 techies, who were known internally as “IT warriors” and each given a goal of earning $10,000 every month.

It looks like they fell a little short. If all 130 workers had been employed for the full six years (72 months), on-target earnings would have generated $93.6 million. Those who did hit their targets could be rewarded with bonuses, prizes, or promotions.

The indictment describes a multi-layered management structure at the two Silverstars.

The Warriors apparently had stateside help, in the form of folks who bought them laptops and installed software that made it appear the North Korean workers were not in their home nation. The conspirators also allegedly created websites that appeared to be agencies that provided contract or freelance IT workers. Those fake businesses included Eden Programming Solutions, Purpleish Tech, Culture Box, Next Nets, Illusion Software, Baby Box Tech, Cubix Tech, and Helix.

Google’s infosec subsidiary Mandiant told The Register that in recent months it has seen “an increase in extortion attempts linked to North Korean IT workers. And for the first time, we’re seeing IT workers follow through on releasing sensitive data of organizations they’ve infiltrated to pressure victims into paying exorbitant ransoms.”

Those ransom demands are for larger quantities of cryptocurrency than were requested in previous extortion campaigns. Mandiant thinks this is a sign these schemes are becoming less effective, and that the DPRK is therefore escalating its demands to get what it can, while it can.

The US State Department seems keen to accelerate the schemes’ demise. On Thursday it offered a $5 million reward for information that leads to the disruption of the financial mechanisms of persons engaged in the schemes, and of others who support North Korea’s efforts to generate revenue, launder money, and conduct “certain cyber activity that supports the DPRK’s proliferation of weapons of mass destruction.”

The FBI has published a wanted poster that names the fourteen accused – all of whom appear to be in the DPRK and therefore highly unlikely to be seen inside a US courtroom. Government authorities know that of course, but are still happy their investigations have identified some players and helped them understand how the schemes work.

However, the threat of fake IT workers remains real.

Special agent in charge Ashley T Johnson of the FBI St Louis Field Office cautioned against complacency: “While we have disrupted this group and identified its leadership, this is just the tip of the iceberg. The government of North Korea has trained and deployed thousands of IT workers to perpetrate this same scheme against US companies every day.” ®