Unveiled by US authorities: North Korean IT workers' undercover strategies, along with their American accomplices
======================================================================================================
The North Korean government's clandestine IT worker scheme, which infiltrates U.S. companies and steals sensitive data, remains an active and evolving threat to U.S. national security and private sector industries.
In a recent development, Zhenxing Wang, one of the U.S.-based facilitators of the scheme, was arrested, while others remain at large. The scheme, which involves thousands of North Korean IT workers deployed internationally, has been focusing on the U.S. private sector, particularly technology, media, aerospace, automotive, luxury retail, entertainment, and cryptocurrency industries.
The modus operandi of the scheme involves the use of stolen American identities, fraudulent documents, and false personas to gain remote IT jobs in U.S. companies, including Fortune 500 firms. The primary purpose of this scheme is to generate illicit revenue for the North Korean regime, which uses the funds to support its nuclear weapons and ballistic missile programs, violating U.S. and UN sanctions.
Operationally, these IT workers have been known to introduce malware into corporate networks to exfiltrate proprietary and sensitive data, thereby creating major cybersecurity risks. The scheme’s scale is large enough that in a recent high-profile case, an American woman was sentenced to over eight years in prison for helping North Korea steal identities of Americans and assisting these workers in securing hundreds of remote IT jobs in the U.S. from 2020 to 2023.
U.S. federal agencies such as the Departments of Treasury, State, Justice, and the Federal Bureau of Investigation (FBI) have issued multiple advisories and sanctions against entities involved in this scheme. The FBI also continually updates guidance for U.S. businesses on how to detect and avoid hiring these North Korean IT workers and encourages reporting suspicious activities.
Recent developments include the FBI and the Defense Criminal Investigative Service seizing 17 more websites, along with 29 money-laundering accounts that held "tens of thousands of dollars in funds." In October 2024, authorities executed search warrants at eight locations in three states, resulting in the seizure of more than 70 laptops and other devices used to enable overseas remote access, and the FBI also seized four websites associated with shell companies.
The North Korean IT worker scheme "appears to be more pervasive than ever" and represents "both a threat to U.S. national security and [a cause of] significant losses to our private sector industries." U.S. businesses were warned on Monday to carefully screen their remote employees to avoid falling victim to similar ruses.
As part of the operation, North Korean IT workers accessed sensitive employer data and source code, including restricted data from a California-based defense contractor that develops artificial intelligence-powered equipment and technologies. A senior FBI official stated that there is still work to be done and that the bureau continues to grow and adapt as this threat evolves and changes.
The FBI's investigations into North Korean IT worker schemes are ongoing, and the actions announced account for only a portion of its investigations into this matter. Law enforcement officials have repeatedly issued alerts about Pyongyang's IT worker schemes, and the Department of Justice announced an investigation into North Korea's deployment of IT workers abroad for illicit activities.
The U.S. facilitators ran the operation from 2021 until October 2024, creating shell companies to legitimize their activities. The U.S. facilitators transferred "much" of the money from the victim companies to overseas co-conspirators and received at least $696,000 for their work. The DOJ declined to immediately provide information about the status of another named American defendant, Kejia Wang.
The FBI stated they will do everything in their power to defend the homeland and protect Americans from being victimized by the North Korean government. As the threat continues to evolve, it is crucial for U.S. businesses to remain vigilant and follow the FBI's guidance to protect themselves from falling victim to this scheme.
| Aspect | Details |
|---|---|
| Scheme Scope | Thousands of North Korean IT workers deployed internationally, focusing on the U.S. private sector |
| Modus Operandi | Use of stolen American identities, fraudulent documents, and false personas to gain remote IT jobs |
| Target Industries | Technology, media, aerospace, automotive, luxury retail, entertainment, cryptocurrency |
| Threat Posed | Malware introduction, data theft, espionage, economic sanction evasion |
| U.S. Government Action | OFAC sanctions, DOJ prosecutions, FBI advisories and guidelines, inter-agency collaboration |
| Impact | Hundreds of millions in illicit revenue to DPRK weapons programs; compromised sensitive corporate data |
| Recent Developments | High-profile prosecution of an American accomplice; private sector tightening of security on hiring |
- The ongoing threat from the North Korean government's cybersecurity scheme, targeting the U.S. private sector, emphasizes the importance of maintaining robust cybersecurity measures, particularly in the technology, media, aerospace, automotive, luxury retail, entertainment, and cryptocurrency industries.
- The scheme's reliance on privacy violations, such as the use of stolen identities and fraudulent documents, highlights the need for increased vigilance in general-news and crime-and-justice reporting to combat such illicit activities.
- As the North Korean IT worker scheme continues to evolve, exposing vulnerabilities in corporate networks and data privacy, it is crucial for U.S. businesses to prioritize privacy protections and follow advice from federal agencies like the FBI to mitigate risks and remain secure.