The U.S. has accused 14 North Korean nationals of defrauding American companies, violating sanctions, and extorting employers through an elaborate six-year IT fraud scheme that funneled illicit funds to North Korea’s missile programs.
The indictment, unsealed Thursday, alleges that the conspirators used fake identities to secure remote IT jobs, steal sensitive company data, and extort firms, funneling millions to the North Korean regime.
The accused individuals worked for DPRK-controlled companies Yanbian Silverstar in China and Volasys Silverstar in Russia. Both companies employed at least 130 North Korean IT workers, internally referred to as “IT Warriors.” According to the allegations, these workers collectively generated $88 million in illicit revenue for the North Korean government.
Some workers were required to earn a minimum of $10,000 per month, with their employers transferring proceeds through U.S. and Chinese financial systems to accounts benefiting North Korea.
In some cases, the conspirators allegedly stole proprietary information, such as source code, from U.S.-based firms and threatened to leak it unless extortion payments were made. One victim reportedly incurred hundreds of thousands of dollars in damages after refusing to meet a payment demand, resulting in the public release of sensitive information.
The conspirators used a variety of deceptive techniques to secure employment and evade detection, according to the charges. These included using stolen or borrowed identities of U.S. citizens and other nationals, as well as paying individuals to impersonate them in interviews and meetings. They also created fraudulent websites to enhance their fake credentials, some of which contained glaring errors, such as nonsensical phrases or incorrect contact information.
To conceal their North Korean origins, the conspirators used “laptop farms” to create the illusion that they were physically located in the United States. They arranged for U.S.-based individuals to receive and configure employer-provided laptops, which the IT workers then accessed remotely from abroad.
The allegations highlight Pyongyang’s longstanding efforts to steal data, intelligence, money, and other resources to support its nuclear missile programs. North Korea has reportedly deployed covert operatives worldwide, posing as legitimate technology workers to infiltrate companies and carry out long-term schemes aimed at funding its weapons research.
Earlier this year, Google disclosed that several U.S. companies had contacted the company after discovering they had unknowingly hired North Koreans who used fake identities to obtain remote IT positions.
According to South Korea’s Institute for National Security Strategy, North Korea has stolen about $1.34 billion in cryptocurrency over the past seven years. More broadly, the country acquired roughly $6.29 billion through illicit activities from 2017 to 2023, the institute added.
“The fourteen conspirators … victimized companies across the United States, as well as many Americans whose identities they stole, to generate revenue for the North Korean regime,” said Bryan Vorndran, assistant director of the FBI’s Cyber Division. “The FBI will continue to work with our partners to expose and mitigate these fraudulent IT schemes and provide unwavering support to victims of North Korean cyber actors.”