U.S. Indicts 14 North Koreans in Fake IT Worker Scheme

The U.S. government on Thursday indicted 14 North Korean nationals for their roles in a six-year fake IT worker scheme. The individuals used fake or stolen American identities to obtain employment with U.S. companies as remote IT workers, violating sanctions and funneling money back to North Korea.

Key Details: 

• The indicted individuals worked for Yanbian Silverstar and Volasys Silverstar, which are North Korean-controlled, sanctioned companies located in the People’s Republic of China (PRC) and Russia

• The 14 North Koreans were ordered to earn at least $10,000 a month, and they generated at least $88 million - in violation of U.S. and UN sanctions - between 2017 to 2023

• The State Department on Thursday announced a corresponding reward of up to $5 million for further information on the identified individuals and companies

Why It Matters: The fraudulent North Korean IT worker scheme is one that both the U.S. government and security researchers have highlighted for the past two years. In several cases, U.S. employers unknowingly employed these fake workers for years, paying them hundreds of thousands of dollars in salary.

According to the indictment, in multiple instances the nationals also stole sensitive company information - including proprietary source code - and threatened to leak the data unless the employer made an extortion payment, a tactic that researchers at Secureworks have recently highlighted. 

The new indictment gives some insight into how this conspiracy played out, and shows how widespread the operation is. The two companies named by the Justice Department collectively employed over 130 North Korean IT workers, which were internally referred to as “IT warriors.” According to the indictment, the companies would organize “socialism competitions” for the employees, where workers would compete to generate money for the DPRK, with hefty bonuses and prizes as an incentive. 

The indictment also delved into how the North Koreans tricked employers into selecting them for jobs. In some cases, they paid Americans to appear in their place at interviews or at work meetings. In other cases, they stole U.S. identities. On their resumes, the North Koreans claimed they worked for similar roles in other U.S.-based companies - but those companies were fake, and they purchased and designed websites to make them appear legitimate. Some aspects of these websites should have aroused suspicion, according to the DoJ. For instance, the telephone numbers listed did not correspond to the purported business location area codes, and the website content included nonsensical phrases, like: “Nor, moreover, is there anyone who loves pain because it is pain, pursues it, wants to gain it, but.”

The Upshot: The DoJ said that the 14 North Koreans are charged with conspiracy to violate the International Emergency Economic Powers Act, conspiracy to commit wire fraud, conspiracy to commit money laundering, and conspiracy to commit identity theft. Eight of the individuals are also charged with aggravated identity theft. If convicted, they could each face a maximum of 27 years in prison.