U.S. Moves to Collect $7.74 Million Tied to N. Korea IT Worker Scam – Source: securityboulevard.com

Source: securityboulevard.com – Author: Jeffrey Burt

U.S. prosecutors want to take $7.74 million seized during an investigation into North Korean IT worker scams that have proliferated over the past several years, stealing millions of dollars in cryptocurrency that the country’s regime is using to help fund its massive weapons programs.

The U.S. Justice Department this month filed papers to forfeit the money seized through a 2023 indictment of Sim Hyon Sop, a representative of North Korea’s Foreign Trade Bank (FTB) who was accused of conspiring with the IT workers to launder the money they gained and funnel it back to the country.

The United States froze the more than $7.74 million tied to the scheme, the DOJ said.

“For years, North Korea has exploited global remote IT contracting and cryptocurrency ecosystems to evade U.S. sanctions and bankroll its weapons programs,” Sue Bai, head of the DOJ’s National Security Division, said in a statement. “Today’s multimillion-dollar forfeiture action reflects the Department’s strategic focus on disrupting these illicit revenue schemes.”

Long Time Coming

Bad actors linked to North Korea’s government for almost a decade have been taking advantage of the demand for IT help in the United States and elsewhere. They answer ads seeking IT workers, using forged or stolen identities – most recently helped by generative AI tools – and fake documents like passports to slip through interviews, background checks, and other due diligence efforts to secure remote freelance jobs.

They then will work the jobs, sending most of what they earn back to North Korea, and at times load malware onto their company-issued computers and other devices.

Some will relocate to countries like China to hide their North Korean identities, and sometimes people in the United States will help them by running so-called laptop farms to convince the companies that hire them that they’re working in the country, as well as load the malware onto the systems. Meanwhile the fake workers will be elsewhere in the world remotely accessing their computers in the United States.

The North Korean government also at times will set up front companies in China and elsewhere to supply equipment and help launder the money.

Money Laundering

In the case involving the $7.74 million, the suspects transferred their cryptocurrency via money laundering techniques, including setting up accounts using false identities, moving the money in a series of small amounts, routing the funds through other blockchains or converting them into other forms of virtual currency, buying non-fungible tokens, or commingling the money they received through fraud to hide its origins.

A recent case from earlier this year involved the arrest of two North Koreans, two U.S. citizens, and a Mexican national. They had been active since 2018 and had been able to get the two North Korean citizens and other unnamed suspects hired by U.S. tech companies.

One scam last year was so convincing that it fooled KnowBe4, a security awareness company whose phishing platform is used to train employees to spot and respond to social engineering attacks.

The case involving Sim includes him allegedly conspiring with three over-the-counter traders – including two living in China – to launder stolen crypto and then buy goods through front companies located in Hong Kong, with the purchases benefiting North Korea.

Sim also was indicted for conspiring with North Korean IT workers to launder their money.

FBI Warnings

Over the past several years, the FBI and other U.S. agencies have issued alerts outlining the IT worker scams and giving updated information. In the latest one in January, the agency said that it “has observed North Korean IT workers leveraging unlawful access to company networks to exfiltrate proprietary and sensitive data, facilitate cyber-criminal activities, and conduct revenue-generating activity on behalf of the regime.”

“After being discovered on company networks, North Korean IT workers have extorted victims by holding stolen proprietary data and code hostage until the companies meet ransom demands,” the FBI wrote. “In some instances, North Korean IT workers have publicly released victim companies’ proprietary code.”

They also have copied company code repositories, like GitHub, to their own user profiles and personal cloud accounts, the FBI warned. In addition, it said that the North Korean IT workers sometimes try to harvest sensitive company credentials and session cookies so they can start work sessions from non-company devices and find other opportunities to compromise organizations.

Original Post URL: https://securityboulevard.com/2025/06/u-s-moves-to-collect-7-74-million-tied-to-n-korea-it-worker-scam/?utm_source=rss&utm_medium=rss&utm_campaign=u-s-moves-to-collect-7-74-million-tied-to-n-korea-it-worker-scam

Category & Tags: Cloud Security,Cybersecurity,Data Privacy,Data Security,Featured,Identity & Access,Network Security,News,Security Boulevard (Original),Social – Facebook,Social – LinkedIn,Social – X,Social Engineering,Spotlight,Threat Intelligence,Department of Justice (DOJ),money laundering,North Korea IT worker scam
