US shuts down a string of North Korean IT worker scams – Source: go.theregister.com

Source: go.theregister.com – Author: Iain Thomson

The US Department of Justice has announced a major disruption of multiple North Korean fake IT worker scams.

The feds say that they uncovered the North Korean IT staff working at over 100 US companies using fictitious or stolen identities and not only drawing salaries, but also stealing secret data for delivery to Pyongyang’s servers. They were also on the lookout for virtual currency. In one case, a fake worker is accused of stealing around $740,000 in digicash from their US employer.

Government sources familiar with the matter say that deepfakes were not used to disguise identities in this case, although they are becoming more common in other cases.

The North Korean government has long engaged in online crime to fund its economy in the face of international sanctions over its nuclear ambitions. But back in 2022, the FBI warned of a switch in tactics by the Norks, who began hiring out their own developers as remote workers – a tactic made easier by the effects of the COVID-19 lockdown on remote working patterns.

The feds may have been slightly late. According to court documents unsealed on Monday, one such operation was running as early as January 2021, and the feds say they’ve arrested one suspect in that case – Zhenxing “Danny” Wang. He is accused of setting up a fake software development business in New Jersey named Independent Lab, and using it to send around $5 million back to the sanctioned state, leaving US employers an estimated $3 million in legal fees and costs to clean up their networks.

The same indictment also accuses his collaborator Kejia “Tony” Wang of setting up two fake software development businesses, Hopana Tech and Tony WKJ, also in New Jersey. Both suspects are accused of receiving laptops meant for fake staff and running them remotely so that US employers wouldn’t catch on that the work they were paying for came from the North Koreans.

The operation proved personally lucrative for its US operators, with the feds estimating the six stateside suspects named in the indictment benefited to the tune of at least $696,000. But while the stateside operatives were busy building laptop farms, it appears the North Korean side of the operation was suffering some problems – notably staff getting fired.

In one case, a coder pretending to be a US citizen named Christopher M was employed by an unnamed company in February 2024 as a software engineer, but by April 3, he was let go. Another phony citizen, Wandee C, lasted less than six months after getting hired in 2022.

The US has charged the Wangs and eight other co-conspirators with wire fraud, money laundering, damaging a protected computer, identity theft, and violating the International Emergency Economic Powers Act – as one of the team downloaded sensitive material from his employer.

Georgia on my mind

The second case announced on Monday showed a more blatant form of deception, with the theft of over $900,000 of virtual currency from two companies.

Four North Koreans – named Kim Kwang Jin, Kang Tae Bok, Jong Pong Ju, and Chang Nam Il – are accused of flying from North Korea to the United Arab Emirates and setting up shop there as remote developers for hire using stolen identities.

Kim and Jong found jobs as programmers. In December 2020, Kim started work at an Atlanta blockchain research and development business and Jong joined a Serbian virtual token company in May 2021. Given the companies’ area of business, it seems likely that they were targeted specifically for a digital cash heist.

The Koreans appeared to do well in their jobs and Chang was hired by the Serbian company on the recommendation of Jong. After a time they were given access to both companies’ virtual wallets while working on development projects.

In February 2022, Jong struck first, sending $175,000 in stolen funds to a wallet he controlled. In March, Kim saw a similar opportunity and swiped around $740,000 from the Atlanta-based biz.

The funds were then laundered using the Tornado Cash application, which was formally sanctioned by the US as a money laundering tool in 2022.

Chang and Kang had set up fake identities, this time stolen from Malaysian victims, and opened accounts that could receive and process the purloined funds. All four have been indicted and remain at large, and are most likely back in North Korea.

“The defendants used fake and stolen personal identities to conceal their North Korean nationality, pose as remote IT workers, and exploit their victims’ trust to steal hundreds of thousands of dollars,” said US Attorney Theodore Hertzberg for the Northern District of Georgia.

“This indictment highlights the unique threat North Korea poses to companies that hire remote IT workers and underscores our resolve to prosecute any actor, in the United States or abroad, who steals from Georgia businesses.”

Digital farms razed

Laptop farms are crucial to scams like these because they allow the miscreants to work from North Korea without alerting an employer that a staffer is lying about their location. When a worker gets a job, the company will send them a laptop and monitor it, but the farmer can keep the hardware in the US IP range while surreptitiously connecting it to the North Korean coders.

In the operations announced today, law enforcement examined 29 “known and suspected” laptop farms across America between June 10 and 17. In all, they seized 137 laptops in investigations being carried out in Texas, Missouri, and Colorado.

The US is currently offering bounties of up to $5 million for “information that leads to the disruption of financial mechanisms of persons engaged in certain activities that support North Korea, including money laundering, exportation of luxury goods to North Korea, specified cyber-activity and actions that support WMD [weapons of mass destruction] proliferation.” ®

Original Post URL: https://go.theregister.com/feed/www.theregister.com/2025/06/30/us_north_korea_workers/
