DOJ indicts North Korean conspirators for remote IT work scheme
Saturday January 25, 2025, 01:44 AM, from ComputerWorld
The US Department of Justice this week announced that it had indicted two North Korean nationals and three other men, accusing them of participating in a conspiracy designed to trick US companies into funding the North Korean regime.
According to the indictment, which was filed in federal court in Miami, the scheme leveraged stolen identity documents and paid henchmen in the US to direct well-paid IT work and company computers to two North Korean men, Jin Sung-Il and Pak Jin-Song. The idea, the Justice Department said, was to funnel money back to the North Korean regime, which has limited opportunities to generate cash through legal means thanks to heavy international sanctions.
The conspiracy, according to the indictment, centers on North Korean nationals posing as foreign workers in other nations, or as US nationals, and gaining employment via online platforms that allow companies to advertise for contract IT workers. Using fake or altered identity documents, the North Koreans took on contracts for several US companies, which were not identified by name in the indictment.
Those businesses then shipped company laptops to three US-based co-conspirators, Pedro Ernesto Alonso De Los Reyes, Erick Ntekereze Prince, and Emanuel Ashtor, who, the Justice Department said, installed remote access software on them so that they could be operated by Jin and Pak. The US-based members of the group also used their own companies as fronts for the conspiracy, invoicing several of the victim firms and funneling payments to the North Koreans.
The indictment stated that at least 64 US companies were victimized, and payments from ten of them generated at least $866,255 in revenue over the duration of the scheme, which ran for more than six years.
All five defendants are charged with conspiracy to damage a protected computer, mail and wire fraud, money laundering, and transferring false identification documents. The two North Koreans are additionally charged with violating the International Emergency Economic Powers Act. Each could face up to 20 years in prison.
Highlights risk from North Korea
“The indictments announced today should highlight to all American companies the risk posed by the North Korean government,” said Assistant Director of the FBI’s Cyber Division, Bryan Vorndran, in a statement.
While the indictments announced Thursday characterized this conspiracy as largely focused on diverting money to the heavily embargoed North Korean government, similar efforts by that country have been aimed at compromising corporate secrets and sensitive information. The “laptop farm” — where US-based associates such as Prince and Ashtor hosted the provided company laptops in their own homes to conceal the North Korean involvement — has been a known technique for North Korean cyberwarfare since at least 2022, and has been used not just to collect a salary, but to steal data, explore sensitive parts of strategically significant infrastructure, and attempt to extort victimized firms.
The operations are growing in both numbers and sophistication, according to security firms who spoke to CSO in November. One recent case saw a bad actor use deepfake video technology and automated voice translation in a video interview, though this didn’t work particularly well and the interviewers were easily able to tell that something was wrong. “Her eyes weren’t moving, the lips weren’t in sync, and the voice was mechanical,” Kirkwood told CSO. “It was like something from a 1970s Japanese Godzilla movie.”
Google-owned threat intelligence provider Mandiant told CSO that North Korean IT workers looking to gain valuable freelance positions number in the thousands, and although not all are engaged in purely nefarious activity, the number of intrusion incidents linked to North Korean workers is high.
https://www.computerworld.com/article/3809856/doj-indicts-north-korean-conspirators-for-remote-it-wo...