N Koreans steal US identities, get jobs in IT

Daily News Article   —   Posted on December 18, 2024

(by Jim Salter, AP/ABC News) – [The US Justice Department on Thursday announced indictments against 14 North Korean nationals for their involvement in a multi-year scheme to pose as remote IT workers to violate sanctions and commit wire fraud, money laundering, and identity theft.]

Fourteen North Korean nationals have been indicted in a scheme using IT workers with false identities to contract with U.S. companies — workers who then funneled their wages to North Korea for development of ballistic missiles and other weapons, the head of the FBI office in St. Louis said Thursday.

The scheme involving thousands of IT workers generated more than $88 million for the North Korean government, Ashley T. Johnson, special agent in charge of the St. Louis FBI office, said at a news conference. In addition to their wages, the workers stole sensitive information from companies or threatened to leak information in exchange for extortion payments, Johnson said.

Victims included defrauded companies and people whose identities were stolen from across the U.S., including Missouri, Johnson said. The indictments were filed Dec. 11 in U.S. District Court in St. Louis. All 14 people face wire fraud, money laundering, identity theft and other charges.

Most of those accused are believed to be in North Korea. Johnson acknowledged that bringing them to justice will be difficult. To help, the U.S. Department of State is offering a $5 million reward for information leading to any of the suspects.

Federal authorities said the scheme worked like this:

North Korea dispatched thousands of IT workers to get hired and work remotely or as freelancers for U.S. companies. The IT workers involved in the scheme sometimes used stolen identities. In other instances, they paid Americans to use their home Wi-Fi connections, or to pose in on-camera job interviews as the IT workers. Johnson said the FBI is going after those “domestic enablers,” too.

“This is just the tip of the iceberg,” Johnson said. “If your company has hired fully remote IT workers, more likely than not, you have hired or at least interviewed a North Korean national working on behalf of the North Korean government,” Johnson said.

The Justice Department in recent years has sought to expose and disrupt a broad variety of criminal schemes aimed at bolstering the North Korean regime, including its nuclear weapons program.

In 2021, the Justice Department charged three North Korean computer programmers and members of the government’s military intelligence agency in a broad range of global hacks that officials say were carried out at the behest of the regime. Law enforcement officials said at the time that the prosecution highlighted the profit-driven motive behind North Korea’s criminal hacking, a contrast from other adversarial nations like Russia, China and Iran that are generally more interested in espionage, intellectual property theft or even disrupting democracy.

In May 2022, the State Department, Department of the Treasury, and the FBI issued an advisory warning of attempts by North Koreans “to obtain employment while posing as non-North Korean nationals.” The advisory noted that in recent years, the regime of Kim Jong Un “has placed increased focus on education and training” in IT-related subjects.

In October 2023, the FBI in St. Louis announced the seizure of $1.5 million and 17 domain names as part of the investigation. The indictments announced Tuesday were the first stemming from the investigation.

Johnson urged companies to thoroughly vet IT workers hired to work remotely. “One of the ways to help minimize your risk is to insist current and future IT workers appear on camera as often as possible if they are fully remote,” she said.

Officials didn’t name the companies that unknowingly hired North Korean workers.

By Associated Press. Published at ABC News on Dec. 13, 2024. Reprinted here for educational purposes only. May not be reproduced on other websites without permission.

 

Background

Excerpted from a Sept. 5 WSJ report: North Korean Spies Are Infiltrating U.S. Companies Through IT Jobs:  

Companies are unknowingly hiring North Koreans for hundreds of low-level jobs, giving Pyongyang access to cash and IP (Intellectual property)

When cybersecurity company KnowBe4 was filling a remote IT job in July, it hired a highly skilled applicant who gave his name as Kyle and spoke accented English. He asked the company to ship his company laptop to an address in Washington state.

Kyle was actually in North Korea.

Cash-starved Pyongyang has long deployed cyberspies to steal intellectual property. But now it is forcing companies and government agencies to grapple with a new insider threat: Instead of merely hacking into networks, North Korean operatives are secretly joining the payroll as remote workers.

Capitalizing on a post-Covid boom in remote work and advances in generative artificial intelligence, North Koreans have been hired for hundreds — and potentially thousands — of low-level information-technology jobs and other roles in recent years, using stolen identities of [Americans and others], U.S. officials and security researchers say.

The scheme is netting hundreds of millions of dollars annually for Kim Jong Un’s reclusive regime, according to the U.S. Justice Department, allowing it to evade strict international sanctions and continue to fund its nuclear-weapons and ballistic-missile program.

To fool employers, North Korea often relies on laptop farms run by middlemen in the U.S. who install remote desktop software that allows North Koreans to log in to internal company servers from overseas while creating the impression they are in the U.S.

Federal prosecutors alleged last month that Pyongyang paid a Tennessee man a monthly fee for receiving and booting up work laptops at his Nashville home that North Koreans posing as IT workers used to defraud multiple U.S. media companies, a Portland-based technology company and a British financial institution.

Matthew Knoot, 38 years old, was allegedly promised $500 per laptop — plus 20% of net profits — by his North Korean handler who went by the name Yang Di, according to the indictment. He earned substantially less — only about $15,100 over a 13-month period. Knoot entered a plea of not guilty and is scheduled to go on trial in October. His lawyer didn’t respond to a request for comment.

In May, federal prosecutors unsealed an indictment alleging an Arizona woman and a man in Ukraine were part of a network of laptop-farms that resulted in over 300 U.S. companies unknowingly hiring people with ties to North Korea, prosecutors said.

Applicants assumed the identities of at least 60 U.S. citizens—some at different companies simultaneously, sending $6.8 million of revenue overseas to Pyongyang, prosecutors said.