US authorities have cracked down on North Korean nationals who infiltrated remote-working roles at US companies to siphon funds into weapons programs.

The US Department of Justice (DOJ) announced Monday it had conducted co-ordinated law enforcement actions in 16 states, resulting in a slew of charges and the arrest of Zhenxing “Danny” Wang, an alleged US facilitator of the scheme.

Court documents show that between 2021 and 2024, Wang and other US facilitators allegedly helped North Korean IT workers secure jobs with some 100 US organisations, including “many Fortune 500 companies”.

The ‘workers’ allegedly used more than 80 stolen identities to gain employment and receive regular salary payments, ultimately generating more than $7.6 million (US$5 million) in revenue.

“These schemes target and steal from US companies,” said assistant attorney general John A Eisenberg of the DOJ’s National Security Division.

“[They] are designed to evade sanctions and fund the North Korean regime’s illicit programs, including its weapons programs.”

US companies suffered losses of at least $4.5 million (US$3 million) from legal fees and other damages, while the DOJ noted some fake workers stole “sensitive employer information” including “export-controlled US military technology”.

Authorities searched eight known or suspected US-based “laptop farms” – where facilitators set up specialised ‘keyboard, video, and mouse switches’ (KVMs) for remote workers to control multiple company-provided laptops at once – resulting in the seizure of over 70 laptops and devices.

The Federal Bureau of Investigation (FBI) meanwhile seized approximately 137 laptops through 21 raids under a separate investigation in June, while four North Koreans in a separate case were charged after they allegedly stole about $1.4 million (US$900,000) in virtual currency from a Georgia-based company.

US facilitators paid handsomely

Court documents alleged Wang and five other US facilitators collected at least $1 million (US$696,000) for providing services to fraudulent IT workers.

These services allegedly included, among other things, receiving and hosting laptops from victim companies at their residences, and setting up shell companies with corresponding websites and financial accounts to legitimise the operation.

The FBI and Defense Criminal Investigative Service seized 17 fraudulent websites, alongside 29 financial accounts which held tens of thousands of dollars and were used to launder revenue to North Korea.

Wang was accused of conspiracy to commit wire fraud, money laundering, and identity theft, while eight further defendants in China and Taiwan saw additional charges related to hacking and violation of sanctions.

“Let the actions announced today serve as a warning: if you host laptop farms for the benefit of North Korean actors, law enforcement will be waiting for you,” said FBI Cyber Division’s assistant director, Brett Leatherman.

Bogus websites lure employers

While the seized websites are no longer accessible, snapshots from the Internet Archive’s Wayback Machine show they were made to look like legitimate outsourcing companies.

The sites promised to deliver high-quality software development, 24/7 support and “dedicated teams” who could help “at any stage” of a project.

Websites were made to look like legitimate outsourcing companies. Photo: Wayback Machine

The websites also included fake testimonials claiming to be from legitimate US companies, such as office water supplier Bevi and fitness subscription service Classpass, and directed employers to a contact form where they could enquire about hiring from a purported team of 1,700 “experienced” software engineers.

The DOJ noted worker schemes also tend to involve the use of social media, alias emails, and online job site accounts.

Are Australian businesses at risk?

On Monday, Microsoft Threat Intelligence researchers reported that North Korea’s revenue generation schemes have deployed “thousands of remote IT workers”, leading to the suspension of 3,000 known Microsoft consumer accounts across Outlook and Hotmail.

Microsoft researchers emphasised that although the schemes have historically focused on US companies in the technology, critical manufacturing, and transportation sectors, fake workers are “evolving” to broaden their scope and target industries globally.

An August 2024 advisory from Australia’s Department of Foreign Affairs and Trade warned that workers from the Democratic People's Republic of Korea (DPRK) had indeed attempted to obtain remote employment within Australian businesses.

Senior analyst for Google Threat Intelligence Group Taylor Long told Information Age that while her team had not observed DPRK workers targeting Australia in recent months, the threat is expected to persist globally.

“Financial gain remains the primary motivation for IT worker operations,” said Long.

“Their ability to reuse tactics, particularly in English-speaking nations, makes this a persistent and adaptable threat.”

Hiding behind AI

Microsoft researchers also observed workers “experimenting” with voice-changing software and other AI tools such as Faceswap to superimpose their likeness onto stolen identity documents.

Funds were siphoned into the weapons program of the North Korean government. Photo: Shutterstock

Long added that North Korean IT workers frequently leverage AI tools to “increase the success of their concealment tactics” when interviewing and applying to organisations.

“This includes the use of deepfake technology to alter their appearances during virtual interviews, and the creation of highly authentic-looking fake IDs to bypass verification processes,” said Long.

After onboarding and promptly firing a North Korean worker in 2024, security awareness company KnowBe4 found the attacker had also used AI to superimpose their own likeness onto a stock photo during the initial application.

Javvad Malik, lead security awareness advocate at KnowBe4, told Information Age that companies should require government-issued identification during video calls, use multiple touchpoints to confirm the identity of new workers, and implement a “bedding-in” period during which new employees do not immediately receive access to all production systems.

“When possible, validate employees in person,” Malik said.

“Prohibit background blur or filters during interviews, and ask participants to move or perform specific actions to verify they're not using deepfake technology.”