US charges 14 members of North Korean IT worker scam that bagged $88 million in six years

The group is accused of infiltrating US organizations posing as remote workers

More than a dozen North Korean nationals suspected of operating a long-running posing as fake IT staff have been indicted in the US, after generating serious income for the DPRK. A in St. Louis, Missouri formally charged 14 individuals with “long-running conspiracies to violate US sanctions and to commit wire fraud, money laundering, and identity theft”.

The group is accused of working for two -controlled businesses called Yanbian Silverstar and Volasys Silverstar located in China and Russia, which used fake, stolen, or ‘borrowed’ citizen identities from the US and elsewhere to get work as remote IT workers for US firms. According to the Department of Justice (DoJ), some of the 14 were ordered by their superiors to earn a minimum of $10,000 per month in their positions. In some cases, the individuals were said to have supplemented their employment earnings by such as proprietary source code from their employers, and then extorting them to prevent it being leaked.



The DoJ said the campaign had generated in excess of $88 million throughout the approximately six years it had been in operation, with the proceeds being sent back to DPRK-controlled accounts based in . “To prop up its brutal regime, the directs IT workers to gain employment through fraud, steal sensitive information from U.S. companies, and siphon money back to the DPRK,” said Deputy Attorney General Lisa Monaco. “This indictment of 14 North Korean nationals exposes their alleged sanctions evasion and should serve as a warning to companies around the globe — be on alert for this malicious activity by the DPRK regime.”

Front companies employed 130 North Korean ‘IT Warriors’

Summarizing the activity carried out by the group named in the indictment, the DoJ cited a May 2022 advisory from the State Department and that asserted the operation encompassed thousands of ‘highly skilled’ IT workers embedded in organizations around the world.

“The DPRK has dispatched thousands of highly-skilled information technology workers around the world, earning revenue that contributes to the DPRK’s weapons programs, in violation of US and sanctions,” the indictment reads. The two companies named in the indictment were said to employ at least 130 DPRK-linked IT workers who refer to themselves as ‘IT Warriors’. In August, security awareness firm KnowBe4 one such ‘IT Warrior’, who was able to infiltrate the firm posing as a remote software engineer based in the US.

Stu Sjouwerman, CEO at KnowBe4, detailed the case in a blog post, stating the firm only discovered they had a malicious insider after their detected the individual had started loading malware as soon as they had received their Mac workstation. Fortunately, in this case KnowBe4 caught the culprit before they could steal any data or compromise any systems, but Sjouwerman warned the incident could have had potentially devastating consequences. The indictment added that the accused had enlisted individuals from the US to purchase or receive from the target organizations and install remote access programs on them so it would appear they were logging in from the US.

In August the DoJ charged Matthew Isaac Knoot of for a fake IT worker campaign in Nashville. The arrest was one of the first made under the initiative launched in March 2024 where announced they were “prioritizing the identification and shuttering of US-based ‘laptop farms’..