The age-old problem of insider threats was brought to light on Wednesday when the United States seized 17 website domains that were allegedly used by North Korean information technology workers in a scheme to defraud U.S. and foreign businesses and ultimately fund the Democratic People’s Republic of Korea (DPRK) government’s weapons programs.

This week’s seizures follow the previously sealed October 2022 and January 2023 court-authorized seizures of about $1.5 million of the revenue that the same group of IT workers collected from unwitting victims as a result of their scheme.

As alleged in court documents by the U.S. Justice Department, the DPRK dispatched thousands of skilled IT workers to live abroad, primarily in China and Russia, with the aim of deceiving U.S. and other businesses worldwide into hiring them as freelance IT workers, to generate revenue for its weapons of mass destruction (WMD) programs. The court documents allege that through this scheme, which involves the use of pseudonymous email, social media, payment platform and online job site accounts, as well as false websites and proxy computers located in the United States and elsewhere, the fraudulent IT workers generated millions of dollars a year for DPRK-linked agencies.

According to the Justice Department, certain DPRK IT workers designed the 17 website domains the U.S. seized this week to appear as domains of legitimate, U.S.-based IT services companies, thereby helping the IT workers hide their true identities and location when applying online to do remote work for U.S. and other businesses worldwide. In reality, the Justice Department said this specific group of North Koreans, who work for the People’s Republic of China-based Yanbian Silverstar Network Technology Co. Ltd. and the Russia-based Volasys Silver Star, had previously been sanctioned in 2018 by the Department of the Treasury.

These IT workers are alleged to have funneled income from their fraudulent IT work back to North Korea through the use of online payment services and Chinese bank accounts.

“The Democratic People’s Republic of Korea has flooded the global marketplace with ill-intentioned information technology workers to indirectly fund its ballistic missile program,” said Special Agent in Charge Jay Greenberg of the FBI’s St. Louis Division. “The seizing of these fraudulent domains helps protect companies from unknowingly hiring these bad actors and potentially damaging their business.”

Greenberg said the scheme is so prevalent that companies must be vigilant to verify whom they hire. At a minimum, Greenberg said the FBI recommends that employers take additional proactive steps with remote IT workers to make it harder for bad actors to hide their identities.

“Without due diligence, companies risk losing money or being compromised by insider threats they unknowingly invited inside their systems,” said Greenberg.
US seizes sites that funnel money from North Korean IT workers for illicit activities