The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) has imposed sanctions on six individuals and two entities for their involvement in a North Korean information technology (IT) worker scheme. The scheme aimed to defraud U.S. businesses and generate illicit revenue to fund North Korea’s weapons of mass destruction programs.
Secretary of the Treasury Scott Bessent stated that the North Korean regime targets American companies through deceptive schemes carried out by its overseas IT operatives. These operatives weaponize sensitive data and extort businesses for substantial payments.
The fraudulent scheme, tracked as Coral Sleet/Jasper Sleet, PurpleDelta, and Wagemole, involves IT workers using bogus documentation, stolen identities, and fabricated personas to obscure their true origins and secure jobs at legitimate companies. A significant portion of their salaries is then sent back to North Korea to support the nation’s missile programs in violation of international sanctions.
Additionally, the scheme includes deploying malware to steal proprietary information and extorting victims by demanding ransoms in exchange for not leaking the stolen data.
The individuals and entities targeted by the OFAC sanctions include:
- Amnokgang Technology Development Company – An IT company managing overseas IT workers and engaging in illicit procurement activities
- Nguyen Quang Viet – CEO of Quangvietdnbg International Services Company Limited facilitating currency conversion services for North Koreans
- Do Phi Khanh – Alleged associate of a sanctioned individual involved in money laundering
- Hoang Van Nguyen – Assisting in opening bank accounts and cryptocurrency transactions
- Yun Song Guk – Leading a group of IT workers conducting freelance work from Laos
LevelBlue highlighted the IT workers’ use of Astrill VPN to operate from China and bypass restrictions. This allows them to appear as legitimate domestic employees while conducting their operations.
Security researcher Tue Luu mentioned that threat actors commonly operate from China due to reliable Internet infrastructure and the ability to use VPN services to conceal their true location.
Furthermore, the IT workers employ artificial intelligence tools to fabricate identities, engage in social engineering, and maintain operational persistence at a low cost. This highlights how AI-powered services enhance threat actors’ capabilities.
The tactics and techniques employed by the IT worker operatives include the use of timesheets, IP Messenger for internal communication, and Google Translate for various tasks.
The IT worker scheme’s operational structure involves recruiters, facilitators, IT workers, and collaborators, each playing a distinct role in the fraudulent activities.
Overall, North Korea’s IT worker operations are deeply integrated within the country’s revenue-generation and sanctions-evasion machinery, making them a crucial component of the DPRK’s activities.



