U.S. Federal Authorities Confiscate $7.74 Million in Cryptocurrency Linked to North Korea’s Global Fraudulent IT Workforce Network
The U.S. Department of Justice (DoJ) has initiated a civil forfeiture proceeding in federal court aimed at over $7.74 million in cryptocurrency, non-fungible tokens (NFTs), and additional digital assets linked to a global IT worker scheme allegedly orchestrated by North Korea.
“For years, North Korea has exploited global remote IT contracting and cryptocurrency ecosystems to evade U.S. sanctions and finance its weapons programs,” stated Sue J. Bai, the head of the Justice Department’s National Security Division.
The Justice Department indicated that the funds were initially restrained following an April 2023 indictment against Sim Hyon-Sop, a representative of the North Korean Foreign Trade Bank (FTB), believed to have collaborated with the IT workers.
These IT workers gained employment at U.S. cryptocurrency firms through the use of false identities and laundered their illicit earnings via Sim to support Pyongyang’s strategic goals, in violation of sanctions imposed by the U.S. Treasury’s Office of Foreign Assets Control (OFAC) and the United Nations.
The fraudulent scheme has evolved into a substantial operation since its inception in 2017, utilizing a combination of stolen and fabricated identities, with the assistance of artificial intelligence (AI) tools, to circumvent due diligence checks and secure freelance opportunities.
Tracked under the aliases Wagemole and UNC5267, this activity is assessed to be associated with the Workers’ Party of Korea and is recognized as a calculated strategy to embed IT workers within legitimate companies, thus generating a steady revenue stream for North Korea.
In addition to impersonating identities and locations, the operation prominently features recruiting facilitators to oversee laptop farms globally, manage video interviews, and launder profits through various accounts.
One such facilitator, Christina Marie Chapman, pleaded guilty earlier this year for her role in the unlawful revenue generation scheme. Reports have illustrated how her involvement was initiated through a LinkedIn message in March 2020, drawing her into the elaborate scam.
Following the laundering of these funds, the North Korean IT workers reportedly redirected them back to the North Korean government, occasionally through Sim and Kim Sang Man, the CEO of “Chinyong” or “Jinyong IT Cooperation Company.”
Analysis of Sim’s cryptocurrency wallet by TRM Labs has revealed that it received over $24 million in cryptocurrency from August 2021 to March 2023.
Most of these funds were traced back to Kim’s accounts, which were created using forged Russian identity documentation and accessed from devices operating in Korean language settings from the UAE and Russia. Sim, a North Korean official, functioned from Dubai, maintaining a self-hosted wallet that received laundered funds from numerous sources.
Kim, based in Vladivostok, Russia, acted as a go-between for the IT workers and the FTB, utilizing two accounts to amass funds and redistribute the proceeds to Sim and other wallets linked to North Korea.
Cybersecurity firm DTEX has classified the IT worker threat as a state-sponsored crime syndicate primarily focused on evading sanctions and generating profit. The threat actors have gradually transitioned from using laptop farms to leveraging their own devices under companies’ Bring Your Own Device (BYOD) policies.
“Opportunity is their only tactic, and everything is perceived as a potential tool,” stated Michael Barnhart, a Principal i3 Insider Risk Investigator at DTEX Systems.
DTEX noted that these IT workers are categorized into two groups: Revenue IT workers (R-ITW) and malicious IT workers (M-ITW), each with distinct roles within North Korea’s cyber framework.
R-ITW personnel are typically less privileged and primarily motivated to generate income for the regime, while M-ITW actors extend beyond mere revenue generation, engaging in extortion, server sabotage, intellectual property theft, or executing malicious code.
Chinyong is one of several IT companies employing workers for both freelance IT tasks and cryptocurrency theft, utilizing insider access to blockchain projects and operating from China, Laos, and Russia.
Two individuals linked to Chinyong-associated IT worker efforts have been identified using the personas Naoki Murano and Jenson Collins to fund North Korea, with Murano previously connected to a $6 million heist at crypto firm DeltaPrime.
Ultimately, detecting DPRK-related laptop farms and remote worker schemes necessitates that defenders move beyond traditional compromise indicators and consider infrastructure, behavior, and access. These campaigns involve extensive deception, seamlessly blending with legitimate remote work practices.
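As an added defender-side illustration (not code from the article or from any firm it names), the following Python applies the infrastructure, behavior and access signals described above to a constructed set of login records: declared versus observed country, a Korean device locale on an account that claims another country, and many distinct employees behind one egress address, which is what a laptop farm looks like from the network side. The field names, sample values and the sharing threshold are assumptions.

```python
from collections import defaultdict

# Constructed sample access records (not real telemetry): one record per login,
# pairing the country the employee declared at hiring with what the device reported.
ACCESS_LOG = [
    {"user": "alice", "declared_country": "US", "src_country": "US", "device_locale": "en-US", "egress_ip": "203.0.113.10"},
    {"user": "bob",   "declared_country": "US", "src_country": "AE", "device_locale": "ko-KR", "egress_ip": "198.51.100.7"},
    {"user": "carol", "declared_country": "US", "src_country": "US", "device_locale": "en-US", "egress_ip": "192.0.2.44"},
    {"user": "dave",  "declared_country": "US", "src_country": "US", "device_locale": "en-US", "egress_ip": "192.0.2.44"},
    {"user": "erin",  "declared_country": "US", "src_country": "US", "device_locale": "en-US", "egress_ip": "192.0.2.44"},
    {"user": "frank", "declared_country": "US", "src_country": "US", "device_locale": "en-US", "egress_ip": "192.0.2.44"},
]

# Assumed tuning value: how many distinct employees behind one address is suspicious.
SHARED_EGRESS_THRESHOLD = 3


def analyze_access(records, threshold=SHARED_EGRESS_THRESHOLD):
    """Return {user: [finding, ...]} for every record that trips a rule."""
    findings = defaultdict(list)
    users_by_egress = defaultdict(set)
    for r in records:
        # Access rule: login country disagrees with the declared work location.
        if r["src_country"] != r["declared_country"]:
            findings[r["user"]].append("geo_mismatch:%s" % r["src_country"])
        # Behavior rule: Korean-language device on an account not claiming Korea.
        lang = r["device_locale"].split("-")[0]
        if lang == "ko" and r["declared_country"] != "KR":
            findings[r["user"]].append("locale_mismatch:%s" % r["device_locale"])
        users_by_egress[r["egress_ip"]].add(r["user"])
    # Infrastructure rule: several employees' laptops share one egress address.
    for ip, users in users_by_egress.items():
        if len(users) >= threshold:
            for u in sorted(users):
                findings[u].append("shared_egress:%s(%d users)" % (ip, len(users)))
    return dict(findings)


if __name__ == "__main__":
    for user, hits in analyze_access(ACCESS_LOG).items():
        print(user, hits)
```

Any single rule produces false positives on legitimate travel or multilingual staff; the value is in the overlap across rules, and each hit is a lead for a human reviewer, not a verdict.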
Investigations into the expansive fraud scheme have revealed multiple accounts tied to counterfeit domains set up for various front companies to provide false references to the IT workers. Some of these accounts were compromised with information-stealing malware, allowing insight into their operational tactics.
The findings included a compromised host in Lahore, Pakistan, storing credentials linked to an email account used for registering domains associated with multiple front companies. Additional evidence captured by the malware included numerous translations between English and Korean concerning the provision of fabricated job references and shipments of electronic devices.
Research has also uncovered a “covert, multi-layered remote-control system” utilized by North Korean IT workers to maintain persistent access to company-issued laptops within a laptop farm while located in Asia.
This operation combined low-level protocol signaling with legitimate collaboration tools, such as Zoom, to facilitate remote access and control. The attack chain used ARP packets to trigger actions and established a custom WebSocket-based command-and-control channel, alongside automating Zoom’s remote-control functions.
To enhance stealth and automation, specific configurations of the Zoom client were rigorously adjusted to eliminate user-facing indicators and disturbances.
Running concurrently with Wagemole, another campaign termed “Contagious Interview” primarily conducts malicious activities targeting developers to gain unauthorized company access instead of pursuing employment.
As for the future trajectory of the IT worker scheme, Barnhart indicated that the traditional financial sector could be a significant target, particularly with the increasing integration of blockchain and Web3 technologies into financial institutions.
As DPRK cyber capabilities evolve, vigilance will be essential in safeguarding against their entrenched activities in the evolving technological landscape.