The US seizes $7.74 million in crypto tied to North Korea’s global fake IT worker network

June 16, 2025

The U.S. Department of Justice (DOJ) said it had filed a civil forfeiture complaint in federal court seeking more than $7.74 million in cryptocurrency, non-fungible tokens (NFTs), and other digital assets allegedly linked to a global IT worker scheme orchestrated by North Korea.

“For years, North Korea has used a global remote IT contract and cryptocurrency ecosystem to avoid US sanctions and bankroll its arms programs,” said Sue J. Bai, Director of National Security at the Department of Justice.

The Justice Department said the funds were originally restrained in connection with the April 2023 indictment against Sim Hyon-Sop, a representative of the North Korean Foreign Trade Bank (FTB) who is believed to have conspired with the IT workers.

The IT workers used fake identities to gain employment at US cryptocurrency companies, then laundered their ill-gotten gains through Sim to further Pyongyang’s strategic goals in violation of sanctions imposed by the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) and the United Nations.

The fraudulent scheme has evolved into a massive operation since its origins in 2017. The illicit employment operation leverages a combination of stolen and fictitious identities, with the help of artificial intelligence (AI) tools like OpenAI ChatGPT, to bypass due diligence checks and secure jobs.

Tracked under the monikers Wagemole and UNC5267, the activity is assessed to be affiliated with the Workers’ Party of Korea and is seen as a systematically designed strategy to embed IT workers in legitimate companies and extract a stable revenue stream for North Korea.

In addition to misrepresenting identity and location, central aspects of the operation include recruiting facilitators to run laptop farms around the world, enabling video interview stages, and laundering the proceeds through various accounts.

One such laptop farm facilitator was Christina Marie Chapman. In a report released last month, the Wall Street Journal revealed how a LinkedIn message in March 2020 drew Chapman, a former waitress and massage therapist with over 100,000 followers on TikTok, into the complicated scam. She is scheduled to be sentenced July 16th.

“After washing these funds, it is said that North Korean IT workers were sometimes sent back to the North Korean government via Sim and Kim Sang-man,” the DOJ said. “Kim is a North Korean citizen who is the CEO of Chinyong and is also known as the ‘Jinyong IT Copy Company.’”

Analyses of Sim’s cryptocurrency wallets by TRM Labs revealed that they received more than $24 million in cryptocurrency between August 2021 and March 2023.

[Figure: North Korea’s organizational evaluation]

“Most of these funds were opened using forged Russian identity documents and returned to Kim’s accounts accessed from Korean-language devices operated from the UAE and Russia,” TRM Labs said. “Sim, a North Korean official, maintained a self-hosted wallet that ran in Dubai and received funds washed from dozens of sources.”

Kim acted as an intermediary between the IT workers and FTB from his base in Vladivostok, Russia, using two accounts to collect funds from them and redistribute the proceeds to Sim and other wallets connected to North Korea.

Cybersecurity company DTEX characterizes the IT worker threat as a state-sponsored crime syndicate geared primarily toward evading sanctions and generating profits, with the threat actors gradually shifting from laptop farms to using their own machines under companies’ bring your own device (BYOD) policies.

“Challenge is really their only tactic and everything is treated as a tool of some sort,” Michael Barnhart, DTEX Principal I3 insider risk investigator at DTEX Systems, told Hacker News.

“If we focus on laptop farms that are very good to put that word, of course, this opportunistic nation wants to draw to a place where the pass is much easier if it affects operations. Until laptop farms are no longer effective, it’s still an option, but BYOD abuse was something DTEX saw in the survey and not on the farm.”

DTEX further noted that these IT workers could be either revenue IT workers (R-ITW) or malicious IT workers (M-ITW).

While R-ITW operatives are said to be less privileged and motivated primarily to make money for the regime, M-ITW actors go beyond revenue generation by extorting victim clients, sabotaging cryptocurrency servers, stealing valuable intellectual property, and executing malicious code in the environment.

According to the insider risk management company, Chinyong is one of many IT companies that have deployed workers in a combination of freelance IT work and cryptocurrency theft by leveraging insider access to blockchain projects. It operates in China, Laos and Russia.

Two individuals associated with the Chinyong-related IT worker efforts have been unmasked as having used the personas Murano and Jenson Collins for North Korea, with Murano previously linked to a $6 million heist at crypto company Delta Prime in September 2024.

“Ultimately, with detection of DPRK-linked laptop farms and remote worker schemes, defenders must go beyond traditional metrics of compromise and begin asking a variety of questions about infrastructure, behavior and access,” said security researcher Matt Ryan. “These campaigns aren’t just about malware and phishing. They are about large-scale deceptions and often run in a way that seamlessly blends with legitimate remote work.”

Further investigation into the vast multi-million dollar fraud has revealed several accounts related to fake domains set up for the various front companies used to provide fake references to IT workers. These accounts were infected with information-stealing malware, Flashpoint noted, allowing it to flag several aspects of the operation.

The company said it has identified a compromised host in Lahore, Pakistan, that contained saved e-mail accounts used as contacts when registering domains related to Babybox Information, Helix US, and Cubix Tech US.

In addition, browser history captured by the stealer malware in another instance contained Google Translate URLs related to numerous translations between English and Korean, including those related to forged job references and shipping.

That’s not all. Recent research exposed a “hidden multi-layer remote control system” used by North Korean IT workers to establish persistent access to company-issued laptops at laptop farms while remaining physically located in Asia.

“This operation leverages a combination of low-level protocol signaling and legitimate collaboration tools to maintain remote access and allow for data visibility and control using Zoom.

“To further enhance stealth and automation, we needed to configure a specific Zoom client. We meticulously adjusted the settings to prevent user-facing metrics and audiovisual impairments.”

Complementing Wagemole is another campaign called Contagious Interview (aka DeceptiveDevelopment, Famous Chollima, Gwisin Gang, Tenacious Pungsan, UNC5342, and Void Dokkaebi).

“The Gwisin Gang is frankly targeting people who already have jobs instead of taking the lengthy process of applying for jobs,” Barnhart said. “They look high and unique in that they have the use of malware that reflects this concept. IT workers are an inclusive term, with many styles, breeds and skill levels between them.”

As for how IT worker schemes will evolve over the next few years, Barnhart points to the traditional financial sector as its target.

“I think that blockchain and Web3 technology are implemented in traditional financial institutions, so all DPRK cyber assets in that space aim to run to these companies as they have been happening in the past few years,” Barnhart pointed out. “The more you integrate with these technologies, the more entrenched DPRK is, and so you have to be more careful.”
