The U.S. Department of Justice has announced a significant disruption to multiple scams orchestrated by North Korean operatives impersonating IT workers in the United States. Authorities revealed that over 100 U.S. companies had fallen victim to these schemes, where North Korean personnel utilized fictitious or stolen identities not only to draw salaries but also to steal sensitive data intended for delivery to Pyongyang’s servers. In one notable instance, a fake employee managed to embezzle approximately $740,000 in digital currency from their employer.
Despite the emergence of deepfake technology, which has been leveraged in other instances of impersonation, government officials confirmed it was not a factor in this operation. The North Korean government has long engaged in cybercrime to bolster its economy amid ongoing international sanctions related to its nuclear weapons program. Its shift towards hiring out developers as remote workers was reportedly accelerated by the COVID-19 pandemic, as noted in a prior FBI warning from 2022.
Court documents unsealed this week indicate that these fraudulent operations date back to at least January 2021. One arrested suspect, Zhenxing ‘Danny’ Wang, allegedly established a fake software development venture named Independent Lab in New Jersey, using it to funnel approximately $5 million back to North Korea. Authorities estimate that U.S. employers have collectively incurred around $3 million in legal fees and cleanup costs. Zhenxing Wang’s accomplice, Kejia ‘Tony’ Wang, is accused of running two additional bogus firms and managing laptops for non-existent employees to maintain the ruse.
The indictment also highlighted the arrests of several domestic co-conspirators who gained at least $696,000 from the scheme. However, it appears that the North Korean operators faced their share of difficulties, with reports of staff being terminated from their inflated positions. The brief employment duration of several so-called ‘citizen’ coders underscores the inherent fragility of such operations.
In a further extension of these scams, four North Koreans, including Kim Kwang Jin and Chang Nam Il, traveled from their homeland to the United Arab Emirates, where they assumed fake identities to secure development positions. Allegedly, they siphoned over $900,000 in cryptocurrency from two companies. The stolen funds were subsequently laundered using the Tornado Cash application, which was sanctioned by U.S. officials last year.
U.S. Attorney Theodore Hertzberg of the Northern District of Georgia emphasized the seriousness of the threat these activities pose to businesses engaging remote IT workers and reiterated the government’s commitment to prosecuting any actors involved in such thefts.