# Full Report
The men were ordered to earn more than $10,000 a month, with several obtaining multiple jobs at the same time, and they supplemented their earnings by stealing sensitive corporate information.
# Analysis Summary
# Threat Actor: North Korean State-Sponsored IT Worker Scheme (Group of 14 Indicted)
## Attribution & Identity
This activity is attributed to North Korean nationals directed by the North Korean government to generate illicit revenue and potentially gain access to sensitive information. The specific group indicted consists of fourteen individuals. They operated through North Korea-controlled companies registered in China and Russia, specifically named **Yanbian Silverstar** and **Volasys Silverstar**, which employed at least 130 such workers ("IT warriors").
## Activity Summary
The primary activity detailed is a long-running, systemic fraud scheme spanning April 2017 to March 2023. Fourteen indicted North Korean nationals used stolen or false identities of U.S. citizens to obtain employment illegally as IT workers at U.S. companies and non-profit organizations. The goal was to siphon salaries, totaling at least $88 million over six years, back to Pyongyang to support the DPRK regime, including entities involved in WMD programs and the Ministry of Defense. In addition to salary theft, some conspirators engaged in **extortion**, threatening to leak proprietary source code and sensitive corporate information unless the victim company made a one-time payment.
## Tactics, Techniques & Procedures
- **Identity Deception:** Used false, stolen, and borrowed identities of U.S. and other persons to conceal their true identities and locations.
- **Employment Fraud:** Secured remote IT positions, often holding multiple jobs simultaneously to maximize earnings (workers were reportedly ordered to earn more than $10,000 per month each).
- **Illicit Financial Activity:** Money laundering to funnel earned wages back to the DPRK.
- **Corporate Espionage/Theft:** Supplemented income by stealing sensitive corporate information.
- **Extortion:** Threatened to release proprietary information (e.g., source code) to extort further payments from victim companies.
- **Physical Impersonation (Hybrid TTP):** Paid U.S. citizens to attend job interviews or meetings in person under the stolen or false identities.
- **Infrastructure Masking:** Used fabricated supporting materials such as email addresses, social media profiles, and fictitious job references to make the false identities appear legitimate.
## Targeting
- **Sectors:** U.S. companies and non-profit organizations, particularly those employing large numbers of remote contract IT workers.
- **Geography:** The workers operated externally (China, Russia, possibly North Korea) while fraudulently posing as U.S.-based employees. The victims are U.S. employers.
- **Victims:** U.S. companies and non-profit organizations. At least one company sustained hundreds of thousands of dollars in damages after refusing an extortion demand and suffering a data leak.
## Tools & Infrastructure
- **Malware families used:** Not explicitly named, but involved "technological tools" for deception.
- **Infrastructure (C2, domains, IPs):**
  - Operating Companies: Yanbian Silverstar (China) and Volasys Silverstar (Russia).
  - Seized Assets: Dozens of internet domains used to provide fake credentials were shut down.
  - Financial Conduit: Funds were moved through bank accounts tied to the scheme ($320,000 and $444,800 seized in separate instances).
  - Concealment: Used conspiring U.S. citizens running "laptop farms" as conduits to mask remote work originating overseas.
## Implications
This scheme represents a significant, state-directed economic and espionage threat, generating hundreds of millions of dollars annually for the North Korean regime, funding its weapons programs. The success of these "IT warriors"—thousands are believed to be deployed—highlights critical vulnerabilities in remote hiring and background verification processes across the U.S. corporate sector. The dual intent of financial gain and potential intelligence collection makes this a high-priority risk.
## Mitigations
- **Thorough Vetting:** Businesses must closely vet fully remote IT workers, examining inconsistencies such as non-matching addresses/phone numbers or poor English quality in reference materials.
- **Video Verification:** Insist that current and future remote IT workers appear on camera as often as possible to verify physical presence.
- **Awareness of Schemes:** Organizations seeking to hire high volumes of contract workers quickly must be particularly vigilant against this pattern of fraud.
- **Reporting:** U.S. citizens and companies victimized by identity theft in this context should report immediately (the FBI is offering a $5 million reward for information on the 14 men).