Full Report
The U.S. Department of Justice (DoJ) on Friday announced that five individuals have pleaded guilty to assisting North Korea's illicit revenue generation schemes by enabling information technology (IT) worker fraud in violation of international sanctions. The five individuals are listed below: Audricus Phagnasay, 24; Jason Salazar, 30; Alexander Paul Travis, 34; Oleksandr Didenko, 28; and Erick
Analysis Summary
# Threat Actor: North Korea (via Proxies/Facilitators)
## Attribution & Identity
The primary beneficiary is the **North Korean regime (DPRK)**, leveraging individuals (naturalized U.S. citizens and foreign nationals) as facilitators to circumvent international sanctions and generate illicit revenue through IT worker fraud.
**Key Facilitators Pleading Guilty:**
* Audricus Phagnasay (24)
* Jason Salazar (30)
* Alexander Paul Travis (34)
* Oleksandr Didenko (28) (Ukrainian national)
* Erick Ntekereze Prince (30) (Allegedly operated Taggcar Inc.)
**Previously Indicted/Mentioned Associates:**
* Christina Marie Chapman (Operated a laptop farm; sentenced previously)
* Pedro Ernesto Alonso De Los Reyes (Pending extradition)
* Emanuel Ashtor (Awaiting trial)
* Jin Sung-Il (진성일)
* Pak Jin-Song (박진성)
## Activity Summary
This activity centers on a large-scale, coordinated scheme to deploy North Korean IT workers into U.S. companies under stolen or fraudulently acquired identities. This effort spanned from at least September 2019 through November 2022, generating over **$2.2 million** in revenue for the DPRK regime.
The activities involved:
1. **Identity Theft/Acquisition:** Stealing or borrowing U.S. citizen identities (Didenko allegedly managed 871 proxy identities).
2. **Job Placement:** Using these identities to secure remote IT jobs at U.S. firms via online freelance work platforms (based in California and Pennsylvania).
3. **Infrastructure Evasion:** Establishing "laptop farms" in the U.S. homes of facilitators to host company-issued equipment.
4. **Revenue Laundering:** Facilitating the transfer of employment income out of the U.S. using Money Service Transmitters.
## Tactics, Techniques & Procedures
The TTPs identified focus primarily on **Business Email Compromise (BEC) support and Identity Fraud** to bypass corporate vetting and compliance controls:
- **T1136.001: Identity Spoofing/Theft (Account Creation):** Stealing or borrowing U.S. citizen identities to create profiles and secure employment.
- **T1560.004: Interception of Physical Assets:** Hosting company-issued laptops at U.S.-based residences ("laptop farms").
- **T1560.002: Remote Access Software:** Installing remote desktop software on company laptops without authorization, allowing overseas workers to control the machines.
- **T1569.002: Appearance Verification/Physical Presence Simulation:** Facilitators (Salazar and Travis) appeared for drug testing on behalf of the overseas workers.
- **T1573.001: Network Evasion – Financial:** Using Money Service Transmitters to route employment income to overseas accounts, bypassing traditional U.S. bank scrutiny.
- **T1588.002: Infrastructure Acquisition (Website Hosting):** Didenko ran a website, `Upworksell[.]com` (now seized), dedicated to selling/renting stolen identities.
## Targeting
- **Sectors:** General employment sectors utilizing remote Information Technology (IT) workers, including firms relying on online freelance work platforms.
- **Geography (Targeted Victims):** United States companies (136 victim companies impacted). Freelance platforms were noted as being based in California and Pennsylvania.
- **Geography (Actor Location):** Facilitators were based in the U.S. (e.g., residences used for laptop farms). Overseas IT workers were located outside the U.S. (implied location: North Korea).
- **Victims:** Over 136 U.S. victim companies. Over 18 U.S. persons whose identities were compromised.
## Tools & Infrastructure
- **Malware Families Used:** None named. The tooling cited is commercial remote desktop software (specific vendor not named), installed on company laptops without authorization to give overseas workers control of the machines.
- **Infrastructure (C2, domains, IPs):**
  - Website: **upworksell[.]com** (used for identity sales; seized by DoJ).
  - Physical infrastructure: "laptop farms" established in U.S. residences across multiple states.
  - Corporate entities: Taggcar Inc. (allegedly operated by Prince), used to supply "certified" IT workers.
## Implications
This operation highlights the sophistication with which the DPRK government adapts sanctions evasion strategies by weaponizing the U.S. financial and employment ecosystems. The success in placing actors in over 136 companies, using physical fraud (drug testing) and digital infrastructure (remote access, synthetic identities), demonstrates a persistent, high-yield revenue stream that relies heavily on corruptible U.S. facilitators. The revenue generated directly funds the regime.
## Mitigations
- **Enhanced Remote Access Monitoring:** Implement strict policies and monitoring for unauthorized remote desktop software installation on company-issued hardware, especially for roles where physical presence/local work is expected.
- **Vetting and Identity Verification:** Companies must implement robust identity verification protocols that go beyond standard background checks, particularly for remote IT workers (e.g., biometric confirmation for mandatory physical activities like drug testing).
- **Supply Chain Risk Management:** Rigorously vet outsourced IT personnel or freelance contractors to ensure compliance with international sanctions and employment eligibility laws.
- **Financial Transaction Monitoring:** Increase scrutiny of the methods used to route seemingly legitimate salary payments internationally, particularly where they are linked to high-risk freelance platforms or complex money service transmitter chains.
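The first two mitigations can be turned into endpoint-telemetry checks. The sketch below is an added example, not code from the DoJ report or any named vendor: it flags company laptops carrying remote-access software that is not on an IT allow-list, and (generalizing from the "laptop farm" pattern above) several employees' laptops all checking in from one public IP. The check-in records, the allow-list `APPROVED_REMOTE_TOOLS` and the keyword watch-list are constructed for illustration; the report names no specific remote desktop product.

```python
"""Two laptop-farm signals from endpoint check-in data (constructed sample)."""
from collections import defaultdict

# Hypothetical allow-list of remote-support tools IT has sanctioned.
APPROVED_REMOTE_TOOLS = {"CorpHelpdeskRemote"}
# Illustrative substrings matching common remote-desktop products in an
# installed-software inventory; tune to your own inventory naming.
REMOTE_TOOL_KEYWORDS = ("anydesk", "teamviewer", "rustdesk", "splashtop", "vnc")

# Constructed check-ins: (hostname, assigned_user, public_ip, installed_apps).
# Three different employees' laptops report from the same residential IP.
CHECKINS = [
    ("LT-1041", "j.doe",   "203.0.113.7",   ["Slack", "AnyDesk"]),
    ("LT-1102", "a.smith", "203.0.113.7",   ["Slack", "Zoom"]),
    ("LT-1150", "m.lee",   "203.0.113.7",   ["TeamViewer"]),
    ("LT-2001", "r.chen",  "198.51.100.20", ["CorpHelpdeskRemote"]),
]


def unapproved_remote_tools(apps):
    """Return installed apps that look like remote-access tools and are not allow-listed."""
    return [
        a for a in apps
        if a not in APPROVED_REMOTE_TOOLS
        and any(k in a.lower() for k in REMOTE_TOOL_KEYWORDS)
    ]


def shared_ip_clusters(checkins, min_users=3):
    """Map public IP -> sorted users when at least min_users distinct users share it."""
    users_by_ip = defaultdict(set)
    for _host, user, ip, _apps in checkins:
        users_by_ip[ip].add(user)
    return {ip: sorted(u) for ip, u in users_by_ip.items() if len(u) >= min_users}


def findings(checkins, min_users=3):
    """Combine both signals into (subject, finding_type, detail) tuples for triage."""
    out = []
    for host, _user, _ip, apps in checkins:
        bad = unapproved_remote_tools(apps)
        if bad:
            out.append((host, "unapproved_remote_tool", ", ".join(bad)))
    for ip, users in shared_ip_clusters(checkins, min_users).items():
        out.append((ip, "shared_public_ip", ", ".join(users)))
    return out


if __name__ == "__main__":
    for f in findings(CHECKINS):
        print(f)
```

A shared-IP hit is a lead, not proof: a co-working space or a household with two employees will also trigger it, so pair it with the role's expected work location before escalating.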