Full Report
The Justice Department has filed a civil forfeiture complaint alleging North Korean IT workers amassed $7m+
Analysis Summary
# Threat Actor: North Korean Government-Sponsored IT Workers (Sanctions Evasion Effort)
## Attribution & Identity
This activity is attributed to North Korean IT workers acting on behalf of the DPRK government, specifically involving staff from the North Korean Foreign Trade Bank (FTB).
**Known Aliases and Associated Groups:**
* **Sim Hyon Sop:** Staffer at the North Korean Foreign Trade Bank (FTB), allegedly conspired with the IT workers.
* **Kim Sang Man:** CEO of the "Jinyong IT Cooperation Company," acted as an intermediary between the IT workers.
## Activity Summary
The US Department of Justice (DoJ) filed a civil forfeiture complaint concerning North Korean IT workers who illegally gained employment with US companies to generate revenue for the DPRK regime, violating international sanctions. These workers amassed approximately $7.7 million. The funds were seized in 2023 in a case connected to Sim Hyon Sop. The core activity involves sophisticated financial laundering of the fraudulently obtained salaries.
## Tactics, Techniques & Procedures
- Illegally bypassing security and due diligence checks using fraudulent identity documents.
- Employing techniques to hide their true location and identity.
- Being paid salaries, often in stablecoins (USDC and USDT).
- **Laundering Techniques:**
  - Setting up accounts using fake identities.
  - Moving funds in a series of small amounts (structuring/smurfing).
  - Transferring funds to other blockchains ("chain hopping").
  - Converting digital currencies ("token swapping").
  - Purchasing Non-Fungible Tokens (NFTs) as a form of value storage.
  - Using US-based accounts to legitimize activity.
  - Commingling fraud proceeds to obscure origins.
## Targeting
- **Sectors:** US Companies (implied, as salaries were paid through US systems).
- **Geography:** The workers were located outside the US but employed by US entities; funds were laundered globally via cryptocurrency networks.
- **Victims:** US companies that unknowingly hired these individuals, and by extension, the US Treasury due to sanctions evasion.
## Tools & Infrastructure
- **Malware Families Used:** None explicitly mentioned; the evasion described relied on fraudulent identity documents and concealment of true location rather than on named malware.
- **Infrastructure (C2, Domains, IPs):** None reported.
- **Payment Methods:** Stablecoins such as USDC and USDT.
- **Laundering Techniques:** Use of various blockchains, token swapping exchanges, and potentially NFT marketplaces.
## Implications
This activity highlights the DPRK's persistent strategy of deploying overseas IT workers to circumvent international sanctions and generate illicit revenue. The sophistication in using modern financial instruments like stablecoins and NFTs demonstrates an evolving capability to obfuscate financial flows, posing a significant challenge to enforcement agencies attempting to trace and seize assets derived from these schemes.
## Mitigations
- Enhance vetting and due diligence for remote/contract workers, focusing on verifying identity documents against national databases.
- Review payment mechanisms for irregular salary sourcing, particularly those involving large volumes of stablecoins or frequent, untraceable cryptocurrency movements.
- Implement enhanced monitoring for rapid conversion or 'chain hopping' of cryptocurrency received as payment, especially when related to newly onboarded overseas contractors.
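The structuring and chain-hopping patterns listed under the laundering techniques are the same ones the monitoring mitigation above asks payment teams to watch for. The following is an added example, not from the complaint or any referenced tooling, showing two simple heuristics over a constructed transaction ledger: one flags an account that receives a salary-sized credit and fans it out as several smaller transfers within a short window, the other flags funds that leave a receiving address on a different chain shortly after arriving. The wallet names, amounts, thresholds and windows are all assumptions chosen for illustration.

```python
"""Heuristic detectors for structuring and chain hopping in a payment ledger.

Added example; the ledger below is constructed and the thresholds are assumptions.
"""
from datetime import datetime, timedelta

# Constructed sample ledger. wallet_A receives a USDC salary, splits it into
# four sub-threshold transfers, and one slice is bridged to another chain.
# wallet_Z is the benign control: salary received, one rent payment a week later.
SAMPLE_TXS = [
    {"ts": "2023-03-01T09:00:00", "src": "employer_payroll", "dst": "wallet_A",
     "amount": 9800.0, "asset": "USDC", "chain": "ethereum"},
    {"ts": "2023-03-01T10:05:00", "src": "wallet_A", "dst": "wallet_B",
     "amount": 2400.0, "asset": "USDC", "chain": "ethereum"},
    {"ts": "2023-03-01T10:20:00", "src": "wallet_A", "dst": "wallet_C",
     "amount": 2450.0, "asset": "USDC", "chain": "ethereum"},
    {"ts": "2023-03-01T11:00:00", "src": "wallet_A", "dst": "wallet_D",
     "amount": 2500.0, "asset": "USDC", "chain": "ethereum"},
    {"ts": "2023-03-01T11:40:00", "src": "wallet_A", "dst": "bridge_X",
     "amount": 2400.0, "asset": "USDC", "chain": "ethereum"},
    {"ts": "2023-03-01T12:10:00", "src": "bridge_X", "dst": "wallet_A2",
     "amount": 2395.0, "asset": "USDT", "chain": "tron"},
    {"ts": "2023-03-01T09:00:00", "src": "employer_payroll", "dst": "wallet_Z",
     "amount": 9800.0, "asset": "USDC", "chain": "ethereum"},
    {"ts": "2023-03-08T09:00:00", "src": "wallet_Z", "dst": "landlord",
     "amount": 3000.0, "asset": "USDC", "chain": "ethereum"},
]


def _ts(tx):
    return datetime.fromisoformat(tx["ts"])


def detect_structuring(txs, window=timedelta(hours=24), min_parts=3, split_ratio=0.8):
    """Flag accounts that receive a credit and fan it out as at least min_parts
    smaller outbound transfers, totalling at least split_ratio of the credit,
    within `window` of the credit. Returns (account, part_count, total) tuples."""
    txs = sorted(txs, key=_ts)
    findings = []
    for credit in txs:
        acct, t0 = credit["dst"], _ts(credit)
        parts = [t for t in txs
                 if t["src"] == acct
                 and t0 <= _ts(t) <= t0 + window
                 and t["amount"] < credit["amount"]]
        total = sum(t["amount"] for t in parts)
        if len(parts) >= min_parts and total >= split_ratio * credit["amount"]:
            findings.append((acct, len(parts), round(total, 2)))
    return findings


def detect_chain_hops(txs, window=timedelta(hours=6)):
    """Flag funds that arrive at an address on one chain and leave that address
    on a different chain within `window`. This treats the receiving address as
    the pivot (bridge or exchange deposit), a crude heuristic that produces
    review leads, not proof of laundering."""
    txs = sorted(txs, key=_ts)
    hops = []
    for inbound in txs:
        t0 = _ts(inbound)
        for outbound in txs:
            if (outbound["src"] == inbound["dst"]
                    and outbound["chain"] != inbound["chain"]
                    and t0 <= _ts(outbound) <= t0 + window):
                hops.append((inbound["dst"], inbound["chain"], outbound["chain"]))
    return hops


def triage(txs):
    """Run both detectors and return a summary suitable for an alert payload."""
    return {"structuring": detect_structuring(txs), "chain_hops": detect_chain_hops(txs)}


if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_TXS).items():
        print(f"{kind}: {hits}")
```

Both heuristics deliberately return every candidate rather than a score; in a real payment-monitoring pipeline the window and part-count thresholds would be tuned against the organization's own contractor payout history so that the benign control case (a single large payment days later) stays quiet while the fan-out pattern is surfaced for manual review.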