The US is looking to finally capture the $7.74 million it froze over two years ago after indicting alleged money launderers it claims are behind North Korean IT worker schemes.
The Department of Justice (DoJ) filed a civil forfeiture complaint on Thursday with the intent of seizing the cash it restrained following the indictments against three individuals who it alleges helped launder money for the North Korean government.
Sim Hyon Sop of North Korea, Wu HuiHui of China, Cheng Hung Man, a Hong Kong British national, and an individual known only as Chen, were indicted in April 2023 for allegedly helping North Korea and its crafty IT specialists extract cash from the US economy via tech jobs, all while evading US sanctions.
The spate of North Korean IT workers infiltrating US companies is well documented, and thousands of workers are thought to have secured roles at Fortune 500 companies and even cybersecurity companies.
Workers secure employment with various US tech companies while being stationed overseas, in countries like Russia and China, the complaint states.
They often pass interviews and background checks using either fake or fraudulently acquired identification documents of genuine US citizens, and retain their roles by having multiple people share the workload to produce the best work. It’s a tactic to make that individual seem like a more attractive hire for an employer, despite the suspicious nature of the setup.
Various other techniques are used to hide their locations and prevent their real identities from being discovered, the complaint states.
US citizens have also been roped into the schemes. In February, one Arizona woman pleaded guilty to running a so-called laptop farm between 2020 and 2023. This bank of laptops, located in the US and connected to a US IP address, was controlled remotely by overseas IT workers, allowing them to appear as though they were, in fact, working from the US.
This single scheme alone is thought to have helped generate more than $17 million for the hermit kingdom.
North Korean Supreme Leader Kim Jong Un’s primary objective for implanting these workers in the US, the government says, is to illegally extract money from the US economy to fund North Korea’s weapons program.
According to the DoJ in December, these schemes have netted around $88 million for North Korea over the previous six years, although the Treasury claimed in January that the revenues reach hundreds of millions of dollars annually.
“The FBI’s investigation has revealed a massive campaign by North Korean IT workers to defraud US businesses by obtaining employment using the stolen identities of American citizens, all so the North Korean government can evade US sanctions and generate revenue for its authoritarian regime,” said Roman Rozhavsky, assistant director at the FBI Counterintelligence Division.
“Today’s action shows the FBI will do everything in our power to protect Americans from being victimized by the North Korean government, and we ask all US companies that employ remote workers to remain vigilant to this new and sophisticated threat.”
According to the DoJ, the IT workers would try to secure jobs with employers that would agree to pay them in stablecoins such as USDC and USDT – less volatile cryptocurrencies tied to the value of fiat currencies like the US dollar.
These tokens would then be laundered by moving them in small amounts through multiple accounts set up under fictitious identities, transferring them to other blockchains, and commingling them to hide their origin.
Once laundered, the tokens would then be sent back to North Korea by the likes of Sim Hyon Sop and North Korean national Kim Sang Man, who is the CEO at an IT company known as Chinyong, which is linked to North Korea’s Ministry of Defense.
Chinyong employs North Koreans, based overseas in countries like Russia and Laos, who go on to secure work in the US, while sending around 90 percent of the funds they generate back to the government.
However, the schemes are becoming increasingly difficult to operate in the US as law enforcement has become adept at spotting the patterns after years of investigating them.
Google said recently that its threat intelligence team has seen signs of the schemes broadening out to Europe, with evidence of sophisticated facilitators residing in the UK.
North Korea also reads the advice the FBI dishes out to organizations in its public awareness campaigns, and tweaks its own tactics in response.
However, some employers have found their own ways of weeding out Kim’s troops during the interview process.
One CrowdStrike veep said during a panel at RSA in April that asking a derogatory question about Kim Jong Un, like “how fat is your supreme leader?” will often lead to candidates just terminating the call, fearing the consequences of going along with the ruse. ®