For years, a clandestine network of information technology workers employed by U.S. companies has covertly channeled millions of dollars of their earnings to North Korea in support of its ballistic missile program, according to officials from the FBI and the Department of Justice. On Wednesday, the Department of Justice revealed that these IT workers, dispatched and contracted by North Korea to work remotely with firms in St. Louis and other parts of the United States, had been using fraudulent identities to secure these positions. The money they earned was subsequently funneled into North Korea’s weapons development efforts, as disclosed by FBI leaders during a press conference held in St. Louis.
As part of their ongoing investigation, federal authorities have seized $1.5 million in illicit funds and taken control of 17 domain names associated with the illicit operation.
Jay Greenberg, the special agent in charge of the FBI’s St. Louis office, cautioned that any company that engaged freelance IT workers in the past was highly likely to have unwittingly employed individuals involved in this scheme. Furthermore, an FBI spokeswoman disclosed that North Korean operatives had contracted with various companies across the United States, as well as in some other nations.
Rebecca Wu, the spokeswoman, said, “We can tell you that there are thousands of North Korea IT workers that are part of this.”
North Korean IT Freelancers’ Covert Scheme Revealed
According to FBI officials, the prevalence of this scheme emphasizes the need for companies to exercise extra caution when verifying the backgrounds of their new hires. This caution includes requiring job candidates to participate in video interviews at the very least.
In a press release, Greenberg stated, “At a minimum, the FBI recommends that employers take additional proactive steps with remote IT workers to make it harder for bad actors to hide their identities.”
John Hultquist, who heads threat intelligence at cybersecurity firm Mandiant, has revealed that North Korea’s practice of enlisting IT freelancers to support its weapons program has been ongoing for over a decade. However, the COVID-19 pandemic provided a significant boost to these efforts.
Hultquist explained, “I think the post-COVID world has created a lot more opportunity for them because freelancing and remote hiring are a far more natural part of the business than they were in the past.” Hultquist also noted that North Korea uses individuals in other fields to channel funds back into its weapons program. Nonetheless, the higher wages offered to tech workers make them a more lucrative resource.
Government authorities have recently revealed a scheme involving North Korean workers who were hired by companies, albeit unknowingly, to work remotely under false pretenses. The specific companies involved, the inception date of this practice, and the exact means by which investigators discovered it have not been disclosed. However, federal authorities have been aware of this covert operation for some time.
IT Workers of North Korea Exploiting Deceptive Employment Tactics and Cyber Espionage
In May 2022, the State Department, the Department of the Treasury, and the FBI jointly issued an advisory cautioning against North Koreans attempting to secure employment while impersonating non-North Korean nationals. This advisory highlighted North Korea’s increasing emphasis on education and training in IT-related fields in recent years.
According to court documents, the North Korean government dispatched a significant number of skilled IT professionals to reside in China and Russia primarily. Their objective was to deceive businesses in the United States and other countries into hiring them as freelance remote employees. These IT workers generated substantial annual wages, funneling the earnings to benefit North Korea’s weapons programs. Shockingly, some North Korean workers infiltrated the computer networks of the companies that employed them, pilfering sensitive information. Additionally, they maintained access to these networks for potential hacking and extortion activities.
The North Korean workers employed various techniques to create the illusion that they were working from within the United States. This included compensating Americans to use their home Wi-Fi connections for this purpose.
These revelations come at a time when tensions on the Korean Peninsula are notably high. North Korea has conducted more than 100 missile tests since the beginning of 2022, prompting the United States to expand its military exercises with its Asian allies in response.
In recent years, the U.S. Justice Department has actively sought to expose and disrupt various criminal schemes designed to support North Korea’s regime, including its nuclear weapons program. For example, in 2016, four Chinese nationals and a trading company were charged with using front companies to evade sanctions aimed at North Korea’s nuclear weapons and ballistic missile initiatives.
North Korean Hacking Operations and Geopolitical Implications
Two years ago, the Justice Department charged three North Korean computer programmers and members of the government’s military intelligence agency in connection with a range of global hacking incidents believed to have been carried out at the regime’s behest. This prosecution revealed the profit-driven motive behind North Korea’s criminal hacking, which is distinct from other adversarial nations like Russia, China, and Iran, primarily interested in espionage, intellectual property theft, or disrupting democratic processes.
In September, North Korean leader Kim Jong Un called for a significant increase in the production of nuclear weapons and for North Korea to play a more prominent role in a coalition of nations challenging the United States in what is referred to as a “new Cold War.”
Furthermore, in February, United Nations experts reported that North Korean hackers working on behalf of the government had stolen a record-breaking amount of virtual assets last year, estimated to be worth between $630 million and over $1 billion. These hackers employed increasingly sophisticated techniques to breach digital networks involved in cyberfinance and to steal valuable information related to North Korea’s nuclear and ballistic missile programs from governments, individuals, and companies.
