The U.S. Department of Justice (DoJ) on Thursday indicted two North Korean nationals, a Mexican national, and two of its own citizens for their alleged involvement in the ongoing fraudulent information technology (IT) worker scheme that seeks to generate revenue for the Democratic People’s Republic of Korea (DPRK) in violation of international sanctions.
The action targets Jin Sung-Il (진성일), Pak Jin-Song (박진성), Pedro Ernesto Alonso De Los Reyes, Erick Ntekereze Prince, and Emanuel Ashtor. Alonso, who resides in Sweden, was arrested in the Netherlands on January 10, 2025, after a warrant was issued.
All five defendants have been charged with conspiracy to cause damage to a protected computer, conspiracy to commit wire fraud and mail fraud, conspiracy to commit money laundering, and conspiracy to transfer false identification documents. Jin and Pak have also been charged with conspiracy to violate the International Emergency Economic Powers Act. If convicted, each of them faces a maximum penalty of 20 years in prison.
The development is the latest step taken by the U.S. government to disrupt the ongoing campaign that involves North Korean nationals using forged and stolen identities to obtain remote IT work at U.S. companies through laptop farms operated within the country.
Other efforts include the August 2024 arrest of a Tennessee man for helping North Koreans land jobs in U.S. firms and the indictment of 14 DPRK nationals last month for purportedly generating $88 million over the course of a six-year conspiracy. Last week, the U.S. Treasury sanctioned two North Korean nationals and four companies based in Laos and China for their work on the IT worker scheme.
“From approximately April 2018 through August 2024, the defendants and their unindicted co-conspirators obtained work from at least sixty-four U.S. companies,” the DoJ said. “Payments from ten of those companies generated at least $866,255 in revenue, most of which the defendants then laundered through a Chinese bank account.”
According to the indictment document, Jin applied for a position at an unnamed U.S. IT company in June 2021 by using Alonso’s identity with his consent and one of Ntekereze’s New York addresses, subsequently securing the opportunity for a salary of $120,000 per year.
Ashtor’s North Carolina residence, per the Justice Department, operated a laptop farm that hosted the company-provided laptops with the goal of deceiving the firms into thinking that their new hires were located in the country when, in reality, they have been found to remotely log in to these systems from China and Russia.
Both Ntekereze and Ashtor received laptops from U.S. company employers at their homes and proceeded to download and install remote access software like AnyDesk and TeamViewer without authorization in order to facilitate the remote access. They also conspired to launder payments for the remote IT work through a variety of accounts designed to promote the scheme and conceal its proceeds, the DoJ added.
In furtherance of the scheme, Ntekereze is said to have used his company Taggcar Inc. to invoice a U.S. staffing company eight times, totaling about $75,709, for the IT work performed by Jin, who was masquerading as Alonso. A portion of the payment was then transferred to an online payment platform held in the name of Alonso that was accessible to both Jin and Alonso.
The wide-ranging effort by North Korea to have their citizens employed at companies across the world is seen as an attempt to earn high-paying IT salaries that can be funneled back to the country to serve the regime’s priorities and gain access to sensitive documents for financial leverage.
The IT worker scam, as reiterated by the U.S. Federal Bureau of Investigation (FBI) in a separate advisory, involves the use of pseudonymous email, social media, and online job site accounts, as well as false websites, proxy computers, and witting and unwitting third-parties located in the U.S. and elsewhere.
“In recent months, in addition to data extortion, FBI has observed North Korean IT workers leveraging unlawful access to company networks to exfiltrate proprietary and sensitive data, facilitate cyber-criminal activities, and conduct revenue-generating activity on behalf of the regime,” the agency said.
“After being discovered on company networks, North Korean IT workers have extorted victims by holding stolen proprietary data and code hostage until the companies meet ransom demands. In some instances, North Korean IT workers have publicly released victim companies’ proprietary code.”
Other instances entail the theft of company code repositories from GitHub and attempts to harvest sensitive company credentials and session cookies to initiate work sessions from non-company devices.
It’s not just a U.S. phenomenon, as a new report from threat intelligence firm Nisos reveals that several Japanese firms have also landed themselves in the crosshairs of DPRK IT workers. It specifically highlighted the case of one such IT worker who has held software engineering and full-stack developer roles with different firms since January 2023.
The IT worker personas have been fleshed out digitally to lend them a veneer of legitimacy, complete with accounts on GitHub and freelance employment websites like LaborX, ProPursuit, Remote OK, Working Not Working, and Remote Hub, not to mention creating personal websites containing manipulated stock images and hosting resumes with content borrowed from other personas.
“The individual appears to be currently employed under the name Weitao Wang at Japanese consulting company, Tenpct Inc., and appears to have been previously employed under the name Osamu Odaka at Japanese software development and consulting firm, LinkX Inc.,” the company said in a report shared with The Hacker News.
