FBI warns that North Korean IT workers employed by companies under false identities are stealing confidential information and blackmailing their employers

On Thursday, January 23, 2025, the U.S. Department of Justice announced that it would indict five individuals, North Korean nationals Jin Song-il and Park Jin-sung, Mexican national Pedro Ernesto Alonso de los Reyes, and U.S. nationals Eric Ntekelese Prince and Emmanuel Ashtor, on fraud charges. The three, an American and a Mexican national, are alleged to be service providers for a '

https://www.justice.gov/opa/pr/two-north-korean-nationals-and-three-facilitators-indicted-multi-year-fraudulent-remote

DoJ Busts Up Another Multinational DPRK IT Worker Scam
https://www.darkreading.com/threat-intelligence/doj-multinational-dprk-it-worker-scam

US indicts five over lucrative six-year DPRK IT worker fraud • The Register
https://www.theregister.com/2025/01/24/north_korean_devs_and_their/

According to Devin DeBacker, superintendent of the National Security Division of the Department of Justice, the Department of Justice is working hard to crack down on cybercriminals who are trying to defraud American companies to evade sanctions and raise funds for the North Korean regime's priority 'weapons program.' As part of this effort, the Department of Justice is stepping up its crackdown not only on North Korean cybercriminals, but also on intermediaries who provide material support to North Korean cybercriminals. In addition, the Department of Justice is working hard not only to prevent damage, but also to detect and prevent future cybercrime.

'Our investigation uncovered a long-running scheme to unwittingly fund the North Korean regime and evade sanctions by employing North Korean IT workers as remote employees,' said Brian Von Doran, assistant director of the FBI's Cyber Division.

According to the indictment, over a six-year period from around April 2018 to around August 2024, the five indicted and unindicted co-conspirators obtained work from at least 64 U.S. companies and arranged work for North Korean IT workers. Of these, at least 10 companies paid $866,255 (approximately 135 million yen), and it has also been revealed that the five indicted engaged in money laundering using Chinese bank accounts.

The FBI has arrested Ntekereze and Ashtor, two of the five indicted, and is also investigating Ashtor's home in North Carolina. Ashtor operated a laptop farm that hosted laptops provided by companies and tricked companies into thinking they had hired workers based in the United States. Alonso was arrested in the Netherlands on January 10, 2025, based on a US arrest warrant. The three men used stolen personal information of Americans to hire several North Korean workers, including Song-il and Jin-song, to US companies under cover of their identities.

The five have been charged with conspiracy, wire fraud, mail fraud, money laundering, and transferring false identification documents. Song-il and Jin-sung have also been charged with violating the International Emergency Economic Powers Act and face up to 20 years in prison if convicted.

In order to evade sanctions imposed by the United States and other countries, North Korea has deceived companies into hiring its highly skilled IT workers, whom it has sent to China and Russia. These North Korean IT workers are said to be generating significant revenue, earning up to $300,000 a year individually, on behalf of the North Korean Ministry of Defense and other designated entities directly involved in North Korea's weapons of mass destruction programs.

Investigation reveals that North Korean IT worker 'UNC5267' has infiltrated multiple 'Fortune 100' companies - GIGAZINE

In response to the Department of Justice announcement, the FBI warned that North Korean IT workers working under false identities are stealing confidential corporate data and engaging in blackmail and other crimes.

Internet Crime Complaint Center (IC3) | North Korean IT Workers Conducting Data Extortion
https://www.ic3.gov/PSA/2025/PSA250123

It has long been known that North Korea is using false identities of its citizens to work as remote workers for American companies, and the FBI warned about this situation as of October 2023.

FBI warns that thousands of North Koreans are falsely identities and working as remote workers in other countries, sending wages to North Korea for missile program - GIGAZINE

While initially believed to be activities aimed at funding the North Korean government, the latest cases have also revealed that North Korean IT workers are stealing confidential data from and blackmailing companies that employ them. The FBI also warned, 'In addition to data extortion, in recent months, the FBI has observed North Korean IT workers using illegal access to corporate networks to steal proprietary and confidential data, facilitate cybercriminal activities, and generate revenue on behalf of the regime.'

The FBI lists three specific examples of extortion and theft of confidential data:

When North Korean IT workers are found on corporate networks, they will hold proprietary data or code hostage until the company meets their ransom demands. In some cases, North Korean IT workers have made the proprietary code of victims public.
North Korean IT workers are copying corporate code repositories, such as GitHub, to their own user profiles and personal cloud accounts. While not uncommon among software developers, this practice represents a significant risk of corporate code theft.
North Korean IT personnel may collect sensitive corporate credentials and session cookies and initiate work sessions from non-corporate devices, potentially opening up further opportunities for compromise.

The FBI has listed four tips for protecting your business from these attacks:

- Practice the principle of least privilege on your network, disabling local administrator accounts and limiting privileges for installing remote desktop applications.
Monitor and investigate unusual network traffic, such as remote connections to devices or the installation of prohibited remote desktop protocols or software. North Korean IT workers have been frequently observed logging into a single account multiple times in a short period of time from different IP addresses associated with different countries.
Monitor network logs and browser session activity to identify data exfiltration via easily accessible means such as shared drives, cloud accounts, or private code repositories.
- Monitor endpoints for the use of software that allows multiple simultaneous audio and video calls.