DOJ indicts 14 North Koreans who fraudulently earned $88 million working for US firms

Fourteen North Korean nationals have been indicted for their role in a long-running scam where they stole the identities of U.S. citizens and illegally obtained employment at U.S. companies, earning tens of millions of dollars that they allegedly funneled back to Pyongyang. 

The indictment was handed down in a Missouri federal court on Wednesday, charging the group with crimes related to wire fraud, money laundering and identity theft for their actions between April 2017 to March 2023.  

Over the six years, the 14 men were able to earn at least $88 million through employment as IT workers at U.S. companies and nonprofit organizations. The men were ordered to earn more than $10,000 a month, with several obtaining multiple jobs at the same time, and they supplemented their earnings by stealing sensitive corporate information. 

The Justice Department did not respond to requests for comment about how the $88 million figure was compiled. If accurate, it would mean each worker earned about $1 million each year. 

The indictment comes after several actions by U.S. authorities and companies over the last two years to stop similar campaigns, which North Korea has used to not only earn money for the government but gain access to sensitive information. 

In addition to the salaries, several successfully extorted the companies that hired them, threatening to leak proprietary source code and other information in exchange for one-time payments. The Justice Department said at least one company “sustained hundreds of thousands of dollars in damages after it refused the extortion demand of a conspirator who then publicly released the employer’s proprietary information.”

The 14 men worked for North Korea-controlled companies registered in China and Russia named Yanbian Silverstar and Volasys Silverstar respectively. Through the companies, the men “conspired to use false, stolen, and borrowed identities of U.S. and other persons to conceal their North Korean identities and foreign locations.”

The two companies employed at least 130 North Korean IT workers — known locally as “IT warriors.”

“To prop up its brutal regime, the North Korean government directs IT workers to gain employment through fraud, steal sensitive information from U.S. companies, and siphon money back to the DPRK,” said Deputy Attorney General Lisa Monaco. 

“This indictment of 14 North Korean nationals exposes their alleged sanctions evasion and should serve as a warning to companies around the globe — be on alert for this malicious activity by the DPRK regime.”

If convicted, the defendants each face a maximum penalty of 27 years in prison. It is unclear where the men are based, but Justice Department officials previously said other members of the IT worker scheme are based in North Korea, China and Russia — using conspiring U.S. citizens running laptop farms as conduits to make it look like they are in the United States. 

The State Department and FBI said they are offering a reward of $5 million for information on the 14 men. 

FBI Cyber Division Assistant Director Bryan Vorndran said U.S. companies and Americans who had their identities stolen were “victimized” by the scheme and U.S. Attorney Sayler Fleming added that the campaign was particularly harmful to “businesses seeking to employ large numbers of contract workers quickly.”

“North Korean IT workers continue to find ways to evade detection, so businesses need to closely vet employees to avoid having their sensitive data stolen and unwittingly funding North Korea’s government,” Fleming said. 

The Justice Department noted that this group of 14 North Koreans is “one of several” groups generating revenue for the North Korean government through IT worker schemes. As part of the indictments, the Justice Department was able to seize $320,000 and $444,800 from two bank accounts tied to the scheme. 

They previously seized $1.5 million and shut down dozens of internet domains used by the workers to provide fake credentials to potential employers. North Korean actors have been able to use an array of technological tools — from fake email addresses to fake social media accounts and fictitious job references — to facilitate the campaign. 

The Justice Department found that some even went so far as to pay U.S. citizens to attend job interviews or meetings in person using fake identities. But prosecutors noted that companies should have been more aware of obvious mistakes — including addresses and phone numbers that did not correspond to businesses as well as poor English on reference websites and resumes. 

Because of the high salaries of U.S. IT workers, North Korean groups have generated “hundreds of millions of dollars collectively each year, on behalf of designated entities, such as the North Korean Ministry of Defense and others directly involved in the DPRK’s UN-prohibited weapons of mass destruction programs,” the Justice Department said. 

Yanbian Silverstar and Volasys Silverstar allegedly held competitions among the workers, asking them to compete to see who could earn the most and offered bonuses to those who won. Some of the North Koreans were employed at U.S. companies for years, earning hundreds of thousands of dollars. 

FBI Special Agent in Charge Ashley Johnson noted that the 14 men indicted are “just the tip of the iceberg.” 

“The government of North Korea has trained and deployed thousands of IT workers to perpetrate this same scheme against U.S. companies every day,” she said. “Protect your business by thoroughly vetting fully remote IT workers. One of the ways to help minimize your risk is to insist current and future IT workers appear on camera as often as possible if they are fully remote.”