Feds seize 17 web domains used by North Korean tech workers in fraud scheme


The U.S. government seized website domains that North Korean tech workers were using for a scheme to defraud American and foreign businesses, evade sanctions and support Pyongyang’s weapons program, the Justice Department announced on Wednesday.

These seizures “protect U.S. companies from being infiltrated with North Korean computer code and help ensure that American businesses are not used to finance that regime’s weapons program,” the department said.

In October 2022 and January 2023, the U.S. also seized $1.5 million of the revenue that the same group of North Korean tech workers stole from their victims, the department said.

According to court documents, the tech specialists created 17 website domains that appeared to belong to legitimate U.S.-based tech companies. They used these websites to conceal their real identities and locations while applying for remote work in the U.S. and international firms.

In reality, this group of North Koreans, employed by China-based Yanbian Silverstar Network Technology and Russia-based Volasys Silver Star, already faced sanctions in 2018 from the Department of the Treasury for sending the money they earned from their fraudulent work in the U.S. back to North Korea using online payment services and Chinese bank accounts.

The FBI also issued an announcement on Wednesday warning American and international companies against hiring North Korean tech workers.

Their recruitment, even unintentional, carries numerous risks, according to the FBI, including the potential theft of intellectual property, data, and money, as well as damage to one’s reputation and possible legal consequences like sanctions.

U.S. authorities claim that the North Korean government sent thousands of highly skilled tech workers to live abroad, mainly in China and Russia, to trick U.S. and global businesses into hiring them. Federal agencies issued similar alerts in 2022 and related sanctions in May of this year.

Maintaining their cover

The North Korean freelance workers supposedly used fake email addresses and social media profiles, as well as deceptive websites and proxy servers based in the U.S. and other locations to appear as legitimate job candidates to their employers.

The Justice Department said that they managed to generate millions of dollars annually to finance Pyongyang’s weapons of mass destruction programs.

In some cases, these tech workers also hacked into their employers’ computer networks to steal information and keep access for future hacking and extortion schemes.

The popularity of remote work has increased the chances of accidentally hiring North Korean bad actors, according to the FBI. U.S. law enforcement recommends that businesses, including U.S.-based online freelance work and payment service platforms used by tech workers, stay vigilant and watch for specific “red flags” to detect these threats early.

Some of the red flags include reluctance to appear on camera for video meetings, concerns about drug tests or in-person meetings, signs of cheating on coding tests, inconsistent social media profiles, repeated requests for prepayment, threats to release source codes and language preferences that don’t align with claimed origins.

To avoid accidentally hiring North Korean tech workers, companies should take certain precautions, according to the FBI. For example: they should only accept background checks they can trust, verify the candidate’s financial information, maintain records of interactions, secure devices, ask for notarized proof of identity and use reliable online freelance platforms with strong identity verification.

“Employers need to be cautious about who they are hiring and who they are allowing to access their IT systems,” said U.S. Attorney Sayler A. Fleming for the Eastern District of Missouri. “You may be helping to fund North Korea’s weapons program or allowing hackers to steal your data or extort you down the line.”

Get more insights with the

Recorded Future

Intelligence Cloud.

Learn more.

No previous article

No new articles

Daryna Antoniuk
is a freelance reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.


Leave a Reply

Your email address will not be published. Required fields are marked *

Previous Post

Feds seize 17 web domains used by North Korean tech workers in fraud scheme

Next Post

Eastern European energy and defense firms targeted with MATA backdoor

Related Posts