The U.S. government has announced the seizure of 17 website domains used by North Korean information technology (IT) workers as part of an illicit scheme to defraud businesses across the world, evade sanctions, and fund the country's ballistic missile program.
The Department of Justice (DoJ) said the U.S. confiscated approximately $1.5 million of the revenue that these IT workers collected from unwitting victims using the deceptive scheme in October 2022 and January 2023. It also called out North Korea for flooding the "global marketplace with ill-intentioned information technology workers."
Court documents allege that the dispatched workers primarily live in China and Russia with an aim to deceive companies in the U.S. and elsewhere into hiring them under fake identities, and ultimately generating "millions of dollars a year" in illicit revenues.
The development comes amid continued warnings from the U.S. about North Korea's reliance on its army of highly-skilled IT workers who hide behind front companies, aliases, and third-party nationalities to obtain jobs in the technology and virtual currency sectors and funnel back a significant chunk of their wages to the sanctions-hit nation.
Per Google-owned Mandiant, the IT workers are assessed to be part of the Workers' Party of Korea's (WPK) Munitions Industry Department.
"They are reportedly deployed both domestically and abroad to generate revenue and finance the country's weapons of mass destruction and ballistic missile programs," the threat intelligence company said earlier this month.
"These workers acquire freelance contracts from clients around the world and sometimes pretend to be based in the U.S. or other countries to secure employment. Although they mainly engage in legitimate IT work, they have misused their access to enable malicious cyber intrusions carried out by North Korea."
The seized 17 website domains, according to DoJ, masqueraded as the online face of legitimate, U.S.-based IT services companies in an attempt to conceal the true identities and location of the North Korean actors when applying online to do remote work for various firms.
But in reality, these workers are said to be working for the China-based Yanbian Silverstar Network Technology Co. Ltd. and the Russia-based Volasys Silver Star, both of which were previously sanctioned in 2018 by the Department of the Treasury.
The names of the seized domains are as follows -
- silverstarchina[.]com
- edenprogram[.]com
- xinlusoft[.]com
- foxvsun[.]com
- foxysunstudio[.]com
- foxysunstudios[.]com
- cloudbluefox[.]com
- cloudfoxhub[.]com
- mycloudfox[.]com
- thefoxcloud[.]com
- thefoxesgroup[.]com
- babyboxtech[.]com
- cloudfox[.]cloud
- danielliu[.]info
- jinyang[.]asia
- jinyang[.]services
- ktsolution[.]tech
The U.S. Federal Bureau of Investigation (FBI), in an advisory of its own, issued additional guidance on the new tradecraft used by the IT workers, including indications of cheating during coding tests and threats to release proprietary source codes if additional payments are not made.
"Employers need to be cautious about who they are hiring and who they are allowing to access their IT systems," said U.S. Attorney Sayler A. Fleming for the Eastern District of Missouri. "You may be helping to fund North Korea's weapons program or allowing hackers to steal your data or extort you down the line."
