IT workers dispatched and contracted by North Korea to work remotely with US companies have been using false identities to get jobs and the money they earned was funneled to the North Korean weapons program, the US Department of Justice announced Oct. 18. Federal authorities seized $1.5 million and 17 domain names as part of an ongoing investigation.

The US seized 17 website domains used by Democratic People’s Republic of Korea IT workers in a scheme to defraud US and foreign businesses, evade sanctions and fund the development of the DPRK government’s weapons program, according to the department. These seizures follow the previously sealed October 2022 and January 2023 court-authorized seizures of approximately $1.5 million of the revenue that the same group of IT workers collected from unwitting victims of the scheme as well as the development of public-private information-sharing partnerships that denied the IT workers access to their preferred online freelance work and payment service providers.

Certain DPRK IT workers designed the website domains seized to appear as domains of legitimate, US-based IT services companies, thereby helping the IT workers hide their true identities and location when applying online to do remote work for US and other businesses worldwide. In reality, this specific group of DPRK IT workers — who work for the PRC-based Yanbian Silverstar Network Technology Co. Ltd. and the Russia-based Volasys Silver Star — had previously been sanctioned in 2018 by the Department of the Treasury. These IT workers funneled income from their fraudulent IT work back to the DPRK through online payment services and Chinese bank accounts.

In some instances, the IT workers also infiltrated the computer networks of unwitting employers to steal information and maintain access for future hacking and extortion schemes. The US government last week issued an updated advisory about the scheme.

“The Democratic People’s Republic of Korea has flooded the global marketplace with ill-intentioned information technology workers to indirectly fund its ballistic missile program. The seizing of these fraudulent domains helps protect companies from unknowingly hiring these bad actors and potentially damaging their business,” Special Agent in Charge Jay Greenberg of the FBI St. Louis Division said in the press statement. “This scheme is so prevalent that companies must be vigilant to verify whom they’re hiring. At a minimum, the FBI recommends that employers take additional proactive steps with remote IT workers to make it harder for bad actors to hide their identities. Without due diligence, companies risk losing money or being compromised by insider threats they unknowingly invited inside their systems.”

“The seizures announced today protect US companies from being infiltrated with North Korean computer code and help ensure that American businesses are not used to finance that regime’s weapons program,” Assistant Attorney General Matthew G. Olsen of the Justice Department’s National Security Division said in a press statement. “The Department of Justice is committed to working with private sector partners to protect US business from this kind of fraud, to enhance our collective cybersecurity and to disrupt the funds fueling North Korean missiles.”