Full Report
The U.S. Department of Justice (DoJ) has indicted 14 nationals belonging to the Democratic People's Republic of Korea (DPRK or North Korea) for their alleged involvement in a long-running conspiracy to violate sanctions and commit wire fraud, money laundering, and identity theft by illegally seeking employment in U.S. companies and non-profit organizations. "The conspirators, who worked for
Analysis Summary
# Threat Actor: DPRK IT Workers (Wagemole) & Citrine Sleet (Lazarus Sub-Cluster)
## Attribution & Identity
The primary focus is on 14 indicted North Korean nationals involved in a multi-year sanctions evasion and fraud scheme. These individuals worked for DPRK-controlled entities: **Yanbian Silverstar** (PRC) and **Volasys Silverstar** (Russia).
The article also mentions **Citrine Sleet** (also known as Gleaming Pisces, Labyrinth Chollima, Nickel Academy, and UNC4736), described as a sub-cluster of the **Lazarus Group**, linked to the Radiant Capital heist.
**Known Aliases/Monikers:**
* Wagemole (for the IT worker scheme)
* Citrine Sleet
* Gleaming Pisces
* Labyrinth Chollima
* Nickel Academy
* UNC4736
## Activity Summary
The primary activities described fall into two categories:
1. **Sanctions Evasion and Wire Fraud (Wagemole):** 14 indicted DPRK nationals illegally sought remote employment in U.S. companies and non-profit organizations using false or stolen identities. This scheme generated approximately $88 million for the North Korean regime over six years. The workers also engaged in information theft (proprietary source code) and subsequent extortion attempts.
2. **Cryptocurrency Theft (Citrine Sleet):** This cluster was attributed to a \$50 million cryptocurrency heist against the DeFi platform Radiant Capital in October 2024, leveraging social engineering targeting developers.
## Tactics, Techniques & Procedures
**General DPRK IT Worker Scheme (Wagemole):**
* **Identity Spoofing:** Used false, stolen, or borrowed identities (U.S. and others) to conceal North Korean origin.
* **Geographic Deception:** Utilized proxy computers, VPNs/VPSs, pseudonymous online accounts (email, social media, job sites).
* **Laptop Farms:** Established arrangements in the U.S. where local residents received and set up company-issued laptops, allowing remote connection from DPRK-controlled locations to create the illusion of local work presence.
* **Illicit Finance:** Routed illicit proceeds through U.S. and Chinese financial systems back to Pyongyang.
* **Extortion:** Threatening to leak stolen proprietary data unless ransoms were paid.
* **Front Companies:** Operated under the guise of legitimate IT services firms, utilizing 29 seized phony website domains to mimic Western companies.
* **Internal Motivation:** Employed "socialism competitions" within the sanctioned companies (Yanbian Silverstar/Volasys Silverstar) to incentivize higher revenue generation.
**Citrine Sleet (Lazarus Sub-Cluster):**
* **Social Engineering:** Orchestrated "Operation Dream Job," enticing developers with lucrative job opportunities.
* **Malware Delivery:** Delivered macOS backdoor (`INLETDRIFT`) via a deceptive link (PDF within a ZIP archive) sent over Telegram, often posing as a trusted contact.
* **Targeted Compromise:** Compromised developer devices, allowing malicious transactions to be signed in the background while front-end interfaces displayed benign data.
* **Project Collaboration/Coding Tests:** Tactics included masquerading as opportunities to review code or contribute to GitHub projects (e.g., Contagious Interview, Jade Sleet).
## Targeting
**Sectors:**
* Information Technology (IT) Services (remote employment targeting)
* Financial Services/DeFi (Radiant Capital heist)
* U.S. Companies and Non-Profit Organizations (general victims of the IT worker scheme)
**Geography:**
* Employees located primarily in the **People's Republic of China (PRC)** and the **Russian Federation**.
* Targeted employers located in the **United States** and "other businesses worldwide."
**Victims:**
* Unspecified U.S. companies and non-profits who hired the fraudulent workers.
* **Radiant Capital** (victim of the \$50M crypto heist).
* At least one employer suffered hundreds of thousands of dollars in damages after refusing an extortion demand.
## Tools & Infrastructure
**Malware Families Used:**
* **INLETDRIFT:** macOS backdoor used by Citrine Sleet post-compromise.
* Implied use of other proprietary/custom malware related to access and data exfiltration for the Wagemole scheme.
**Infrastructure (Defanged):**
* Front companies: Yanbian Silverstar and Volasys Silverstar.
* Seized website domains used to mimic Western IT services firms (29 domains seized in total).
* C2 Example (Citrine Sleet): `atokyonews[.]com`
## Implications
These activities represent a systematic and extensive effort by the DPRK government to generate hundreds of millions of dollars in hard currency through cybercrime and sanctions evasion, blurring the lines between state-sponsored espionage/theft and basic financial fraud. The IT worker scheme highlights the successful weaponization of the global remote workforce ecosystem. The inclusion of Citrine Sleet suggests that these financially motivated groups are also actively engaged in high-value attacks like DeFi protocol exploitation.
## Mitigations
* Enhanced insider threat programs focused on scrutinizing remote developer hires, particularly those claiming non-U.S. residency or using unusual connection paths.
* Strict multi-factor authentication and robust monitoring of all remote access sessions.
* Security teams should scrutinize unexpected contact from "trusted" external parties offering job opportunities, especially via messaging platforms like Telegram, which can lead to sophisticated supply chain or developer compromise.
* Implement strict egress filtering and network monitoring to detect communications to known or suspicious C2 infrastructure.
* Review enterprise procurement processes to identify and vet third-party IT service providers against known sanctions lists.