Full Report
The U.S. government wants to confiscate millions of dollars in funds tied to illegal employment of North Korean IT workers at American companies.
Analysis Summary
# Threat Actor: North Korean State-Sponsored Entities operating Illicit IT Worker Schemes (Focus on Financial Facilitators)
## Attribution & Identity
The activities described are attributed to North Korea, specifically involving officials from the North Korean Foreign Trade Bank and individuals associated with the North Korean Ministry of Defense.
**Key Individuals Identified:**
* **Sim Hyon Sop:** North Korean Foreign Trade Bank representative based in Dubai (UAE), alleged to act as a central clearinghouse for the laundered proceeds.
* **Kim Sang Man:** North Korean official based in Vladivostok, Russia, who runs Chinyong, an IT company operating under North Korea's Ministry of Defense.
## Activity Summary
This actor focuses on generating illicit revenue for the North Korean regime, often to finance weapons programs, by exploiting global remote IT contracting and cryptocurrency ecosystems. The main scheme involves North Korean IT workers obtaining employment at U.S. companies using the stolen identities of American citizens. These workers generate revenue, which is then laundered through complex cryptocurrency transactions and routed back to North Korea via centralized facilitators like Sim Hyon Sop and Kim Sang Man. A recent focus of DOJ action, including civil forfeiture complaints and indictments, targets these financial facilitators.
## Tactics, Techniques & Procedures
- **Identity Fraud/Theft:** North Korean workers use stolen identities of American citizens to gain employment as developers, coders, or IT support staff.
- **Obfuscation/Anonymity (Crypto):** Setting up cryptocurrency accounts using forged identity documents (e.g., Russian identity documents).
- **Funds Laundering:** Layering the proceeds through many small transactions, swapping between cryptocurrencies, purchasing NFTs, and commingling funds in U.S.-based accounts to give the activity a legitimate appearance.
- **Geographic Dispersion:** Exploiting global infrastructure, with workers reportedly hired in Russia and Laos, and facilitators operating from the UAE and Russia.
- **Infrastructure Use:** Utilizing Korean-language devices accessed from the UAE and Russia.
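A detection check for the contradictions listed in the TTPs above (a claimed U.S. identity, logins from the UAE or Russia, a Korean-language device), as an added example that is not part of the report: the session records, field names and expected-locale table are constructed assumptions about what an identity-provider or endpoint-agent export would contain. The shared-device check goes beyond the report's TTPs and is included as a related indicator; it is an assumption, not a finding of the report.

```python
from collections import defaultdict
from dataclasses import dataclass

# Languages plausibly configured on a device used by someone who genuinely lives
# in the claimed country (assumption; an organisation would tune this table).
EXPECTED_LANGS = {"US": {"en", "es"}, "KR": {"ko"}, "RU": {"ru"}, "AE": {"ar", "en"}}


@dataclass(frozen=True)
class Session:
    worker_id: str        # contractor identity as hired
    claimed_country: str  # country on the identity documents presented at hiring
    geoip_country: str    # country of the source IP seen by the IdP at login
    os_locale: str        # locale reported by the endpoint agent, e.g. "ko-KR"
    device_id: str        # endpoint agent / hardware fingerprint


def session_flags(s: Session) -> list:
    """Flags for one session: login geography or device language that
    contradicts the claimed identity."""
    flags = []
    if s.geoip_country != s.claimed_country:
        flags.append(f"geo-mismatch:{s.geoip_country}!={s.claimed_country}")
    lang = s.os_locale.split("-")[0].lower()
    # Unknown claimed countries get no locale expectation and are not flagged.
    if lang not in EXPECTED_LANGS.get(s.claimed_country, {lang}):
        flags.append(f"locale-mismatch:{s.os_locale}")
    return flags


def shared_devices(sessions):
    """device_id -> set of worker_ids, for devices used under more than one identity
    (assumed indicator, beyond what the report describes)."""
    by_device = defaultdict(set)
    for s in sessions:
        by_device[s.device_id].add(s.worker_id)
    return {d: ids for d, ids in by_device.items() if len(ids) > 1}


def triage(sessions):
    """worker_id -> sorted list of flags, only for workers with at least one flag."""
    out = defaultdict(set)
    for s in sessions:
        out[s.worker_id].update(session_flags(s))
    for dev, ids in shared_devices(sessions).items():
        for w in ids:
            out[w].add(f"device-shared:{dev}")
    return {w: sorted(f) for w, f in out.items() if f}


# Constructed sample export: four contractors all hired under U.S. identities.
SAMPLE = [
    Session("w-1001", "US", "US", "en-US", "dev-a"),   # consistent
    Session("w-1002", "US", "AE", "ko-KR", "dev-b"),   # UAE login, Korean device
    Session("w-1003", "US", "RU", "ko-KR", "dev-b"),   # Russia login, same device
    Session("w-1004", "US", "US", "ko-KR", "dev-c"),   # U.S. IP but Korean device
]

if __name__ == "__main__":
    for worker, flags in triage(SAMPLE).items():
        print(worker, flags)
```

A single flag is a lead for HR and security to verify the hire, not proof of fraud; a U.S.-based login on a Korean-language device may simply be a bilingual employee. The combination of geo-mismatch, locale-mismatch and device sharing across identities is what warrants escalation.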
## Targeting
- Sectors: U.S. Companies (employing remote IT workers), Blockchain development companies.
- Geography: United States (primary victim/source of employment), UAE (financial operations hub), Russia (operational base for Kim Sang Man), Laos (worker base).
- Victims: U.S. businesses defrauded via employment scams; the U.S. government, whose sanctions are evaded.
## Tools & Infrastructure
- **Malware families used:** None named in the report. The scheme relies on fraudulent employment in legitimate software development and IT support roles rather than on malware; any overlap with other North Korean tooling is not documented here.
- **Infrastructure (C2, domains, IPs):** None reported; only operating locations and financial instruments are described.
* **Locations:** Dubai (Sim Hyon Sop), Vladivostok, Russia (Kim Sang Man).
* **Financial Instruments:** USDC and USDT (stablecoins) payments to workers; complex cryptocurrency laundering involving over-the-counter (OTC) traders sanctioned by OFAC.
## Implications
These schemes are a direct funding mechanism for North Korea's prohibited weapons programs and violate international sanctions. Combining the IT worker model with multi-stage cryptocurrency laundering (small transactions, asset swaps, NFTs, OTC desks) produces a resilient and evolving financial threat to the companies that unknowingly employ these workers and to the wider financial system.
## Mitigations
- Enhanced vetting of remote IT contractors, especially those working from abroad, including verification of identity and employment documents.
- Increased scrutiny of cryptocurrency transactions originating from regions known to harbor North Korean financial facilitators (e.g., UAE, Russia).
- Compliance teams should monitor for small, repetitive transactions used to layer cryptocurrency funds.
- Awareness campaigns for U.S. businesses regarding the known use of stolen identities in North Korean employment scams.
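The transaction-monitoring rule the laundering TTP and the compliance mitigations above call for, as an added example (not the report's or DOJ's code): it flags receivers that collect many sub-threshold transfers inside a short window (structuring) and accounts that receive one asset and send a different one out soon after (conversion). The ledger is constructed, and the thresholds are illustrative assumptions rather than regulatory values.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Transfer:
    ts: datetime
    src: str      # sending account / address
    dst: str      # receiving account / address
    asset: str    # e.g. "USDC", "USDT"
    amount: float


# Illustrative thresholds (assumptions, not regulatory values).
SMALL_AMOUNT = 3_000.0                # a single transfer below this is "small"
MIN_SMALL_COUNT = 5                   # this many small inbound transfers within WINDOW...
WINDOW = timedelta(days=7)            # ...is treated as structuring
CONVERSION_GAP = timedelta(hours=24)  # inbound asset A -> outbound asset B within this gap


def structuring_alerts(transfers):
    """dst -> largest number of sub-threshold inbound transfers seen in any WINDOW,
    reported only where that number reaches MIN_SMALL_COUNT."""
    inbound = defaultdict(list)
    for t in transfers:
        if t.amount < SMALL_AMOUNT:
            inbound[t.dst].append(t)
    alerts = {}
    for dst, txs in inbound.items():
        txs.sort(key=lambda t: t.ts)
        best = 0
        for i, first in enumerate(txs):
            # size of the window that opens at this transfer
            in_window = sum(1 for t in txs[i:] if t.ts - first.ts <= WINDOW)
            best = max(best, in_window)
        if best >= MIN_SMALL_COUNT:
            alerts[dst] = best
    return alerts


def conversion_alerts(transfers):
    """Sorted (account, asset_in, asset_out) triples for accounts that receive one
    asset and send a different one out within CONVERSION_GAP."""
    ins, outs = defaultdict(list), defaultdict(list)
    for t in transfers:
        ins[t.dst].append(t)
        outs[t.src].append(t)
    hits = set()
    for acct, received in ins.items():
        for r in received:
            for o in outs.get(acct, []):
                if o.asset != r.asset and timedelta(0) <= o.ts - r.ts <= CONVERSION_GAP:
                    hits.add((acct, r.asset, o.asset))
    return sorted(hits)


# Constructed ledger: wallet-X is paid in six small daily USDC transfers and
# then pushes the balance out as USDT to an OTC desk; wallet-Y is a normal payee.
T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE = [Transfer(T0 + timedelta(days=d), "payroll-A", "wallet-X", "USDC", 2_500.0)
          for d in range(6)]
SAMPLE += [
    Transfer(T0 + timedelta(days=5, hours=3), "wallet-X", "otc-desk-1", "USDT", 14_800.0),
    Transfer(T0 + timedelta(days=2), "payroll-A", "wallet-Y", "USDC", 8_000.0),
    Transfer(T0 + timedelta(days=3), "wallet-Y", "exchange-Z", "USDC", 8_000.0),
]

if __name__ == "__main__":
    print("structuring:", structuring_alerts(SAMPLE))
    print("conversion:", conversion_alerts(SAMPLE))
```

Both rules are deliberately simple sliding-window heuristics; in production the thresholds would be tuned to observed payroll baselines, and a hit on both rules for the same account (as wallet-X here) is the pattern worth escalating to a sanctions or OFAC screening review.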