The U.S. government has taken action against North Korean information technology (IT) workers involved in an elaborate scheme to defraud businesses globally, evade sanctions, and support the country’s ballistic missile program. The Department of Justice (DoJ) disclosed that around $1.5 million in revenue collected by these IT workers from unsuspecting victims had been confiscated during operations in October 2022 and January 2023. This crackdown underscores the significant threat posed by North Korean IT scammers and their illicit activities.

The Deceptive Scheme

According to court documents, these North Korean IT workers primarily reside in China and Russia. They use fake identities to deceive U.S. and other international companies into hiring them, generating substantial illicit revenues amounting to millions of dollars annually. They operate behind front companies, aliases, and third-party nationalities to obtain jobs in the technology and virtual currency sectors, funneling a significant portion of their earnings back to North Korea.

The Seized Domains

The 17 website domains seized by the U.S. government were part of the deceptive scheme. These domains masqueraded as the online presence of legitimate U.S.-based IT service providers, making it challenging to uncover the true identities and locations of the North Korean actors when applying for remote work with various firms. The domains included:

• silverstarchina[.]com
• edenprogram[.]com
• xinlusoft[.]com
• foxvsun[.]com
• foxysunstudio[.]com
• foxysunstudios[.]com
• cloudbluefox[.]com
• cloudfoxhub[.]com
• mycloudfox[.]com
• thefoxcloud[.]com
• thefoxesgroup[.]com
• babyboxtech[.]com
• cloudfox[.]cloud
• danielliu[.]info
• jinyang[.]asia
• jinyang[.]services
• ktsolution[.]tech

Cybersecurity Threats

The North Korean IT workers have continued to pose a significant threat, deploying highly-skilled individuals who engage in legitimate IT work but misuse their access to enable malicious cyber intrusions. They are known to acquire freelance contracts from clients worldwide and sometimes pretend to be based in the U.S. or other countries to secure employment. Their activities help finance North Korea’s weapons of mass destruction and ballistic missile programs.

Remediation Steps

In light of this development, businesses need to exercise caution when hiring IT workers and granting them access to their systems. Here are some important steps to protect your business from falling victim to deceptive schemes similar to those orchestrated by North Korean IT scammers:

• Screen Job Applicants: Implement thorough background checks and verification processes for potential employees or contractors, especially those seeking remote IT work.
• Identity Verification: Verify the identity of individuals, especially if they claim to be based in a different country, and ensure they provide authentic documentation.
• Source Code Protection: Protect your proprietary source codes and intellectual property. Limit access to sensitive information and monitor code repositories for unauthorized access.
• Cybersecurity Training: Provide cybersecurity training to your employees to recognize and report suspicious activity and phishing attempts.
• Payment Vigilance: Be cautious about additional payment requests after hiring IT workers. Ensure that all payment terms are clearly defined in contracts.
• Regular Audits: Conduct regular security audits and penetration testing to identify vulnerabilities in your IT systems.
• Stay Informed: Keep up with the latest cybersecurity threats and trends through threat intelligence companies and government advisories.

By taking these precautionary measures, you can significantly reduce the risk of falling victim to deceptive schemes and protect your business from cyber threats. The recent U.S. government action serves as a reminder of the importance of vigilance and due diligence in the digital age.