“A federal court in St. Louis, Missouri, yesterday indicted 14 nationals of the Democratic People’s Republic of North Korea (DPRK or North Korea) with long-running conspiracies to violate U.S. sanctions and to commit wire fraud, money laundering, and identity theft. Specifically, the conspirators, who worked for DPRK-controlled companies Yanbian Silverstar and Volasys Silverstar, located in the People’s Republic of China (PRC) and the Russian Federation (Russia), respectively, conspired to use false, stolen, and borrowed identities of U.S. and other persons to conceal their North Korean identities and foreign locations and obtain employment as remote information technology (IT) workers for U.S. companies and nonprofit organizations.”
“The conspirators, some of whom were ordered by their superiors to earn at least $10,000 per month, generated at least $88 million throughout the approximately six-year conspiracy. In multiple instances, the conspirators supplemented their employment earnings by stealing sensitive company information, such as proprietary source code, and then threatening to leak such information unless the employer made an extortion payment. Ultimately, the conspirators used the U.S. and PRC financial systems to remit the proceeds of their activity to accounts in the PRC for the ultimate benefit of the DPRK government.”
“Today’s charges are the most recent step in an ongoing, two-year Department effort to disrupt this specific group of conspirators, one of multiple such DPRK groups attempting to generate revenue for the DPRK government through such schemes. Prior Department actions against this group include: (i) a January court-authorized seizure of approximately $320,000 (unsealed today); (ii) a July court-authorized seizure of approximately $444,800 (unsealed today); (iii) previously announced October 2022 and January 2023 court-authorized seizures of approximately $1.5 million; and (iv) previously announced October 2023 and May 2024 court-authorized seizures of 29 internet domains used by the same group to increase the bona fides and appeal of their assumed identities to prospective employers.”
“The DPRK has dispatched thousands of skilled IT workers around the world, earning revenue that contributes to the North Korean regime with the aim of deceiving U.S. and other businesses worldwide into hiring them as remote IT workers to generate revenue in violation of U.S. and U.N. sanctions. DPRK IT worker schemes involve the use of pseudonymous email, social media, payment platform and online job site accounts, as well as false websites, proxy computers, virtual private networks, virtual private servers and unwitting third parties located in the United States and elsewhere. As described in a May 2022 tri-seal public service advisory released by the FBI and its partners, which was updated in October 2023, such IT workers can individually earn up to $300,000 annually, generating hundreds of millions of dollars collectively each year, on behalf of designated entities, such as the North Korean Ministry of Defense and others directly involved in the DPRK’s UN-prohibited weapons of mass destruction programs.”
“The indictment alleges that the 14 conspirators worked for sanctioned North Korean-controlled companies Yanbian Silverstar and Volasys Silverstar in capacities ranging from senior company leaders to IT workers. These two organizations collectively employed at least 130 North Korean IT workers — referred to within these organizations as ‘IT Warriors.’ As alleged in the indictment, Yanbian Silverstar and Volasys Silverstar organized periodic ‘socialism competitions’ for their employees. During these competitions, IT workers would compete to generate money for the DPRK. Bonuses and other prizes were awarded to the top performers during these competitions. As part of their scheme, North Korean IT workers obtained salaried employment at numerous U.S.-based companies and nonprofit organizations. In some instances, U.S. employers unwittingly employed North Korean IT workers for years and paid them hundreds of thousands of dollars in salary.”
“The conspirators used many techniques to conceal their North Korean identities from employers. These included using stolen identities belonging to U.S. persons and others to apply for jobs; paying U.S. persons to attend job interviews and work meetings remotely under fake identities; and registering web domains and designing phony websites to convince prospective employers that the false identities were experienced, qualified, and previously employed by reputable contracting firms. As described in court documents, these websites contained indicia that should have aroused suspicion about their bona fides. For example, some of the physical addresses listed on the websites were home addresses, not office buildings; contact telephone numbers listed on the fake companies’ websites did not correspond to area codes of business locations; and the websites’ content included disjointed or nonsensical phrases, such as, ‘Nor, moreover, is there anyone who loves pain because it is pain, pursues it, wants to gain it, but.’”
“The conspirators also sought to avoid detection by paying U.S. persons to receive, set up, and host laptops sent from employers to the U.S. persons’ home addresses (often referred to as laptop farms). After these laptops were set up, the conspirators instructed the U.S. persons to install software that allowed them to access the laptops from overseas. By arranging to have laptops physically located in the United States, conspirators made it appear as if the fake U.S.-based employees were accessing laptops to do work, when in fact the IT workers were located outside the United States.”
“In some instances, the conspirators leveraged their access to proprietary corporate information to extort their U.S.-based employers for additional payments. These threats were not empty — IT workers would at times publish the business’s information online if they were not paid. One employer, for example, sustained hundreds of thousands of dollars in damages after it refused the extortion demand of a conspirator who then publicly released the employer’s proprietary information.”
“All 14 conspirators are charged with conspiracy to violate the International Emergency Economic Powers Act, conspiracy to commit wire fraud, conspiracy to commit money laundering, and conspiracy to commit identity theft. Eight conspirators are charged with aggravated identity theft. If convicted, the defendants each face a maximum statutory penalty of 27 years in prison.” (Source: US Department of Justice)