Related Post
Note: View the indictment here and FBI Wanted Posters here.
A federal court in St. Louis, Missouri, yesterday indicted 14 nationals of the Democratic People’s Republic of North Korea (DPRK or North Korea) with long-running conspiracies to violate U.S. sanctions and to commit wire fraud, money laundering, and identity theft. Specifically, the conspirators, who worked for DPRK-controlled companies Yanbian Silverstar and Volasys Silverstar, located in the People’s Republic of China (PRC) and the Russian Federation (Russia), respectively, conspired to use false, stolen, and borrowed identities of U.S. and other persons to conceal their North Korean identities and foreign locations and obtain employment as remote information technology (IT) workers for U.S. companies and nonprofit organizations.
The conspirators, some of whom were ordered by their superiors to earn at least $10,000 per month, generated at least $88 million throughout the approximately six-year conspiracy. In multiple instances, the conspirators supplemented their employment earnings by stealing sensitive company information, such as proprietary source code, and then threatening to leak such information unless the employer made an extortion payment. Ultimately, the conspirators used the U.S. and PRC financial systems to remit the proceeds of their activity to accounts in the PRC for the ultimate benefit of the DPRK government.
“To prop up its brutal regime, the North Korean government directs IT workers to gain employment through fraud, steal sensitive information from U.S. companies, and siphon money back to the DPRK,” said Deputy Attorney General Lisa Monaco. “This indictment of 14 North Korean nationals exposes their alleged sanctions evasion and should serve as a warning to companies around the globe — be on alert for this malicious activity by the DPRK regime.”
“Yesterday’s indictment is the latest in a series of actions under a National Security Division initiative launched earlier this year to disrupt North Korea’s efforts to generate revenue by duping American companies into hiring its citizens for remote work,” said Assistant Attorney General Matthew G. Olsen of the Justice Department’s for National Security Division. “This indictment and associated disruptions highlight the cybersecurity dangers associated with this threat, including theft of sensitive business information for the purposes of extortion.”
“The fourteen conspirators indicted yesterday victimized companies across the United States, as well as many Americans whose identities they stole, to generate revenue for the North Korean regime,” said Assistant Director Bryan Vorndran of the FBI’s Cyber Division. “The FBI will continue to work with our partners to expose and mitigate these fraudulent IT schemes and provide unwavering support to victims of North Korean cyber actors.”
“North Korean IT workers pose a sophisticated and persistent threat, especially to businesses seeking to employ large numbers of contract workers quickly,” said U.S. Attorney Sayler A. Fleming for the Eastern District of Missouri. “North Korean IT workers continue to find ways to evade detection, so businesses need to closely vet employees to avoid having their sensitive data stolen and unwittingly funding North Korea’s government.”
“While we have disrupted this group and identified its leadership, this is just the tip of the iceberg. The government of North Korea has trained and deployed thousands of IT workers to perpetrate this same scheme against U.S. companies every day,” said Special Agent in Charge Ashley T. Johnson of the FBI St. Louis Field Office. “Protect your business by thoroughly vetting fully remote IT workers. One of the ways to help minimize your risk is to insist current and future IT workers appear on camera as often as possible if they are fully remote.”
Today’s charges are the most recent step in an ongoing, two-year Department effort to disrupt this specific group of conspirators, one of multiple such DPRK groups attempting to generate revenue for the DPRK government through such schemes. Prior Department actions against this group include: (i) a January court authorized seizure of approximately $320,000 (unsealed today); (ii) a July court authorized seizure of approximately $444,800 (unsealed today); (iii) previously announced October 2022 and January 2023 court-authorized seizures of approximately $1.5 million; and (iv) previously announced October 2023 and May 2024 court-authorized seizures of 29 internet domains used by the same group to increase the bona fides and appeal of their assumed identities to prospective employers.
In addition to these actions, the State Department announced today a reward offer of up to $5 million for information on these companies, the individuals identified, their illicit activities, and/or those of associated individuals and entities. The identified individuals are: Jong Song Hwa (정성화), Ri Kyong Sik (리경식), Kim Ryu Song (김류성), Rim Un Chol (림은철), Kim Mu Rim (김무림), Cho Chung Pom (조충범), Hyon Chol Song (현철성), Son Un Chol (손은철), Sok Kwang Hyok (석광혁), Choe Jong Yong (최정용), Ko Chung Sok (고충석), Kim Ye Won (김예원), Jong Kyong Chol (정경철), and Jang Chol Myong (장철명). The State Department’s Rewards for Justice program has a standing rewards program for information that leads to the disruption of financial mechanisms of persons engaged in certain activities that support the North Korean government, including work by highly skilled North Korean nationals sent abroad whose income generates funds for the DPRK regime.
The DPRK has dispatched thousands of skilled IT workers around the world, earning revenue that contributes to the North Korean regime with the aim of deceiving U.S. and other businesses worldwide into hiring them as remote IT workers to generate revenue in violation of U.S. and U.N. sanctions. DPRK IT worker schemes involve the use of pseudonymous email, social media, payment platform and online job site accounts, as well as false websites, proxy computers, virtual private networks, virtual private servers and unwitting third parties located in the United States and elsewhere. As described in a May 2022 tri-seal public service advisory released by the FBI and its partners, which was updated in October 2023, such IT workers can individually earn up to $300,000 annually, generating hundreds of millions of dollars collectively each year, on behalf of designated entities, such as the North Korean Ministry of Defense and others directly involved in the DPRK’s UN-prohibited weapons of mass destruction programs.
The indictment alleges that the 14 conspirators worked for sanctioned North Korean-controlled companies Yanbian Silverstar and Volasys Silverstar in capacities ranging from senior company leaders to IT workers. These two organizations collectively employed at least 130 North Korean IT workers — referred to within these organizations as “IT Warriors.” As alleged in the indictment, Yanbian Silverstar and Volasys Silverstar organized periodic “socialism competitions” for their employees. During these competitions, IT workers would compete to generate money for the DPRK. Bonuses and other prizes were awarded to the top performers during these competitions. As part of their scheme, North Korean IT workers obtained salaried employment at numerous U.S.-based companies and nonprofit organizations. In some instances, U.S. employers unwittingly employed North Korean IT workers for years and paid them hundreds of thousands of dollars in salary.
The conspirators used many techniques to conceal their North Korean identities from employers. These included using stolen identities belonging to U.S. persons and others to apply for jobs; paying U.S. persons to attend job interviews and work meetings remotely under fake identities; and registering web domains and designing phony websites to convince prospective employers that the false identities were experienced, qualified, and previously employed by reputable contracting firms. As described in court documents, these websites contained indicia that should have aroused suspicion about their bona fides. For example, some of the physical addresses listed on the websites were home addresses, not office buildings; contact telephone numbers listed on the fake companies’ websites did not correspond to area codes of business locations; and the websites’ content included disjointed or nonsensical phrases, such as, “Nor, moreover, is there anyone who loves pain because it is pain, pursues it, wants to gain it, but.”
The conspirators also sought to avoid detection by paying U.S. persons to receive, set up, and host laptops sent from employers to the U.S. persons’ home addresses (often referred to as laptop farms). After these laptops were set up, the conspirators instructed the U.S. persons to install software that allowed them to access the laptops from overseas. By arranging to have laptops physically located in the United States, conspirators made it appear as if the fake U.S.-based employees were accessing laptops to do work, when in fact the IT workers were located outside the United States.
In some instances, the conspirators leveraged their access to proprietary corporate information to extort their U.S.-based employers for additional payments. These threats were not empty — IT workers would at times publish the business’s information online if they were not paid. One employer, for example, sustained hundreds of thousands of dollars in damages after it refused the extortion demand of a conspirator who then publicly released the employer’s proprietary information.
All 14 conspirators are charged with conspiracy to violate the International Emergency Economic Powers Act, conspiracy to commit wire fraud, conspiracy to commit money laundering, and conspiracy to commit identity theft. Eight conspirators are charged with aggravated identity theft. If convicted, the defendants each face a maximum statutory penalty of 27 years in prison.
The FBI St. Louis Field Office investigated the case, with assistance from the FBI Cyber Division.
Trial Attorneys Jacques Singer-Emery and Alexandra Cooper-Ponte of the National Security Division’s National Security Cyber Section and Assistant U.S. Attorney Matthew Drake for the Eastern District of Missouri are prosecuting the case. Substantial assistance was also provided Trial Attorney Emma Ellenrieder of the National Security Division’s Counterintelligence and Export Control Section and Assistant U.S. Attorney Kyle Bateman for the Eastern District of Missouri.
An indictment is merely an allegation. All defendants are presumed innocent until proven guilty.
