
Identities of More Than 80 Americans Stolen for North Korean IT Worker Scams

Over the years, the North Korean government has found an emerging source of sanctions-evading revenue by secretly applying for remote Western technology jobs. A newly revealed takedown action by U.S. law enforcement makes clear how much of the infrastructure used to carry out these schemes is in the United States, and how many American identities North Korea has stolen to carry them out.

On Monday, the Justice Department announced a sweeping action to crack down on the U.S.-based elements of North Korea’s remote IT worker program, including prosecutions of two Americans who the administration said were involved in the operation, one of whom was arrested by the FBI. Authorities also searched 29 “laptop farms” in 16 states, allegedly used to receive and host the PCs that the remote workers access remotely, and seized 21 computers of 200 of them, as well as 21 web domains and 29 financial accounts that received the revenue generated by the operation, authorities said. The Justice Department announcement and indictment also revealed how the North Koreans not only created fake IDs to get hired at Western tech companies but allegedly stole the identities of “more than 80 Americans” to impersonate them in jobs at more than a hundred U.S. companies and funnel the earnings to Kim Jong Il’s regime.

“It’s huge,” said Michael Barnhart, an investigator of North Korean hacking and espionage at DTEX, a security company focused on insider threats. “Whenever you have a laptop farm like this, that’s the soft undertone of these operations. Keeping them off in many states is huge.”

The Justice Department said it believes a total of six Americans were involved in a scheme that enabled the North Korean tech workers to impersonate people, although only two have been named and charged, both based in New Jersey, and only Zhenxing Wang was arrested. Prosecutors accuse the two men of helping to steal the identities of scores of Americans for the North Koreans to assume, receiving laptops sent to them by their employers, setting up remote access so the North Koreans could control those machines from across the world (often enabling that remote access with a hardware device called a “keyboard-video-mouse switch,” or KVM), and creating shell companies and bank accounts that allowed the North Korean government to receive the salaries they allegedly earned. According to the charging documents, the Justice Department said, the two Americans also worked with six named Chinese colleagues and two Taiwanese nationals.

To create cover identities for the North Korean workers, prosecutors said the two men accessed the personal details of more than 700 Americans in searches of private records. But for the individuals the North Koreans impersonated, they allegedly used the victims’ driver’s licenses and Social Security cards, allowing the North Koreans to apply for jobs under their names.

It is not clear from the charging documents how these personal documents were obtained. But North Korean impersonation operations often get Americans’ identification files from dark web cybercrime forums or data leak sites, said Barnhart of DTEX. In fact, he said the 80 stolen identities cited by the Justice Department represent a sample of the thousands of U.S. IDs he has seen in some cases, sometimes pulled from the infrastructure of North Korean hackers.
