US government targets North Korea's illicit IT workforce with new sanctions


The U.S. government announced new sanctions against North Korea related to its army of illicit IT workers who have fraudulently gained employment to finance the regime's weapons of mass destruction programs.

North Korea maintains thousands of “highly skilled” IT workers around the world, primarily in China and Russia, which “generate revenue that contributes to its unlawful weapons of mass destruction and ballistic missile programs,” according to an announcement from the U.S. Treasury Department on Tuesday.

These individuals, who in some cases earn upwards of $300,000 a year, deliberately obfuscate their identities, locations and nationalities using stolen identities and falsified documentation to apply for jobs with employers located in “wealthier countries.” They have secretly worked in various positions and industries, including the fields of “business, health and fitness, social networking, sports, entertainment, and lifestyle,” the announcement read.

While these individuals tend to engage in legitimate IT work unrelated to malicious cyber activity, mainly on cryptocurrency projects, they use virtual currency exchanges and trading platforms to launder illicitly obtained funds back to the DPRK, according to the announcement.

The Treasury on Tuesday announced sanctions against four entities employing “thousands” of North Korean IT workers. One of these is the Pyongyang University of Automation, which the Treasury described as one of North Korea’s “premier cyber instruction institutions.” The institution is said to have been training cybercriminals who go on to work in cyber units tied to the Reconnaissance General Bureau (RGB) — the country’s primary intelligence agency.

The Treasury also sanctioned the Technical Reconnaissance Bureau and its 110th Research Center, which lead the DPRK’s development of offensive cyber tactics and tools. The center is also believed to have trained operatives of the notorious Lazarus Group, which was linked to the theft of $625 million in cryptocurrency from Ronin, an Ethereum-based sidechain made for the popular play-to-earn game Axie Infinity.

Sanctions were also announced against the Chinyong Information Technology Cooperation Company and an individual named King San Man in relation to their IT worker activities.

“Today’s action continues to highlight the DPRK’s extensive illicit cyber and IT worker operations, which finance the regime’s unlawful weapons of mass destruction and ballistic missile programs,” said Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson. “The United States and our partners remain committed to combatting the DPRK’s illicit revenue generation activities and continued efforts to steal money from financial institutions, virtual currency exchanges, companies, and private individuals around the world.”

The U.S. government also warned earlier last year that North Korean-backed hackers were targeting employees of cryptocurrency companies by sending highly targeted phishing emails that would include a high-paying job offer to try to entice the victim to download a trojanized cryptocurrency application.