Fourteen North Korean Nationals Indicted for Carrying Out Multi-Year Fraudulent Information Technology Worker Scheme and Related Extortions

Justice Department Continues Efforts to Seize the Illicit Proceeds of the

Scheme

A federal court in St. Louis, Missouri, yesterday indicted 14 nationals of the Democratic

People’s Republic of North Korea (DPRK or North Korea) with long-running conspiracies to violate U.S. sanctions and to commit wire fraud, money laundering, and identity theft.

Specifically, the conspirators, who worked for DPRK-controlled companies Yanbian Silverstar and Volasys Silverstar, located in the People’s Republic of China (PRC) and the Russian Federation (Russia), respectively, conspired to use false, stolen, and borrowed identities of U.S. and other persons to conceal their North Korean identities and foreign locations and obtain employment as remote information technology (IT) workers for U.S. companies and nonprofit organizations.

The conspmultiple instances, the conspirators supplemented their employment earnings by stealing sensitive company information, such as proprietary source code, and then threatening to leak such information unless the employer made an extortion payment. Ultimately, the conspirators used the U.S. and PRC financial systems to remit the proceeds of their activity to accounts in the PRC for the ultimate benefit of the DPRK government.

“To prop up its brutal regime, the North Korean government directs IT workers to gain

employment through fraud, steal sensitive information from U.S. companies, and siphon

money back to the DPRK,” said Deputy Attorney General Lisa Monaco. 

“This indictment of 14 North Korean nationals exposes their alleged sanctions evasion and should serve as a warning to companies around the globe — be on alert for this malicious activity by the DPRK regime.”

“Yesterday’s indictment is the latest in a series of actions under a National Security Division initiative launched earlier this year to disrupt North Korea’s efforts to generate revenue by duping American companies into hiring its citizens for remote work,” said Assistant Attorney General Matthew G. Olsen of the Justice Department’s for National Security Division. “This indictment and associated disruptions highlight the cybersecurity dangers associated with this threat, including theft of sensitive business information for the purposes of extortion.”

“The fourteen conspirators indicted yesterday victimized companies across the United

States, as well as many Americans whose identities they stole, to generate revenue for the North Korean regime,” said Assistant Director Bryan Vorndran of the FBI’s Cyber Division. “The FBI will continue to work with our partners to expose and mitigate these fraudulent IT schemes and provide unwavering support to victims of North Korean cyber actors.”

“North Korean IT workers pose a sophisticated and persistent threat, especially to

businesses seeking to employ large numbers of contract workers quickly,” said U.S. Attorney Sayler A. Fleming for the Eastern District of Missouri. “North Korean IT workers continue to find ways to evade detection, so businesses need to closely vet employees to avoid having their sensitive data stolen and unwittingly funding North Korea’s government.”

“While we have disrupted this group and identified its leadership, this is just the tip of the iceberg. The government of North Korea has trained and deployed thousands of IT workers to perpetrate this same scheme against U.S. companies every day,” said Special Agent in Charge Ashley T. Johnson of the FBI St. Louis Field Office. “Protect your business by thoroughly vetting fully remote IT workers. One of the ways to help minimize your risk is to insist current and future IT workers appear on camera as often as possible if they are fully remote.”

Today’s charges are the most recent step in an ongoing, two-year Department effort to

disrupt this specific group of conspirators, one of multiple such DPRK groups attempting to generate revenue for the DPRK government through such schemes. Prior Department actions against this group include: (i) a January court authorized seizure of approximately $320,000 (unsealed today); (ii) a July court authorized seizure of approximately $444,800(unsealed today); (iii) previously announced October 2022 and January 2023 court￾authorized seizures of approximately $1.5 million; and (iv) previously announced October 2023 and May 2024 court-authorized seizures of 29 internet domains used by the same group to increase the bona fides and appeal of their assumed identities to prospective employers.

In addition to these actions, the State Department announced today a reward offer of up to $5 million for informationapply for jobs; paying U.S. persons to attend job interviews and work meetings remotely under fake identities; and registering web domains and designing phony websites to convince prospective employers that the false identities were experienced, qualified, and previously employed by reputable contracting firms. As described in court documents, these websites contained indicia that should have aroused suspicion about their bona fides. 

For example, some of the physical addresses listed on the websites were home addresses, not office buildings; contact telephone numbers listed on the fake companies’ websites did not correspond to area codes of business locations; and the websites’ content included disjointed or nonsensical phrases, such as, “Nor, moreover, is there anyone who loves pain because it is pain, pursues it, wants to gain it, but.”

The conspirators also sought to avoid detection by paying U.S. persons to receive, set up, and host laptops sent from employers to the U.S. persons’ home addresses (often referred to as laptop farms). After these laptops were set up, the conspirators instructed the U.S. persons to install software that allowed them to access the laptops from overseas. By arranging to have laptops physically located in the United States, conspirators made it appear as if the fake U.S.-based employees were accessing laptops to do work, when in fact the IT workers were located outside the United States.

In some instances, the conspirators leveraged their access to proprietary corporate

information to extort their U.S.-based employers for additional payments. These threats were not empty — IT workers would at times publish the business’s information online if they were not paid. One employer, for example, sustained hundreds of thousands of dollars in damages after it refused the extortion demand of a conspirator who then publicly released the employer’s proprietary information.

All 14 conspirators are charged with conspiracy to violate the International Emergency

Economic Powers Act, conspiracy to commit wire fraud, conspiracy to commit money

laundering, and conspiracy to commit identity theft. Eight conspirators are charged with

aggravated identity theft. If convicted, the defendants each face a maximum statutory

penalty of 27 years in prison.

The FBI St. Louis Field Office investigated the case, with assistance from the FBI Cyber

Division.

Trial Attorneys Jacques Singer-Emery and Alexandra Cooper-Ponte of the National Security

Division’s National Security Cyber Section and Assistant U.S. Attorney Matthew Drake for the

Eastern District of Missouri are prosecuting the case. Substantial assistance was also

provided Trial Attorney Emma Ellenrieder of the National Security Division’s

Counterintelligence and Export Control Section and Assistant U.S. Attorney Kyle Bateman

for the Eastern District of Missouri.

An indictment is merely an allegation. All defendants are presumed innocent until proven guilty.