Treasury sanctions North Korea over remote IT worker schemes
The U.S. Treasury Department announced sanctions Thursday against two individuals and four entities allegedly involved in generating revenue for North Korea through illicit remote IT workforce operations, the latest salvo in ongoing efforts to disrupt financial streams that support Pyongyang’s weapons programs.
The sanctions focus on efforts in which North Korea sent thousands of skilled IT professionals outside of the country to secure freelance jobs under false pretenses and funnel their salaries back to Pyongyang. According to the U.S. Treasury’s Office of Foreign Assets Control (OFAC), the North Korean government took up to 90% of earnings from this labor, directing the funds into programs responsible for developing weapons of mass destruction and ballistic missiles.
According to OFAC, the North Korean office responsible for the scheme, Department 53, was created by the country’s Ministry of National Defense to make money through front companies in various industries like IT and software development, along with selling advanced military communications equipment and weapons. Treasury says that Department 53 was behind two front companies, Korea Osong Shipping Co. and Chonsurim Trading Corporation, that sent IT workers to Laos to gain employment working on various software projects.
OFAC also sanctioned Chinese company Liaoning China Trade Industry Co., Ltd., accusing it of supplying crucial technological equipment to Department 53 in order to facilitate IT operations abroad. Two individuals, Jong In Chol and Son Kyong Sik, were also sanctioned for their roles in running the Department 53 front companies.
North Korea “continues to rely on its thousands of overseas IT workers to generate revenue for the regime, to finance its illegal weapons programs, and to enable its support of Russia’s war in Ukraine,” said Bradley T. Smith, acting under secretary of the Treasury for terrorism and financial intelligence. “The United States remains resolved to disrupt these networks, wherever they operate, that facilitate the regime’s destabilizing activities.”
The use of North Koreans for remote IT work, albeit unknowingly, has been an ongoing issue the U.S. government has tried to thwart over the past two years. Reports from cybersecurity firms over the past year have found that North Korea goes to great lengths to keep the schemes active, creating entire fake networks of employees and companies to provide operatives with work references, redirect payments and, in at least one case, replace other operatives once they were fired or left a company.
Additionally, North Koreans have also found people in the United States willing to aid their schemes. Last August, a Tennessee man was arrested for allegedly using stolen identities to obtain remote work for North Korean nationals, who were masquerading as U.S. citizens.
Additionally, the Justice Department indicted 14 North Koreans in December, after they generated at least $88 million throughout a conspiracy that stretched over approximately six years.
As the government has been public about these schemes, tech companies have been transparent about their efforts to uncover these workers amidst their staff. Security awareness and training software company KnowBe4 announced in July it had found and removed a remote IT worker from its systems after realizing the contractor was North Korean. In October, identity security firm HYPR said it uncovered an employee thought to be from Eastern Europe was actually North Korean.
As is the case with most sanctions, all U.S.-based assets of the involved parties are frozen, and Americans are barred from conducting business with the entities or individuals named.
You can read the full list of sanctioned entities on the Treasury Department’s website.
