US offers $5 million reward to disrupt North Korea’s illicit activity overseas


Kim Jong-un is building weapons of mass destruction with Western money. The US offers up to $5 million for information leading to disruption of any activity supporting the regime.

Last year alone, North Korean threat actors stole at least $400 million. In April, the FBI attributed the March 29 hack of the Ronin decentralized currency exchange to Lazarus Group and APT 38. Both groups are associated with the Democratic People's Republic of Korea (DPRK).

ADVERTISEMENT

But it's not only hackers who help Kim Jong-un fund the regime. Thousands of North Korean IT workers try to land freelance jobs abroad, providing a critical stream of revenue for the weapon development program.

"The DPRK dispatches thousands of highly skilled IT workers around the world to generate revenue that contributes to its weapons of mass destruction and ballistic missile programs, in violation of US and United Nations (UN) sanctions," the US Department of State, the US Department of the Treasury, and the Federal Bureau of Investigation (FBI) advisory reads.

Masters of disguise

North Korea takes advantage of the global skills shortage, especially when it comes to specific IT skills, such as software and mobile application development. Companies in North America, Europe, and East Asia are eager to hire a specialist and may end up signing a contract with a freelancer, unaware that they are from North Korea.

“There are reputational risks and the potential for legal consequences, including sanctions designation under US and UN authorities, for individuals and entities engaged in or supporting DPRK IT worker-related activity and processing related financial transactions,” the advisory reads.

North Korean IT workers are mainly located in China and Russia. Some try to land contracts while residing in Africa, South East Asia, and North Korea. They often pose as US-based and non-North Korean freelancers, obfuscating their identities and location by subcontracting work to non-North Koreans.

“DPRK IT managers have also hired their own teams of non-North Korean IT workers who are usually unaware of the real identity of their North Korean employer or the fact that their employer is a DPRK company. The DPRK IT managers use their outsourced employees to make software purchases and interact with customers in situations that might otherwise expose a DPRK IT worker,” the advisory reads.

Even though North Korean IT workers can get the work done, be it a development of a mobile application or general IT support, they have used the privileged access gained as contractors to enable the DPRK’s malicious cyber intrusions.

ADVERTISEMENT

“Additionally, there are likely instances where workers are subjected to forced labor.”

SchemeNorthKoreanIT
Overview of DPRK IT Worker Operations

Modus operandi

The vast majority of North Korean IT workers are “subordinate to and working on behalf of entities directly involved in the DPRK’s UN-prohibited weapons of mass destruction and ballistic missile programs and its advanced conventional weapons development and trade sectors.”

North Korean entities dispatching IT workers overseas include the 313 General Bureau of the Munitions Industry Department (MID), the Ministry of Atomic Energy Industry, military entities subordinate to the Ministry of Defense and Korea People’s Army, and many other lesser-known organizations.

“An overseas DPRK IT worker earns at least ten times more than a conventional North Korean laborer working in a factory or on a construction project overseas, “ the advisory reads.

In some cases, North Koreans can earn up to $300,000 a year, while teams of IT workers collectively can make more than $3 million a year. They engage in a wide range of IT development work, from dating apps to AI applications, and often take on projects related to virtual currency.

“IT workers target freelance contracts from employers located in wealthier nations, including those in North America, Europe, and East Asia. In many cases, they present themselves as South Korean, Chinese, Japanese, or Eastern European, and US-based teleworkers,” the advisory reads.

Grave consequences

ADVERTISEMENT

They routinely use falsified documents and forged signatures to land a contract, which could have severe outcomes for their employer. The Department of the Treasury’s Office of Foreign Assets Control (OFAC) can impose financial sanctions on any company or a person who assists or supports North Korean activity overseas.

In 2018, the US sanctioned a China-based technology firm Yanbian Silverstar Network Technology, nominally a Chine IT company that turned out to be managed by North Koreans.

The State Department’s Rewards for Justice program offers up to $5 million for information that might lead to the disruption of “financial mechanisms of persons engaged in certain activities that support North Korea, including money laundering, the exportation of luxury goods to North Korea, specified cyber-activity and actions that support weapons of mass destruction proliferation.”

The advisory also shared a comprehensive list of indicators and behaviors of North Korean IT workers and mitigation measures.