DPRK IT Workers - A network of active front companies and their links to China
November 2024 by SentinelLabs
North Korea operates a global network of IT workers, both as individuals and under front companies, to evade sanctions and generate revenue for the regime. These workers are highly skilled in areas like software development, mobile applications, blockchain, and cryptocurrency technologies. By posing as professionals from other countries using fake identities and forged credentials, they secure remote jobs and freelance contracts with businesses worldwide.
SentinelLabs explores four newly identified examples of DPRK IT Worker front companies, analysing their online presence and the methods they have used to appear legitimate to unsuspecting targets in recent months. These four companies’ websites were recently subject to law enforcement action and taken offline. Drawing on details from the four companies disrupted by US Government agencies, SentinelLabs was able to find multiple leads to an active network of DPRK IT front companies originating in China.
Front companies, often based in China, Russia, Southeast Asia, and Africa, play a key role in masking the workers’ true origins and managing payments. Notable examples include China-based Yanbian Silverstar Network Technology Co. Ltd., disrupted in October 2023, and Russia-based Volasys Silver Star, sanctioned by the US Department of the Treasury in 2018, for their roles in facilitating fraudulent IT operations. These entities helped DPRK workers launder earnings through online payment services and Chinese bank accounts. The payments, often routed through cryptocurrencies or shadow banking systems, ultimately support state programmes, including weapons development, circumventing international sanctions.
These schemes present significant risks to employers, including potential legal violations, reputational damage, and insider threats such as intellectual property theft or malware implantation. Addressing these risks requires heightened awareness and stringent vetting processes to limit North Korea’s ability to exploit global tech markets.
Key points:
• SentinelLabs has identified unique characteristics of multiple websites, now seized by the US Government, associated with the DPRK IT Worker front companies.
• Threat researchers assess with high confidence that DPRK actors seek to impersonate US-based software and technology consulting businesses by copying the online brands of legitimate organisations and using these for financial objectives.
• SentinelLabs has linked the activity to several active front companies and links these with high confidence to a larger set of organisations being created in China.
• SentinelLabs findings link additional companies, which remain active today, to the DPRK IT Workers scheme.
Conclusion
The DPRK’s use of the IT Worker scheme underscores the regime’s adaptability in exploiting global markets to further its financial objectives. By impersonating legitimate US-based software and technology consulting firms, North Korean actors aim to gain trust and access to sensitive contracts, circumventing sanctions and evading detection. These tactics highlight a deliberate and evolving strategy that leverages the global digital economy to fund state activities, including weapons development.
SentinelLabs research not only exposes the deceptive tactics employed by DPRK IT workers but also connects these efforts to a broader, active network of front companies originating in China. This linkage emphasises the scale and complexity of North Korea’s financial schemes and the importance of vigilance across industries. Organisations are urged to implement robust vetting processes, including careful scrutiny of potential contractors and suppliers, to mitigate risks and prevent inadvertent support of such illicit operations. By shedding light on these activities, SentinelLabs aims to equip businesses, governments, and the public with the insights needed to stay ahead of these threats and safeguard the integrity of global markets.