DoJ Cracks Down on Global DPRK IT Worker Scam

A large-scale crackdown by the U.S. Department of Justice (DoJ) has led to five major law enforcement actions aimed at dismantling an elaborate North Korean IT worker scam. The scheme, which has become increasingly common, involves North Korean operatives posing as legitimate IT job applicants to infiltrate American companies.
 
Recently, two Americans, two North Koreans, and a Mexican national were indicted for their roles in the fraud, which spanned multiple years and companies.
 

How the Scam Worked

According to the DoJ, North Korean nationals Pak Jin-Song, Jin Sung-Il, and their co-conspirators managed to secure remote IT jobs at 64 different U.S. companies using fake identities. These identities were provided by Pedro Ernesto Alonso De Los Reyes, a Mexican citizen residing in Sweden, and supported by U.S.-based accomplices Emanuel Ashtor and Erick Ntekereze Prince.

The scheme operated from April 2018 until August last year, and it proved highly profitable. The DoJ reported that earnings from just 10 of the 64 targeted companies totalled $866,255.

Uncovering the Operation

This scam is part of North Korea’s broader efforts to bypass economic sanctions imposed by the U.S. By securing high-paying tech roles under false identities, the operatives were able to funnel money back to their government, which is known to allocate funds to its nuclear and missile programs.

Executing such a scam wasn’t an overnight process. North Korea enlisted foreign nationals to set up fraudulent credentials and provide logistical support. In some cases, Alonso provided his own identity, which the job seekers used during interviews and onboarding. Other times, the scammers stole real U.S. government-issued IDs and altered them to include their own photos.

Once hired, corporate laptops were shipped to Ashtor and Prince in North Carolina, where they set up sophisticated "laptop farms." These devices were configured with remote access software, allowing North Korean operatives based in China to seamlessly perform their jobs as if they were working from the U.S. Meanwhile, payroll was funnelled through fake companies and Chinese bank accounts to avoid detection.

Authorities Take Action

Law enforcement authorities eventually caught up with the operation. Ashtor and Prince were arrested in North Carolina, while Alonso was detained in the Netherlands. The five individuals now face charges including:

  1. Conspiracy to commit wire and mail fraud

  2. Conspiracy to commit money laundering

  3. Conspiracy to transfer false identification documents

  4. Conspiracy to cause damage to a protected computer

Additionally, the two North Korean nationals face charges of violating the International Emergency Economic Powers Act, with potential sentences of up to 20 years if convicted.

Is the Crackdown Making a Difference?

The DoJ’s efforts to combat these scams gained momentum last March with the launch of the DPRK RevGen: Domestic Enabler Initiative, aimed at shutting down key infrastructure such as laptop farms. So far, authorities have conducted four major enforcement actions, leading to arrests and asset seizures.

Despite these efforts, fraudulent applications from North Korean operatives have continued. Some organisations that have previously fallen victim to such scams report still receiving applications from fake IT workers, indicating that the threat remains persistent.

This ongoing activity underscores the need for businesses to remain vigilant and proactive. Companies must implement thorough vetting processes, robust identity verification, and continuous monitoring to stay ahead of evolving threats.

Lessons for Businesses

With remote work becoming the norm, businesses must be more diligent than ever in their hiring processes. To reduce the risk of falling victim to similar scams, companies should:

  1. Conduct rigorous background checks using multiple verification sources.

  2. Be cautious of applicants unwilling to engage in video interviews.

  3. Monitor for unusual activity from remote employees, such as unexpected login locations.

  4. Educate hiring teams about potential red flags and warning signs.
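The monitoring in item 3 can be pointed at the laptop-farm pattern described earlier: several corporate laptops assigned to different people sitting at one address, sharing one internet connection, and running remote access software. The sketch below is an added example, not code from the DoJ or from this article; the record fields, the list of unapproved tools, the sample data and the thresholds are all assumptions made for illustration.

```python
from collections import defaultdict

# Assumed list of remote-access products this organisation has not approved.
UNAPPROVED_REMOTE_TOOLS = {"anydesk", "teamviewer", "rustdesk"}

# Constructed inventory/telemetry records; field names are hypothetical.
DEVICES = [
    {"device": "LT-101", "user": "alice", "egress_ip": "198.51.100.7", "ship_to": "addr-A", "software": ["Chrome", "AnyDesk"]},
    {"device": "LT-102", "user": "bob", "egress_ip": "198.51.100.7", "ship_to": "addr-A", "software": ["Slack", "TeamViewer"]},
    {"device": "LT-103", "user": "carol", "egress_ip": "198.51.100.7", "ship_to": "addr-A", "software": ["RustDesk"]},
    {"device": "LT-104", "user": "dave", "egress_ip": "203.0.113.20", "ship_to": "addr-B", "software": ["Chrome"]},
    {"device": "LT-105", "user": "erin", "egress_ip": "203.0.113.44", "ship_to": "addr-C", "software": ["AnyDesk"]},
]

def shared_clusters(devices, key, min_users=3):
    """Return {value: sorted users} where >= min_users distinct users share `key`."""
    groups = defaultdict(set)
    for d in devices:
        groups[d[key]].add(d["user"])
    return {v: sorted(u) for v, u in groups.items() if len(u) >= min_users}

def score_devices(devices, min_users=3):
    """Score each device: +2 shared egress IP, +2 shared ship-to, +1 remote tool."""
    ip_hits = shared_clusters(devices, "egress_ip", min_users)
    addr_hits = shared_clusters(devices, "ship_to", min_users)
    findings = {}
    for d in devices:
        reasons = []
        if d["egress_ip"] in ip_hits:
            reasons.append("shared_egress_ip")
        if d["ship_to"] in addr_hits:
            reasons.append("shared_ship_to")
        tools = sorted(s for s in d["software"] if s.lower() in UNAPPROVED_REMOTE_TOOLS)
        if tools:
            reasons.append("remote_tool:" + ",".join(tools))
        score = 2 * sum(r.startswith("shared") for r in reasons) + (1 if tools else 0)
        if reasons:
            findings[d["device"]] = {"score": score, "reasons": reasons}
    return findings

def laptop_farm_candidates(devices, threshold=4):
    """Devices whose combined score meets the review threshold."""
    return sorted(dev for dev, f in score_devices(devices).items() if f["score"] >= threshold)

if __name__ == "__main__":
    for dev, f in sorted(score_devices(DEVICES).items()):
        print(dev, f)
    print("review:", laptop_farm_candidates(DEVICES))
```

Exclude corporate VPN and office egress ranges before clustering, since legitimate staff share those addresses. A single remote access tool on its own scores low by design; the combination of shared location signals and remote tooling is what warrants a manual review.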

As cyber threats continue to evolve, staying informed and proactive is key to protecting your organisation from deceptive tactics like this North Korean IT worker scam.
