North Korea's Remote Worker Scheme Steals $88M from US Companies

North Korean hackers have been posing as remote workers to steal from US companies. The scheme has been active for years, and the damage is significant.

An investigation has uncovered a sophisticated North Korean scheme involving remote workers using stolen identities to infiltrate US companies and non-profits. The operation has been active for at least six years, generating over $88 million USD for the DPRK government.

The scheme was exposed following the US Department of Justice's (DOJ) indictment of fourteen North Korean nationals on December 12, 2024. These individuals used fake identities and references, including companies like Baby Box Info, Helix US, and Cubix Tech US, to gain remote IT jobs at US-based organizations. Our investigation revealed that these actors employed malware to steal information, with infected hosts in Lahore, Pakistan, providing valuable insights into their tactics, techniques, and procedures (TTPs).

Browser history on these infected hosts showed extensive use of Google Translate between English and Korean, indicating a supervisory relationship between Korean speakers and non-Korean speakers. Uncovered messages hinted at advice and tradecraft being exchanged. Additionally, the 'jsilver617' username, potentially tied to the 'J.S.' identity mentioned in the indictment, was found on an infected host. Since the discovery of this scheme, Fortune 500 companies and the technology and cryptocurrency industries have reported an increase in secret DPRK agents siphoning funds, intellectual property, and information.

The North Korean remote work scheme has been a significant threat to US companies and non-profits, with the DPRK government benefiting to the tune of at least $88 million USD over six years. As more companies report incidents, it is crucial for organizations to remain vigilant and implement robust cybersecurity measures to protect against such threats.
