
US Indicts Five People Accused of Running ‘IT Worker’ Scheme for North Korean Regime

Filip TRUȚĂ

January 29, 2025


The US Justice Department has indicted five people in connection with a fraudulent scheme to obtain remote IT jobs with US firms and generate revenue for North Korea’s regime.

North Korea continues to put fake “IT workers” inside US organizations for the purpose of data exfiltration and extortion, the FBI warned recently. The public service announcement says the trend not only hasn’t ended but has been taken further by the theft of proprietary data and extortion.

At the same time, the DOJ has announced the indictment of two North Korean nationals and three facilitators from Mexico and the US over the classic IT worker scheme devised by Pyongyang to allegedly obtain funding for the North Korean regime’s priorities, including its weapons programs.

A multi-year operation

“The Justice Department today announced the indictment of North Korean nationals Jin Sung-Il (진성일) and Pak Jin-Song (박진성), Mexican national Pedro Ernesto Alonso De Los Reyes, and U.S. nationals Erick Ntekereze Prince and Emanuel Ashtor for a fraudulent scheme to obtain remote information technology (IT) work with U.S. companies that generated revenue for the Democratic People’s Republic of Korea (DPRK or North Korea),” reads the DOJ announcement.

According to the indictment, from around April 2018 through August 2024, the defendants obtained work from at least 64 US companies. Of those, 10 jobs yielded combined revenue of more than $860,000, most of which was laundered through a Chinese bank account.

The FBI arrested Ntekereze and Ashtor and searched Ashtor’s residence in North Carolina, where he had operated a “laptop farm” that hosted victim company-provided laptops to deceive companies into thinking they had hired US-located workers.

On Jan. 10, Alonso was cuffed in the Netherlands.

“The DPRK has dispatched thousands of skilled IT workers to live abroad, primarily in China and Russia, with the aim of deceiving U.S. and other businesses worldwide into hiring them as freelance IT workers to generate revenue for the regime,” according to the DOJ press release.

The defendants used forged and stolen IDs, including US passports containing stolen personally identifiable information of a US citizen, to conceal the true identities of Jin, Pak, and other North Korean co-conspirators, so they could circumvent sanctions and other laws to obtain employment with US firms.

Ntekereze and Ashtor received company-issued laptops at their residences, on which they downloaded and installed remote access software without authorization.

Modus operandi

The “IT worker” rulebook tells recruits to use pseudonymous emails, social media, payment platforms, and online job site accounts, as well as false websites, proxy computers, and witting and unwitting third parties located in the United States and elsewhere.

According to the FBI notice, the rogue applicants have been observed using face-swapping technology in video job interviews to obfuscate their true identities.

After being discovered on company networks, the perps started extorting their employer, demanding a ransom so they wouldn’t release stolen proprietary data and code, says the bureau. In some instances, the “workers” publicly released victims’ proprietary code.

According to the DOJ, “such IT workers have been known individually to earn up to $300,000 annually, generating hundreds of millions of dollars collectively each year, on behalf of designated entities, such as the North Korean Ministry of Defense and others directly involved in the DPRK’s weapons of mass destruction programs.”

Up to 20 years behind bars

All five defendants are charged with conspiracy to damage a protected computer, conspiracy to commit wire and mail fraud, conspiracy to commit money laundering, and conspiracy to transfer false identification documents.

The two North Koreans, Jin and Pak, are also charged with conspiracy to violate the International Emergency Economic Powers Act.

If convicted, all five face up to 20 years in prison. Their final sentence will be determined by a federal district court judge after considering sentencing guidelines and other statutory factors.

Tips to combat fake/rogue remote workers

As we note in our comprehensive guide to cyber-proofing a business, today’s offices find themselves in the crosshairs of cybercriminals, not least of which are rogue employees. Our guide lays out key aspects such as protecting your data, spotting deceptive emails and impersonation attacks, securing partners and vendors, and turning your team into a line of defense against malice.

Read: Small Office, Big Threats: 7 Ways to Cyber-Proof Your Business in 2025

The FBI’s guidance to firms considering remote hires includes a list of mitigation actions, such as:

· Practice the Principle of Least Privilege on your networks, including disabling local administrator accounts and limiting privileges for installing remote desktop applications

· Monitor and investigate unusual network traffic, including remote connections to devices or the installation/presence of prohibited remote desktop protocols or software

· Monitor network logs and browser session activity to identify data exfiltration through easily accessible means such as shared drives, cloud accounts, and private code repositories

· Monitor endpoints for the use of software that allows for multiple concurrent audio/video calls
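
An added example, not taken from the FBI notice or from Bitdefender: detection logic for two of the monitoring items above, run over constructed endpoint process events. The event field names, the tool lists, and the use of simultaneously running conferencing clients as a proxy for concurrent calls are assumptions of this example.

```python
import json
from collections import defaultdict
from pathlib import PureWindowsPath

# Assumed policy lists: the product names are real, but treating them as
# prohibited or as conferencing clients is this example's assumption.
REMOTE_ACCESS_TOOLS = {"anydesk.exe", "teamviewer.exe", "rustdesk.exe"}
CALL_CLIENTS = {"zoom.exe", "webex.exe", "skype.exe"}

# Constructed process events (JSON lines); field names are hypothetical.
SAMPLE_EVENTS = r"""
{"ts": "2025-01-06T09:01:00Z", "host": "LT-0412", "user": "jdoe", "action": "start", "image": "C:\\Program Files\\Zoom\\bin\\Zoom.exe"}
{"ts": "2025-01-06T09:03:10Z", "host": "LT-0412", "user": "jdoe", "action": "start", "image": "C:\\Users\\jdoe\\Downloads\\AnyDesk.exe"}
{"ts": "2025-01-06T09:05:00Z", "host": "LT-0412", "user": "jdoe", "action": "start", "image": "C:\\Program Files\\Webex\\Webex.exe"}
{"ts": "2025-01-06T09:40:00Z", "host": "LT-0412", "user": "jdoe", "action": "stop", "image": "C:\\Program Files\\Zoom\\bin\\Zoom.exe"}
{"ts": "2025-01-06T10:00:00Z", "host": "LT-0977", "user": "asmith", "action": "start", "image": "C:\\Program Files\\Zoom\\bin\\Zoom.exe"}
"""


def find_alerts(jsonl, max_call_clients=1):
    """Return (ts, host, rule, detail) tuples for events that break the policy."""
    alerts = []
    active_calls = defaultdict(set)  # host -> conferencing clients currently running
    events = [json.loads(line) for line in jsonl.splitlines() if line.strip()]
    for ev in sorted(events, key=lambda e: e["ts"]):
        # Match on the executable name regardless of install path or letter case.
        name = PureWindowsPath(ev["image"]).name.lower()
        if ev["action"] == "start" and name in REMOTE_ACCESS_TOOLS:
            alerts.append((ev["ts"], ev["host"], "remote_access_tool", name))
        if name in CALL_CLIENTS:
            running = active_calls[ev["host"]]
            if ev["action"] == "stop":
                running.discard(name)
                continue
            running.add(name)
            # More conferencing clients open at once than the policy allows.
            if len(running) > max_call_clients:
                alerts.append((ev["ts"], ev["host"], "concurrent_call_clients",
                               ",".join(sorted(running))))
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(*alert, sep="  ")
```
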

Bitdefender recommends that companies big and small deploy a dedicated security solution to limit the chances of a breach by rogue employees.

Bitdefender Ultimate Small Business Security is an extended version of our consumer-friendly security suite. It includes malware detection, ransomware prevention, email protection, account breach protection, scam protection, and a trusty VPN. Thanks to a natural, intuitive dashboard designed for use even by non-techies, it can be administered by anyone in your organization.

To see it in action, visit https://www.bitdefender.com/en-us/consumer/small-business-security.

Author


Filip TRUȚĂ

Filip has 15 years of experience in technology journalism. In recent years, he has turned his focus to cybersecurity in his role as Information Security Analyst at Bitdefender.
