North Korea’s IT Worker Scam: New Links Expose Decade-Long Global Fraud Operation

North Korean Cyber Operations: From IT Worker Fraud to Cryptocurrency Heists

Recent investigations have uncovered connections between North Korean threat actors’ fraudulent IT worker schemes and a 2016 crowdfunding scam, according to SecureWorks Counter Threat Unit. The scheme, known under various names including Famous Chollima and Wagemole, involves North Korean operatives securing employment in Western companies using false identities to generate revenue for their sanctioned nation.

These IT workers, linked to the 313th General Bureau of North Korea’s Workers’ Party, typically operate through front companies in China and Russia, such as Yanbian Silverstar and Volasys Silver Star. Both companies faced U.S. Treasury sanctions in 2018 for facilitating North Korean worker deployment.

Key Developments:
– U.S. authorities seized 17 domains in October 2023 that impersonated legitimate IT companies
– Historical WHOIS records connected these operations to a 2016 IndieGoGo scam that defrauded 193 backers of $21,877
– A recent joint warning from Japan, South Korea, and the U.S. highlighted ongoing cryptocurrency threats from North Korean actors
– In 2024, North Korean hackers have already stolen $659 million from various cryptocurrency platforms including DMM Bitcoin, Upbit, and WazirX
– Chainalysis reports North Korean actors stole $1.34 billion across 47 cryptocurrency hacks in 2024, up from $660.50 million in 2023

The evidence suggests a long-term evolution of North Korean cyber operations, from simple crowdfunding scams to sophisticated IT worker fraud and large-scale cryptocurrency heists, demonstrating their increasing capabilities in cyber-enabled financial crime.
