US Nationals Indicted For Fraudulent Remote IT Work

The Justice Department has recently announced the indictment of North Korean nationals Jin Sung-Il and Pak Jin-Song, Mexican national Pedro Ernesto Alonso De Los Reyes, and US nationals Erick Ntekereze Prince and Emanuel Ashtor, for a fraudulent scheme to obtain remote IT work with US companies that generated revenue for the Democratic People’s Republic of Korea (DPRK).

According to the indictment, over the course of their scheme, from approximately April 2018 through August 2024, the defendants and their co-conspirators obtained work from at least sixty-four US companies.

“The Department of Justice remains committed to disrupting North Korea’s cyber-enabled sanctions-evading schemes, which seek to trick US companies into funding the North Korean regime’s priorities, including its weapons programs,” said Supervisory Official Devin DeBacker of the Justice Department's National Security Division.

“FBI investigation has uncovered a years-long plot to install North Korean IT workers as remote employees to generate revenue for the DPRK) regime and evade sanctions,” said Assistant Director Bryan Vorndran of the FBI’s Cyber Division.

“The indictments announced today should highlight to all American companies the risk posed by the North Korean government. As always, the FBI is available to assist victims of the DPRK. Please reach out to your local FBI field office should you have any questions or concerns.”

Payments from ten of those companies generated at least $866,255 in revenue, most of which the defendants then laundered through a Chinese bank account.

As part of this prosecution, the FBI arrested Ntekereze and Ashtor and executed a search of Ashtor’s residence in North Carolina, where he previously operated a “laptop farm” that hosted victim company-provided laptops to deceive companies into thinking they had hired US-located workers.Alonso was arrested in the Netherlands on Jan. 10, pursuant to an arrest warrant from the United States.

The DPRK has dispatched thousands of skilled IT workers to live abroad, primarily in China and Russia, with the aim of deceiving US and other businesses worldwide into hiring them as freelance IT workers to generate revenue for the regime.

DPRK IT worker schemes involve the use of pseudonymous email, social media, payment platform and online job site accounts, as well as false websites, proxy computers, and witting and unwitting third parties located in the United States and elsewhere.

As described in a May 2022 tri-seal public service advisory released by the FBI, and State and Treasury Departments, such IT workers have been known individually earn up to $300,000 annually, generating hundreds of millions of dollars collectively each year, on behalf of designated entities, such as the North Korean Ministry of Defence and others directly involved in the DPRK’s weapons of mass destruction programs.

According to the indictment, the defendants used forged and stolen identity documents, including US passports containing the stolen personally identifiable information of a US person, to conceal the true identities of Jin, Pak, and other North Korean co-conspirators, so that these North Korean nationals could circumvent sanctions and other laws to obtain employment with US companies.

Ntekereze and Ashtor received laptops from US company employers at their residences, downloading and installing remote access software on them, without authorisation, to facilitate IT worker access and to perpetuate the deception of US companies.

The defendants further conspired to launder payments for the remote IT work through a variety of accounts designed to promote the scheme and conceal its proceeds.

All five defendants are charged with conspiracy to cause damage to a protected computer, conspiracy to commit wire fraud and mail fraud, conspiracy to commit money laundering, and conspiracy to transfer false identification documents. Jin and Pak are charged with conspiracy to violate the International Emergency Economic Powers Act.

If convicted, the defendants face a maximum penalty of 20 years in prison. A federal district court judge will determine the sentence of each defendant after considering the US Sentencing Guidelines and other statutory factors.

Under the Department-wide “DPRK RevGen: Domestic Enabler Initiative,” launched in March 2024 by the National Security Division and the FBI’s Cyber and Counterintelligence Divisions, Department prosecutors and agents are prioritising the identification and shuttering of US-based “laptop farms”, locations hosting laptops provided by victim US companies to individuals they believed were legitimate US-based freelance IT workers, and the investigation and prosecution of individuals hosting them.

The FBI, in conjunction with the State and Treasury Departments, has issued updated guidance, which includes indicators to watch for that are consistent with the North Korea IT worker fraud and the use of US-based laptop farms.

The FBI has recently issued additional guidance regarding extortion and theft of sensitive company data by North Korean IT workers, along with recommended mitigations. 

U.S. Dept. of Justice     |     ic3     |     Cyber Scoop

Image: Ideogram

You Might Also Read:

KnowBe4 Duped Into Hiring A North Korean Hacker:


If you like this website and use the comprehensive 7,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

« EU Sanctions Russians For Attacks On Estonia
How Does DeepSeek Compare With Other Chatbot AI Tools? »

ManageEngine
CyberSecurity Jobsite
Check Point

Directory of Suppliers

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Rackspace Technology

Rackspace Technology

Rackspace Technology is a leading provider of managed services across all major public and private cloud technologies. Secure your IT environments with powerful cloud security solutions and support.

Cyber Security Recruiters

Cyber Security Recruiters

Cyber Security Recruiters is a niche recruiting firm who finds impact players for our clients in the Information Security Space.

Intertek Group

Intertek Group

Intertek Group provides Assurance, Testing, Inspection and Certification services. Activities include cybersecurity testing and certification.

ActiveCyber

ActiveCyber

ActiveCyber is a source for news, reviews, learning, and technological innovation in the active cyber defense industry.

Dathena

Dathena

Dathena is a company developing data governance software based on machine learning algorithms.

Swascan

Swascan

Swascan is the first all-in-one, GDPR Compliant, Cloud Security Suite Platform. GDPR Assessment, Web Application Scan, Network Scan, Code Review.

Mendoza Ventures

Mendoza Ventures

Mendoza Ventures is a venture capital fund focusing on pre-seed Artificial Intelligence (AI), Fintech, and Cybersecurity startups.

Ascent Solutions

Ascent Solutions

Ascent is built to help firms evolve their cybersecurity posture, modernize their Microsoft solutions, and accelerate their journey to the cloud.

Brightsolid

Brightsolid

Brightsolid are experts in Hybrid Cloud. We design, build and manage secure, scalable cloud environments that meet customers’ business ambitions.

AHAD

AHAD

AHAD provides cybersecurity, digital transformation, and risk management services and solutions to Government, Fortune 500, And Start-Up Companies in the Middle East region.

Silk Security

Silk Security

Silk is the first platform that enables enterprises to take a strategic, sustainable approach to resolving code, infrastructure and application risk.

RapidSpike

RapidSpike

RapidSpike is the only website monitoring solution that focuses all three key aspects of website health: performance, reliability AND security.

42Crunch

42Crunch

42Crunch provides API security testing and threat protection. We proactively test, fix and protect your APIs from development to runtime.

L&T Technology Services (LTTS)

L&T Technology Services (LTTS)

L&T Technology Services Limited (LTTS) is a global leader in Engineering and R&D (ER&D) services.

BlackSignal Technologies

BlackSignal Technologies

BlackSignal Technologies provides cybersecurity, digital signal processing and electronic warfare products to help DOD and IC agency customers counter near-peer threats and security challenges.

Nyx Security Solutions

Nyx Security Solutions

Nyx is committed to excellence in embedded cybersecurity, delivering top-tier secure design, development, and penetration testing services that meet and exceed industry standards.