The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) has sanctioned six individuals and two entities linked to a North Korean IT worker network that defrauds companies to fund the nation’s weapons of mass destruction (WMD) programs.
Secretary of the Treasury Scott Bessent stated, “The North Korean regime targets American companies through deceptive schemes carried out by overseas IT operatives, who weaponize sensitive data and extort businesses for substantial payments.”
The operation, also referred to as Coral Sleet/Jasper Sleet, PurpleDelta, and Wagemole, uses stolen identities, fabricated resumes, and bogus documentation to conceal the true origin of IT workers. Recruited employees secure legitimate positions at U.S. companies, while a significant portion of their salaries is funneled back to North Korea to support missile programs in violation of international sanctions.
Methods and Tradecraft
Some campaigns have employed malware to steal proprietary data or conducted extortion by threatening to publicly release stolen information. Threat actors also rely on AI-powered tools to fabricate digital identities, generate realistic headshots, and create convincing resumes. Applications like Faceswap are used to insert North Korean operatives’ faces into stolen identity documents.
Remote IT workers utilize agentic AI tools to generate fake company websites, automate malware components, and maintain operational persistence. Microsoft highlighted that AI reduces barriers for reconnaissance, persona creation, and long-term infiltration.
The actors typically operate from countries like China, using VPNs such as Astrill to bypass the Great Firewall and appear as legitimate U.S.-based employees.
Operational Structure
The IT worker network is structured into four tiers:
- Recruiters – Screen potential IT workers and record initial interviews for facilitators.
- Facilitators – Help craft digital personas, secure employment, and onboard new hires.
- IT Workers – Perform the assigned work while channeling portions of earnings to North Korea.
- Collaborators – Voluntarily or unknowingly provide personal information or identities to assist the network in securing jobs and devices.
The network has also leveraged tools such as IP Messenger (IPMsg) for decentralized communication, Google Translate for cross-lingual interactions, and timesheets for tracking tasks.
Individuals and Entities Sanctioned
- Amnokgang Technology Development Company – Manages overseas IT workers and conducts illicit technology procurement.
- Nguyen Quang Viet – CEO of Quangvietdnbg International Services, who allegedly facilitated $2.5 million in cryptocurrency conversion for North Korean operatives.
- Do Phi Khanh & Hoang Van Nguyen – Assisted Kim Se Un in opening bank accounts and enabling cryptocurrency transfers.
- Yun Song Guk – Led IT workers in Laos since 2023, coordinating payments and contracts with collaborators.


