North Korea has established a global network of highly skilled IT workers who pose as professionals from other countries to secure remote jobs and freelance contracts with businesses worldwide.
These workers, operating both individually and through front companies, specialize in software development, mobile applications, blockchain, and cryptocurrency technologies.
Front companies play a crucial role in masking the workers’ true origins and managing payments. While the notable examples include:-
-
China-based Yanbian Silverstar Network Technology Co. Ltd. (disrupted in October 2023)
-
Russia-based Volasys Silver Star (sanctioned by the U.S. Department of the Treasury in 2018)
SentinelOne researchers observed that these entities facilitate fraudulent IT operations and help launder earnings through online payment services and Chinese bank accounts.
Fake copied website (Source – SentinelOne)
Four recently identified DPRK IT Worker front companies have been analyzed:-
-
Independent Lab LLC (inditechlab[.]com)
-
Shenyang Tonywang Technology LTD (tonywangtech[.]com)
-
Tony WKJ LLC (wkjllc[.]com)
-
HopanaTech (hopanatech[.]com)
However, all these companies’ websites were recently taken down by law enforcement.
Domain Seized Alerts (Source – SentinelOne)
Tactics and Techniques
The front companies employ several tactics to appear legitimate:-
-
Copying website content from legitimate businesses
-
Using fake identities and forged credentials
-
Registering domains through NameCheap
-
Utilizing hosting services like InterServer and Asia Web Services Ltd
Further investigation revealed connections to an active network of DPRK IT front companies originating in China:-
-
Shenyang Huguo Technology Ltd (huguotechltd[.]com) was identified as closely associated with the four disrupted companies.
-
A link was established between the “Tony Wang” identity and multiple front companies.
-
The Tong Yuze identity was connected to Beijing Xiwang Technology Company, previously known as Beijing Hou Pa Na Technology Company (a cognate for “HopanaTech”).
Visual representation of front company connections (Source – SentinelOne)
These schemes present significant risks to employers like potential legal violations, reputational damage, and insider threats.
The DPRK’s use of IT workers highlights their adaptability in exploiting global markets to further financial objectives and fund state programs, including weapons development.
Organizations are urged to implement robust evaluation processes and carefully inspect potential contractors and suppliers to mitigate risks and prevent inadvertent support of these illicit operations.
The exposure of these activities aims to equip businesses, governments, and the public with insights to stay ahead of these threats and safeguard the integrity of global markets.
