The U.S. Department of Justice just hit the headlines with the indictment of five men. This group includes two North Koreans, a Mexican, and two American citizens. They’re accused of a scheme that has allowed North Korean agents to secure remote IT jobs with American companies, all to funnel money back into the isolated regime.
On January 23, the men were named: Jin Sung-Il, Pak Jin-Song, Pedro Ernesto Alonso De Los Reyes, Erick Ntekereze Prince, and Emanuel Ashtor. Their operation dates back to April 2018. They managed to trick 64 companies into employing North Korean staff without the companies’ knowledge. Payments from just ten of these companies totaled over $860,000, which was funneled through a Chinese bank account.
Ntekereze and Ashtor set up a laptop farm in North Carolina, using opened laptops provided by victim companies. This trick made it seem like their new hires were working stateside. Right now, both Ntekereze and Ashtor are in custody, thanks to an FBI operation. Alonso is in custody in the Netherlands awaiting extradition, while the North Koreans remain elusive.
“The Department of Justice is serious about disrupting these schemes from North Korea that try to cheat U.S. businesses and fund the country’s dubious priorities, including its weapons programs,” said Devin DeBacker from the DOJ’s National Security Division. He mentioned the department’s commitment not just to pursue these North Korean actors but also to support U.S. companies in detecting and preventing such scams.
North Korea has sent thousands of skilled IT professionals abroad, primarily to China and Russia, to fool Western businesses into hiring them as freelancers. They pull off these schemes by crafting fake identities using pseudonymous emails, social media, and online job sites, all backed by a complex network of proxy computers.
The five men face multiple serious charges: conspiracy to damage protected computers, wire fraud, mail fraud, money laundering, and transferring false identification documents. The North Koreans have additional charges for violating the International Emergency Economic Powers Act. If convicted, the Americans could face up to 20 years behind bars.
The issue of fake North Korean IT staff infiltrating U.S. corporate settings has been a hot topic lately. Michael Barnhart from Google Cloud’s Mandiant noted that increased media attention and law enforcement pressure are starting to affect the scheme’s success. However, he also pointed out that, now that they are on the radar, the North Koreans are escalating their methods.
“We’re seeing them break into bigger organizations to steal sensitive data, and their threats are becoming more aggressive,” Barnhart said. He added that North Korea is widening its reach into Europe, where the ploys are less familiar to potential victims. They’re also taking advantage of businesses switching to virtual desktop infrastructures instead of issuing laptops, making it easier to conceal any malicious activities.
Rafe Pilling from Secureworks has been monitoring this group for the past year and noted that they’ve been increasingly using deepfakes and AI to enhance their deception tactics. “To take on state-sponsored groups like Nickel Tapestry, understanding their evolving tactics is critical,” Pilling emphasized.
For companies hiring remote IT workers, Pilling suggests a five-point checklist to guard against infiltration:
- Verify Identity: Always confirm personal and work histories against official records.
- Watch for Red Flags: Keep an eye out for odd behavior during interviews; long pauses or evasive answers may signal trouble.
- Be Cautious During Onboarding: If candidates request address changes or want pay sent through money transfer services, that’s a red flag.
- Limit Remote Access: Restrict unauthorized remote tools and ensure new hires have access only to essential tools.
- Ongoing Monitoring: It’s important to monitor employees post-hire to ensure the person contracted is indeed the person doing the work.
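
The onboarding and remote-access items in the checklist above can be checked mechanically against HR and endpoint records. The following is an added example, not code from the article or from Secureworks; the event field names, the approved tool name and the process watch list are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

# Assumptions (not from the article): event field names, the approved tool
# name, and the watch list of remote-access process names are illustrative.
APPROVED_REMOTE_TOOLS = {"corp-vdi-client"}
REMOTE_TOOL_NAMES = {"anydesk", "teamviewer", "rustdesk", "corp-vdi-client"}
MONEY_TRANSFER_METHODS = {"money_transfer_service"}

def normalize_process(name):
    """Reduce a Windows or POSIX path to a lowercase base name without '.exe'."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return base[:-4] if base.endswith(".exe") else base

def flags_for(event):
    """Map one HR or endpoint event to the checklist red flag it represents, if any."""
    kind = event["type"]
    if kind == "address_change" and event.get("stage") == "onboarding":
        return "shipping address changed during onboarding"
    if kind == "payroll_setup" and event.get("method") in MONEY_TRANSFER_METHODS:
        return "pay routed through " + event["method"]
    if kind == "process_start":
        proc = normalize_process(event["name"])
        if proc in REMOTE_TOOL_NAMES and proc not in APPROVED_REMOTE_TOOLS:
            return "unapproved remote-access tool: " + proc
    return None

def triage(events):
    """Group distinct red flags per hire; hires with the most flags come first."""
    per_hire = defaultdict(set)
    for event in events:
        flag = flags_for(event)
        if flag:
            per_hire[event["hire"]].add(flag)
    ranked = sorted(per_hire.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(hire, sorted(flags)) for hire, flags in ranked]

# Constructed sample events, not real data.
SAMPLE_EVENTS = [
    {"hire": "h-1001", "type": "address_change", "stage": "onboarding"},
    {"hire": "h-1001", "type": "payroll_setup", "method": "money_transfer_service"},
    {"hire": "h-1001", "type": "process_start", "name": "C:\\Users\\Public\\AnyDesk.exe"},
    {"hire": "h-1002", "type": "payroll_setup", "method": "direct_deposit"},
    {"hire": "h-1002", "type": "process_start", "name": "corp-vdi-client.exe"},
    {"hire": "h-1003", "type": "process_start", "name": "/usr/local/bin/rustdesk"},
    {"hire": "h-1003", "type": "process_start", "name": "/usr/local/bin/rustdesk"},
]

if __name__ == "__main__":
    for hire, flags in triage(SAMPLE_EVENTS):
        print(hire, len(flags), "; ".join(flags))
```

A hire that trips several independent flags, like the constructed `h-1001`, is the one to route to manual identity re-verification first.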