A federal court in St. Louis, Missouri, has indicted 14 nationals of the Democratic People’s Republic of North Korea with long-running conspiracies to violate U.S. sanctions and to commit wire fraud, money laundering, and identity theft.
Specifically, the conspirators, who worked for DPRK-controlled companies Yanbian Silverstar and Volasys Silverstar, located in China and Russia, respectively, conspired to use false, stolen and borrowed identities of U.S. and other persons to conceal their North Korean identities and foreign locations and obtain employment as remote IT workers for U.S. companies and nonprofit organizations.
The conspirators, some of whom were ordered by their superiors to earn at least $10,000 per month, generated at least $88 million throughout the approximately six-year conspiracy.
In multiple instances, the conspirators supplemented their employment earnings by stealing sensitive company information, such as proprietary source code, and then threatening to leak such information unless the employer made an extortion payment. Ultimately, the conspirators used the U.S. and PRC financial systems to remit the proceeds of their activity to accounts in the PRC for the ultimate benefit of the DPRK government.
Today’s charges are the most recent step in an ongoing, two-year Department effort to disrupt this specific group of conspirators, one of multiple such DPRK groups attempting to generate revenue for the DPRK government through such schemes.
Prior Department actions against this group include: (i) a January court-authorised seizure of approximately $320,000 (unsealed Thursday); (ii) a July court-authorised seizure of approximately $444,800 (unsealed Thursday); (iii) previously announced October 2022 and January 2023 court-authorized seizures of approximately $1.5 million; and (iv) previously announced October 2023 and May 2024 court-authorized seizures of 29 internet domains used by the same group to increase the bona fides and appeal of their assumed identities to prospective employers.
In addition to these actions, the State Department announced today a reward offer of up to $5 million for information on these companies, the individuals identified, their illicit activities, and/or those of associated individuals and entities. The identified individuals are Jong Song Hwa (정성화), Ri Kyong Sik (리경식), Kim Ryu Song (김류성), Rim Un Chol (림은철), Kim Mu Rim (김무림), Cho Chung Pom (조충범), Hyon Chol Song (현철성), Son Un Chol (손은철), Sok Kwang Hyok (석광혁), Choe Jong Yong (최정용), Ko Chung Sok (고충석), Kim Ye Won (김예원), Jong Kyong Chol (정경철), and Jang Chol Myong (장철명).
The State Department’s Rewards for Justice program has a standing rewards program for information that leads to the disruption of financial mechanisms of persons engaged in certain activities that support the North Korean government, including work by highly skilled North Korean nationals sent abroad whose income generates funds for the DPRK regime.
The DPRK has dispatched thousands of skilled IT workers around the world, earning revenue that contributes to the North Korean regime to deceive U.S. and other businesses worldwide into hiring them as remote IT workers to generate revenue in violation of U.S. and UN sanctions.
DPRK IT worker schemes involve using pseudonymous email, social media, payment platforms, online job site accounts, false websites, proxy computers, virtual private networks, virtual private servers, and unwitting third parties in the United States and elsewhere.
As described in a May 2022 tri-seal public service advisory released by the FBI and its partners, which was updated in October 2023, such IT workers can individually earn up to $300,000 annually, generating hundreds of millions of dollars collectively each year on behalf of designated entities, such as the North Korean Ministry of Defense and others directly involved in the DPRK’s UN-prohibited weapons of mass destruction programs.
The indictment alleges that the 14 conspirators worked for sanctioned North Korean-controlled companies Yanbian Silverstar and Volasys Silverstar in capacities ranging from senior company leaders to IT workers. These two organizations collectively employed at least 130 North Korean IT workers — referred to within these organizations as “IT Warriors.”
As alleged in the indictment, Yanbian Silverstar and Volasys Silverstar organized periodic “socialism competitions” for their employees. IT workers would compete to generate money for the DPRK during these competitions. Bonuses and other prizes were awarded to the top performers during these competitions.
North Korean IT workers obtained salaried employment at numerous U.S.-based companies and non-profit organisations as part of their scheme. In some instances, U.S. employers unwittingly employed North Korean IT workers for years and paid them hundreds of thousands of dollars in salary.
The conspirators used many techniques to conceal their North Korean identities from employers. These included using stolen identities belonging to U.S. persons and others to apply for jobs; paying U.S. persons to attend job interviews and work meetings remotely under fake identities; and registering web domains and designing phoney websites to convince prospective employers that the false identities were experienced, qualified, and previously employed by reputable contracting firms.
As described in court documents, these websites contained indicia that should have aroused suspicion about their bona fides. For example, some of the physical addresses listed on the websites were home addresses, not office buildings; contact telephone numbers listed on the fake companies’ websites did not correspond to area codes of business locations; and the websites’ content included disjointed or nonsensical phrases, such as, “Nor, moreover, is there anyone who loves pain because it is pain, pursues it, wants to gain it, but.”
The conspirators also sought to avoid detection by paying U.S. persons to receive, set up, and host laptops sent from employers to the U.S. persons’ home addresses (often referred to as laptop farms).
After these laptops were set up, the conspirators instructed the U.S. persons to install software that allowed them to access the laptops from overseas. By arranging to have laptops physically located in the United States, conspirators made it appear as if the fake U.S.-based employees were accessing laptops to do work when the IT workers were outside the United States.
In some instances, the conspirators leveraged their access to proprietary corporate information to extort their U.S.-based employers for additional payments. These threats were not empty — IT workers would sometimes publish the business’s information online if they were not paid. One employer, for example, sustained hundreds of thousands of dollars in damages after it refused the extortion demand of a conspirator who then publicly released the employer’s proprietary information.
All 14 conspirators are charged with conspiracy to violate the International Emergency Economic Powers Act, conspiracy to commit wire fraud, conspiracy to commit money laundering, and conspiracy to commit identity theft. Eight conspirators are charged with aggravated identity theft. If convicted, the defendants each face a maximum statutory penalty of 27 years in prison.
