North Korean hacker

The Treasury Department's Office of Foreign Assets Control (OFAC) announced sanctions today against four entities and one individual for their involvement in illicit IT worker schemes and cyberattacks generating revenue to finance North Korea's weapons development programs.

North Korea's illicit revenue generation strategy relies heavily on a massive "army" of thousands of IT workers who hide their identities to get hired by companies overseas, the OFAC said in a press release published on Tuesday.

To secure employment with targeted companies, they employ various deceptive tactics, including using stolen identities, fake personas, and falsified or forged documentation.

While located in China and Russia, they're funneling the generated revenue to funds earned through these endeavors to fuel the Pyongyang regime's weapons programs.

Each year, some of the fraudulently employed North Korean IT workers can amass salaries exceeding $300,000 while intentionally obscuring their true identities, whereabouts, and nationality. 

"The DPRK conducts malicious cyber activities and deploys information technology (IT) workers abroad who fraudulently obtain employment to generate revenue that supports the Kim regime," U.S. Secretary of State Antony J. Blinken said.

"The DPRK's extensive illicit cyber and IT worker operations threaten international security by financing the DPRK regime and its dangerous activities, including its unlawful weapons of mass destruction (WMD) and ballistic missile programs."

The list of entities from the Democratic People's Republic of Korea (DPRK) sanctioned today for their involvement in cyber attacks and illicit IT worked revenue generation schemes includes:

  • Pyongyang University of Automation: responsible for the training of "malicious cyber actors," many of which work for the Reconnaissance General Bureau (RGB) (North Korea's main intelligence bureau responsible for coordinating the country's cyberattacks)
  • The RGB's Technical Reconnaissance Bureau and the 110th Research Center cyber unit: involved in the development of malicious tools, the coordination of departments linked to North Korean threat actors like the notorious Lazarus Group, and cyberattacks targeting organizations in the United States and the Republic of Korea
  • Chinyong Information Technology Cooperation Company (aka Jinyong IT Cooperation Company): linked to the North Korean Ministry of Peoples' Armed Forces and coordinating IT workers operating from Russia and Laos to generate revenue for the country's regime
  • North Korean national Kim Sang Man: involved in the payment of salaries to family members of Chinyong's overseas IT worker delegations

One year ago, the OFAC also sanctioned the Tornado Cash and the Blender.io cryptocurrency mixers used by North Korean Lazarus Group hackers to launder most of the $620 million worth of Ethereum stolen in the largest known cryptocurrency heist ever after hacking Axie Infinity's Ronin network bridge in April 2022.

DPRK hacking groups Lazarus, Bluenoroff, and Andariel were also sanctioned in September 2019 for funneling financial assets stolen in cyberattacks to the country's government.

According to a recent confidential report issued by a panel of United Nations experts, North Korean threat actors engaged in a record-breaking level of cryptocurrency theft last year. 

It estimated that they stole between $630 million to over $1 billion in 2022, surpassing previous years' figures and effectively doubling Pyongyang's illicit gains from cyber theft in 2021.

"Today's action continues to highlight the DPRK's extensive illicit cyber and IT worker operations, which finance the regime's unlawful weapons of mass destruction and ballistic missile programs," said Brian E. Nelson, the Treasury's Under Secretary for Terrorism and Financial Intelligence, today.

"The United States and our partners remain committed to combatting the DPRK's illicit revenue generation activities and continued efforts to steal money from financial institutions, virtual currency exchanges, companies, and private individuals around the world."

Related Articles:

US govt sanctions Iranians linked to government cyberattacks

US sanctions crypto exchanges used by Russian darknet market, banks

US sanctions APT31 hackers behind critical infrastructure attacks

New executive order bans mass sale of personal data to China, Russia

DPRK hacking groups breach South Korean defense contractors