North Korean IT Worker Scheme: US Department of Justice Indicts Five Nationals
The U.S. Department of Justice (DoJ) has indicted five individuals, including two North Korean nationals, a Mexican national, and two U.S. citizens, for their alleged involvement in a fraudulent information technology (IT) worker scheme. The scheme aims to generate revenue for the Democratic People’s Republic of Korea (DPRK) in violation of international sanctions.
Defendants Charged
The action targets Jin Sung-Il (진성일), Pak Jin-Song (박진성), Pedro Ernesto Alonso De Los Reyes, Erick Ntekereze Prince, and Emanuel Ashtor. Alonso, who resides in Sweden, was arrested in the Netherlands on January 10, 2025, after a warrant was issued.
Charges
All five defendants have been charged with conspiracy to cause damage to a protected computer, conspiracy to commit wire fraud and mail fraud, conspiracy to commit money laundering, and conspiracy to transfer false identification documents. Jin and Pak have also been charged with conspiracy to violate international sanctions by holding stolen proprietary data and code hostage until the companies meet ransom demands. In some instances, North Korean IT workers have publicly released victim companies’ proprietary code.
Theft of Company Code Repositories
Other instances entail the theft of company code repositories from GitHub and attempts to harvest sensitive company credentials and session cookies to initiate work sessions from non-company devices.
Global Impact
It’s not just a U.S. phenomenon, as a new report from threat intelligence firm Nisos reveals that several Japanese firms have also landed themselves in the crosshairs of DPRK IT workers. The report specifically highlighted the case of one such IT worker who has held software engineering and full-stack developer roles with different firms since January 2023.
Digital Persona Creation
The IT worker personas have been fleshed out digitally to lend them a veneer of legitimacy, complete with accounts on GitHub and freelance employment websites like LaborX, ProPursuit, Remote OK, Working Not Working, and Remote Hub, as well as a personal website containing manipulated stock images.
Report Details
"The individual appears to be currently employed under the name Weitao Wang at Japanese consulting company, Tenpct Inc., and appears to have been previously employed under the name Osamu Odaka at Japanese software development and consulting firm, LinkX Inc.," the company said in a report shared with The Hacker News.