
DoJ Indicts Five Individuals for $866K North Korean IT Worker Scheme



The U.S. Department of Justice (DoJ) has indicted five individuals—two North Korean nationals, a Mexican citizen, and two U.S. citizens—for their roles in a fraudulent IT worker scheme that violated international sanctions and generated $866,255 for the Democratic People's Republic of Korea (DPRK).


Details of the Indictment

The accused include Jin Sung-Il (진성일), Pak Jin-Song (박진성), Pedro Ernesto Alonso De Los Reyes, Erick Ntekereze Prince, and Emanuel Ashtor. Pedro Alonso, a Mexican national residing in Sweden, was arrested in the Netherlands on January 10, 2025.


Charges against the group include:

  • Conspiracy to cause damage to a protected computer
  • Conspiracy to commit wire fraud and mail fraud
  • Conspiracy to commit money laundering
  • Conspiracy to transfer false identification documents


Additionally, Jin and Pak face charges of violating the International Emergency Economic Powers Act (IEEPA). If convicted, each defendant could face up to 20 years in prison.


Fraudulent IT Worker Scheme Uncovered

The scheme involved North Korean nationals leveraging stolen or forged identities to secure remote IT positions with U.S. companies. Many operated from laptop farms in China and Russia while deceiving employers into believing they were based in the U.S.


The DoJ disclosed that between April 2018 and August 2024, the defendants infiltrated at least 64 U.S. companies. Payments from ten of these firms contributed to the $866,255 in revenue, which was laundered through a Chinese bank account.


Key Findings

  1. Identity Fraud for High Salaries
    • Jin Sung-Il used Pedro Alonso's identity and a New York address to secure a $120,000-per-year IT job in 2021.

  2. Laptop Farms for Remote Access
    • Emanuel Ashtor and Erick Prince hosted laptops at their homes, installing remote access tools like AnyDesk and TeamViewer without employer authorization.

  3. Money Laundering
    • Ntekereze leveraged his company, Taggcar Inc., to invoice a U.S. staffing agency for $75,709, channeling the funds to accounts accessible to both Jin and Alonso.


A Broader Campaign of Cyber Deception

This indictment is part of a larger U.S. effort to combat the DPRK's fraudulent IT worker schemes. These operations aim to funnel high-paying salaries back to North Korea, supporting the regime's priorities and enabling access to sensitive corporate data.


Past Actions Include:

  • August 2024: A Tennessee man was arrested for aiding North Koreans in obtaining U.S. jobs.
  • December 2024: 14 DPRK nationals were indicted for generating $88 million over six years.
  • January 2025: The U.S. Treasury sanctioned two North Korean nationals and four companies in Laos and China for involvement in the scheme.


Cybercrime and Data Extortion

The Federal Bureau of Investigation (FBI) has highlighted additional risks posed by DPRK IT workers:

  • Corporate Data Theft: Unauthorized access to sensitive networks and proprietary data.
  • Extortion: Threats to release stolen data unless ransom demands are met.
  • Code Repository Theft: Targeting GitHub accounts to exfiltrate company code.


Global Reach

The scheme is not limited to the U.S. Japanese companies have also fallen victim, as revealed by threat intelligence firm Nisos. One such IT worker, operating under the alias Weitao Wang, secured roles with Japanese firms by presenting fake credentials and manipulated GitHub accounts.


How the Scheme Operates

North Korean IT workers utilize:

  • Pseudonymous accounts on job sites and social media
  • Proxy computers to hide their real location
  • Fake personal websites with stock images and stolen resumes


Conclusion

This indictment underscores the persistent threat posed by North Korean cyber actors who exploit global IT markets to fund illicit activities. Companies are urged to enhance cybersecurity measures and vet remote employees rigorously to combat such schemes.