Verify a decision

{"actor":"system:backfill","investigation_id":"565e8152-725d-45c3-b97d-49211625d60e","kind":"publish","page_slug":"dprk-it-worker-network-overseas-scheme","published_at":"2026-06-03T00:08:25.094Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"DPRK IT Worker Network (Overseas Scheme)","sections":[{"content":"The DPRK IT Worker Network is a centrally coordinated program operated by the North Korean government — principally under the auspices of the Korean Worker's Party and front companies linked to the Ministry of People's Armed Forces and the Ministry of the Defence Industry — that deploys thousands of trained software engineers to work remotely for foreign companies under false identities. The overarching objective is sanctions evasion: by masquerading as freelance developers from the United States, Eastern Europe, or Southeast Asia, DPRK nationals earn hard-currency wages that are largely remitted to Pyongyang for use in prohibited weapons programs. The United Nations Multilateral Sanctions Monitoring Committee has estimated the scheme generates between $250 million and $600 million annually since approximately 2018, and U.S. State Department officials assessed that it generated approximately $800 million in 2024 alone. Google's Mandiant threat intelligence unit tracks the activity cluster as UNC5267 and has monitored it since at least 2022. CrowdStrike tracks the same threat actor group under the designation 'Famous Chollima' and reported 304 confirmed incidents in 2024, with a 220% year-over-year increase in infiltration attempts through mid-2025.","heading":"Overview and State Sponsorship","severity":"critical","sources":[{"credibility":1,"name":"Treasury Sanctions Facilitators of DPRK IT Worker Fraud Targeting U.S. Businesses — U.S. Treasury","type":"regulatory","url":"https://home.treasury.gov/news/press-releases/sb0416"},{"credibility":1,"name":"State Department: Sanctions to Disrupt DPRK IT Worker Schemes Defrauding U.S. Businesses","type":"regulatory","url":"https://www.state.gov/releases/office-of-the-spokesperson/2026/03/sanctions-to-disrupt-dprk-it-worker-schemes-defrauding-u-s-businesses"},{"credibility":2,"name":"DPRK IT Workers Expanding in Scope and Scale — Google Cloud / Mandiant","type":"research","url":"https://cloud.google.com/blog/topics/threat-intelligence/dprk-it-workers-expanding-scope-scale"},{"credibility":2,"name":"North Korean IT worker infiltrations exploded 220% — Fortune / CrowdStrike","type":"news_article","url":"https://fortune.com/2025/08/04/north-korean-it-worker-infiltrations-exploded/"}]},{"content":"Operationally, DPRK workers obtain stolen or fabricated U.S. and third-country identity documents — including genuine U.S. passports containing the personally identifiable information of real citizens — and apply for fully remote software engineering positions through mainstream platforms including Upwork, Freelancer, LinkedIn, and Telegram. Workers have claimed nationalities including American, Italian, Japanese, Malaysian, Singaporean, Ukrainian, and Vietnamese. AI-generated profile photographs, deepfake video interviews, and AI writing tools are used to overcome language barriers and defeat identity checks. Once hired, workers use commercial remote-access software (AnyDesk, RustDesk, TinyPilot, Chrome Remote Desktop) to tunnel their real overseas location through a U.S.-based 'laptop farm': a residential address where a domestic facilitator hosts the victim company's issued laptop and routes the worker's traffic. Workers have also exploited bring-your-own-device (BYOD) policies by accessing corporate infrastructure via virtual machines, which lack standard endpoint logging. Front companies and fake websites were used to legitimize the workers' apparent U.S.-based employment history. Known shell entities created by U.S.-based facilitators include Tony WKJ LLC, Hopana Tech LLC, and Independent Lab LLC.","heading":"Scheme Mechanics and Tactics","severity":"critical","sources":[{"credibility":1,"name":"DOJ: Two North Korean Nationals and Three Facilitators Indicted (January 2025)","type":"regulatory","url":"https://www.justice.gov/opa/pr/two-north-korean-nationals-and-three-facilitators-indicted-multi-year-fraudulent-remote"},{"credibility":1,"name":"DOJ: Coordinated Nationwide Actions to Combat DPRK IT Workers (June 2025)","type":"regulatory","url":"https://www.justice.gov/opa/pr/justice-department-announces-coordinated-nationwide-actions-combat-north-korean-remote"},{"credibility":2,"name":"DPRK IT Workers Expanding in Scope and Scale — Google Cloud / Mandiant","type":"research","url":"https://cloud.google.com/blog/topics/threat-intelligence/dprk-it-workers-expanding-scope-scale"},{"credibility":1,"name":"FBI: North Korean IT Worker Threats to U.S. Businesses","type":"regulatory","url":"https://www.fbi.gov/investigate/cyber/alerts/2025/north-korean-it-worker-threats-to-u-s-businesses"}]},{"content":"Two primary DPRK-controlled organizational umbrellas have been identified and prosecuted. Yanbian Silverstar Network Technology Co., Ltd., based in the People's Republic of China, and Volasys Silver Star, based in the Russian Federation, collectively employed at least 130 North Korean 'IT Warriors' between approximately 2017 and 2023 and generated at least $88 million for the regime. Both entities were operated under Jong Song Hwa (CEO), Kim Ryu Song (Yanbian Silverstar president), and Ri Kyong Sik (Volasys president). A second major delegation network, Chinyong Information Technology Cooperation Company, is linked to the DPRK Ministry of People's Armed Forces and deploys workers in Russia and Laos; it was sanctioned by OFAC in August 2025. Amnokgang Technology Development Company, a DPRK IT company managing additional overseas worker delegations and illicit technology procurement, was sanctioned by OFAC in March 2026. Chinese front company Shenyang Geumpungri Network Technology Co., Ltd. served as a cover for Chinyong-affiliated delegations, and Korea Sinjin Trading Corporation provided additional cover under the Ministry of People's Armed Forces. Vietnam-based Quangvietdnbg International Services Company Limited, whose CEO Nguyen Quang Viet converted approximately $2.5 million in cryptocurrency between mid-2023 and mid-2025, facilitated currency conversion for the scheme.","heading":"Front Companies and Organizational Structure","severity":"critical","sources":[{"credibility":1,"name":"DOJ: Fourteen North Korean Nationals Indicted — $88M IT Worker Scheme (December 2024)","type":"regulatory","url":"https://www.justice.gov/archives/opa/pr/fourteen-north-korean-nationals-indicted-carrying-out-multi-year-fraudulent-information"},{"credibility":1,"name":"Treasury Sanctions Facilitators of DPRK IT Worker Fraud (March 2026)","type":"regulatory","url":"https://home.treasury.gov/news/press-releases/sb0416"},{"credibility":2,"name":"US Treasury Sanctions Russian National and Entities Supporting North Korean IT Worker Scheme — TRM Labs (August 2025)","type":"research","url":"https://www.trmlabs.com/resources/blog/us-treasury-sanctions-russian-national-and-entities-supporting-north-korean-it-worker-scheme"},{"credibility":2,"name":"OFAC Targets DPRK IT Workers Using Crypto — Chainalysis (March 2026)","type":"research","url":"https://www.chainalysis.com/blog/ofac-targets-north-korean-it-workers-crypto-march-2026/"}]},{"content":"The DOJ launched the DPRK RevGen: Domestic Enabler Initiative in March 2024 under its National Security Division and the FBI's Cyber and Counterintelligence Divisions, specifically to identify and shut down U.S.-based laptop farms and prosecute domestic facilitators. Major enforcement waves include: (1) May 2024 — arrest of Matthew Isaac Knoot (Nashville facilitator); (2) August 2024 — related seizures; (3) December 2024 — indictment of 14 North Korean nationals including officers of Yanbian Silverstar and Volasys Silver Star, charging conspiracy to violate IEEPA, wire fraud, money laundering, and identity theft (maximum 27 years per count); (4) January 2025 — indictment of North Korean nationals Jin Sung-Il and Pak Jin-Song and facilitators Pedro Ernesto Alonso De Los Reyes (Mexico), Erick Ntekereze Prince (U.S.), and Emanuel Ashtor (U.S.) for obtaining work from at least 64 U.S. companies and generating at least $866,255 between April 2018 and August 2024; (5) June–July 2025 — coordinated nationwide actions including two additional indictments, an information and related plea agreement, searches of 29 known or suspected laptop farms across 16 states, seizure of 29 financial accounts, and seizure of 21 fraudulent websites. The DOJ's forfeiture complaint of June 2025 seeks recovery of $7.74 million in cryptocurrency tied to Sim Hyon Sop's laundering network. Sentencings of U.S.-based facilitators in 2025–2026 include: Kejia Wang (108 months in prison, April 2026) and Zhenxing Wang (92 months in prison, April 2026), both New Jersey residents who between 2021 and October 2024 used stolen identities of more than 80 U.S. citizens to place workers at over 100 U.S. companies and generated more than $5 million for the DPRK.","heading":"DOJ Enforcement Actions and Indictments","severity":"critical","sources":[{"credibility":1,"name":"DOJ: Fourteen North Korean Nationals Indicted — $88M IT Worker Scheme (December 2024)","type":"regulatory","url":"https://www.justice.gov/archives/opa/pr/fourteen-north-korean-nationals-indicted-carrying-out-multi-year-fraudulent-information"},{"credibility":1,"name":"DOJ: Two North Korean Nationals and Three Facilitators Indicted (January 2025)","type":"regulatory","url":"https://www.justice.gov/opa/pr/two-north-korean-nationals-and-three-facilitators-indicted-multi-year-fraudulent-remote"},{"credibility":1,"name":"DOJ: Coordinated Nationwide Actions to Combat DPRK IT Workers (June 2025)","type":"regulatory","url":"https://www.justice.gov/opa/pr/justice-department-announces-coordinated-nationwide-actions-combat-north-korean-remote"},{"credibility":1,"name":"DOJ: Two U.S. Nationals Sentenced — $5M DPRK IT Worker Scheme (April 2026)","type":"regulatory","url":"https://www.justice.gov/opa/pr/two-us-nationals-sentenced-facilitating-fraudulent-remote-information-technology-worker"},{"credibility":1,"name":"DOJ: Civil Forfeiture Complaint Against $7.74M Tied to DPRK Government (June 2025)","type":"court_filing","url":"https://www.justice.gov/opa/pr/department-files-civil-forfeiture-complaint-against-over-774m-laundered-behalf-north-korean"},{"credibility":2,"name":"DOJ lauds series of gains against North Korean IT worker scheme — CyberScoop","type":"news_article","url":"https://cyberscoop.com/doj-north-korea-it-worker-scheme-cases-crypto-seized/"}]},{"content":"OFAC has issued multiple rounds of sanctions designations targeting the DPRK IT worker network. Key actions include: (1) August 2025 designation of Russian national Vitaliy Sergeyevich Andreyev for facilitating payments to Chinyong, together with sanctions on Shenyang Geumpungri Network Technology Co., Ltd. (China), and Korea Sinjin Trading Corporation (DPRK); (2) March 12, 2026 designation of six individuals and two entities (Amnokgang Technology Development Company and Quangvietdnbg International Services Company Limited), with OFAC identifying 21 cryptocurrency wallet addresses across Ethereum, Tron, and Bitcoin. Specifically sanctioned individuals in the March 2026 action include: Nguyen Quang Viet (Vietnam, Quangvietdnbg CEO; converted approximately $2.5 million in crypto between mid-2023 and mid-2025); Yun Song Guk (DPRK national, led IT worker group in Boten, Laos since 2023); Hoang Minh Quang (coordinated financial transactions exceeding $70,000 with Yun); and Sim Hyon Sop (China-based North Korean Foreign Trade Bank representative, previously designated, updated with new wallet addresses). The March 2026 action was accompanied by a coordinated State Department statement noting the network generated approximately $800 million in 2024 for DPRK weapons programs. OFAC's multichain designation — spanning Ethereum, Tron, and Bitcoin — reflects what Chainalysis researchers characterized as the DPRK's 'increasingly multichain approach' to moving illicit funds.","heading":"OFAC Sanctions Designations","severity":"critical","sources":[{"credibility":1,"name":"Treasury Sanctions Facilitators of DPRK IT Worker Fraud Targeting U.S. Businesses (March 2026)","type":"regulatory","url":"https://home.treasury.gov/news/press-releases/sb0416"},{"credibility":1,"name":"Sanctions Imposed on DPRK IT Workers Generating Revenue for the Kim Regime — Treasury (August 2025)","type":"regulatory","url":"https://home.treasury.gov/news/press-releases/sb0190"},{"credibility":1,"name":"Treasury Sanctions Fraud Network Funding DPRK Weapons Programs — Treasury","type":"regulatory","url":"https://home.treasury.gov/news/press-releases/sb0230"},{"credibility":2,"name":"OFAC Targets DPRK IT Workers Using Crypto — Chainalysis (March 2026)","type":"research","url":"https://www.chainalysis.com/blog/ofac-targets-north-korean-it-workers-crypto-march-2026/"},{"credibility":2,"name":"U.S. sanctions network laundering $800M in crypto for North Korea — CoinDesk","type":"news_article","url":"https://www.coindesk.com/business/2026/03/13/u-s-sanctions-6-people-2-companies-that-laundered-usd800-million-in-crypto-for-north-korea"}]},{"content":"DPRK IT workers strongly prefer payment in stablecoins, reportedly due to their consistent value and compatibility with OTC cryptocurrency traders who facilitate off-ramping to fiat currency. Upon receipt, funds are laundered through a multi-step process: (1) chain-hopping and token swaps through decentralized exchanges to obscure origins; (2) use of bridge protocols to move assets across blockchains; (3) consolidation and commingling of proceeds with funds from other DPRK criminal activities (e.g., exchange hacks attributed to Lazarus Group); and (4) final off-ramping via fictitious accounts at mainstream exchanges or through unregulated OTC traders. Sim Hyon Sop, a North Korean Foreign Trade Bank representative based in China, is alleged to have received tens of millions of dollars in virtual currency from the IT worker schemes and coordinated OTC trading networks. Lu Huaying, a UAE-based OTC trader, is alleged to have been a key final off-ramp. The OFAC March 2026 action identified 21 wallet addresses spanning Ethereum, Tron, and Bitcoin, underscoring the multichain nature of the laundering infrastructure.","heading":"Cryptocurrency Laundering Methods","severity":"critical","sources":[{"credibility":2,"name":"North Korea IT Workers: Inside the DPRK's Crypto Laundering Network — Chainalysis","type":"research","url":"https://www.chainalysis.com/blog/dprk-it-workers-north-korea-crypto-laundering-networks/"},{"credibility":2,"name":"DOJ Seeks Forfeiture of $7.7 Million in Cryptocurrency Tied to DPRK IT Worker Network — TRM Labs","type":"research","url":"https://www.trmlabs.com/resources/blog/doj-seeks-forfeiture-of-7-7-million-in-cryptocurrency-tied-to-north-korean-it-worker-laundering-network"},{"credibility":2,"name":"OFAC Targets DPRK IT Workers Using Crypto — Chainalysis (March 2026)","type":"research","url":"https://www.chainalysis.com/blog/ofac-targets-north-korean-it-workers-crypto-march-2026/"}]},{"content":"Since at least late 2024, DPRK IT workers have materially escalated their tactics beyond wage collection. Mandiant documented a sharp increase in extortion attempts beginning in October 2024, correlated with increased U.S. law enforcement actions and the likely termination of previously placed workers. In the December 2024 indictment of 14 North Korean nationals, the DOJ detailed instances in which conspirators stole sensitive proprietary source code and threatened to publish it unless the employer paid a ransom; at least one company sustained hundreds of thousands of dollars in damages after refusing to pay and having its proprietary data publicly released. Some conspirators were directed by superiors to earn at least $10,000 per month. The FBI's IC3 January 2025 advisory noted that workers had leveraged unlawful corporate network access to exfiltrate credentials, session cookies, and ITAR-controlled data; one case involved theft of data from a California-based defense contractor developing AI-powered military equipment. Mandiant noted that for the first time in early 2025, DPRK IT workers were observed following through on threats to release sensitive data rather than merely threatening to do so.","heading":"Extortion and Data Theft Escalation","severity":"critical","sources":[{"credibility":1,"name":"DOJ: Fourteen North Korean Nationals Indicted — $88M IT Worker Scheme (December 2024)","type":"regulatory","url":"https://www.justice.gov/archives/opa/pr/fourteen-north-korean-nationals-indicted-carrying-out-multi-year-fraudulent-information"},{"credibility":1,"name":"FBI IC3: North Korean IT Workers Conducting Data Extortion (January 2025)","type":"regulatory","url":"https://www.ic3.gov/PSA/2025/PSA250123"},{"credibility":2,"name":"DPRK IT Workers Expanding in Scope and Scale — Google Cloud / Mandiant","type":"research","url":"https://cloud.google.com/blog/topics/threat-intelligence/dprk-it-workers-expanding-scope-scale"},{"credibility":1,"name":"DOJ: Two U.S. Nationals Sentenced — $5M DPRK IT Worker Scheme (April 2026)","type":"regulatory","url":"https://www.justice.gov/opa/pr/two-us-nationals-sentenced-facilitating-fraudulent-remote-information-technology-worker"}]},{"content":"DPRK IT workers are physically stationed primarily in China and Russia, with significant clusters also documented in Laos (Boten special economic zone), Vietnam, and historically in other Southeast Asian locations. U.S. facilitators operate across at least 16 states. The geographic footprint of sanctioned facilitators as of March 2026 spans the DPRK, Vietnam, Laos, and Spain. The scheme has expanded beyond the United States to target European companies. One Google/Mandiant-documented operative managed at least 12 fraudulent personas across European and U.S. job markets simultaneously. Workers have applied for positions in a broad range of sectors: technology, defense industrial base, government contractors, financial services, and general software development. Financial services rose from the sixth most-targeted sector in Q1 2025 to the fourth most-targeted in Q1 2026, according to CrowdStrike, which designated the activity the most prevalent state-sponsored intrusion threat facing financial firms. Hundreds of Fortune 500 companies have unknowingly hired DPRK IT workers, according to court records and public statements from U.S. prosecutors.","heading":"Geographic Reach and Sector Targeting","severity":"high","sources":[{"credibility":2,"name":"North Korean operatives stole $2 billion last year — financial firms are the next target (Fortune / CrowdStrike, May 2026)","type":"news_article","url":"https://fortune.com/2026/05/14/north-korea-it-workers-stealing-billions-financial-firms-next-target-crowdstrike/"},{"credibility":2,"name":"DPRK IT Workers Expanding in Scope and Scale — Google Cloud / Mandiant","type":"research","url":"https://cloud.google.com/blog/topics/threat-intelligence/dprk-it-workers-expanding-scope-scale"},{"credibility":2,"name":"Treasury sanctions 8 for laundering North Korea earnings — The Record","type":"news_article","url":"https://therecord.media/north-korea-us-sanctions-it-worker-scams-cybercrime"}]},{"content":"The U.S. government has issued multiple public advisories to assist private-sector organizations in identifying DPRK IT workers. Key red flags documented by the FBI and IC3 include: (1) use of public VPN services, remote management tools, or unauthorized remote desktop applications on corporate devices; (2) frequent excuses for avoiding video calls, last-minute cancellations, or insistence on audio-only communication; (3) noticeable variability between interview performance and on-the-job performance — including the inability to explain code the worker ostensibly authored, suggesting multiple operators sharing a single role; (4) requests for payment in cryptocurrency; (5) frequent changes to linked bank accounts; (6) identity documents with misspellings or photographs inconsistent across social media, portfolio sites, and payment platforms; and (7) requests to redirect company-issued devices to a third-party address. The State Department's Rewards for Justice program announced a reward of up to $5 million for information on Yanbian Silverstar and Volasys Silver Star in December 2024. The FBI maintains a DPRK IT Fraud most-wanted page at fbi.gov/wanted/cyber/dprk-it-workers.","heading":"U.S. Government Advisories and Detection Guidance","severity":"medium","sources":[{"credibility":1,"name":"FBI: North Korean IT Worker Threats to U.S. Businesses (2025)","type":"regulatory","url":"https://www.fbi.gov/investigate/cyber/alerts/2025/north-korean-it-worker-threats-to-u-s-businesses"},{"credibility":1,"name":"FBI IC3: North Korean IT Workers Conducting Data Extortion (January 2025)","type":"regulatory","url":"https://www.ic3.gov/PSA/2025/PSA250123"},{"credibility":1,"name":"FBI DPRK IT Fraud — Most Wanted","type":"regulatory","url":"https://www.fbi.gov/wanted/cyber/dprk-it-workers"},{"credibility":2,"name":"US offers $5 million for info on North Korean IT workers — The Record","type":"news_article","url":"https://therecord.media/north-korea-it-workers-accused-money-laundering-5million-reward"}]},{"content":"The crypto and blockchain industry has been a primary target of the DPRK IT worker scheme. The sector's widespread use of fully remote work arrangements, cryptocurrency-denominated compensation, pseudonymous team structures, and rapid hiring cycles makes it particularly vulnerable. DPRK workers have applied for and obtained roles as Solana/Anchor smart contract developers, MERN stack engineers, React/Next.js/Tailwind developers, and blockchain infrastructure engineers. At least one Atlanta-based blockchain firm and one Serbian cryptocurrency company were identified in a DOJ indictment as victims whose developer access was used to steal approximately $915,000. DOJ's June 2025 forfeiture complaint noted that North Korean workers embedded at crypto firms used their privileged access to exfiltrate funds directly. The scheme's financial flows heavily involve stablecoin payments (USDT on Ethereum and Tron being preferred), OTC conversion, and cross-chain laundering through decentralized exchanges and bridge protocols — all native infrastructure of the crypto ecosystem.","heading":"Crypto and Blockchain Industry Exposure","severity":"critical","sources":[{"credibility":1,"name":"DOJ: Coordinated Nationwide Actions to Combat DPRK IT Workers (June 2025)","type":"regulatory","url":"https://www.justice.gov/opa/pr/justice-department-announces-coordinated-nationwide-actions-combat-north-korean-remote"},{"credibility":2,"name":"North Korea IT Workers: Inside the DPRK's Crypto Laundering Network — Chainalysis","type":"research","url":"https://www.chainalysis.com/blog/dprk-it-workers-north-korea-crypto-laundering-networks/"},{"credibility":2,"name":"OFAC Targets DPRK IT Workers Using Crypto — Chainalysis (March 2026)","type":"research","url":"https://www.chainalysis.com/blog/ofac-targets-north-korean-it-workers-crypto-march-2026/"}]}],"sources_used":[{"credibility":1,"name":"DOJ: Fourteen North Korean Nationals Indicted — $88M IT Worker Scheme (December 2024)","type":"regulatory","url":"https://www.justice.gov/archives/opa/pr/fourteen-north-korean-nationals-indicted-carrying-out-multi-year-fraudulent-information"},{"credibility":1,"name":"DOJ: Two North Korean Nationals and Three Facilitators Indicted (January 2025)","type":"regulatory","url":"https://www.justice.gov/opa/pr/two-north-korean-nationals-and-three-facilitators-indicted-multi-year-fraudulent-remote"},{"credibility":1,"name":"DOJ: Coordinated Nationwide Actions to Combat DPRK IT Workers (June 2025)","type":"regulatory","url":"https://www.justice.gov/opa/pr/justice-department-announces-coordinated-nationwide-actions-combat-north-korean-remote"},{"credibility":1,"name":"DOJ: Nationwide Actions to Combat Illicit North Korean Government Revenue Generation","type":"regulatory","url":"https://www.justice.gov/opa/pr/justice-department-announces-nationwide-actions-combat-illicit-north-korean-government"},{"credibility":1,"name":"DOJ: Civil Forfeiture Complaint Against $7.74M Tied to DPRK Government (June 2025)","type":"court_filing","url":"https://www.justice.gov/opa/pr/department-files-civil-forfeiture-complaint-against-over-774m-laundered-behalf-north-korean"},{"credibility":1,"name":"DOJ: Two U.S. Nationals Sentenced for $5M DPRK IT Worker Scheme (April 2026)","type":"regulatory","url":"https://www.justice.gov/opa/pr/two-us-nationals-sentenced-facilitating-fraudulent-remote-information-technology-worker"},{"credibility":1,"name":"DOJ: Nashville Facilitator Arrest for DPRK Remote IT Worker Fraud (August 2024)","type":"regulatory","url":"https://www.justice.gov/archives/opa/pr/justice-department-disrupts-north-korean-remote-it-worker-fraud-schemes-through-charges-and"},{"credibility":1,"name":"Treasury Sanctions Facilitators of DPRK IT Worker Fraud Targeting U.S. Businesses (March 2026)","type":"regulatory","url":"https://home.treasury.gov/news/press-releases/sb0416"},{"credibility":1,"name":"Sanctions Imposed on DPRK IT Workers Generating Revenue for the Kim Regime — Treasury (August 2025)","type":"regulatory","url":"https://home.treasury.gov/news/press-releases/sb0190"},{"credibility":1,"name":"Treasury Sanctions Fraud Network Funding DPRK Weapons Programs — Treasury","type":"regulatory","url":"https://home.treasury.gov/news/press-releases/sb0230"},{"credibility":1,"name":"OFAC: Publication of North Korea Information Technology Workers Advisory (May 2022)","type":"regulatory","url":"https://ofac.treasury.gov/recent-actions/20220516"},{"credibility":1,"name":"State Department: Sanctions to Disrupt DPRK IT Worker Schemes Defrauding U.S. Businesses (March 2026)","type":"regulatory","url":"https://www.state.gov/releases/office-of-the-spokesperson/2026/03/sanctions-to-disrupt-dprk-it-worker-schemes-defrauding-u-s-businesses"},{"credibility":1,"name":"FBI: North Korean IT Worker Threats to U.S. Businesses (2025)","type":"regulatory","url":"https://www.fbi.gov/investigate/cyber/alerts/2025/north-korean-it-worker-threats-to-u-s-businesses"},{"credibility":1,"name":"FBI IC3: North Korean IT Workers Conducting Data Extortion (January 2025)","type":"regulatory","url":"https://www.ic3.gov/PSA/2025/PSA250123"},{"credibility":1,"name":"FBI: DPRK IT Workers — Most Wanted","type":"regulatory","url":"https://www.fbi.gov/wanted/cyber/dprk-it-workers"},{"credibility":2,"name":"OFAC Targets DPRK IT Workers Using Crypto — Chainalysis (March 2026)","type":"research","url":"https://www.chainalysis.com/blog/ofac-targets-north-korean-it-workers-crypto-march-2026/"},{"credibility":2,"name":"North Korea IT Workers: Inside the DPRK's Crypto Laundering Network — Chainalysis","type":"research","url":"https://www.chainalysis.com/blog/dprk-it-workers-north-korea-crypto-laundering-networks/"},{"credibility":2,"name":"DPRK IT Workers Expanding in Scope and Scale — Google Cloud / Mandiant","type":"research","url":"https://cloud.google.com/blog/topics/threat-intelligence/dprk-it-workers-expanding-scope-scale"},{"credibility":2,"name":"Mitigating the DPRK IT Worker Threat — Google Cloud Blog","type":"research","url":"https://cloud.google.com/blog/topics/threat-intelligence/mitigating-dprk-it-worker-threat"},{"credibility":2,"name":"DOJ Seeks Forfeiture of $7.7 Million in Cryptocurrency Tied to DPRK IT Worker Network — TRM Labs","type":"research","url":"https://www.trmlabs.com/resources/blog/doj-seeks-forfeiture-of-7-7-million-in-cryptocurrency-tied-to-north-korean-it-worker-laundering-network"},{"credibility":2,"name":"US Treasury Sanctions Russian National and Entities Supporting DPRK IT Worker Scheme — TRM Labs (August 2025)","type":"research","url":"https://www.trmlabs.com/resources/blog/us-treasury-sanctions-russian-national-and-entities-supporting-north-korean-it-worker-scheme"},{"credibility":2,"name":"U.S. sanctions network laundering $800M in crypto for North Korea — CoinDesk (March 2026)","type":"news_article","url":"https://www.coindesk.com/business/2026/03/13/u-s-sanctions-6-people-2-companies-that-laundered-usd800-million-in-crypto-for-north-korea"},{"credibility":2,"name":"Court indicts 14 North Korean IT workers tied to $88 million in illicit gains — CyberScoop (December 2024)","type":"news_article","url":"https://cyberscoop.com/court-indicts-14-north-korean-it-workers-tied-to-88-million-in-illicit-gains/"},{"credibility":2,"name":"DOJ lauds series of gains against North Korean IT worker scheme — CyberScoop","type":"news_article","url":"https://cyberscoop.com/doj-north-korea-it-worker-scheme-cases-crypto-seized/"},{"credibility":2,"name":"US nationals sentenced for aiding North Korea's tech worker scheme — CyberScoop","type":"news_article","url":"https://cyberscoop.com/us-nationals-sentenced-facilitate-north-korea-tech-worker-scheme/"},{"credibility":2,"name":"North Korean operatives stole $2 billion last year — financial firms are the next target (Fortune / CrowdStrike, May 2026)","type":"news_article","url":"https://fortune.com/2026/05/14/north-korea-it-workers-stealing-billions-financial-firms-next-target-crowdstrike/"},{"credibility":2,"name":"North Korean IT worker infiltrations exploded 220% — Fortune / CrowdStrike (August 2025)","type":"news_article","url":"https://fortune.com/2025/08/04/north-korean-it-worker-infiltrations-exploded/"},{"credibility":2,"name":"US nationals behind DPRK IT worker laptop farm sent to prison — BleepingComputer","type":"news_article","url":"https://www.bleepingcomputer.com/news/security/us-nationals-behind-north-korean-it-worker-laptop-farm-sent-to-prison/"},{"credibility":2,"name":"North Korean IT workers are stealing remote jobs — Americans are helping (Fortune, April 2026)","type":"news_article","url":"https://fortune.com/2026/04/25/north-korean-it-worker-scheme-american-faciliators/"},{"credibility":2,"name":"Treasury sanctions 8 for laundering North Korea earnings — The Record","type":"news_article","url":"https://therecord.media/north-korea-us-sanctions-it-worker-scams-cybercrime"}],"summary":"The DPRK IT Worker Network is a state-directed, multi-year operation run by the North Korean government that places thousands of fraudulently credentialed software developers inside U.S. and global technology and crypto companies using stolen identities, fake personas, and U.S.-based facilitators. Workers generate hundreds of millions of dollars annually in illicit wages funneled back to Pyongyang to fund weapons of mass destruction and ballistic missile programs, and have escalated to data theft and extortion. The operation has drawn DOJ indictments of dozens of individuals across multiple enforcement waves (2024–2026), OFAC sanctions designating front companies and facilitators in China, Vietnam, Laos, Russia, and Spain, and FBI warnings to private industry.","timeline":[{"date":"2017-04-01","event":"Yanbian Silverstar and Volasys Silver Star begin operating; DPRK IT workers placed in U.S. companies under false identities (approximate start date per DOJ indictment).","source":"DOJ: Fourteen North Korean Nationals Indicted (December 2024)","source_url":"https://www.justice.gov/archives/opa/pr/fourteen-north-korean-nationals-indicted-carrying-out-multi-year-fraudulent-information"},{"date":"2018-04-01","event":"Second cohort of DPRK IT workers (Jin Sung-Il, Pak Jin-Song network) begins placing workers at U.S. companies under stolen U.S. passport identities (approximate start date per DOJ indictment).","source":"DOJ: Two North Korean Nationals and Three Facilitators Indicted (January 2025)","source_url":"https://www.justice.gov/opa/pr/two-north-korean-nationals-and-three-facilitators-indicted-multi-year-fraudulent-remote"},{"date":"2022-05-16","event":"OFAC publishes advisory on North Korea IT Workers; first U.S. government public warning to the private sector.","source":"OFAC: Publication of North Korea Information Technology Workers Advisory","source_url":"https://ofac.treasury.gov/recent-actions/20220516"},{"date":"2023-04-01","event":"Sim Hyon Sop indicted for conspiring with DPRK IT workers to generate revenue and with OTC crypto traders to launder funds; $7.74 million restrained by U.S. government.","source":"DOJ: Civil Forfeiture Complaint Against $7.74M (June 2025)","source_url":"https://www.justice.gov/opa/pr/department-files-civil-forfeiture-complaint-against-over-774m-laundered-behalf-north-korean"},{"date":"2024-03-01","event":"DOJ launches DPRK RevGen: Domestic Enabler Initiative under National Security Division and FBI Cyber and Counterintelligence Divisions, specifically targeting U.S.-based laptop farm operators.","source":"DOJ: Nationwide Actions to Combat Illicit North Korean Government Revenue Generation","source_url":"https://www.justice.gov/opa/pr/justice-department-announces-nationwide-actions-combat-illicit-north-korean-government"},{"date":"2024-08-01","event":"DOJ arrests Nashville-based facilitator Matthew Isaac Knoot; disrupts North Korean remote IT worker fraud schemes. Seizures of related financial accounts.","source":"DOJ: Justice Department Disrupts DPRK Remote IT Worker Fraud Schemes Through Charges and Arrest of Nashville Facilitator","source_url":"https://www.justice.gov/archives/opa/pr/justice-department-disrupts-north-korean-remote-it-worker-fraud-schemes-through-charges-and"},{"date":"2024-10-01","event":"Google/Mandiant documents sharp increase in extortion attempts by DPRK IT workers, coinciding with increased law enforcement pressure. Workers begin targeting larger organizations.","source":"DPRK IT Workers Expanding in Scope and Scale — Google Cloud / Mandiant","source_url":"https://cloud.google.com/blog/topics/threat-intelligence/dprk-it-workers-expanding-scope-scale"},{"date":"2024-12-11","event":"DOJ indicts 14 North Korean nationals (including Yanbian Silverstar CEO Jong Song Hwa, Kim Ryu Song, Ri Kyong Sik) for $88 million IT worker fraud scheme over six years. State Department simultaneously offers $5 million Rewards for Justice bounty on the companies.","source":"DOJ: Fourteen North Korean Nationals Indicted (December 2024)","source_url":"https://www.justice.gov/archives/opa/pr/fourteen-north-korean-nationals-indicted-carrying-out-multi-year-fraudulent-information"},{"date":"2025-01-21","event":"DOJ indicts North Korean nationals Jin Sung-Il and Pak Jin-Song plus three facilitators for placing workers at 64 U.S. companies between 2018 and 2024, generating at least $866,255 in illicit revenue laundered through a Chinese bank account.","source":"DOJ: Two North Korean Nationals and Three Facilitators Indicted (January 2025)","source_url":"https://www.justice.gov/opa/pr/two-north-korean-nationals-and-three-facilitators-indicted-multi-year-fraudulent-remote"},{"date":"2025-01-23","event":"FBI IC3 issues public service announcement warning companies of data extortion by North Korean IT workers leveraging unauthorized corporate network access.","source":"FBI IC3: North Korean IT Workers Conducting Data Extortion (January 2025)","source_url":"https://www.ic3.gov/PSA/2025/PSA250123"},{"date":"2025-06-10","event":"DOJ announces coordinated nationwide enforcement: two new indictments, one information with plea, arrest of Zhenxing Wang in New Jersey. FBI executes searches of 21 premises across 14 states hosting laptop farms (June 10–17). Seizure of 29 financial accounts and 21 fraudulent websites.","source":"DOJ: Coordinated Nationwide Actions to Combat DPRK IT Workers (June 2025)","source_url":"https://www.justice.gov/opa/pr/justice-department-announces-coordinated-nationwide-actions-combat-north-korean-remote"},{"date":"2025-06-05","event":"DOJ files civil forfeiture complaint against $7.74 million in cryptocurrency tied to Sim Hyon Sop's laundering network.","source":"DOJ: Civil Forfeiture Complaint Against $7.74M Laundered on Behalf of DPRK (June 2025)","source_url":"https://www.justice.gov/opa/pr/department-files-civil-forfeiture-complaint-against-over-774m-laundered-behalf-north-korean"},{"date":"2025-08-04","event":"CrowdStrike reports North Korean IT worker infiltration attempts grew 220% year-over-year; AI is weaponized at every stage of the hiring process including deepfakes and synthetic identity generation.","source":"North Korean IT worker infiltrations exploded 220% — Fortune / CrowdStrike","source_url":"https://fortune.com/2025/08/04/north-korean-it-worker-infiltrations-exploded/"},{"date":"2025-08-27","event":"OFAC designates Russian national Vitaliy Sergeyevich Andreyev, Shenyang Geumpungri Network Technology Co. (China), and Korea Sinjin Trading Corporation (DPRK) for facilitating payments to Chinyong IT worker network.","source":"Sanctions Imposed on DPRK IT Workers Generating Revenue for the Kim Regime — Treasury (August 2025)","source_url":"https://home.treasury.gov/news/press-releases/sb0190"},{"date":"2026-03-12","event":"OFAC designates six individuals and two entities (Amnokgang Technology Development Company; Quangvietdnbg International Services Company Limited) for roles in generating approximately $800 million in 2024 for DPRK weapons programs. Twenty-one cryptocurrency addresses across Ethereum, Tron, and Bitcoin identified.","source":"Treasury Sanctions Facilitators of DPRK IT Worker Fraud Targeting U.S. Businesses (March 2026)","source_url":"https://home.treasury.gov/news/press-releases/sb0416"},{"date":"2026-04-16","event":"Kejia Wang sentenced to 108 months in prison and Zhenxing Wang sentenced to 92 months in prison for operating laptop farms for DPRK IT workers, generating more than $5 million for the regime using stolen identities of 80+ U.S. citizens.","source":"DOJ: Two U.S. Nationals Sentenced for $5M DPRK IT Worker Scheme (April 2026)","source_url":"https://www.justice.gov/opa/pr/two-us-nationals-sentenced-facilitating-fraudulent-remote-information-technology-worker"},{"date":"2026-05-14","event":"CrowdStrike reports DPRK-linked cyber groups stole a combined $2.02 billion in 2025 (up 51% year-over-year); financial services identified as an escalating target sector.","source":"North Korean operatives stole $2 billion last year — financial firms are the next target (Fortune / CrowdStrike)","source_url":"https://fortune.com/2026/05/14/north-korea-it-workers-stealing-billions-financial-firms-next-target-crowdstrike/"}]},"v":1}