One Worker Also Sanctioned for Transferring IT Earnings to North Korean Government
The U.S. government sanctioned four entities and one individual involved in helping to funnel payments from malicious activities to support the Democratic People’s Republic of Korea government’s illicit activities such as unlawful weapons of mass destruction and ballistic missile programs.
The Department of Treasury sanctioned Pyongyang University of Automation, Technical Reconnaissance Bureau and its subordinate cyber unit, the 110th Research Center for playing a key role in conducting malicious cyber activities and deploying IT workers who fraudulently obtained jobs to generate revenue, including virtual currency, to support the Kim regime and its priorities.
U.S. government alleges North Korean IT workers can earn more than $300,000 per year under the program.
“They deliberately obfuscate their identities, locations and nationalities, typically using fake personas, proxy accounts, stolen identities and falsified or forged documentation to apply for jobs at these companies,” Treasury’s Office of Foreign Assets Control said.
The department alleges that North Korea generates revenue through the deployment of IT workers who fraudulently obtain employment with companies around the world, maintaining a workforce of thousands of highly skilled IT workers, mostly located in the People’s Republic of China and Russia.
The department alleges that workers target employers using a variety of mainstream and industry-specific freelance contracting, payment and social media and networking platforms.
The agency also sanctioned one individual, Kim Sang Man, for his role in transferring IT earnings to the Pyongyang-based North Korean government.
The Treasury Department coordinated the latest sanction with the Republic of Korea, which imposed sanctions against one entity and one individual associated with overseas DPRK IT workers.
“DPRK malicious actors stole more virtual currency in 2022 than in any previous year, with estimates ranging from $630 million to over $1 billion reportedly doubling Pyongyang’s total cyber theft proceeds in 2021,” according to a March 2023 UN Panel of Experts report.
Treasury Undersecretary for Terrorism and Financial Intelligence Brian Nelson said the action continues to highlight North Korea’s extensive illicit cyber and IT worker operations, which finance the regime’s unlawful weapons of mass destruction and ballistic missile programs.
This development follows a similar action taken by South Korea that sanctioned four North Korean individuals and seven organizations for similar charges in February.
The three sanctioned entities were previously sanctioned by South Korea on February 10, for allegedly engaging in cyber operations and illicit revenue generation that support the DPRK’s weapons of mass destruction programs (see: South Korea Sanctions Pyongyang Hackers).
One of the sanctioned entities, Pyongyang University of Automation, is North Korea’s premier cyber instruction institution. The university provides training on malicious cyber activities and offers a platform to work at the Reconnaissance General Bureau, the regime’s primary intelligence bureau and the main entity responsible for its malicious cyber activities.
The North Korea-based Technical Reconnaissance Bureau, which was also sanctioned, heads the country’s development of offensive cyber tactics and tools and operates several departments, including those affiliated with the Lazarus Group, which was recently carried out the largest virtual currency heist to date, stealing about $620 million in virtual currency from a blockchain project linked to the online game Axie Infinity in March 2022 (SEE: Crypto Hackers Exploit Ronin Network for $615 Million).
The Treasury Department also sanctioned the fourth entity, the Chinyong Information Technology Cooperation company office in Vladivostok, Russia. The DPRK-based company employs delegations of North Korean IT workers that operate in Russia and Laos, the department said.
One employee, Kim Sang Man, is responsible for transferring IT earnings to the Pyongyang-based North Korean government and is involved in the payment of salaries to family members of Chinyong’s overseas DPRK worker delegations.
“Kim has been involved in the sale and transfer of IT equipment for the DPRK and, as recently as 2021, received cryptocurrency funds transfers from IT teams located in China and Russia that were valued at more than $2 million,” the department said.
The agency said he has been aware of cryptocurrency payments to North Korea through a company he led and is affiliated with “the U.S.-designated Korea Computer Center and worked as an IT developer in the DPRK” prior to being selected as an agent of the Reconnaissance General Bureau to earn foreign currency for North Korea.