FBI: Thousands of Remote IT Workers Sent Wages to North Korea to Help Fund Weapons Program

Federal authorities announced the seizure of $1.5 million and 17 domain names.

FBI Special Agent In Charge Jay Greenberg, right, speaks during a news conference Wednesday, Oct. 18, 2023, at the Federal Bureau of Investigation's St. Louis field office in downtown St. Louis.
FBI Special Agent In Charge Jay Greenberg, right, speaks during a news conference Wednesday, Oct. 18, 2023, at the Federal Bureau of Investigation's St. Louis field office in downtown St. Louis.
Christine Tannous/St. Louis Post-Dispatch via AP

ST. LOUIS (AP) — Thousands of information technology workers contracting with U.S. companies have for years secretly sent millions of dollars of their wages to North Korea for use in its ballistic missile program, FBI and Department of Justice officials said.

The Justice Department said Wednesday that IT workers dispatched and contracted by North Korea to work remotely with companies in St. Louis and elsewhere in the U.S. have been using false identities to get the jobs. The money they earned was funneled to the North Korean weapons program, FBI leaders said at a news conference in St. Louis.

Court documents allege that North Korea's government dispatched thousands of skilled IT workers to live primarily in China and Russia with the goal of deceiving businesses from the U.S. and elsewhere into hiring them as freelance remote employees. The workers used various techniques to make it look like they were working in the U.S., including paying Americans to use their home Wi-Fi connections, said Jay Greenberg, special agent in charge of the St. Louis FBI office.

Greenberg said any company that hired freelance IT workers "more than likely" hired someone participating in the scheme. An FBI spokeswoman said Thursday that the North Koreans contracted with companies across the U.S. and in some other countries.

"We can tell you that there are thousands of North Korea IT workers that are part of this," spokeswoman Rebecca Wu said.

Federal authorities announced the seizure of $1.5 million and 17 domain names as part of the investigation, which is ongoing.

FBI officials said the scheme is so prevalent that companies must be extra vigilant in verifying whom they are hiring, including requiring interviewees to at least be seen via video.

"At a minimum, the FBI recommends that employers take additional proactive steps with remote IT workers to make it harder for bad actors to hide their identities," Greenberg said in a news release.

The IT workers generated millions of dollars a year in their wages to benefit North Korea's weapons programs. In some instances, the North Korean workers also infiltrated computer networks and stole information from the companies that hired them, the Justice Department said. They also maintained access for future hacking and extortion schemes, the agency said.

Officials didn't name the companies that unknowingly hired North Korean workers, say when the practice began, or elaborate on how investigators became aware of it. But federal authorities have been aware of the scheme for some time.

In May 2022, the State Department, Department of the Treasury, and the FBI issued an advisory warning of attempts by North Koreans "to obtain employment while posing as non-North Korean nationals." The advisory noted that in recent years, the regime of Kim Jong Un "has placed increased focus on education and training" in IT-related subjects.

John Hultquist, the head of threat intelligence at the cybersecurity firm Mandiant, said North Korea's use of IT freelancers to help fund the weapons program has been in play for more than a decade, but the effort got a boost from the COVID-19 pandemic.

"I think the post-COVID world has created a lot more opportunity for them because freelancing and remote hiring are a far more natural part of the business than they were in the past," Hultquist said.

North Korea also uses workers in other fields to funnel money back for the weapons program, Hultquist said, but higher pay for tech workers provides a more lucrative resource.

Tensions on the Korean Peninsula are high as North Korea has test-fired more than 100 missiles since the start of 2022 and the U.S. has expanded its military exercises with its Asian allies, in tit-for-tat responses.

The Justice Department in recent years has sought to expose and disrupt a broad variety of criminal schemes aimed at bolstering the North Korean regime, including its nuclear weapons program.

In 2016, for instance, four Chinese nationals and a trading company were charged in the U.S. with using front companies to evade sanctions targeting North Korea's nuclear weapons and ballistics initiatives.

Two years ago, the Justice Department charged three North Korean computer programmers and members of the government's military intelligence agency in a broad range of global hacks that officials say were carried out at the behest of the regime. Law enforcement officials said at the time that the prosecution highlighted the profit-driven motive behind North Korea's criminal hacking, a contrast from other adversarial nations like Russia, China and Iran that are generally more interested in espionage, intellectual property theft or even disrupting democracy.

In September, North Korean leader Kim Jong Un called for an exponential increase in production of nuclear weapons and for his country to play a larger role in a coalition of nations confronting the United States in a "new Cold War," state media said.

In February, United Nations experts said that North Korean hackers working for the government stole record-breaking virtual assets last year estimated to be worth between $630 million and more than $1 billion. The panel of experts said in a report that the hackers used increasingly sophisticated techniques to gain access to digital networks involved in cyberfinance, and to steal information that could be useful in North Korea's nuclear and ballistic missile programs from governments, individuals and companies.

—-

Eric Tucker in Washington, D.C, contributed to this report.

More in Cybersecurity