OFAC Sanctions DPRK IT Worker Network Funding WMD Programs Through Fake Remote Work

The US Treasury Department’s Office of Foreign Assets Control (OFAC) has sanctioned six individuals and two entities for their involvement in the Democratic People’s Republic of Korea’s (DPRK) information technology (IT) program to defraud US businesses and to launder money to finance the regime’s weapons of mass destruction (WMD) programs.
“The North Korean regime has targeted American companies through fraudulent schemes carried out by its overseas IT staff, who steal sensitive information and defraud businesses for large payments,” said Treasury Secretary Scott Bessent.
The fraud scheme, also tracked as Coral Sleet/Jasper Sleet, PurpleDelta and Wagemole, relies on fake documents, stolen information, and fictitious personas to help IT workers hide their true origins and global activities from legitimate companies in the US and elsewhere. A disproportionate share of the earnings is then sent back to North Korea to facilitate the country’s missile programs in violation of international sanctions.
In some cases, these efforts are accompanied by the deployment of malware to steal proprietary and sensitive information, as well as by extortion attempts that demand a ransom in return for not publicly disclosing the stolen data.
The individuals and organizations targeted by the latest round of OFAC sanctions are listed below –
- Amnokgang Technology Development Company, an IT company that hosts overseas IT staff delegations and conducts other illegal procurement activities to acquire and sell military and commercial technology through its overseas networks.
- Nguyen Quang Viet, CEO of the Vietnamese company Quangvietnbg International Services Company Limited, which facilitates currency conversion services for North Koreans. The company is estimated to have converted around $2.5 million to cryptocurrency between 2023 and mid-2025.
- Do Phi Khanh, an associate of Kim Se Un, who was sanctioned by the US in July 2025. Do allegedly acted as Kim’s proxy and allowed Kim to use his identity to open bank accounts and receive income from IT staff.
- Hoang Van Nguyen, who also assists Kim in opening bank accounts and enables the sale of cryptocurrency to Kim.
- Yun Song Guk, a North Korean citizen who has been leading a group of IT freelancers from Boten, Laos, since at least 2023. Yun has put together a dozen fund sales totaling over $70,000 with Hoang Minh Quang related to IT resources, and worked with York Louis Celestino Herrera on developing independent IT service contracts.
The development comes as LevelBlue highlighted IT staff’s use of Astrill VPN to perform their duties while in countries such as China, due to the service’s ability to bypass the Great Firewall of China. The idea is to funnel traffic through US exit points, effectively allowing them to pose as legal domestic workers.
“These threat actors often operate from China instead of North Korea for two reasons: reliable internet infrastructure and the ability to use VPN services to hide their true origins,” said security researcher Tue Luu. “Groups under the Lazarus Group, including Contagious Interview, rely on this ability to access the global Internet unhindered, manage control and regulatory infrastructure, and hide their true location.”
The cybersecurity firm also said it discovered a failed attempt by North Korea to infiltrate the organization in response to a job advertisement. The IT employee, who was hired on August 15, 2025, as a remote worker to work with Salesforce data, was terminated after 10 days after showing indications of persistent logins from China.
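The two signals described above (persistent logins from a country other than the worker's declared location, and sessions arriving through commercial VPN exit points) can be checked against authentication logs. The following is an added example, not code from LevelBlue or the original article; the log format, user names, documentation-range IP addresses and the enrichment table are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample data: hypothetical users, documentation-range IPs.
DECLARED_COUNTRY = {"jdoe": "US", "asmith": "US"}  # work location from HR records
IP_CONTEXT = {  # stand-in for a geo/ASN enrichment feed: ip -> (country, network type)
    "192.0.2.10": ("US", "residential"),
    "198.51.100.7": ("CN", "residential"),
    "203.0.113.50": ("US", "commercial_vpn"),
}
AUTH_LOG = """\
2025-01-06T01:02:11Z jdoe 198.51.100.7 success
2025-01-06T14:30:00Z asmith 192.0.2.10 success
2025-01-07T01:10:45Z jdoe 198.51.100.7 success
2025-01-07T14:31:09Z asmith 203.0.113.50 success
2025-01-08T01:05:00Z jdoe 203.0.113.50 success
2025-01-08T09:00:00Z asmith 198.51.100.7 failure
2025-01-09T01:07:30Z jdoe 198.51.100.7 success
2025-01-10T01:03:12Z jdoe 203.0.113.50 success
2025-01-11T01:09:54Z jdoe 203.0.113.50 success
"""

def review_logins(log_text, min_days=3):
    """Return {user: {reason: sorted dates}} for patterns seen on >= min_days distinct days."""
    days = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] != "success":
            continue  # skip malformed lines and failed logins
        ts, user, ip, _ = parts
        day = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").date().isoformat()
        country, net_type = IP_CONTEXT.get(ip, ("??", "unknown"))
        # A declared-US worker logging in from elsewhere is a location mismatch.
        if country not in (DECLARED_COUNTRY.get(user), "??"):
            days[user]["country_mismatch:" + country].add(day)
        # A US exit IP can still be a VPN; geolocation alone would miss it.
        if net_type == "commercial_vpn":
            days[user]["commercial_vpn_exit"].add(day)
    findings = {}
    for user, reasons in days.items():
        # Persistence matters: one-off travel or VPN use stays below the threshold.
        hits = {r: sorted(d) for r, d in reasons.items() if len(d) >= min_days}
        if hits:
            findings[user] = hits
    return findings

if __name__ == "__main__":
    for user, hits in review_logins(AUTH_LOG).items():
        print(user, hits)
```

Counting distinct days rather than individual events keeps a single trip or an occasional VPN session from raising a finding, while the repeated pattern does.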
A notable feature of Jasper Sleet’s tradecraft is the use of artificial intelligence to enable identity creation, social engineering, and long-term, low-cost operational persistence, underscoring how AI-enabled services can lower technical barriers and increase the capabilities of threat actors.
“Jasper Sleet uses AI throughout the attack cycle to monitor, stay monitored, and exploit access at scale,” Microsoft said. “Creative actors are using AI to disrupt the screening process and inform the development of persuasive digital personas tailored for specific job markets and roles.”
Another key component involves using an AI program called Faceswap to insert the faces of North Korean IT workers into stolen IDs and to create polished headshots for resumes. These efforts aim not only to improve the accuracy of their campaigns but also to increase credibility by creating a convincing digital identity.
In addition, the remote IT workers are assessed to use AI tools to create fake company websites, as well as to quickly generate, refine, and update malware components, in some cases by hacking large language models (LLMs).
“Threat actors like North Korean IT workers rely on long-term, reliable access,” Microsoft said. “Because of this fact, defenders must treat fraudulent recruitment and access abuse as a dangerous situation internally, focusing on detecting misuse of legitimate information, unusual access patterns, and ongoing low and slow activity.”
In a detailed report examining the tactics and strategies used by IT workers, Flare and IBM X-Force revealed that malicious actors are using time sheets to track job requests and work progress, IP Messenger (also known as IPMsg) for decentralized internal communications, and Google Translate to translate job descriptions, ChatGPT responses, and even creative responses.
The IT staffing system is built on a multi-tiered functional structure that includes recruiters, facilitators, IT staff, and collaborators, each of whom plays a different role –
- Recruiters, responsible for screening potential IT employees and recording initial interview sessions to send to facilitators.
- Facilitators and IT staff, tasked with creating a persona, finding freelance or full-time work, and recruiting new people.
- Collaborators, recruited to provide identity and/or information to help IT staff complete the recruitment process and obtain company-issued laptops.
“With the help of western collaborators hired, mainly from LinkedIn and GitHub, who, willingly or unwillingly, provide their identities to be used in the fraud scheme of IT employees, NKITW is able to penetrate deeply and reliably into the organization, for a long time,” the companies said in a report shared with Hacker News.
“The activities of North Korean IT personnel are widespread and deeply integrated within the DPRK party state. They are an important part of the DPRK’s machine for generating revenue and evading sanctions.”



