North Korean IT Worker Fraud Linked to 2016 Crowdfunding Scam and Fake Domains
Summary:
Cybersecurity researchers have identified infrastructure links between North Korean threat actors behind fraudulent IT worker schemes and a 2016 crowdfunding scam, highlighting Pyongyang's long-standing involvement in illicit financial activities. According to a report from SecureWorks Counter Threat Unit, these scams predate the IT worker fraud scheme exposed in late 2023, in which North Korean actors infiltrated global companies using fake identities to generate revenue for the heavily sanctioned regime. These operations, tracked under aliases such as Famous Chollima, Nickel Tapestry, UNC5267, and Wagemole, are reportedly conducted by the 313th General Bureau, a division of the Workers' Party of Korea's Munitions Industry Department.
A key element of the fraud involves deploying North Korean IT workers to front companies in China and Russia, including Yanbian Silverstar and Volasys Silver Star. Both entities were sanctioned by the U.S. Treasury Department in 2018 for facilitating North Korea's revenue generation and obscuring workers' true nationalities. Yanbian Silverstar's CEO, Jong Song Hwa, was also sanctioned for controlling the financial flows of North Korean developers stationed abroad. In October 2023, the U.S. seized 17 domains used by North Korean IT workers to impersonate legitimate companies and defraud businesses worldwide. One such domain was linked to Yanbian Silverstar's offices through historical WHOIS records.
Further investigation revealed connections to a 2016 IndieGoGo crowdfunding scam that raised $21,877 from 193 backers without delivering products or refunds. SecureWorks noted that this earlier scam was a lower-effort operation compared to the sophisticated IT worker schemes, but it showcased North Korean threat actors' experimentation with various illicit methods to generate revenue.
Security Officer Comments:
The DPRK's cyber activities extend into the cryptocurrency sector, with advanced persistent threat groups like Lazarus conducting large-scale thefts targeting exchanges, custodians, and individual users. A joint advisory issued in 2024 by Japan, South Korea, and the U.S. revealed that North Korean hackers stole over $659 million in cryptocurrency that year, targeting companies such as DMM Bitcoin, Upbit, Rain Management, WazirX, and Radiant Capital. This marked the first confirmation of North Korea's involvement in the hack of India's largest cryptocurrency exchange, WazirX. Nischal Shetty, WazirX's founder, called for international cooperation to recover stolen assets, emphasizing the urgency of the situation.
Suggested Corrections:
Organizations can make APT groups' lives more difficult. Here's how:
- Defense-in-depth strategy: A comprehensive defense-in-depth strategy is crucial to combat APTs. This includes implementing multiple layers of security controls, such as strong perimeter defenses, network segmentation, endpoint protection, intrusion detection systems, data encryption, access controls, and continuous monitoring for anomalies.
- Threat intelligence and sharing: Ideally, organizations should actively participate in threat intelligence sharing communities and collaborate with industry peers, government agencies, and security vendors. Sharing information about APTs and their techniques can help detect and mitigate attacks more effectively.
- Employee education and awareness: Regular security awareness programs, phishing simulations, and training sessions can educate employees about the latest threats, social engineering techniques, and safe computing practices.
- Incident response and recovery: Despite preventive measures, organizations should have a well-defined incident response plan. This includes incident detection, containment, eradication, and recovery procedures to minimize the impact of APT attacks and restore normal operations.
Link(s):
https://thehackernews.com/2025/01/north-korean-it-worker-fraud-linked-to.html
https://www.state.gov/office-of-the...lic-of-korea-and-public-private-collaboration