{"id":2037360,"date":"2024-11-22T09:54:07","date_gmt":"2024-11-22T14:54:07","guid":{"rendered":"https:\/\/securityboulevard.com\/?p=2037360"},"modified":"2024-11-22T12:25:28","modified_gmt":"2024-11-22T17:25:28","slug":"u-s-agencies-seize-four-north-korean-it-worker-scam-websites","status":"publish","type":"post","link":"https:\/\/securityboulevard.com\/2024\/11\/u-s-agencies-seize-four-north-korean-it-worker-scam-websites\/","title":{"rendered":"U.S. Agencies Seize Four North Korean IT Worker Scam Websites"},"content":{"rendered":"<p>U.S. law enforcement agencies have seized four websites used by North Korean operatives as part of the country\u2019s ongoing efforts to plant IT workers in companies around the world to evade sanctions and generate money for its weapons programs.<\/p>\n<p>The fraudulent companies were identified by threat researchers at SentinelOne, and their websites were seized last month by U.S. agencies, including the Justice Department (DOJ), FBI, and Department of Homeland Security (DHS). The sites now have a message in both English and Korean saying that they have been seized through a federal court in Massachusetts.<\/p>\n<p>The fake businesses posed as legitimate U.S.-based technology and software consultancy firms offering contractors and other IT workers to companies, according to SentinelOne researchers Tom Hegel and Dakota Cary. They also traced the four fake businesses to a larger network of front companies based in China, which they <a href=\"https:\/\/www.sentinelone.com\/labs\/dprk-it-workers-a-network-of-active-front-companies-and-their-links-to-china\/\" target=\"_blank\" rel=\"noopener\">wrote in a report<\/a> \u201cemphasizes the scale and complexity of North Korea\u2019s financial schemes and the importance of vigilance across industries. 
\u2026 Front companies, often based in China, Russia, Southeast Asia, and Africa, play a key role in masking the workers\u2019 true origins and managing payments.\u201d<\/p>\n<p>The Biden Administration has been aggressive in pushing back against North Korean IT worker scams, <a href=\"https:\/\/securityboulevard.com\/2023\/10\/u-s-seizes-money-domains-involved-in-north-korea-it-worker-scam\/\">seizing sites<\/a> and <a href=\"https:\/\/securityboulevard.com\/2024\/08\/doj-shuts-down-another-north-korean-laptop-farm\/\" target=\"_blank\" rel=\"noopener\">shutting down laptop farms<\/a> in the United States that are used to facilitate the fraud. In the scams, skilled North Korean operatives posing as IT workers from other countries try to get hired by IT companies in the United States and elsewhere for remote IT work.<\/p>\n<h3>Funding Weapons Programs<\/h3>\n<p>Once they are in, the money they earn is sent back to the North Korean regime to help fund its nuclear and ballistic weapons programs. In addition, some of the scammers deploy malware in their employers\u2019 systems to steal information and money.<\/p>\n<p>In one case, KnowBe4 founder and CEO Stu Sjouwerman wrote about how his company was <a href=\"https:\/\/securityboulevard.com\/2024\/07\/knowbe4-unknowingly-hires-fake-north-korean-it-worker\/\" target=\"_blank\" rel=\"noopener\">duped into hiring one of these workers<\/a>, noting that the operative was able to navigate through a background check, reference verifications, and four video conference-based interviews before being hired. After the hire, the company sent the operative a Mac workstation, and the moment it was received, it began to load malware. The activity was detected by KnowBe4&#8217;s endpoint detection and response (EDR) software and no illegal entry was gained.<\/p>\n<p>\u201cThese workers are highly skilled in areas like software development, mobile applications, blockchain, and cryptocurrency technologies,\u201d Hegel and Cary wrote. 
\u201cBy posing as professionals from other countries using fake identities and forged credentials, they secure remote jobs and freelance contracts with businesses worldwide.\u201d<\/p>\n<p>The front companies in countries like China and Russia help the North Korean workers launder their wages through online payment services and bank accounts in China, with payments often routed through cryptocurrencies or \u201cshadow banking systems,\u201d they wrote.<\/p>\n<h3>Four Websites Seized<\/h3>\n<p>SentinelOne identified four fraudulent companies, including Independent Lab LLC, which has been active since at least February and was possibly acquired and operated using the web and cloud hosting service InterServer. The domain was registered via Namecheap.<\/p>\n<p>\u201cThe content of the website is in line with what you would expect of a legitimate software development outsourcing business, with no obvious major indicators associated with the DPRK, or even illegitimate in any way,\u201d Hegel and Cary wrote. \u201cIn the case of Independent Lab LLC, the website format and content was copied from Kitrum, a legitimate custom software firm headquartered in the United States.\u201d<\/p>\n<p>Another website, Shenyang Tonywang Technology, became active in November 2023 on the InterServer hosting infrastructure and was registered with Namecheap. Like Independent Lab, Shenyang Tonywang Technology advertises itself as a software consulting company with bespoke solutions like DevOps and cloud consulting. The website\u2019s format and content were copied from Urolime, a legitimate U.S.-based DevOps consulting company.<\/p>\n<p>The Tony WKJ LLC IT Services website promotes itself as a software development company specializing in Agile development. 
Active since May, it also copies the format and content from a legitimate business, this time from software and web development firm ArohaTech IT Services, which is headquartered in India.<\/p>\n<p>\u201cHowever, a comparison to the legitimate website reveals that the DPRK [Democratic People\u2019s Republic of Korea] actors have not only placed their own name, and removed original ArohaTech logos, they have also modified the content to clearly attempt to brand Tony WKJ LLC as a US based company,\u201d the researchers wrote.<\/p>\n<h3>A Unique \u2013 but Still Fake \u2013 Company<\/h3>\n<p>They wrote that the HopanaTech website was distinct from the others. It was first registered in November 2020 and began hosting publicly through Asia Web Services a month later. Like the others, it describes itself as a custom software development company, though the version of the content was significantly modified.<\/p>\n<p>\u201cIt continued to make use of customer reviews and marketing content from legitimate public websites,\u201d the researchers wrote. \u201cHowever, in some cases, content that would have required more than a simple text edit remains unchanged, showing the original sources name, such as the legitimate ITechArt firm\u2019s website.\u201d<\/p>\n<p>Hegel and Cary said they followed multiple leads to link the sites to front companies in China, including an address for a site called \u201cBuilding A1\u201d in Shenyang, the capital city of Liaoning in China.<\/p>\n<p>They warned companies about falling for the North Korean IT worker scams.<\/p>\n<p>\u201cThese schemes present significant risks to employers, including potential legal violations, reputational damage, and insider threats such as intellectual property theft or malware implantation,\u201d they wrote. 
\u201cAddressing these risks requires heightened awareness and stringent vetting processes to limit North Korea\u2019s ability to exploit global tech markets.\u201d<\/p>\n","protected":false},"excerpt":{"rendered":"<p>U.S. law enforcement agencies seized the websites of four North Korean fake IT worker scams that were uncovered by SentinelOne threat researchers and linked to a larger network of Chinese front companies.<\/p>\n","protected":false},"author":20461,"featured_media":1802863,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[230,23406,13571,21132,782,21858,308,30691,14089,14098,30205,14097,98631,99462,99461,13418,14096],"tags":[61469,78577,103364,103339],"class_list":["post-2037360","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cloud-security","category-blogs","category-data-security","category-devops","category-endpoint","category-sb-featured","category-identity-access","category-sb-industry-spotlight","category-network-security","category-sb-news","category-security-awareness","category-sb","category-social-facebook","category-social-linkedin","category-social-x","category-sb-spotlight","category-threat-intelligence","tag-china-espionage","tag-department-of-justice-doj","tag-fake-it-worker-scam","tag-north-korean-cyber-espionage"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v23.9 (Yoast SEO v23.9) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>U.S. 
Agencies Seize Four North Korean IT Worker Scam Websites - Security Boulevard<\/title>\n<meta name=\"description\" content=\"SentinelOne threat researchers uncovered the operations and linked them to a larger network of front companies operating from China.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/securityboulevard.com\/2024\/11\/u-s-agencies-seize-four-north-korean-it-worker-scam-websites\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"U.S. Agencies Seize Four North Korean IT Worker Scam Websites\" \/>\n<meta property=\"og:description\" content=\"U.S. law enforcement agencies seized the websites of four North Korean fake IT worker scams that were uncovered by SentinelOne threat researchers and linked to a larger network of Chinese front companies.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/securityboulevard.com\/2024\/11\/u-s-agencies-seize-four-north-korean-it-worker-scam-websites\/\" \/>\n<meta property=\"og:site_name\" content=\"Security Boulevard\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/groups\/24445075146\/\" \/>\n<meta property=\"article:published_time\" content=\"2024-11-22T14:54:07+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-11-22T17:25:28+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/securityboulevard.com\/wp-content\/uploads\/2019\/03\/Hackathons-Cybersecurity.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"770\" \/>\n\t<meta property=\"og:image:height\" content=\"330\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Jeffrey Burt\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@securityblvd\" \/>\n<meta 
name=\"twitter:site\" content=\"@securityblvd\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/securityboulevard.com\/2024\/11\/u-s-agencies-seize-four-north-korean-it-worker-scam-websites\/\",\"url\":\"https:\/\/securityboulevard.com\/2024\/11\/u-s-agencies-seize-four-north-korean-it-worker-scam-websites\/\",\"name\":\"U.S. Agencies Seize Four North Korean IT Worker Scam Websites - Security Boulevard\",\"isPartOf\":{\"@id\":\"https:\/\/securityboulevard.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/securityboulevard.com\/2024\/11\/u-s-agencies-seize-four-north-korean-it-worker-scam-websites\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/securityboulevard.com\/2024\/11\/u-s-agencies-seize-four-north-korean-it-worker-scam-websites\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/securityboulevard.com\/wp-content\/uploads\/2019\/03\/Hackathons-Cybersecurity.jpg\",\"datePublished\":\"2024-11-22T14:54:07+00:00\",\"dateModified\":\"2024-11-22T17:25:28+00:00\",\"author\":{\"@id\":\"https:\/\/securityboulevard.com\/#\/schema\/person\/f38bb7663c788778985274cf1b68758a\"},\"description\":\"SentinelOne threat researchers uncovered the operations and linked them to a larger network of front companies operating from 
China.\",\"breadcrumb\":{\"@id\":\"https:\/\/securityboulevard.com\/2024\/11\/u-s-agencies-seize-four-north-korean-it-worker-scam-websites\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/securityboulevard.com\/2024\/11\/u-s-agencies-seize-four-north-korean-it-worker-scam-websites\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/securityboulevard.com\/2024\/11\/u-s-agencies-seize-four-north-korean-it-worker-scam-websites\/#primaryimage\",\"url\":\"https:\/\/securityboulevard.com\/wp-content\/uploads\/2019\/03\/Hackathons-Cybersecurity.jpg\",\"contentUrl\":\"https:\/\/securityboulevard.com\/wp-content\/uploads\/2019\/03\/Hackathons-Cybersecurity.jpg\",\"width\":770,\"height\":330,\"caption\":\"North Korea IT worker scam\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/securityboulevard.com\/2024\/11\/u-s-agencies-seize-four-north-korean-it-worker-scam-websites\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/securityboulevard.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Cybersecurity\",\"item\":\"https:\/\/securityboulevard.com\/category\/blogs\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Network Security\",\"item\":\"https:\/\/securityboulevard.com\/category\/blogs\/network-security\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"U.S. 
Agencies Seize Four North Korean IT Worker Scam Websites\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/securityboulevard.com\/#website\",\"url\":\"https:\/\/securityboulevard.com\/\",\"name\":\"Security Boulevard\",\"description\":\"The Home of the Security Bloggers Network\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/securityboulevard.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/securityboulevard.com\/#\/schema\/person\/f38bb7663c788778985274cf1b68758a\",\"name\":\"Jeffrey Burt\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/securityboulevard.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/securityboulevard.com\/wp-content\/uploads\/2023\/07\/cropped-Jeffrey-Burt-photo-96x96.jpg\",\"contentUrl\":\"https:\/\/securityboulevard.com\/wp-content\/uploads\/2023\/07\/cropped-Jeffrey-Burt-photo-96x96.jpg\",\"caption\":\"Jeffrey Burt\"},\"description\":\"Jeffrey Burt has been a journalist for more than three decades, writing about technology since 2000. He\u2019s written for a variety of outlets, including eWEEK, The Next Platform, The Register, The New Stack, eSecurity Planet, and Channel Insider.\",\"url\":\"https:\/\/securityboulevard.com\/author\/jeffrey-burt\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"U.S. 
Agencies Seize Four North Korean IT Worker Scam Websites - Security Boulevard","description":"SentinelOne threat researchers uncovered the operations and linked them to a larger network of front companies operating from China.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/securityboulevard.com\/2024\/11\/u-s-agencies-seize-four-north-korean-it-worker-scam-websites\/","og_locale":"en_US","og_type":"article","og_title":"U.S. Agencies Seize Four North Korean IT Worker Scam Websites","og_description":"U.S. law enforcement agencies seized the websites of four North Korean fake IT worker scams that were uncovered by SentinelOne threat researchers and linked to a larger network of Chinese front companies.","og_url":"https:\/\/securityboulevard.com\/2024\/11\/u-s-agencies-seize-four-north-korean-it-worker-scam-websites\/","og_site_name":"Security Boulevard","article_publisher":"https:\/\/www.facebook.com\/groups\/24445075146\/","article_published_time":"2024-11-22T14:54:07+00:00","article_modified_time":"2024-11-22T17:25:28+00:00","og_image":[{"width":770,"height":330,"url":"https:\/\/securityboulevard.com\/wp-content\/uploads\/2019\/03\/Hackathons-Cybersecurity.jpg","type":"image\/jpeg"}],"author":"Jeffrey Burt","twitter_card":"summary_large_image","twitter_creator":"@securityblvd","twitter_site":"@securityblvd","schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/securityboulevard.com\/2024\/11\/u-s-agencies-seize-four-north-korean-it-worker-scam-websites\/","url":"https:\/\/securityboulevard.com\/2024\/11\/u-s-agencies-seize-four-north-korean-it-worker-scam-websites\/","name":"U.S. 
Agencies Seize Four North Korean IT Worker Scam Websites - Security Boulevard","isPartOf":{"@id":"https:\/\/securityboulevard.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/securityboulevard.com\/2024\/11\/u-s-agencies-seize-four-north-korean-it-worker-scam-websites\/#primaryimage"},"image":{"@id":"https:\/\/securityboulevard.com\/2024\/11\/u-s-agencies-seize-four-north-korean-it-worker-scam-websites\/#primaryimage"},"thumbnailUrl":"https:\/\/securityboulevard.com\/wp-content\/uploads\/2019\/03\/Hackathons-Cybersecurity.jpg","datePublished":"2024-11-22T14:54:07+00:00","dateModified":"2024-11-22T17:25:28+00:00","author":{"@id":"https:\/\/securityboulevard.com\/#\/schema\/person\/f38bb7663c788778985274cf1b68758a"},"description":"SentinelOne threat researchers uncovered the operations and linked them to a larger network of front companies operating from China.","breadcrumb":{"@id":"https:\/\/securityboulevard.com\/2024\/11\/u-s-agencies-seize-four-north-korean-it-worker-scam-websites\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/securityboulevard.com\/2024\/11\/u-s-agencies-seize-four-north-korean-it-worker-scam-websites\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/securityboulevard.com\/2024\/11\/u-s-agencies-seize-four-north-korean-it-worker-scam-websites\/#primaryimage","url":"https:\/\/securityboulevard.com\/wp-content\/uploads\/2019\/03\/Hackathons-Cybersecurity.jpg","contentUrl":"https:\/\/securityboulevard.com\/wp-content\/uploads\/2019\/03\/Hackathons-Cybersecurity.jpg","width":770,"height":330,"caption":"North Korea IT worker 
scam"},{"@type":"BreadcrumbList","@id":"https:\/\/securityboulevard.com\/2024\/11\/u-s-agencies-seize-four-north-korean-it-worker-scam-websites\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/securityboulevard.com\/"},{"@type":"ListItem","position":2,"name":"Cybersecurity","item":"https:\/\/securityboulevard.com\/category\/blogs\/"},{"@type":"ListItem","position":3,"name":"Network Security","item":"https:\/\/securityboulevard.com\/category\/blogs\/network-security\/"},{"@type":"ListItem","position":4,"name":"U.S. Agencies Seize Four North Korean IT Worker Scam Websites"}]},{"@type":"WebSite","@id":"https:\/\/securityboulevard.com\/#website","url":"https:\/\/securityboulevard.com\/","name":"Security Boulevard","description":"The Home of the Security Bloggers Network","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/securityboulevard.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/securityboulevard.com\/#\/schema\/person\/f38bb7663c788778985274cf1b68758a","name":"Jeffrey Burt","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/securityboulevard.com\/#\/schema\/person\/image\/","url":"https:\/\/securityboulevard.com\/wp-content\/uploads\/2023\/07\/cropped-Jeffrey-Burt-photo-96x96.jpg","contentUrl":"https:\/\/securityboulevard.com\/wp-content\/uploads\/2023\/07\/cropped-Jeffrey-Burt-photo-96x96.jpg","caption":"Jeffrey Burt"},"description":"Jeffrey Burt has been a journalist for more than three decades, writing about technology since 2000. 
He\u2019s written for a variety of outlets, including eWEEK, The Next Platform, The Register, The New Stack, eSecurity Planet, and Channel Insider.","url":"https:\/\/securityboulevard.com\/author\/jeffrey-burt\/"}]}},"jetpack_sharing_enabled":true,"jetpack_featured_media_url":"https:\/\/securityboulevard.com\/wp-content\/uploads\/2019\/03\/Hackathons-Cybersecurity.jpg","jetpack_shortlink":"https:\/\/wp.me\/p91vu9-8y0E","_links":{"self":[{"href":"https:\/\/securityboulevard.com\/wp-json\/wp\/v2\/posts\/2037360","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/securityboulevard.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/securityboulevard.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/securityboulevard.com\/wp-json\/wp\/v2\/users\/20461"}],"replies":[{"embeddable":true,"href":"https:\/\/securityboulevard.com\/wp-json\/wp\/v2\/comments?post=2037360"}],"version-history":[{"count":3,"href":"https:\/\/securityboulevard.com\/wp-json\/wp\/v2\/posts\/2037360\/revisions"}],"predecessor-version":[{"id":2037378,"href":"https:\/\/securityboulevard.com\/wp-json\/wp\/v2\/posts\/2037360\/revisions\/2037378"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/securityboulevard.com\/wp-json\/wp\/v2\/media\/1802863"}],"wp:attachment":[{"href":"https:\/\/securityboulevard.com\/wp-json\/wp\/v2\/media?parent=2037360"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/securityboulevard.com\/wp-json\/wp\/v2\/categories?post=2037360"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/securityboulevard.com\/wp-json\/wp\/v2\/tags?post=2037360"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}