{
	"id": "cb6582e2-3fee-4ffb-a8b6-72498fc01285",
	"created_at": "2026-04-06T15:53:01.84267Z",
	"updated_at": "2026-04-10T13:11:36.095405Z",
	"deleted_at": null,
	"sha1_hash": "576fd73f3eb78a86eb728dde80ecf9c88c0dc06b",
	"title": "DPRK IT Workers | A Network of Active Front Companies and Their Links to China",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 9472358,
	"plain_text": "DPRK IT Workers | A Network of Active Front Companies and\r\nTheir Links to China\r\nBy Tom Hegel \u0026 Dakota Cary\r\nPublished: 2024-11-21 · Archived: 2026-04-06 15:38:32 UTC\r\nExecutive Summary\r\nSentinelLABS has identified unique characteristics of multiple websites, now seized by the US\r\nGovernment, associated with the DPRK IT Worker front companies.\r\nWe assess with high confidence that DPRK actors seek to impersonate US based software and technology\r\nconsulting businesses by copying the online brands of legitimate organizations, seeking to use these for\r\nfinancial objectives.\r\nSentinelLABS has linked the activity to several active front companies and links these with high\r\nconfidence to a larger set of organizations being created in China.\r\nOur findings link additional companies, which remain active today, to the DPRK IT Workers scheme.\r\nBackground\r\nNorth Korea operates a global network of IT workers, both as individuals and under front companies, to evade\r\nsanctions and generate revenue for the regime. These workers are highly skilled in areas like software\r\ndevelopment, mobile applications, blockchain, and cryptocurrency technologies. By posing as professionals from\r\nother countries using fake identities and forged credentials, they secure remote jobs and freelance contracts with\r\nbusinesses worldwide.\r\nOur PinnacleOne team has compiled an executive summary of this threat, available here.\r\nFront companies, often based in China, Russia, Southeast Asia, and Africa, play a key role in masking the\r\nworkers’ true origins and managing payments. Notable examples include China-based Yanbian Silverstar Network\r\nTechnology Co. Ltd., disrupted in October 2023, and Russia-based Volasys Silver Star, sanctioned by the U.S.\r\nDepartment of the Treasury in 2018, for their roles in facilitating fraudulent IT operations. 
These entities helped\r\nDPRK workers launder earnings through online payment services and Chinese bank accounts. The payments,\r\noften routed through cryptocurrencies or shadow banking systems, ultimately support state programs, including\r\nweapons development, circumventing international sanctions.\r\nThese schemes present significant risks to employers, including potential legal violations, reputational damage,\r\nand insider threats such as intellectual property theft or malware implantation. Addressing these risks requires\r\nheightened awareness and stringent vetting processes to limit North Korea’s ability to exploit global tech markets.\r\nThis blog explores four newly identified examples of DPRK IT Worker front companies, analyzing their online\r\npresence and the methods they use to appear legitimate to unsuspecting targets in recent months. These four\r\ncompanies’ websites were recently subject to law enforcement action and taken offline.\r\nhttps://www.sentinelone.com/labs/dprk-it-workers-a-network-of-active-front-companies-and-their-links-to-china/\r\nPage 1 of 13\n\nIndependent Lab LLC\r\nThe Independent Lab LLC website, inditechlab[.]com was active since at least February 2024, with indication\r\nit was acquired and operated using InterServer hosting since May 2022 ( 174.138.181[.]198 ). The domain itself\r\nwas registered through NameCheap.\r\nThe content of the website is in line with what you would expect of a legitimate software development\r\noutsourcing business, with no obvious major indicators associated with the DPRK, or even illegitimate in any\r\nway. In the case of Independent Lab LLC, the website format and content was copied from Kitrum, a legitimate\r\ncustom software firm headquartered in the United States. 
The DPRK actors did not retain the “We Stand with\r\nUkraine” link or menu header.\r\nDPRK IT Worker Front Company Website – Independent Lab LLC\r\nLegitimate business, source of copied website design used by DPRK\r\nThe content of the website centered around the Contact Us form, enticing visitors to engage in communications,\r\nproviding no contact details on the website itself.\r\nShenyang Tonywang Technology LTD\r\nThe name “Shenyang Tonywang Technology” was used in the formal content of the website; however, the domain\r\nitself is tonywangtech[.]com . The website first became active in November 2023, overlapping with previously\r\nused InterServer hosting infrastructure ( 174.138.181[.]198 ), and was also registered via NameCheap.\r\nSimilar to the previous example, Shenyang Tonywang Technology advertises itself as a top software consulting\r\ncompany with bespoke solutions, including DevOps \u0026 cloud consulting. In this case, the website format and\r\ncontent was copied from Urolime, a legitimate DevOps consulting company headquartered in the United States.\r\nDPRK IT Worker Front Company Website – Shenyang Tonywang Technology LTD\r\nLegitimate Urolime business, source of copied website design used by DPRK\r\nTony WKJ LLC\r\nTony WKJ LLC IT Services website, wkjllc[.]com , was active since at least May 2024, with indication it was\r\nacquired and operated using InterServer hosting ( 174.138.181[.]198 ) since May 2022. 
The domain itself was\r\nregistered through NameCheap.\r\nTony WKJ LLC advertises itself as a leading software development company that specializes in Agile IT\r\ndevelopment. Once again, the website format and content was copied from a legitimate business.\r\nSpecifically, this website is a copy of ArohaTech IT Services, a software and web development company\r\nheadquartered in Noida, India.\r\nHowever, a comparison to the legitimate website reveals that the DPRK actors have not only placed their own\r\nname and removed the original ArohaTech logos, they have also modified the content in a clear attempt to brand\r\nTony WKJ LLC as a US based company.\r\nDPRK IT Worker Front Company Website – Tony WKJ LLC\r\nLegitimate business, source of copied website design used by DPRK\r\nHopanaTech\r\nThe HopanaTech website, hopanatech[.]com, differs somewhat from the others above. The domain itself was first\r\nregistered in November 2020, and began hosting publicly via Asia Web Services Ltd ( 180.235.135[.]177 ) in\r\nDecember 2020. The website has been presented as shown below since at least the end of 2021. The domain was\r\nregistered through NameCheap.\r\nThe website content aligns with the previous examples, including the description of being a custom software\r\ndevelopment company. The HopanaTech version of the content has been modified significantly; however, it\r\ncontinued to make use of customer reviews and marketing content from legitimate public websites. 
However, in\r\nsome cases, content that would have required more than a simple text edit remains unchanged, showing the\r\noriginal source’s name, such as the legitimate ITechArt firm’s website.\r\nDPRK IT Worker Front Company Website – HopanaTech\r\nDPRK IT Worker Front Company Website – HopanaTech – Showing content source\r\nUnited States Government Response\r\nEach of the above four companies has been disrupted by US Government agencies, specifically the Department of\r\nJustice, Federal Bureau of Investigation, Homeland Security Investigations, Defense Criminal Investigative\r\nService, and the United States Postal Inspection Service.\r\nOn October 10th, the US Government seized the four domains belonging to the front companies, each of which\r\nnow shows the standard takedown alert and links to the 2022 US Treasury fact sheet on the DPRK’s IT Worker\r\nscheme. The websites rotate between English and Korean language versions.\r\nDomain Seized Alert – English\r\nDomain Seized Alert – Korean\r\nExpanded Analysis\r\nDrawing on details from the four companies disrupted by US Government agencies, SentinelLABS was able to\r\nfind multiple leads to an active network of DPRK IT front companies originating in China.\r\nThe Mysterious A1 Building\r\nIn an early 2024 archived snapshot of Shenyang Tonywang Technology’s website, tonywangtech[.]com , we can\r\nsee the actor added the following address:\r\nNo. 1006-25, Building A1, No. 
11, Tawan Street, Huanggu District, Shenyang City Liaoning 110036\r\ntonywangtech[.]com listed address and contact details\r\nWe identified an additional company with similar traits. First, its address is in very close proximity\r\n– the two are listed next to each other on the same floor of the same building: No. 1006-23, Building A1, No. 11, Tawan Street,\r\nHuanggu, Shenyang, Liaoning, China\r\nThe additional company is Shenyang Huguo Technology Ltd, which uses the domain huguotechltd[.]com in a\r\nsimilar way to the previous four. The website uses copied content and logos from the legitimate Indian software\r\nfirm TatvaSoft.\r\nActive DPRK linked company website – Shenyang Huguo Technology Ltd\r\nThe huguotechltd[.]com domain was registered in October 2023 via NameCheap. The domain has since been\r\nand continues to be hosted at 103.15.29[.]44 , of Asia Web Services Ltd.\r\nWe assess Shenyang Huguo Technology Ltd. is closely associated with the four previously reviewed DPRK IT\r\nWorker front companies, and had remained online long enough to have been used to achieve the DPRK’s\r\nobjectives.\r\nThe Tony Wang Link\r\nHopanaTech’s website, hopanatech[.]com , listed three contacts before it was taken down by law enforcement.\r\nThe first person, Wang Kejia, is listed with the email address “Tonywkj”.\r\nContacts from the now-seized HopanaTech website\r\nThe “wkj” is almost certainly the acronym for the preceding Chinese name, Wang Kejia. The Tonywkj@Hopana\r\nemail address establishes a link between Wang Kejia, a real person who is a resident of the address in New Jersey\r\nand the “Tony Wang” identity. 
The Shenyang Tonywang Technology Company website discussed above was also\r\nsubject to law enforcement action, and its name bears resemblance to the same Tonywkj listed by Hopana.\r\nFurthermore, the Tonywkj email also directly matches the domain of another taken-down DPRK IT Worker site\r\ndiscussed above, Tony WKJ LLC.\r\nThe Tong Yuze Identity\r\nLaw enforcement action established that Hopana Tech and Hopanatech[.]com are DPRK IT Worker Front\r\ncompanies. This analysis expands on the Hopana Tech company corporate registration data inside China.\r\nA corporate records website from the PRC indicates the Beijing Xiwang Technology Company (北京市戏网科技有限公司)\r\npreviously used the name Beijing Hou Pa Na Technology Company (北京后帕纳科技有限公司), a\r\nclear cognate for the English-translated “HopanaTech.”\r\nCorporate record showing Xiwang’s previous use of the Hopana Technology name\r\nFurthermore, the above screenshot of HopanaTech’s website, which lists the Tonywkj email address, also lists\r\nTong Yuze (佟雨泽). The same name is used for the corporate registrant of Beijing Xiwang Technology\r\nCompany.\r\nHighlighted text shows that Beijing Xiwang Technology was previously known as Hopana Tech.\r\nContacts from the now-seized HopanaTech website\r\nAs if to allay concerns that Beijing Xiwang Technology Company was not a front company, corporate records\r\nshow the firm only pays unemployment insurance, health insurance, and employee injury liability insurance for\r\none person.\r\nCorporate records for Beijing Xiwang Technology Company\r\nTong Yuze is currently listed as the corporate registrant of 25 companies in China, including many restaurants and\r\ncatering companies. 
Owing to increased data protection measures by the PRC, a complete accounting of Tong\r\nYuze’s companies is not possible.\r\nSome companies identified as Tong Yuze’s include:\r\n海口宜路畅佟科技贸易有限公司\r\n北京上日清新食品有限公司\r\n京山味诚（北京）餐饮管理有限公司\r\n泽日启程（北京）餐饮管理有限公司\r\n北京哈巴萨科贸有限公司\r\nThis foray into restaurants does not appear to be a case of mistaken identity. The email provided for Tong Yuze on\r\nthe registration of Beijing Xiwang Technology Company is tongyuze@jswc[.]com[.]cn . The email domain\r\n“JSWC” aligns with the name of some of Tong Yuze’s restaurant companies. In this case, Jing Shan Wei Cheng\r\n(京山味诚) matches the acronym of the email domain. This provides reasonable evidence of a legitimate\r\nconnection between Tong Yuze and the mentioned food service companies.\r\nGiven the very real businesses being run by Tong Yuze’s other corporate registrations – seemingly many franchises\r\nof Yiwei Yicheng (一味一诚) – it’s possible this individual is serving as a cut-out for the DPRK. We hypothesize\r\nthat his collection of businesses may serve to provide cover for illegal ones.\r\nThe Haikou Yilu Changtong Technology Trading Company\r\nOne of the companies connected to the Tong Yuze identity and accessible on corporate registration sites is Haikou\r\nYilu Changtong Technology Trading Company (海口宜路畅佟科技贸易有限公司).\r\nHaikou Yilu Changtong Technology Trading Company corporate registration\r\nHaikou Yilu is distinct from the other Tong Yuze-registered companies for two reasons. First, it is another\r\ntechnology company, not a restaurant. 
Second, its corporate registration makes use of a telephone number that\r\ndiffers from Tong Yuze’s restaurant businesses but is shared with the Beijing Xiwang Technology Company\r\ncorporate registration.\r\nTo help visualize the connections we described, the graphic below provides a simplified representation of the key\r\nrelationships and pivots.\r\nVisual representation of front company connections\r\nConclusion\r\nThe DPRK’s use of the IT Worker scheme underscores the regime’s adaptability in exploiting global markets to\r\nfurther its financial objectives. By impersonating legitimate U.S.-based software and technology consulting firms,\r\nNorth Korean actors aim to gain trust and access to sensitive contracts, circumventing sanctions and evading\r\ndetection. These tactics highlight a deliberate and evolving strategy that leverages the global digital economy to\r\nfund state activities, including weapons development.\r\nOur research not only exposes the deceptive tactics employed by DPRK IT workers but also connects these efforts\r\nto a broader, active network of front companies originating in China. This linkage emphasizes the scale and\r\ncomplexity of North Korea’s financial schemes and the importance of vigilance across industries. Organizations\r\nare urged to implement robust vetting processes, including careful scrutiny of potential contractors and suppliers,\r\nto mitigate risks and prevent inadvertent support of such illicit operations. 
By shedding light on these activities,\r\nSentinelLABS aims to equip businesses, governments, and the public with the insights needed to stay ahead of\r\nthese threats and safeguard the integrity of global markets.\r\nSource: https://www.sentinelone.com/labs/dprk-it-workers-a-network-of-active-front-companies-and-their-links-to-china/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.sentinelone.com/labs/dprk-it-workers-a-network-of-active-front-companies-and-their-links-to-china/"
	],
	"report_names": [
		"dprk-it-workers-a-network-of-active-front-companies-and-their-links-to-china"
	],
	"threat_actors": [
		{
			"id": "7187a642-699d-44b2-9c69-498c80bce81f",
			"created_at": "2025-08-07T02:03:25.105688Z",
			"updated_at": "2026-04-10T02:00:03.78394Z",
			"deleted_at": null,
			"main_name": "NICKEL TAPESTRY",
			"aliases": [
				"CL-STA-0237 ",
				"CL-STA-0241 ",
				"DPRK IT Workers",
				"Famous Chollima ",
				"Jasper Sleet Microsoft",
				"Purpledelta Recorded Future",
				"Storm-0287 ",
				"UNC5267 ",
				"Wagemole "
			],
			"source_name": "Secureworks:NICKEL TAPESTRY",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775490781,
	"ts_updated_at": 1775826696,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/576fd73f3eb78a86eb728dde80ecf9c88c0dc06b.pdf",
		"text": "https://archive.orkl.eu/576fd73f3eb78a86eb728dde80ecf9c88c0dc06b.txt",
		"img": "https://archive.orkl.eu/576fd73f3eb78a86eb728dde80ecf9c88c0dc06b.jpg"
	}
}