{
	"id": "e4656e8e-b2c1-4d15-988f-f326ee663311",
	"created_at": "2026-04-06T00:17:24.907236Z",
	"updated_at": "2026-04-10T03:24:26.290571Z",
	"deleted_at": null,
	"sha1_hash": "9a19f4bd5ffddc75bec8aa5c9c36eddbdb80de82",
	"title": "Justice Department Announces Court-Authorized Action to Disrupt Illicit Revenue Generation Efforts of Democratic People’s Republic of Korea Information Technology Workers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 45676,
	"plain_text": "Justice Department Announces Court-Authorized Action to\r\nDisrupt Illicit Revenue Generation Efforts of Democratic People’s\r\nRepublic of Korea Information Technology Workers\r\nPublished: 2023-10-18 · Archived: 2026-04-05 22:47:17 UTC\r\nOn Oct. 17, pursuant to a court order issued in the Eastern District of Missouri, the United States seized 17\r\nwebsite domains used by Democratic People’s Republic of Korea (DPRK) information technology (IT) workers in\r\na scheme to defraud U.S. and foreign businesses, evade sanctions and fund the development of the DPRK\r\ngovernment’s weapons program. These seizures follow the previously sealed October 2022 and January 2023\r\ncourt-authorized seizures of approximately $1.5 million of the revenue that the same group of IT workers\r\ncollected from unwitting victims as a result of their scheme, as well as the development of public-private\r\ninformation-sharing partnerships that denied the IT workers access to their preferred online freelance work and\r\npayment service providers.\r\n“The seizures announced today protect U.S. companies from being infiltrated with North Korean computer code\r\nand help ensure that American businesses are not used to finance that regime’s weapons program,” said Assistant\r\nAttorney General Matthew G. Olsen of the Justice Department’s National Security Division. “The Department of\r\nJustice is committed to working with private sector partners to protect U.S. business from this kind of fraud, to\r\nenhance our collective cybersecurity and to disrupt the funds fueling North Korean missiles.”\r\n“Today's seizures exemplify our commitment to working with our federal and international partners to recognize\r\nand disrupt the threat from illicit actors working on behalf of the Democratic People’s Republic of Korea,” said\r\nAssistant Director Bryan Vorndran of the FBI's Cyber Division. 
“These takedowns also serve as reminders to\r\nensure that our private sector partners are equipped and prepared with due diligence measures to prevent\r\nthe inadvertent hiring of these bad actors across American businesses. The FBI encourages U.S. companies to\r\nreport suspicious activities, including any suspected DPRK IT worker activities, to your local FBI field office.”\r\n“Employers need to be cautious about who they are hiring and who they are allowing to access their IT systems,”\r\nsaid U.S. Attorney Sayler A. Fleming for the Eastern District of Missouri. “You may be helping to fund North\r\nKorea’s weapons program or allowing hackers to steal your data or extort you down the line.”\r\n“The Democratic People’s Republic of Korea has flooded the global marketplace with ill-intentioned information\r\ntechnology workers to indirectly fund its ballistic missile program. The seizing of these fraudulent domains helps\r\nprotect companies from unknowingly hiring these bad actors and potentially damaging their business,” said\r\nSpecial Agent in Charge Jay Greenberg of the FBI St. Louis Division. “This scheme is so prevalent that\r\ncompanies must be vigilant to verify whom they're hiring. At a minimum, the FBI recommends that employers\r\ntake additional proactive steps with remote IT workers to make it harder for bad actors to hide their identities.\r\nWithout due diligence, companies risk losing money or being compromised by insider threats they unknowingly\r\ninvited inside their systems.”\r\nhttps://www.justice.gov/opa/pr/justice-department-announces-court-authorized-action-disrupt-illicit-revenue-generation\r\nPage 1 of 4\n\nAs alleged in court documents, the Government of the Democratic People’s Republic of Korea (DPRK)\r\ndispatched thousands of skilled IT workers to live abroad, primarily in China and Russia, with the aim of\r\ndeceiving U.S. 
and other businesses worldwide into hiring them as freelance IT workers, in order to generate\r\nrevenue for its weapons of mass destruction (WMD) programs. Through this scheme, which involves the use of\r\npseudonymous email, social media, payment platform and online job site accounts, as well as false websites,\r\nproxy computers located in the United States and elsewhere, and witting and unwitting third parties, the IT\r\nworkers generated millions of dollars a year on behalf of designated entities, such as the North Korean Ministry of\r\nDefense and others, directly involved in the DPRK’s UN-prohibited WMD programs.\r\nIn some instances, the IT workers also infiltrated the computer networks of unwitting employers to steal\r\ninformation and maintain access for future hacking and extortion schemes. The U.S. government described this\r\nscheme in a May 2022 advisory. An update to that advisory, issued today, is available here.\r\nCertain DPRK IT workers designed the 17 website domains seized yesterday to appear as domains of legitimate,\r\nU.S.-based IT services companies, thereby helping the IT workers to hide their true identities and location when\r\napplying online to do remote work for U.S. and other businesses worldwide. In reality, this specific group of\r\nDPRK IT workers, who work for the PRC-based Yanbian Silverstar Network Technology Co. Ltd. and the Russia-based Volasys Silver Star, had previously been sanctioned in 2018\r\nby the Department of the Treasury. These IT workers funneled income from their fraudulent IT work back to the\r\nDPRK through the use of online payment services and Chinese bank accounts. \r\nThe efforts to disrupt the DPRK IT worker threat are not limited to those of the U.S. government. 
Since 2022, the\r\nUnited States has partnered with the Republic of Korea (ROK) to provide threat information about fraudulent\r\nDPRK IT worker activity, primarily consisting of thousands of indicators (e.g., email addresses), to multiple U.S.-\r\nbased online freelance work and payment service platforms used by the IT workers. These information-sharing\r\nefforts include a May 2023 symposium, jointly hosted by the U.S. Department of State and the ROK, where representatives from the United States and\r\nROK, and the providers, jointly discussed efforts to enhance public-private partnerships to counter the DPRK IT\r\nworker threat. These private companies later informed the U.S. government that, armed with that threat\r\ninformation, they conducted independent investigations, improved their fraud detection mechanisms and,\r\naccording to at least some of the providers, shut down thousands of additional, previously unidentified fraudulent\r\naccounts used by the same DPRK IT workers. \r\nThe National Security Division’s National Security Cyber Section and the U.S. Attorney’s Office for the Eastern\r\nDistrict of Missouri are investigating this case. The FBI’s St. Louis Field Office conducted the investigation, with\r\nthe assistance of the FBI Cyber Division.\r\nSource: https://www.justice.gov/opa/pr/justice-department-announces-court-authorized-action-disrupt-illicit-revenue-generation",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.justice.gov/opa/pr/justice-department-announces-court-authorized-action-disrupt-illicit-revenue-generation"
	],
	"report_names": [
		"justice-department-announces-court-authorized-action-disrupt-illicit-revenue-generation"
	],
	"threat_actors": [
		{
			"id": "7187a642-699d-44b2-9c69-498c80bce81f",
			"created_at": "2025-08-07T02:03:25.105688Z",
			"updated_at": "2026-04-10T02:00:03.78394Z",
			"deleted_at": null,
			"main_name": "NICKEL TAPESTRY",
			"aliases": [
				"CL-STA-0237 ",
				"CL-STA-0241 ",
				"DPRK IT Workers",
				"Famous Chollima ",
				"Jasper Sleet Microsoft",
				"Purpledelta Recorded Future",
				"Storm-0287 ",
				"UNC5267 ",
				"Wagemole "
			],
			"source_name": "Secureworks:NICKEL TAPESTRY",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434644,
	"ts_updated_at": 1775791466,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9a19f4bd5ffddc75bec8aa5c9c36eddbdb80de82.pdf",
		"text": "https://archive.orkl.eu/9a19f4bd5ffddc75bec8aa5c9c36eddbdb80de82.txt",
		"img": "https://archive.orkl.eu/9a19f4bd5ffddc75bec8aa5c9c36eddbdb80de82.jpg"
	}
}