{
	"id": "30dd05cc-aa4e-4909-884e-7abe1cb94b38",
	"created_at": "2026-04-06T00:06:32.162511Z",
	"updated_at": "2026-04-10T03:24:26.258145Z",
	"deleted_at": null,
	"sha1_hash": "b4d378a263f3e49223d0cdc078d1d4fbd9afaeaa",
	"title": "US offers $5 million for info on North Korean IT worker farms",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1978626,
	"plain_text": "US offers $5 million for info on North Korean IT worker farms\r\nBy Sergiu Gatlan\r\nPublished: 2024-12-12 · Archived: 2026-04-05 17:05:57 UTC\r\nThe U.S. State Department is offering a reward of up to $5 million for information that could help disrupt the activities of\r\nNorth Korean front companies and employees who generated over $88 million via illegal remote IT work schemes in six\r\nyears.\r\nThe two companies, Chinese-based Yanbian Silverstar and Volasys Silverstar from Russia, tricked businesses worldwide\r\ninto employing North Korean staff as freelance IT workers.\r\nThese illegally obtained funds are then laundered in violation of international sanctions and sent back to the Pyongyang\r\nregime to support the country's UN-prohibited nuclear missile programs. As the FBI, the State Department, and the Justice\r\nDepartment said in a May 2022 tri-seal advisory, each of North Korea's IT workers can earn up to $300,000 annually,\r\ngenerating hundreds of millions of dollars collectively every year.\r\nhttps://www.bleepingcomputer.com/news/security/us-offers-5-million-for-info-on-north-korean-it-worker-farms/\r\nPage 1 of 4\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/us-offers-5-million-for-info-on-north-korean-it-worker-farms/\r\nPage 2 of 4\n\nVisit Advertiser websiteGO TO PAGE\r\n\"Yanbian Silverstar and Volasys Silverstar together employ more than 130 DPRK IT workers, who refer to themselves as 'IT\r\nwarriors,'\" the State Department said on Thursday.\r\n\"These IT workers use the fraudulently acquired identities of hundreds of U.S. persons to gain remote employment and\r\ngenerate tens of millions of dollars which are laundered and sent back to the North Korean regime.\"\r\n14 Yanbian and Volasys Silverstar employees indicted\r\nToday, the DOJ also indicted 14 North Korean \"IT warriors\" linked to Yanbian Silverstar and Volasys Silverstar for their\r\ninvolvement in conspiracies to violate U.S. sanctions and to commit identity theft, wire fraud, and money laundering.\r\nLed by Jong Song Hwa, Yanbian Silverstar's and Volasys Silverstar's CEO, they generated at least $88 million over\r\napproximately six years.\r\nPrior DOJ actions targeting this group include the seizure of roughly $320,000 in January, another approximately $444,800\r\nin July, court-authorized seizures of around $1.5 million in October 2022 and January 2023, and the seizure of 29 internet\r\ndomains in October 2023 and May 2024.\r\nWhen communicating with prospective employers, the threat actors used dozens of such domains to make their stolen\r\nidentities more legitimate.\r\nThroughout the conspiracy, Volasys Silverstar and Yanbian Silverstar workers stole, borrowed, and purchased the identities\r\nof U.S. citizens, which were used to hide their true identities and obtain remote employment with U.S. businesses and\r\norganizations.\r\nThey also used them to register domain names to host websites that helped dupe U.S. employers into thinking they were\r\npreviously hider by other reputable U.S. companies and to create accounts to collect the funds earned from employers,\r\nwhich were later transferred to North Korean-controlled accounts at Chinese banks.\r\nAfter being discovered and fired, some of the North Korean IT workers used insider knowledge and coding skills to extort\r\ntheir former employers, threatening to leak stolen sensitive information online.\r\nIn August, U.S. law enforcement dismantled a laptop farm used by undercover North Korean \"IT warriors\" to work from\r\nlocations in China while appearing to connect to the victim companies' systems from Nashville.\r\nIn May, Arizona woman Christina Marie Chapman was also arrested and charged with running another North Korean laptop\r\nfarm in her own home.\r\nhttps://www.bleepingcomputer.com/news/security/us-offers-5-million-for-info-on-north-korean-it-worker-farms/\r\nPage 3 of 4\n\nToday's charges emphasize the ongoing danger presented by North Korean IT workers who impersonate U.S.-based IT staff,\r\nsomething that the FBI has warned for years. As it has repeatedly cautioned, North Korea maintains a large army of IT\r\nworkers trained to conceal their true identities to secure employment at hundreds of American companies.\r\nMost recently, cybersecurity company KnowBe4 hired a North Korean malicious actor as a Principal Software Engineer.\r\nHowever, the \"IT warrior\" immediately attempted to install information-stealing malware on company-provided devices.\r\nEven though KnowBe4 had conducted background checks, verified references, and held four video interviews before hiring\r\nthe North Korean, they later discovered that the person had used a stolen identity and AI tools to deceive the company\r\nduring video calls.\r\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/us-offers-5-million-for-info-on-north-korean-it-worker-farms/\r\nhttps://www.bleepingcomputer.com/news/security/us-offers-5-million-for-info-on-north-korean-it-worker-farms/\r\nPage 4 of 4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/us-offers-5-million-for-info-on-north-korean-it-worker-farms/"
	],
	"report_names": [
		"us-offers-5-million-for-info-on-north-korean-it-worker-farms"
	],
	"threat_actors": [
		{
			"id": "7187a642-699d-44b2-9c69-498c80bce81f",
			"created_at": "2025-08-07T02:03:25.105688Z",
			"updated_at": "2026-04-10T02:00:03.78394Z",
			"deleted_at": null,
			"main_name": "NICKEL TAPESTRY",
			"aliases": [
				"CL-STA-0237 ",
				"CL-STA-0241 ",
				"DPRK IT Workers",
				"Famous Chollima ",
				"Jasper Sleet Microsoft",
				"Purpledelta Recorded Future",
				"Storm-0287 ",
				"UNC5267 ",
				"Wagemole "
			],
			"source_name": "Secureworks:NICKEL TAPESTRY",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775433992,
	"ts_updated_at": 1775791466,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b4d378a263f3e49223d0cdc078d1d4fbd9afaeaa.pdf",
		"text": "https://archive.orkl.eu/b4d378a263f3e49223d0cdc078d1d4fbd9afaeaa.txt",
		"img": "https://archive.orkl.eu/b4d378a263f3e49223d0cdc078d1d4fbd9afaeaa.jpg"
	}
}