On Mar. 21, 2023, the Federal Bureau of Investigation (FBI) issued a federal arrest warrant for Shim Hyon-Sop and offered a USD 5 million reward for information leading to his arrest. The North Korean national and representative of the North Korean Foreign Trade Bank (FTB) is accused of laundering approximately USD 12 million in illegally obtained wages from undercover North Korean IT workers employed by US companies between 2021 and 2023. Apparently, Shim arranged for their salaries to be converted first into virtual currency and later, with the help of a Chinese broker, into real currency and sent to North Korea.

Both the South Korean and US governments believe that thousands of North Koreans like Shim and his accomplices are secretly working for technology companies around the world to earn foreign currency for the DPRK. “They are everywhere, from Asia to Africa, and sometimes even employed by US companies,” said Jung H. Pak, US deputy special representative for the DPRK at the US State Department (DOS), at a Korean-American symposium in California on May 24.

The event, co-hosted by the South Korean Ministry of Foreign Affairs and the DOS, served to address the DPRK’s circumvention of sanctions in the area of remote IT work and to discuss countermeasures. Last month, the two countries also jointly placed Shim Hyon-Sop on a sanctions list – the first instance in which the two governments have taken simultaneous cyber action against the same individual.

DPRK remote IT workers may be subjected to forced labor and close surveillance

According to the DOS, North Korean IT professionals are being used by the Kim regime to exploit the global demand for IT skills and work freelance or remotely for clients around the world, including in North America, Europe, and East Asia. In some cases, they can each earn more than USD 300,000 per year.

The increasingly digital and decentralized workplace created by the COVID-19 pandemic has made it easier for North Koreans to secretly infiltrate technology companies despite international sanctions. To apply for jobs, they deliberately obfuscate their identities, locations and nationalities by using fake personas, proxy accounts, stolen identities and forged or counterfeit documents. The US State Department also alleges that some DPRK IT personnel are using the privileged access they have gained through their employment to conduct malicious cyber operations – particularly hacking attacks.

It is very likely that the regime is actively pushing these tactics, the DOS believes, as DPRK remote IT workers “may be subjected to forced labor and close surveillance by government security agents.” North Korean IT professionals are also reportedly being forced to work up to 16 hours a day, which “may be an indicator of forced labor and an abuse of their human rights.”

The US and ROK impose sanctions on the North’s “illicit cyber and IT worker operations”

The DPRK relies on financial fraud, money laundering and cybercrime to fund its weapons of mass destruction and ballistic missile programs. In doing so, it violates several United Nations (UN) Security Council resolutions. Both the White House and the UN have claimed that half of North Korea’s weapons development could be funded through cyberattacks and cryptocurrency theft.

According to the US Department of the Treasury, North Korea has earned about KPW 1.7 trillion (USD 1.2 billion) in virtual assets globally since 2017 through cybercrimes like hacking, stealing virtual assets and spreading ransomware – malicious programs that lock a system and then demand a large sum of money to restore it. A March 2023 UN Panel of Experts report concluded that DPRK cyber actors stole more virtual currency in 2022 than in any previous year, with estimates ranging from USD 630 million to more than USD 1 billion. This is reportedly double Pyongyang’s total cyber theft revenue in 2021.

As a result, the US and South Korea announced sanctions against North Korean actors on May 23. One individual, Kim Sang Man, and the North Korea-based Chinyong Information Technology Cooperation Company were jointly sanctioned by the two countries for their illicit cyber activities, the US Treasury Department said in a press release.

In addition, the US blacklisted three other North Korean organizations: the 110th Research Center for conducting global cyber operations, Pyongyang University of Automation for training malicious cyber actors, and the Technical Reconnaissance Bureau, which not only develops offensive cyber tools but also oversees employees affiliated with the notorious Lazarus hacking group.

Edited by Robert Lauler.