DPRK Telework Scheme Targeted


The Justice Department announced a series of coordinated actions to disrupt the illicit revenue generation efforts North Korean (DPRK) information Technology workers, while the State Department announced a $5 million reward to help shut down the schemes.

As part of a Department-wide initiative – the DPRK RevGen: Domestic Enabler Initiative – Justice will continue to prioritize high-impact, strategic, and unified enforcement and disruption operations across the U.S. Government targeting U.S.-based enablers of unlawful DPRK IT workers overseas.

The DPRK government has dispatched thousands of skilled IT workers to live abroad, primarily in China and Russia, with the aim of deceiving U.S. and other businesses worldwide into hiring them as freelance IT workers, to generate revenue for its weapons of mass destruction  programs.

The DPRK IT workers’ scheme involved the use of pseudonymous email, social media, payment platform and online job site accounts, as well as false websites, proxy computers, and witting and unwitting third parties located in the United States and elsewhere.

Maryland Arrest

Thursday May 16, Federal agents arrested Minh Phuong Vong of Bowie, Maryland, for his alleged participation in a scheme to assist overseas IT workers – posing with his identity – in working at U.S. companies in remote IT positions. 

According to the criminal complaint, Vong and other conspirators engaged in a scheme to fraudulently gain employment at companies located in the United States. These U.S. companies provided information technology services, including software development services, to the U.S. government. While Vong was nominally employed by these U.S. companies, he was not in fact the individual performing work for them. Remote IT workers based overseas instead posed as Vong and performed Vong’s job duties.

Throughout the course of Vong’s employment with U.S. company, remote IT workers based overseas performed Vong’s job duties by accessing protected victim computer systems via remote internet connections and posing as Vong on work-related videoconferences.

Vong also shipped one or more laptops to an address in China. Vong also received payment from U.S. Company and other employers, which he then transmitted to individuals located overseas, keeping a percentage for himself.

Missouri Website Seizures

On May 15, federal agents seized 12 website domains used by DPRK IT workers to hide their true identities and locations when applying to do remote work for U.S. and other businesses worldwide.

The specific group of DPRK IT workers who created these domains work for the PRC-based Yanbian Silverstar Network Technology Co. Ltd. and the Russia-based Volasys Silver Star, both of which were sanctioned in 2018 by the Department of the Treasury.

These IT workers funneled income from their fraudulent IT work back to North Korea using online payment services and Chinese bank accounts.

“Shutting down these websites is just one of the ways we are working to disrupt the flow of money to the North Korean weapons program,” said U.S. Attorney Sayler A. Fleming for the Eastern District of Missouri. “The business community can do their part by carefully vetting their online hires.”

The 12 website domains seized yesterday, partial images of which are included in the unsealed affidavit, were designed to appear as domains of legitimate, U.S.-based IT services companies located in Portland, Oregon; Houston; Lancaster, Pennsylvania; Oklahoma City; Indianapolis; New York; and Richmond, Virginia.

Three of the entities that claimed to own these domains were officially registered in Wyoming. The website contents included a variety of designed to entice potential victims, such as claims that the firms assisted hundreds of “happy clients” including Fortune 500 companies (potentially a fictitious claim) and completed hundreds of projects over thousands of work hours.

Other websites included claims of having helped clients benefit from new technologies, such as artificial intelligence and machine learning, “blockchain solutions,” cloud computing skills, and internet of things knowledge.

Red Flags

The website domains included indicia that should have aroused suspicion about their bona fides. For example:

  • The phone numbers used to register these domains, or advertised as belonging to these businesses, did not have area codes that corresponded with the locations where these businesses claimed to have offices;
  • Some of the addresses listed were homes, versus office buildings;
  • The content included disjointed phrases that appeared to be attempts at inspirational quotes – e.g., “Nor, moreover, is there anyone who loves pain because it is pain, pursues it, wants to gain it, but;” and
  • Awkward promotional phrases such as “here are our main features & many more features.”

$5 Million Reward 

The State Department is offering a reward of up to $5 million for information about a money laundering scheme involving North Korean information technology (IT) workers obtaining telework employment with U.S. companies using false identities. The illicit scheme generated at least $6.8 million for the DPRK.

From about October 2020 until October 2023, U.S. national and Arizona resident Christina Chapman helped the North Koreans obtain work as remote software and applications developers with companies in a range of sectors and industries.

They also attempted — but failed — to gain similar employment at two U.S. government agencies.

These IT workers are linked to the DPRK’s Munitions Industry Department, which oversees the development of the DPRK’s ballistic missiles, weapons production, and research and development programs.

Chapman assisted the North Korean IT workers in acquiring valid identities of real U.S. citizens. She also received and hosted laptop computers issued to the IT workers by U.S. employers to make it appear that the overseas workers were located in the United States and assisted the workers in connecting remotely to the U.S. companies’ IT networks on a daily basis.

She also helped launder the proceeds from the scheme by receiving, processing, and distributing paychecks from the U.S. firms to these IT workers and others.

Additionally Ukrainian national Oleksandr Didenko has been charged for similar conduct. As alleged, Didenko created fake accounts at U.S. IT job search platforms and with money service transmitters. Didenko was arrested in Poland on May 7 pursuant to an arrest warrant from the United States.

[Rewards for Justice website]


No comments on this item Please log in to comment by clicking here