Justice Department Announces Court-Authorized Action to Disrupt Illicit Revenue Generation Efforts of Democratic People's Republic of Korea Information Technology Workers

Office of Public Affairs, United States Department of Justice

This is archived content from the U.S. Department of Justice website. The information here may be outdated and links may no longer function. Please contact webmaster@usdoj.gov if you have any questions about the archive site.

On Oct. 17, pursuant to a court order issued in the Eastern District of Missouri, the United States seized 17 website domains used by Democratic People's Republic of Korea (DPRK) information technology (IT) workers in a scheme to defraud U.S. and foreign businesses, evade sanctions and fund the development of the DPRK government's weapons program. These seizures follow the previously sealed October 2022 and January 2023 court-authorized seizures of approximately $1.5 million of the revenue that the same group of IT workers collected from unwitting victims as a result of their scheme, as well as the development of public-private information-sharing partnerships that denied the IT workers access to their preferred online freelance work and payment service providers.

"The seizures announced today protect U.S. companies from being infiltrated with North Korean computer code and help ensure that American businesses are not used to finance that regime's weapons program," said Assistant Attorney General Matthew G. Olsen of the Justice Department's National Security Division. "The Department of Justice is committed to working with private sector partners to protect U.S. business from this kind of fraud, to enhance our collective cybersecurity and to disrupt the funds fueling North Korean missiles."

"Today's seizures exemplify our commitment to working with our federal and international partners to recognize and disrupt the threat from illicit actors working on behalf of the Democratic People's Republic of Korea," said Assistant Director Bryan Vorndran of the FBI's Cyber Division. "These takedowns also serve as reminders to ensure that our private sector partners are equipped and prepared with due diligence measures to prevent the inadvertent hiring of these bad actors across American businesses. The FBI encourages U.S. companies to report suspicious activities, including any suspected DPRK IT worker activities, to your local FBI field office."

"Employers need to be cautious about who they are hiring and who they are allowing to access their IT systems," said U.S. Attorney Sayler A. Fleming for the Eastern District of Missouri. "You may be helping to fund North Korea's weapons program or allowing hackers to steal your data or extort you down the line."

"The Democratic People's Republic of Korea has flooded the global marketplace with ill-intentioned information technology workers to indirectly fund its ballistic missile program. The seizing of these fraudulent domains helps protect companies from unknowingly hiring these bad actors and potentially damaging their business," said Special Agent in Charge Jay Greenberg of the FBI St. Louis Division. "This scheme is so prevalent that companies must be vigilant to verify whom they're hiring. At a minimum, the FBI recommends that employers take additional proactive steps with remote IT workers to make it harder for bad actors to hide their identities. Without due diligence, companies risk losing money or being compromised by insider threats they unknowingly invited inside their systems."

As alleged in court documents, the Government of the Democratic People's Republic of Korea (DPRK) dispatched thousands of skilled IT workers to live abroad, primarily in China and Russia, with the aim of deceiving U.S. and other businesses worldwide into hiring them as freelance IT workers, in order to generate revenue for its weapons of mass destruction (WMD) programs. Through this scheme, which involves the use of pseudonymous email, social media, payment platform and online job site accounts, as well as false websites, proxy computers located in the United States and elsewhere, and witting and unwitting third parties, the IT workers generated millions of dollars a year on behalf of designated entities, such as the North Korean Ministry of Defense and others directly involved in the DPRK's U.N.-prohibited WMD programs.

In some instances, the IT workers also infiltrated the computer networks of unwitting employers to steal information and maintain access for future hacking and extortion schemes. The U.S. government described this scheme in a May 2022 advisory. An update to that advisory, issued today, is available here.

Certain DPRK IT workers designed the 17 website domains seized yesterday to appear as domains of legitimate, U.S.-based IT services companies, thereby helping the IT workers to hide their true identities and location when applying online to do remote work for U.S. and other businesses worldwide. In reality, this specific group of DPRK IT workers, who work for the PRC-based Yanbian Silverstar Network Technology Co. Ltd. and the Russia-based Volasys Silver Star, had previously been sanctioned in 2018 by the Department of the Treasury. These IT workers funneled income from their fraudulent IT work back to the DPRK through the use of online payment services and Chinese bank accounts.

The efforts to disrupt the DPRK IT worker threat are not limited to those of the U.S. government. Since 2022, the United States has partnered with the Republic of Korea (ROK) to provide threat information about fraudulent DPRK IT worker activity, primarily consisting of thousands of indicators (e.g., email addresses), to multiple U.S.-based online freelance work and payment service platforms used by the IT workers. These information-sharing efforts include a May 2023 symposium, jointly hosted by the U.S. Department of State and the ROK, where representatives from the United States and ROK and the providers jointly discussed efforts to enhance public-private partnerships to counter the DPRK IT worker threat. These private companies later informed the U.S. government that, armed with that threat information, they conducted independent investigations, improved their fraud detection mechanisms and, according to at least some of the providers, shut down thousands of additional, previously unidentified fraudulent accounts used by the same DPRK IT workers.

The National Security Division's National Security Cyber Section and the U.S. Attorney's Office for the Eastern District of Missouri are investigating this case. The FBI's St. Louis Field Office conducted the investigation, with the assistance of the FBI Cyber Division.