The Justice Department indicted five people connected to a North Korean IT worker scam who prosecutors said stole more than $866,000 from 10 U.S. companies and caused more than $1 million in damage to at least three of them.

The indictments handed up last week against the men – two U.S. citizens, two more from China, and the fifth from Mexico – are the latest salvo in the United States’ year-long effort to curb the ongoing schemes run by the North Korean government to steal information and money and to bypass U.S. sanctions to bring in money for their nuclear and other weapons programs.

The two U.S. citizens indicted were Erick Ntekereze Prince and Emanuel Ashtor, while Jin Sung-Il and Pak Jin-Song, both of North Korea, also face charges. Mexican national Pedro Ernesto Alonso De Los Reyes also was indicted.

The five are accused of being part of a scheme that got the two North Korean citizens and other unindicted co-conspirators from the rogue country hired as IT workers with 64 U.S. companies.

All were charged with conspiracy to cause damage to a protected computer, to commit wire fraud and mail fraud, to commit money laundering, and to transfer false identification documents. In addition, Jin and Pak were charged with conspiracy to violate the International Emergency Economic Powers Act.

Following a Pattern

The suspects’ alleged activity since 2018 fall in line with other operations uncovered in the United States. North Korean operatives acting as IT workers from other countries, such as China, using false identities, are able to get hired by companies as remote IT workers. In this case, they used forged and stolen identity documents – at one time using U.S. passports that included personal information stolen by from a U.S. citizen – to conceal the identity of Pak, Jin, and other North Korean operatives.

The fake identities allowed the North Koreans to get hired by U.S. companies. Once they were hired in, Ntekereze and Ashtor received laptops at their residences that the U.S. companies believed they were sending to Pak, Jin, and others. The two Americans would then download and install access software on them to allow the North Korean nationals to access them and keep of the false front that they were working in the United States.

False Identities

Between 2021 and 2022, Ntekereze and Alonso used Alonso’s identity to help Jin get hired by one company to work as a mobile phone application developer, a job that paid about $120,000 a year. At points during the operation, both Ntekereze and Ashtor registered companies – at least one described as a staffing agency – to help the North Koreans get hired.

Ntekereze also is accused of using his company, Taggcar Inc., of collecting $75,709 by invoicing a staffing company in the United States eight times for work done by Jin. Much of the money created over the six years by the defendants was laundered through a Chinese bank account, according to prosecutors.

FBI’s Latest Warning

The case was announced as the FBI issued a warning about the scammers’ “increasingly malicious activity, which has recently included data extortion. … In recent months, in addition to data extortion, FBI has observed North Korean IT workers leveraging unlawful access to company networks to exfiltrate proprietary and sensitive data, facilitate cyber-criminal activities, and conduct revenue-generating activity on behalf of the regime.”

It also came a week after the U.S. Treasury Department sanctioned two people and four entities for their roles in the IT hiring scams. One of the entities is Department 53, a weapons-trading entity underneath North Korea’s military, and two others in Laos are companies – Korea Osong Shipping Co. and Chonsurim Trading Corp. – acting as fronts for Department 53. An executive from each company also were sanctioned.

The fourth, Liaoning China Trade Industry Co., is a China company that has supplied Department 53 with equipment to conduct its IT worker activities.

The DOJ in March 2024 launched a program aimed at cracking down on such North Korean operations, including finding and shutting down laptop farms such as those run allegedly run by Ntekereze and Ashtor. The department pointed to law enforcement actions between 2023 and last year that targeted the scams.

In most of these schemes, the North Korean government takes about 90% of the salaries brought in by the fraudulent IT workers, according to U.S. officials, who believe Pyongyang has collected hundreds of millions of dollars over the years through these operations.