4 U.S. Citizens, Ukrainian Plead Guilty in N. Korea IT Worker Scheme
2025-11-18 23:11:42 Author: securityboulevard.com

There have been extensive changes in cybersecurity policy in the shift from the Biden to Trump Administration, but one area that seems to have stayed the same is the response to the expanding IT worker scam run by North Korea’s intelligence agencies.

The latest case in point is the guilty pleas this month by four Americans and a Ukrainian national for their participation in a scheme that victimized more than 135 companies in the United States and netted more than $2.2 million for the People’s Democratic Republic of Korea (DPRK).

U.S. government authorities also seized more than $15 million in cryptocurrency from the North Korean military threat group APT38, which had stolen millions of dollars in digital assets from four overseas virtual currency platforms – one each in Estonia and the Seychelles and two in Panama – in 2023 and was continuing to launder them at the time of the seizure.

The U.S. Justice Department (DOJ) said the government is looking to forfeit the $15 million and return the money to the victims, according to two civil forfeiture complaints.

“Ensuring national and economic security are paramount to the Department’s mission,” Acting Assistant Attorney General Matthew Galeotti of the DOJ’s Criminal Division said in a statement. “Hostile nation-states raising funds for illicit programs by stealing from digital asset exchanges threatens both.”

A Longtime, Profitable Scam

The North Korean regime has been using the worker scams since at least 2020 to bypass international sanctions and bring in money for its military and weapons programs. Operatives use fake or stolen credentials, false application material such as cover letters and work histories, and increasingly AI tools like video and voice deepfakes to apply for open remote-work IT jobs.

“In an era in which remote work has become the norm, North Korea has seized the opportunity to manipulate hiring processes, using fraudulent information technology (IT) employment to generate revenue for the regime,” Insikt Group, Recorded Future’s threat intelligence unit, said. “North Korean IT workers infiltrate international companies and secure remote positions under false identities. These operatives not only violate international sanctions but also pose severe cybersecurity threats, engaging in fraud and data theft and potentially disrupting business operations.”

According to the United Nations Security Council, the IT scam can bring $220 million to $600 million a year into the North Korean regime’s coffers.

Once in, the operatives can make as much as $300,000 a year – with the North Korean government taking as much as 85% of that – while stealing information and deploying malware into the companies’ systems. In recent years, the regime – which has targeted the scams primarily at U.S. companies – has taken the scheme global and moved beyond the tech sector to target such industries as healthcare, finance, public administration, and professional services.

About 27% of the targeted companies are based outside of the United States, according to researchers with Okta.

“Okta’s findings reveal that the DPRK’s IT Worker operation is not a niche threat confined to large technology companies,” Simon Conant, Okta’s director of threat intelligence, and Alex Tilley, global threat research coordinator, wrote in a report in September. “It’s a widespread, long-term campaign targeting organizations across almost every vertical. This means any organization offering remote or hybrid roles – especially in software development, IT services, or other knowledge-worker disciplines – is a potential target.”

False Identities, Hosted Laptops

A key component of the fraud is the cooperation of others – including U.S. citizens – as illustrated in the latest case. Audricus Phagnasay, 24, Jason Salazar, 30, Alexander Paul Travis, 34, and Erick Ntekereze Prince, 30, each pleaded guilty to one count of wire fraud conspiracy.

According to the DOJ, Phagnasay, Salazar, and Travis – who pleaded guilty in U.S. District Court in Georgia – gave their identities to people they knew were not located in the United States to allow those people to fraudulently apply for jobs with U.S. companies. They also hosted corporate-issued laptops in their homes and installed remote access software on the devices to give the false impression that the fake IT workers were working remotely in the United States.

They also helped these workers get past employer vetting processes, with Travis and Salazar appearing for drug testing on the fake workers’ behalf.

For his part, Prince used his company, Taggcar Inc., to supply the victim companies with what he said were legitimate IT workers but who were actually North Korean operatives located outside of the United States and using fake identities. Prince, who pleaded guilty in Florida, also housed corporate-issued laptops at various Florida residences and installed remote access software. According to the DOJ, he earned more than $89,000 for his participation.

Oleksandr Didenko, a Ukrainian national, pleaded guilty in federal court in Washington, D.C., to one count each of wire fraud conspiracy and aggravated identity theft for his part in a years-long scheme to steal the identities of U.S. citizens and sell them to IT workers overseas – including North Korean IT workers – to help them get hired at 40 U.S. companies.

Those companies paid Didenko’s fraudulent IT worker clients hundreds of thousands of dollars for their work. Didenko agreed to forfeit more than $1.4 million, which includes more than $570,000 in fiat and virtual currency seized from him and his co-conspirators.

Article source: https://securityboulevard.com/2025/11/4-u-s-citizens-ukrainian-plead-guilty-in-n-korea-it-worker-scheme/