Chinese companies are secretly powering North Korea’s global IT workers scheme



  • The North Korean IT worker scheme is getting covert assistance from Chinese firms, a new report found. Front companies in cities like Beijing and Shenyang are providing fake business affiliations so the IT workers can embed themselves in legitimate tech firms and joint ventures, making them more difficult to detect as a threat to corporate security. 

An extensive consortium of Chinese businesses—broader than previously believed—could be knowingly or unknowingly propping up a vast global scheme in which North Korean tech workers fund the regime’s nuclear weapons program through remote jobs at Fortune 500 businesses, a new investigation has revealed. 

According to a Tuesday report published by strategic intelligence firm Strider, a sanctioned Chinese company, identified by the U.S. Treasury this year for shipping computers, graphics cards, and HDMI cables to a North Korean weapons group, is connected through personal and organizational ties to 35 other firms. Strider’s report urges further investigation into the three dozen linked firms given the threat to national security and the lucrative success of the North Korean IT worker scheme.

To level set: The Democratic People’s Republic of Korea (DPRK) has deployed thousands of trained information technology and software developers around the world as a way to illegally circumvent U.S. and UN sanctions. The North Korean IT workers, using stolen or rented identities, then pose as Americans or Europeans to get jobs at U.S. and, increasingly, European businesses. 

According to the FBI, Treasury, and the Department of Justice, the scheme has infiltrated hundreds of companies, from large investment banks, to entertainment and media, to financial services firms. Tech companies are frequent targets. One crypto-startup founder told Fortune he has resorted to asking every single job applicant to make a negative comment about DPRK authoritarian ruler Kim Jong Un before he will consider an interview. An IT worker even infiltrated an American election campaign website. 

The IT worker scheme generates between $250 million and $600 million per year, according to the UN. The workers share intelligence with more malicious North Korean Advanced Persistent Threat (APT) actors who operate under the Reconnaissance General Bureau of the Korean People’s Army. Between 2017 and 2023, the UN estimates DPRK attacks yielded at least $3 billion in crypto. North Korea uses the money to further expand its illegal weapons of mass destruction program.

However, the scheme doesn’t operate in isolation. 

The Strider report underscores that Chinese companies serve as essential intermediaries in the North Korean IT worker conspiracy. They provide technical infrastructure, cover for the scheme, and serve as financial conduits for money laundering. Strider reported China’s proximity to North Korea and its vast digital infrastructure and loosey-goosey regulatory environment make it an enticing place for North Korea to send its IT workers. They operate out of metropolitan areas like Beijing, Dalian, and Shenyang through front companies, joint ventures, or Chinese firms. 

“Nearly every Fortune 500 company has grappled with how to safeguard their workforce from the threat of infiltration by DPRK actors posing as IT workers,” Strider CEO and co-founder Greg Levesque told Fortune in a statement. “Our research at Strider reveals how front companies based in the PRC are enabling this coordinated DPRK campaign.”

In a statement, Chinese embassy spokesperson Liu Pengyu told Fortune he was not aware of the specifics in Strider’s report.

“We oppose false allegations and smears which have no factual ground at all,” Pengyu said.

North Korea Sanctions

In January, the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned Liaoning China Trade Industry Co. for supplying the DPRK government with laptops, cables, graphics cards, and other equipment involved in carrying out the IT workers scheme. 

OFAC found Liaoning China Trade (LCT) had shipped the tech equipment to Department 53 of The Ministry of The People’s Armed Forces, which is a DPRK weapons-trading entity under the regime’s Ministry of National Defense. The OFAC action included two Department 53 front companies, Korea Osong Shipping Co. and Chonsurium Trading Corporation, for hosting delegations of DPRK IT workers at sites in Laos. Two people were also sanctioned: Jong In Chol, who is in Laos and managed the DPRK IT workers, and Son Kyong Sik in Shenyang, China. Son was identified as being the China-based chief representative of Department 53’s Osong front company.

However, the Strider investigation concluded that, based on its findings, more digging by U.S. authorities may be needed. LCT is linked to 35 other companies that could potentially be involved in the scheme and interwoven into the supply chains of businesses as vendors or third-party providers. All 35 are based in the People’s Republic of China and all are trade companies similar to LCT, in that they procure, manufacture, and ship goods all over the world.

One identified in the report, Dandong Deyun Trading Co., is registered in China as a wholesaler and retailer of textiles and electronics. Another, Guangzhou Aiyixi Trading Co., is registered as a wholesaler of cosmetics, daily necessities, commercial induction cookers, and bathroom mirror cabinets. A third, Yongping Zhuoren Mining Co., is a wholesaler of minerals and building products.

The Strider report did not definitively conclude that the 35 companies linked to LCT are also providing support to the DPRK IT workers scheme but suggests that all could merit further investigation given the risk that companies could be unwittingly hiring North Korean workers.

“Treasury has begun announcing sanctions on individuals and entities engaged in these efforts, but a more wholesale examination of the infrastructure underpinning the DPRK worker scheme is crucial to upending it as an urgent corporate security threat,” said Levesque.

The Chinese embassy did not immediately respond to a request for comment. 

This story was originally featured on Fortune.com


