Cybersecurity researchers have uncovered connections between North Korean cybercriminal operations involving fraudulent IT worker schemes and a 2016 crowdfunding scam, suggesting a long-standing pattern of illicit activities.
Tracing North Korea's Financial Schemes
A report by SecureWorks Counter Threat Unit (CTU) highlights evidence that North Korean threat groups engaged in scams predating their recent IT worker schemes. These groups, sanctioned by the international community, have consistently exploited vulnerabilities to generate revenue for the regime.
In 2023, it was revealed that North Korean operatives were infiltrating global companies by posing as IT workers under fake identities. This activity, tracked by different security vendors under the names Famous Chollima, Nickel Tapestry, UNC5267, and Wagemole, has allowed the regime to bypass sanctions and fund its operations.
According to South Korea’s Ministry of Foreign Affairs, these fraudulent IT workers are linked to the 313th General Bureau, a division of the Workers' Party of Korea’s Munitions Industry Department. Many of these operatives are sent to China and Russia to work for front companies such as Yanbian Silverstar and Volasys Silver Star. Both entities have faced sanctions from the U.S. Treasury Department for exporting North Korean workers and hiding their true identities from clients.
Fraudulent IT Schemes and Cybersecurity Threats
In October 2023, U.S. authorities seized 17 domains used to impersonate legitimate IT services companies. These domains enabled North Korean operatives to apply for freelance work while concealing their locations. Among the confiscated domains was "silverstarchina[.]com," which had ties to Yanbian Silverstar.
SecureWorks’ analysis revealed that the registrant details for these domains matched Yanbian Silverstar’s address and were also linked to a 2016 crowdfunding scam. The domain "kratosmemory[.]com" was associated with a fraudulent IndieGoGo campaign that raised over $21,000 from 193 backers. The promised product was never delivered, and no refunds were issued. Notably, the domain’s registrant information was altered in mid-2016 to reflect a persona named Dan Moulding, matching the IndieGoGo profile for the scam.
SecureWorks noted that while the crowdfunding scam was a relatively low-effort operation compared to current IT fraud schemes, it demonstrates the evolution of North Korean financial tactics.
Growing Cybersecurity Concerns
Japan, South Korea, and the U.S. recently issued a joint warning about North Korea’s cyber activities targeting the blockchain industry. Groups like the Lazarus Group continue to engage in cryptocurrency theft, targeting exchanges and digital asset custodians.
In 2024 alone, North Korean hackers were responsible for stealing over $659 million in cryptocurrency from companies such as DMM Bitcoin, Upbit, and WazirX. Blockchain intelligence firm Chainalysis reported that North Korean-affiliated actors have stolen $1.34 billion through 47 cryptocurrency hacks in 2024, a significant increase from $660.50 million in 2023.
The founder of WazirX, Nischal Shetty, emphasized the need for swift international action to recover stolen assets and prevent further losses. "We will leave no stone unturned in our pursuit of justice," Shetty stated.
Conclusion
The discovery of North Korea’s involvement in diverse financial schemes underscores the regime’s reliance on cybercrime to sustain its economy. These findings highlight the importance of global collaboration to counteract such threats and safeguard industries from further exploitation.