OFAC Sanctions DPRK IT Worker Network Funding WMD Programs Through Deceptive Remote Employment Schemes


The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) has imposed sanctions on six individuals and two entities linked to a scheme orchestrated by the Democratic People’s Republic of Korea (DPRK). This scheme involves utilizing information technology (IT) workers to defraud U.S. businesses, generating illicit revenue aimed at funding the regime’s weapons of mass destruction (WMD) programs.

Secretary of the Treasury Scott Bessent stated that the North Korean regime uses overseas IT operatives who, once hired, exploit the sensitive data they are given access to and extort significant payments from American companies. The operation, tracked under names including Coral Sleet, Jasper Sleet, PurpleDelta, and Wagemole, relies on fake documentation, stolen identities, and fabricated personas so that its IT workers can obscure their true origin and secure employment with legitimate companies in the U.S. and beyond. A substantial portion of their salaries is then funneled back to North Korea, funding its missile programs in violation of international sanctions.

The Scope of the Sanctions

The recent sanctions specifically target the following entities and individuals:

  • Amnokgang Technology Development Company: This IT firm oversees delegations of overseas IT workers and engages in illicit procurement activities to acquire and sell military and commercial technology through its networks.

  • Nguyen Quang Viet: The CEO of Quangvietdnbg International Services Company Limited, a Vietnamese firm that provides currency conversion services for North Koreans. The company is estimated to have converted approximately $2.5 million into cryptocurrency between mid-2023 and mid-2025.

  • Do Phi Khanh: An associate of Kim Se Un, who was sanctioned by the U.S. in July 2025. Do is alleged to have acted as a proxy for Kim, allowing him to use his identity to open bank accounts and launder proceeds from IT workers.

  • Hoang Van Nguyen: Another associate who assists Kim in opening bank accounts and facilitating cryptocurrency transactions.

  • Yun Song Guk: A North Korean national leading a group of IT workers conducting freelance work from Boten, Laos, since at least 2023. Yun has coordinated numerous financial transactions exceeding $70,000 related to IT services.

Technical Mechanisms of the Scheme

The IT worker scheme has been reported to rely on Astrill VPN, a commercial service marketed for its ability to bypass the Great Firewall, to operate from countries such as China. Tunneling traffic through the provider's U.S. exit nodes makes the operatives appear to be logging in from domestic addresses. Because the exit node really is in the United States, a country check on the login IP alone will not reveal the operator's true location; the usable indicator is that the address belongs to a VPN provider's network rather than a residential or corporate one.

Security researcher Tue Luu noted that these threat actors often operate from China because of its more reliable internet infrastructure and the availability of VPN services to conceal their geographic origin. Subgroups of the Lazarus Group, including the cluster tracked as Contagious Interview, use the same capability to reach the global internet without restriction and to manage command-and-control infrastructure.

In one instance, a North Korean IT worker was hired as a remote employee to work on Salesforce data and was terminated shortly after being identified, the giveaway being consistent logins from China. The case illustrates both that the pattern is detectable from sign-in telemetry and that it is typically caught only after the worker already has access.

The Role of Artificial Intelligence

A notable aspect of the Jasper Sleet operation is the integration of artificial intelligence to facilitate identity fabrication, social engineering, and long-term operational persistence. Microsoft reported that Jasper Sleet leverages AI throughout the attack lifecycle to secure employment and misuse access at scale. This includes using AI to streamline the reconnaissance process, enabling the creation of convincing digital personas tailored to specific job markets.

Another critical component is the use of an AI application called Faceswap, which allows operatives to insert the faces of North Korean IT workers into stolen identity documents and generate polished headshots for resumes. This enhances the credibility of their digital identities, making it easier to penetrate organizations.

Operational Structure and Collaboration

The IT worker scheme operates within a multi-tiered structure involving recruiters, facilitators, IT workers, and collaborators. Each role plays a distinct part in the operation:

  • Recruiters: Responsible for screening potential IT workers and recording interviews for facilitators.

  • Facilitators and IT Workers: Tasked with persona creation, securing freelance or full-time employment, and onboarding new hires.

  • Collaborators: Individuals who provide their personal identities or information to assist IT workers in completing the hiring process and receiving company-issued laptops.

According to a report shared with The Hacker News, Western collaborators recruited primarily through LinkedIn and GitHub allow North Korean IT workers to penetrate organizations more deeply and to remain in place for longer periods, because the collaborator's real identity, address, and hands on the company laptop absorb the checks that would otherwise expose the worker.

Implications for Cybersecurity

The operations of North Korea’s IT worker network are extensive and intricately woven into the fabric of the DPRK’s party-state. This scheme is a crucial component of the regime’s revenue generation and sanctions evasion strategies. Organizations must remain vigilant against such sophisticated threats, treating fraudulent employment and access misuse as insider-risk scenarios.

Because the worker holds a legitimate account and a company-issued device, malware-centric controls see little. Detection should instead focus on misuse of legitimate credentials, abnormal access patterns such as sign-ins from countries outside the employee's contracted location or from anonymizer and VPN provider networks, and sustained low-and-slow activity such as routine work performed consistently outside the hours expected for the claimed time zone.
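The following is an added example, written for this page rather than taken from the article, Microsoft, or any vendor, of the kind of sign-in screen the Salesforce incident above and the detection guidance in the previous paragraph describe. It reads constructed sign-in events and flags three things: successful logins from a country outside the employee's allowed set, logins from address space labelled as a VPN or anonymizer exit, and a sustained count of off-hours sessions. The IP-to-country and ASN tables, the ASN numbers, the user names, and the log lines are all hypothetical stand-ins for a real GeoIP/ASN enrichment feed and a real identity provider log.

```python
"""Login-anomaly screen for the remote-worker pattern described above.
Added example: the enrichment tables and log lines are constructed, and the
ASN numbers are hypothetical placeholders for a real anonymizer-ASN list."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed enrichment tables; in production these come from a GeoIP/ASN feed.
IP_COUNTRY = {
    "198.51.100.10": "US",
    "198.51.100.11": "US",
    "203.0.113.5": "CN",
    "192.0.2.77": "US",      # US exit node, but owned by a VPN provider
}
IP_ASN = {
    "198.51.100.10": "AS64500 Example Broadband",
    "198.51.100.11": "AS64500 Example Broadband",
    "203.0.113.5": "AS64496 Example Telecom CN",
    "192.0.2.77": "AS64501 Example VPN Exit",
}
ANONYMIZER_ASNS = {"AS64501"}        # hypothetical; replace with your own list

# Constructed sign-in log: ISO timestamp, user, source IP, result.
SAMPLE_LOG = """\
2025-09-01T14:02:11Z alice 198.51.100.10 success
2025-09-01T14:05:40Z bob 203.0.113.5 success
2025-09-02T03:12:09Z bob 203.0.113.5 success
2025-09-02T03:40:51Z bob 192.0.2.77 success
2025-09-03T02:58:30Z bob 192.0.2.77 success
2025-09-03T15:10:02Z alice 198.51.100.11 success
"""

ALLOWED_COUNTRIES = {"US"}
WORK_HOURS_UTC = range(13, 23)   # assumed 13:00-23:00 UTC for a US-based hire
OFF_HOURS_THRESHOLD = 3          # off-hours sessions before raising a finding


def parse_log(text):
    """Parse whitespace-separated sign-in lines into event dicts."""
    events = []
    for line in text.splitlines():
        ts, user, ip, result = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "user": user, "ip": ip, "result": result,
        })
    return events


def screen_logins(events):
    """Return {user: sorted list of finding strings} for users with findings."""
    findings = defaultdict(set)
    off_hours = defaultdict(int)
    for e in events:
        if e["result"] != "success":
            continue
        country = IP_COUNTRY.get(e["ip"], "??")
        asn = IP_ASN.get(e["ip"], "").split(" ")[0]
        # (a) country outside the contracted location
        if country not in ALLOWED_COUNTRIES:
            findings[e["user"]].add(f"login from {country} via {e['ip']}")
        # (b) US exit node that belongs to a VPN provider: country check alone misses it
        if asn in ANONYMIZER_ASNS:
            findings[e["user"]].add(f"login via anonymizer ASN {asn} ({e['ip']})")
        # (c) sustained off-hours activity, counted across the whole window
        if e["ts"].hour not in WORK_HOURS_UTC:
            off_hours[e["user"]] += 1
    for user, n in off_hours.items():
        if n >= OFF_HOURS_THRESHOLD:
            findings[user].add(f"{n} off-hours logins (sustained, low-and-slow)")
    return {u: sorted(f) for u, f in findings.items()}


if __name__ == "__main__":
    for user, items in screen_logins(parse_log(SAMPLE_LOG)).items():
        for item in items:
            print(f"{user}: {item}")
```

On the constructed data only the user "bob" is flagged, with all three findings; the second of them is the one a plain country allow-list would miss, since the VPN exit address geolocates to the United States. In a real deployment the thresholds and the work-hours window should be derived from the individual's stated time zone and contract rather than fixed constants.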

For further insights into the tactics and techniques employed by these operatives, a detailed report from Flare and IBM X-Force highlights their use of timesheets for tracking job applications, decentralized communication tools, and translation services to navigate job descriptions and responses.

According to publicly available thehackernews.com reporting, North Korea’s IT worker operations are not only a significant cybersecurity threat but also a matter of international concern, given their implications for global security and compliance with sanctions.
