Security researchers have discovered that threat actors with ties to the Democratic People’s Republic of Korea (DPRK) are now impersonating US-based software and technology consulting businesses to achieve their financial goals as part of a larger IT worker scheme. The scheme is a way to bypass international sanctions and generate illegal streams of revenue, which are reportedly being used to fund weapons of mass destruction and ballistic missile programs.
A report from SentinelOne claims that the campaign works by allowing people to use false identities to get jobs at US companies and then sending most of their income home to finance weapon development. North Korea has been known to operate a global network of IT workers who, either individually or under the guise of shell companies, usually based in China, Russia, Southeast Asia, and Africa, gain employment in US software firms and funnel money back to the DPRK.
The most notable example came in 2018, when the US Department of Justice sanctioned Yanbian Silverstar Network Technology Co. Ltd. and Volasys Silver Star, located in China and Russia, respectively, for facilitating fraudulent IT operations. The companies were letting DPRK workers launder their salaries via online payment services or Chinese bank accounts, with the money often routed via cryptocurrency or shadow banking systems back to North Korea.

SentinelOne researchers found four additional companies during their investigation. All four companies have since been subject to law enforcement action and taken offline. They’re as follows:
- Independent Lab LLC was found copying its website format from a US company called Kitrium.
- Shenyang Tonywang Technology LTD copied its website format from a US company called Urolime.
- Tony WKJ LLC copied its website format from an Indian company called ArohaTech IT Services.
- HopanaTech copied its website format from a US company called ITechArt.
The US government seized control of all four domains on October 10, 2024. Each domain now shows the standard US law enforcement takedown alert. The seizure was a coordinated effort by the Department of Justice, the Federal Bureau of Investigation, Homeland Security Investigations, the Defense Criminal Investigative Service, and the United States Postal Inspection Service.
The fake IT worker scheme has largely been successful for North Korea so far, and given the size of its network, it is proving to be an effective way to fund the hermit nation’s arsenal. That said, global law enforcement, especially from the US, is catching up quickly.