Five Men Admit to Aiding North Korean IT Schemes in U.S.

Five men have admitted to running fraudulent operations that enabled North Koreans to obtain remote IT positions at U.S. firms in violation of U.S. law, according to statements from federal prosecutors.

The pleas are part of a broader pattern of similar schemes run by North Korean government-backed hacking and threat groups. These activities, which have intensified over the past five years, are designed to divert millions in job revenues and cryptocurrencies to North Korea's weapons programs. The schemes also aim to establish footholds for cyber attacks and surveillance. In one notable case, a North Korean national secured a job under false pretenses at the U.S. security firm KnowBe4, where he installed malware immediately upon employment.

On Friday, the U.S. Justice Department disclosed that five men, identified as participants in a scheme led by the group known as APT38, also referred to as Lazarus, had pleaded guilty. APT38 has carried out numerous attacks on the U.S. and other nations over the past decade, with increasing sophistication and audacity. Each of the five defendants admitted to wire fraud, and one also admitted to aggravated identity theft.

False Appearances with Hosted Laptops

Prosecutors outlined the tactics used by the defendants, which included providing false or stolen identities and hosting company-provided laptops at U.S. residences. This setup created the misleading impression that the North Korean IT workers were operating from within the U.S. According to prosecutors, these fraudulent activities affected over 136 U.S. companies, generated more than $2.2 million in revenue for the North Korean regime, and compromised the identities of over 18 U.S. individuals. Similar incidents have been documented in various reports.

Four of the men—Audricus Phagnasay, 24; Jason Salazar, 30; Alexander Paul Travis, 34; and Erick Ntekereze Prince, 30—have pleaded guilty to one count of wire fraud. Phagnasay, Salazar, and Travis confessed to providing their identities to applicants for IT roles who were known to be based outside the U.S. These identities were fraudulently used to bypass employment prohibitions. All four also installed remote access programs on laptops at their residences, making it appear that the North Korean IT workers were working from within the defendants' homes rather than from abroad.
