Key Points:
- Major U.S. companies targeted by North Korean threat actors disguised as remote IT workers.
- Multiple individuals responsible for stealing millions of dollars have already been apprehended by U.S. authorities.
- Of the victims, a cybersecurity company called KnowBe4 was targeted in a sophisticated social engineering attack that involved using an AI-modified photo in a hiring application.
- Due to the severity of this campaign, the U.S. State Department has placed it under the Rewards for Justice (RFJ) program, offering up to $5 million for any information that may lead to the disruption of this campaign.
Summary
Several major U.S. companies, including Fortune 100 firms, have unknowingly hired North Korean IT workers using fake identities for remote roles, as part of a scheme orchestrated by a threat group tracked since 2018 as UNC5267. These workers, primarily based in China and Russia, are sent by the North Korean government to earn salaries at multiple companies, generating revenue for the regime while gaining elevated access to company networks, posing significant risks to cybersecurity. The scheme is facilitated by U.S.-based operators running "laptop farms," where remote technology allows workers to log in and perform their duties from abroad. The U.S. Department of Justice has charged individuals involved in this operation, uncovering $6.8 million in earnings from 2020 to 2023, and has taken steps to shut down this activity. The risks of North Korean workers launching cyberattacks are significant, with the potential to disrupt major organizations if instructed to do so. To prevent these schemes, cybersecurity experts have urged companies to implement stricter hiring practices, such as more rigorous background checks, video interviews, and monitoring for remote administration tools to prevent further infiltration.
Three Individuals Arrested for Helping North Korea Fund Its Weapons Programs Using U.S. Money
Three (3) individuals were arrested for allegedly helping North Korea fund its weapons programs by securing remote IT jobs in the U.S. and funneling the earnings back to the regime.[1] Minh Phuong Vong, a U.S. citizen from Maryland, outsourced his IT work to North Korean nationals, keeping part of the salary while sending the rest to North Korea. Christina Marie Chapman from Arizona allegedly ran a "laptop farm" that allowed North Korean workers to remotely access U.S. laptops, defrauding over 300 companies and generating $6.8 million. She faces multiple charges, including wire fraud and identity theft. High-profile victims included a major television network, a Silicon Valley tech firm, and a multinational restaurant chain. Ukrainian national Oleksandr Didenko was also arrested in Poland for running a website that helped North Koreans secure freelance IT jobs using stolen identities. The FBI emphasized the sophistication of North Korea’s tactics in evading sanctions and victimizing American businesses. The U.S. has seized several websites associated with the fraudulent scheme, linked to companies in China and Russia. The State Department is offering a $5 million reward for information on the three (3) North Korean workers and their managers involved in the scheme.
Isaac Knoot – Laptop Farm
Matthew Isaac Knoot, a 38-year-old from Tennessee, was arrested by the FBI for allegedly running a "laptop farm" that enabled North Korean IT workers to pose as Westerners and secure jobs at U.S. and UK companies. Knoot is accused of using a stolen identity to apply for remote IT positions and outsourcing the work to North Koreans, generating over $250,000[2] per worker between July 2022 and August 2023. The scheme funneled the earnings through North Korean and Chinese accounts to support North Korea's nuclear weapons program. Knoot set up work laptops in the U.S., allowing North Korean workers to access them remotely from China, creating the appearance that the tasks were being completed by U.S.-based individuals. The Justice Department claims this industrial-scale operation generates hundreds of millions of dollars[3] annually for North Korea. The FBI shut down the operation in August 2023, and Knoot now faces charges of wire fraud, identity theft, and conspiracy, with a potential prison sentence of up to twenty (20) years. His arrest is part of the DoJ’s "DPRK RevGen: Domestic Enabler Initiative," launched in March 2024 to crack down on such schemes. The FBI has warned of North Korean IT workers infiltrating U.S. companies using stolen identities and AI-generated profiles, as even cybersecurity firm KnowBe4 unknowingly hired one such actor.
KnowBe4 Falls Victim to North Korean Laptop Farm Scheme
KnowBe4, a cybersecurity company, unwittingly hired a North Korean state actor as a Principal Software Engineer for its AI team. The candidate passed video interviews and background checks and used an AI-modified photo to match their application.[4] After receiving a Mac workstation, the individual attempted to install information-stealing malware, which was quickly detected and neutralized by KnowBe4’s security software. An investigation revealed the hire had used a stolen U.S. identity, and the laptop was likely linked to a North Korean "laptop farm" used to disguise workers’ locations and funnel earnings to fund illegal programs. Although no data was compromised, the incident highlights North Korea’s organized efforts to infiltrate companies through fake IT workers. KnowBe4’s transparency and swift action were praised, serving as a reminder that even cybersecurity firms can fall victim to sophisticated scams.
Recommendations
To prevent falling victim to this type of attack campaign, CTIX analysts advise firms to:
- Use a sandbox environment for new hires
- Isolate critical network parts
- Ensure that external devices are not used remotely
- Treat shipping address inconsistencies as potential red flags
Conclusion
The U.S. State Department's Rewards for Justice (RFJ) program[5] is offering up to $5 million for information that disrupts financial schemes supporting North Korea. It seeks details on North Korean IT workers, using aliases like Jiho Han, Chunji Jin, Haoran Xu, and their manager Zhonghua, who used stolen U.S. identities to secure remote jobs with American companies, generating at least $6.8 million for the North Korean regime. U.S. national Christina Chapman assisted in laundering the proceeds. These workers are linked to North Korea’s Munitions Industry Department, which is responsible for ballistic missile development. Information can be submitted via the RFJ website, social media, or a Tor-based channel. Since 1984, the RFJ program has paid over $250 million to more than 125 informants aiding U.S. national security efforts.
1. https://www.theregister.com/2024/05/17/three_arrested_for_helping_north_korea/
2. https://www.bleepingcomputer.com/news/security/us-dismantles-laptop-farm-used-by-undercover-north-korean-it-workers/
3. https://www.theregister.com/2024/08/08/north_korea_laptop_farm_arrest/?td=keepreading
4. https://www.theregister.com/2024/07/24/knowbe4_north_korean/
5. https://www.state.gov/rewards-for-justice-reward-offer-for-information-on-north-korean-it-workers/