Press Release

Justice Department Announces Arrest, Premises Search, and Seizures of Multiple Website Domains to Disrupt Illicit Revenue Generation Efforts of Democratic People’s Republic of Korea

For Immediate Release
Office of Public Affairs
Disruptive Actions Reflect Department Initiative to Disrupt DPRK IT Workers’ Use of U.S.-Based Individuals and Services

The Justice Department today announced a series of coordinated and court-authorized actions to disrupt the illicit revenue generation efforts of Democratic People’s Republic of Korea (DPRK) information technology (IT) workers. As part of a Department-wide initiative – the DPRK RevGen: Domestic Enabler Initiative – the Department will continue to prioritize high-impact, strategic, and unified enforcement and disruption operations across the U.S. Government targeting U.S.-based enablers of unlawful DPRK IT workers overseas. Today’s announcement follows successful Department-led action in October 2023 which targeted similar and related conduct. 

Under the Initiative, launched in March 2024 by the National Security Division and FBI Cyber and Counterintelligence Divisions, Department prosecutors and agents are prioritizing:

  • The identification and shuttering of U.S.-based “laptop farms” (i.e., locations hosting laptops provided by victim U.S. companies to individuals they believed were legitimate U.S.-based freelance IT workers);
  • Investigations and prosecutions of U.S.-based witting enablers, as appropriate;
  • International partnerships with like-minded countries that also host IT worker support networks;
  • Improved speed, tempo, and content of notifications to victims, primarily unwitting U.S. companies; and
  • Enhanced partnerships with private sector online service providers, including in terms of identifying IT worker infrastructure and personas, improving the providers’ in-house fraud detection methods, and educating compliance personnel and the public regarding the threat (see e.g., May 2022 and October 2023 advisories, as well as a new advisory released today by the FBI).

“Today’s announcement reveals the complex web of deception and facilitators that is central to the North Korean regime’s schemes to evade international sanctions to finance its weapons program,” said Assistant Attorney General Matthew G. Olsen of the Justice Department’s National Security Division. “The disruptions announced today represent a focused and continuing effort to dismantle these illicit networks and thereby prevent North Korean IT workers from victimizing unwitting U.S. companies. Through such sustained campaigns against this threat, the Department will continue to enhance our collective national security and cybersecurity.”

“The FBI and its partners are committed to leveraging everything at our disposal to disrupt North Korean IT workers from subverting the rule of law in order to fund the DPRK’s weapons of mass destruction program,” said Assistant Director Bryan Vorndran of the FBI’s Cyber Division. “We will continue our work of maintaining order in the cyber space and preventing bad actors from taking advantage of it for their strategic geopolitical objectives.”

As alleged in court documents, the DPRK government dispatched thousands of skilled IT workers to live abroad, primarily in China and Russia, with the aim of deceiving U.S. and other businesses worldwide into hiring them as freelance IT workers, to generate revenue for its weapons of mass destruction (WMD) programs. The DPRK IT workers’ scheme involved the use of pseudonymous email, social media, payment platform and online job site accounts, as well as false websites, proxy computers, and witting and unwitting third parties located in the United States and elsewhere. As described in a May 2022 tri-seal public service advisory released by the FBI, Department of the Treasury and Department of State, such IT workers have been known to individually earn up to $300,000 annually, generating hundreds of millions of dollars collectively each year, on behalf of designated entities, such as the North Korean Ministry of Defense and others directly involved in the DPRK’s UN-prohibited WMD programs.

***

Consistent with the goals of this initiative and prior to its inception, the District of Maryland led enforcement actions against Minh Phuong Vong of Bowie, Maryland, who was arrested this morning for his alleged participation in a scheme to assist overseas IT workers – posing with his identity – in working at U.S. companies in remote IT positions. Earlier this week, the FBI executed a premises search at Vong’s residence.

Separately, the Eastern District of Missouri led a seizure action against 12 website domains used by DPRK IT workers to mimic western IT services firms to support the bona fides of their attempts to secure remote work contracts for U.S. and other businesses worldwide.

“The alleged schemes likely benefitted the Democratic People’s Republic of Korea in evading U.S. sanctions and victimizing American businesses,” said Executive Assistant Director Larissa L. Knapp of the FBI’s National Security Branch. “By stealing the identities of American citizens to commit fraud, they obtained proceeds which likely helped fund the North Korean regime’s priorities including nuclear weapons programs. The FBI and our partners are committed to rooting out insidious efforts that undermine our economic and national security.”

Vong Premises Search, Complaint, and Arrest – District of Maryland

As part of an investigation pre-dating the initiative, Vong was arrested today and charged by criminal complaint with conspiracy to commit wire fraud.

According to the criminal complaint, Vong and other conspirators engaged in a scheme to fraudulently gain employment at companies located in the United States. These U.S. companies provided information technology services, including software development services, to the U.S. government. While Vong was nominally employed by these U.S. companies, he was not in fact the individual performing work for them. Remote IT workers based overseas instead posed as Vong and performed Vong’s job duties.

According to the affidavit in support of the criminal complaint, in March 2023, as part of Vong’s hiring process with a U.S. company, the Chief Executive Officer of the U.S. company conducted a video call with Vong where he verified Vong’s identity with a U.S. passport and Maryland driver’s license. A different individual, however, had appeared for an earlier interview for the position and later for work meetings during the course of Vong’s employment. That individual, charged as a John Doe defendant in the criminal complaint, is a native of North Korea and a self-described software developer who claimed to be living in Shenyang, China.

As alleged in the complaint, throughout the course of Vong’s employment with the U.S. company, remote IT workers based overseas performed Vong’s job duties by accessing protected victim computer systems via remote internet connections and posing as Vong on work-related videoconferences. Vong also shipped one or more laptops to an address in China. Vong also received payment from the U.S. company and other employers, which he then transmitted to individuals located overseas, keeping a percentage for himself.

The FBI Baltimore Field Office is investigating the case.

Assistant U.S. Attorney Kathleen O. Gavin for the District of Maryland is prosecuting the case with valuable assistance provided by Trial Attorney Alexandra Cooper-Ponte of the National Security Division’s National Security Cyber Section.

Fraudulent DPRK IT Work Website Seizures – Eastern District of Missouri

On May 15, pursuant to a court order issued in the Eastern District of Missouri, the Department seized 12 website domains used by DPRK IT workers to hide their true identities and locations when applying to do remote work for U.S. and other businesses worldwide. The specific group of DPRK IT workers who created these domains work for the PRC-based Yanbian Silverstar Network Technology Co. Ltd. and the Russia-based Volasys Silver Star, both of which were sanctioned in 2018 by the Department of the Treasury. These IT workers funneled income from their fraudulent IT work back to North Korea using online payment services and Chinese bank accounts.

“Shutting down these websites is just one of the ways we are working to disrupt the flow of money to the North Korean weapons program,” said U.S. Attorney Sayler A. Fleming for the Eastern District of Missouri. “The business community can do their part by carefully vetting their online hires.”

The 12 website domains seized yesterday, partial images of which are included in the unsealed affidavit, were designed to appear as domains of legitimate, U.S.-based IT services companies located in Portland, Oregon; Houston; Lancaster, Pennsylvania; Oklahoma City; Indianapolis; New York; and Richmond, Virginia. Three of the entities that claimed to own these domains were officially registered in Wyoming. The website contents included a variety of material designed to entice potential victims, such as claims that the firms assisted hundreds of “happy clients” including Fortune 500 companies (potentially a fictitious claim) and completed hundreds of projects over thousands of work hours. Other websites included claims of having helped clients benefit from new technologies, such as artificial intelligence and machine learning, “blockchain solutions,” cloud computing skills, and internet of things knowledge.

However, the website domains also included indicia that should have aroused suspicion about their bona fides. For example:

  • The phone numbers used to register these domains, or advertised as belonging to these businesses, did not have area codes that corresponded with the locations where these businesses claimed to have offices;
  • Some of the addresses listed were homes, versus office buildings;
  • The content included disjointed phrases that appeared to be attempts at inspirational quotes – e.g., “Nor, moreover, is there anyone who loves pain because it is pain, pursues it, wants to gain it, but;” and
  • Awkward promotional phrases such as “here are our main features & many more features.”

The National Security Division’s National Security Cyber Section and the U.S. Attorney’s Office for the Eastern District of Missouri are investigating this case. The FBI St. Louis Field Office conducted the investigation, with the assistance of the FBI Cyber Division.

***

The FBI, along with the Departments of State and Treasury, issued a May 2022 advisory to alert the international community, private sector and public about the North Korea IT worker threat. Updated guidance was issued in October 2023 by the United States and the Republic of Korea (South Korea), which includes indicators to watch for that are consistent with North Korea IT worker fraud.

Concurrent with today’s announcement and consistent with the initiative’s goals, two additional criminal prosecutions in the District of Columbia were unsealed today, resulting in two arrests and the execution of related seizures and search warrants in multiple jurisdictions. Both prosecutions reflect investigations that predate the initiative’s inception. Arizona woman Christina Marie Chapman was arrested on May 15 and three foreign nationals were charged on May 8 in connection with a similar IT worker scheme associated with North Korea. As part of this case, the U.S. Attorney’s Office seized wages earned by more than 19 overseas IT workers and will seek their forfeiture. Additionally, the District of Columbia charged Ukrainian national Oleksandr Didenko for similar conduct. As alleged, Didenko created fake accounts at U.S. IT job search platforms and with money service transmitters. Didenko was arrested in Poland on May 6 pursuant to an arrest warrant from the United States.

The U.S. Department of State has offered potential rewards for up to $5 million in support of international efforts to disrupt North Korea’s illicit financial activities, including for certain information related to individuals who are sent outside of North Korea to work to generate money for the North Korean government or who facilitate the activities of such North Korean nationals.

An indictment and a criminal complaint are merely allegations. All defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law.

Updated May 17, 2024

Topics
Cybercrime
National Security