FBI Atlanta is warning the public about the threat of hiring Remote IT workers who use false identifications to conceal their true North Korean identities.

Today, the Northern District of Georgia unsealed a five-count wire fraud and money laundering indictment charging four North Koreans, Kim Kwang Jin (김관진), Kang Tae Bok (강태복), Jong Pong Ju (정봉주) and Chang Nam Il (창남일), with a scheme to steal from two companies virtual currency, valued at over $900,000 at the time of the thefts, and to launder proceeds of those thefts. The defendants concealed their North Korean identities from their employers by providing the employers with false identification documents that contained stolen and fake identity information.

In approximately December 2020 and May 2021, respectively, Kim Kwang Jin (using victim P.S.’s stolen identity) and Jong Pong Ju (using the alias “Bryan Cho”) were hired by a blockchain research and development company headquartered in Atlanta, Georgia, and a virtual token company based in Serbia. Both defendants concealed their North Korean identities from their employers by providing false identification documents containing a mix of stolen and fraudulent identity information. Later, on a recommendation from Jong Pong Ju, the Serbian company hired “Peter Xiao,” who in fact was Chang Nam Il.

After gaining their employers’ trust, Kim Kwang Jin and Jong Pong Ju were assigned projects that provided them access to their employers’ virtual currency assets. In February 2022, Jong Pong Ju used that access to steal virtual currency worth approximately $175,000 at the time of the theft, sending it to a virtual currency address he controlled. In March 2022, Kim Kwang Jin stole virtual currency worth approximately $740,000 at the time of theft by modifying the source code of two of his employer’s smart contracts, then sending it to a virtual currency address he controlled.

To launder the funds after the thefts, Kim Kwang Jin and Jong Pong Ju “mixed” the stolen funds, using the virtual currency mixer Tornado Cash, and then transferred the funds to virtual currency exchange accounts controlled by Kang Tae Bok and Chang Nam Il but held in the names of aliases. These accounts were opened using fraudulent Malaysian identification documents.

According to the indictment, the defendants traveled to the United Arab Emirates on North Korean travel documents, along with other individuals, and worked together as a co-located team.

Neither of the victim companies in this investigation would have hired the individuals had they known they were North Korean citizens. FBI Atlanta is warning the public about the threat of North Korean citizens who often apply for Remote IT roles as blockchain developers. These individuals often use multiple fake names, identity cards, and social media accounts to gain employment at numerous companies. Companies looking to hire Remote IT workers, especially for blockchain development, are encouraged to apply additional layers of scrutiny to their interview and hiring processes.

Recommendations for Strengthening Remote-Hiring Processes

• Implement identity-verification processes during interviewing, onboarding, and throughout the employment of any remote worker. Cross-check HR systems for other applicants with the same resume content and/or contact information. The FBI has observed in other instances that North Korean IT workers use artificial intelligence and face-swapping technology during video job interviews to obfuscate their true identities.
• Educate HR staff, hiring managers, and development teams regarding the North Korean IT worker threat, specifically focusing on changes in address or payment platforms during the onboarding process.
• Review each applicant’s communication accounts as North Korean IT workers have reused phone numbers (particularly voice-over-IP numbers) and email addresses on multiple resumes purportedly belonging to different applicants.
• Verify third-party staffing firms conduct robust hiring practices and routinely audit those practices.
• Use “soft” interview questions to ask applicants for specific details about their location or educational background. North Korean IT workers often claim to have attended non-US educational institutions.
• Check applicant resumes for typos and unusual terminology.
• Complete as much of the hiring and onboarding process as possible in person.

Reporting: If you suspect you have been approached or victimized by a North Korean IT worker, the FBI recommends taking the following actions:

• Report the suspicious activity to the FBI’s Internet Crime Complaint Center (IC3) at www.IC3.gov as quickly as possible.
• Evaluate network activity from the suspected employee and their assigned device(s), and use internal intrusion-detection software to capture activity on the suspected device(s).

Reference

In 2022 and 2023, the United States, along with foreign partners, issued public advisories regarding how North Korean IT workers operate and provided red-flag indicators and due diligence measures for businesses to avoid hiring North Korean freelance developers. In May 2024, the FBI provided further guidance regarding North Korean IT workers and their use of witting and unwitting US-based individuals.