The Department of Treasury (Treasury) and the Republic of Korea (ROK) have imposed sanctions against entities and individuals associated with North Korea's overseas IT workers.
U.S. Sec. of State announced the actions May 23. The coordinated measures were taken against "four entities and one individual involved in illicit revenue generation and malicious cyber activities" on behalf of the Democratic People’s Republic of Korea’s (DPRK) government, according to the news release.
"The DPRK conducts malicious cyber activities and deploys information technology (IT) workers abroad who fraudulently obtain employment to generate revenue that supports the Kim [Jong Un] regime," Blinken stated in the announcement.
The DPRK is alleged to use at least one of its universities to train IT workers to be "malicious cyber actors" who go to work for the DPRK's Reconnaissance General Bureau (RGB), "the DPRK’s primary intelligence bureau and main entity responsible for the country’s malicious cyber activities," Treasury reports in its May 23 sanctions announcement.
The malign IT workers steal funds from individuals and companies around the world, according to Treasury's news release. The stolen monies support the DPRK's illegal ballistic-missiles and weapons of mass production (WMD) programs, among other priorities. Treasury, in its news release, cites a March report by U.N.'s Panel of Experts that found DPRK cyber actors stole more virtual currency in 2022 than ever before; from $630 million to over $1 billion, allegedly twice Pyongyang’s 2021 cyber-theft proceeds.
“The DPRK's illicit cyber and IT worker operations threaten international security by financing the regime's unlawful WMD and ballistic missile programs. We are taking sanctions action today in coordination with our ROK partner,” Blinken said in a tweet on May 23.
He said in his DOS statement that this action reflects the commitment to hold the DPRK regime accountable for its actions, with the ROK simultaneously imposing sanctions on one entity and one individual linked to these workers.
Designated entities include Pyongyang University of Automation for its role in training malicious cyber actors, according to the Treasury news release. The Technical Reconnaissance Bureau (TRB), controlled by the RGB, and its subordinate cyber unit, the 110th Research Center, have also been designated, the release reports. TRB leads the development of malignant cyber tactics and tools; the 110th Research Center has been involved in cyber operations targeting networks worldwide, including in the U.S. and the ROK, the release states.
The DPRK also generates substantial revenue through its highly skilled IT workers being fraudulently employed globally, particularly in China and Russia, according to the release. These workers employ various tactics to conceal their identities and locations, using false personas, proxy accounts, stolen identities, and forged documentation to secure employment. They primarily target employers in wealthier countries, including the technology and virtual currency sectors, often engaging in projects related to virtual currency. Virtual currency exchanges and trading platforms are utilized to manage digital payments and launder illicitly obtained funds back to the DPRK.
One of the designated entities, Chinyong Information Technology Cooperation Company (also known as Jinyong IT Cooperation Company), operates in North Korea and is associated with the Ministry of Peoples’ Armed Forces, the release reported. Chinyong employs delegations of DPRK IT workers operating in Russia and Laos. The designated individual, Kim Sang Man, affiliated with Chinyong, has been involved in payment activities and the sale and transfer of IT equipment for the DPRK. Notably, he received substantial cryptocurrency transfers valued at more than $2 million USD from IT teams in China and Russia.
