US indicts 14 North Koreans in $88 million IT worker scam
A federal court in St. Louis, Missouri has charged fourteen North Korean nationals over their alleged roles in a six-year social engineering scam in which they posed as IT professionals to obtain work with U.S. companies, netting $88 million. The indictment sheds light on how the scheme, allegedly orchestrated by the North Korean regime, exploited remote work opportunities to generate revenue in violation of U.S. and U.N. sanctions.
A sophisticated scheme
The accused allegedly operated under the direction of two North Korea-controlled front companies, Yanbian Silverstar and Volasys Silverstar, based in China and Russia. Using stolen or falsified identities, including U.S. citizens' personal information, the defendants secured remote IT jobs with U.S. firms. According to the Department of Justice (DoJ), some were mandated to earn at least $10,000 per month.
In addition to earning salaries, some members of the group allegedly stole sensitive data, such as proprietary source code, from their employers and extorted them to prevent its leak. Proceeds from the operation were funneled into North Korea-controlled accounts in China to support the regime’s priorities, including its weapons programs.
“To prop up its brutal regime, the North Korean government directs IT workers to gain employment through fraud, steal sensitive information from U.S. companies, and siphon money back to the DPRK,” said Deputy Attorney General Lisa Monaco.
Thousands of 'IT Warriors' at work
The indictment follows a May 2022 advisory by the U.S. State Department and FBI, which warned about North Korea’s deployment of thousands of highly skilled IT workers worldwide. These “IT Warriors,” as they refer to themselves, allegedly use their positions to generate significant revenue for the regime. The two companies named in the indictment reportedly employed at least 130 such operatives.
The scam even reached prominent firms like security awareness company KnowBe4, which unknowingly hired a North Korean IT worker posing as a U.S.-based software engineer. According to KnowBe4 CEO Stu Sjouwerman, the individual began loading malware onto the company’s systems shortly after receiving their work laptop. The activity was detected early, preventing data theft or further compromise.
The role of US laptop farms
The scheme also relied on US-based accomplices to create the illusion of domestic IT workers. These individuals allegedly procured laptops from target organizations, installed remote access tools, and shipped the devices to North Korean operatives abroad.
In August, the DoJ charged Nashville resident Matthew Isaac Knoot as part of its DPRK RevGen: Domestic Enabler initiative, launched in March 2024 to disrupt such operations. Knoot is accused of running one such “laptop farm” to support the scheme.
Implications and warnings
The charges highlight the growing sophistication of North Korea’s efforts to circumvent sanctions and exploit global reliance on remote work. The DoJ has urged companies to remain vigilant, warning that failing to detect such malicious insiders could lead to devastating consequences.
“This indictment of 14 North Korean nationals exposes their alleged sanctions evasion and should serve as a warning to companies around the globe—be on alert for this malicious activity by the DPRK regime,” Monaco added.
As the case progresses, US law enforcement has reaffirmed its commitment to dismantling North Korea’s cyber-enabled schemes. The DPRK RevGen initiative continues to prioritize the identification and closure of US-based operations that enable such fraud.
Meanwhile, companies are advised to strengthen their vetting processes, monitor remote access activity, and implement robust endpoint detection systems to protect against similar threats.