The U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) has imposed sanctions on a network of six individuals and two entities for their central role in a sophisticated Democratic People's Republic of Korea (DPRK) information technology (IT) worker fraud scheme. The operation, designed to systematically defraud U.S. and international businesses, generates illicit revenue intended to fund North Korea's weapons of mass destruction (WMD) and ballistic missile programs, directly contravening multiple United Nations Security Council resolutions. U.S. Treasury Secretary Scott Bessent emphasized the dual-threat nature of the scheme, stating, "The North Korean regime targets American companies through deceptive schemes carried out by its overseas IT operatives, who weaponize sensitive data and extort businesses for substantial payments." This action underscores the U.S. government's commitment to disrupting the financial pipelines that enable Pyongyang's prohibited weapons development.
The fraudulent operation, tracked by cybersecurity researchers under names like Coral Sleet, Jasper Sleet, PurpleDelta, and Wagemole, employs a multi-layered deception strategy. IT workers, acting on behalf of the North Korean regime, utilize forged documentation, stolen identities, and entirely fabricated online personas to conceal their true nationalities and locations. By posing as freelance or contract-based software developers based in other countries, they secure remote positions at legitimate companies, primarily in the United States. A significant portion of the salaries earned from these jobs is then clandestinely diverted back to government-controlled accounts in North Korea, providing a critical stream of foreign currency for its sanctioned weapons programs. The scheme represents a brazen exploitation of the global remote work ecosystem.
Beyond payroll fraud, these state-sponsored IT workers frequently escalate to more aggressive cyber operations to maximize value for the regime. Once embedded within a victim organization, their activities can include deploying malware to exfiltrate proprietary intellectual property, sensitive business data, and personally identifiable information. The operatives then use the stolen data for extortion, in a pattern familiar from ransomware operations: they demand payment from the victim company and threaten to leak the information publicly if the demand is not met. A simple payroll fraud thereby becomes a compounded threat of intellectual property theft, corporate espionage, and disruptive ransomware-style attacks, with significant financial and reputational damage for the victim.
The technical execution of this scheme relies less on exotic tooling than on commodity anonymization infrastructure. As highlighted by cybersecurity firm LevelBlue, the operatives frequently work from third countries, notably China, rather than from inside North Korea. They use commercial virtual private network (VPN) services, such as Astrill VPN, that are capable of bypassing national firewalls like China's "Great Firewall." By routing their traffic through U.S.-based exit nodes, they present a digital footprint consistent with a domestic American employee and evade standard corporate geo-location checks; a geo-IP lookup on the session sees only the exit node, so any control that trusts the apparent source country on its own is defeated by design. Security researcher Tue Luu noted, "These threat actors commonly operate from China rather than North Korea for two reasons: more reliable Internet infrastructure and the ability to leverage VPN services to conceal their true geographic origin." This geographical laundering is a key enabler of the fraud, which is why robust, identity-centric vetting, rather than reliance on where a login appears to come from, is essential for companies hiring remote IT talent.
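To make the point concrete, the following added example (not code from the article, LevelBlue, or any product) contrasts a geo-IP-only login check with one enriched by a commercial-VPN/anonymizer exit-node list. Every IP address, prefix, provider name, user and log line is a constructed placeholder drawn from the RFC 5737 documentation ranges; none of it is Astrill's or any real provider's infrastructure, and a real deployment would replace the two lookup tables with a licensed geo-IP database and an anonymizer feed.

```python
"""Added example: a geo-IP country check alone passes a login tunnelled through a
U.S. VPN exit node; classifying the source as an anonymizer exit catches it.
All prefixes, providers, users and log lines are constructed placeholders."""
import ipaddress
from dataclasses import dataclass

# Constructed stand-in for a commercial-VPN / anonymizer exit-node feed (prefix -> provider).
VPN_EXIT_PREFIXES = {
    "198.51.100.0/24": "commercial-vpn-A",
    "203.0.113.0/25": "commercial-vpn-B",
}

# Constructed stand-in for a geo-IP database (prefix -> ISO country code).
GEOIP_PREFIXES = {
    "198.51.100.0/24": "US",   # VPN exit that geolocates to the U.S.
    "203.0.113.0/25": "US",    # VPN exit that geolocates to the U.S.
    "192.0.2.0/24": "US",      # ordinary residential ISP range
    "203.0.113.128/25": "CN",  # non-VPN range that geolocates to China
}


@dataclass
class LoginEvent:
    user: str
    src_ip: str
    claimed_country: str  # country of residence from the HR/onboarding record


def longest_prefix_match(table, ip):
    """Return the value of the most specific prefix containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, value in table.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, value)
    return best[1] if best else None


def geo_only_check(ev):
    """The weak control: accept if the geo-IP country equals the claimed country."""
    return longest_prefix_match(GEOIP_PREFIXES, ev.src_ip) == ev.claimed_country


def enriched_check(ev):
    """Stronger control: reject known anonymizer exits first, then geo mismatches.
    Returns (ok, reason)."""
    provider = longest_prefix_match(VPN_EXIT_PREFIXES, ev.src_ip)
    if provider is not None:
        return False, f"source is a commercial VPN/anonymizer exit ({provider})"
    country = longest_prefix_match(GEOIP_PREFIXES, ev.src_ip)
    if country != ev.claimed_country:
        return False, f"geo-IP country {country} != claimed {ev.claimed_country}"
    return True, "ok"


def parse_log_line(line):
    """Parse a constructed 'key=value' login log line into a LoginEvent."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    return LoginEvent(fields["user"], fields["src"], fields["claimed"])


def triage(lines):
    """Run both checks over log lines; return {user: (geo_only_ok, enriched_ok, reason)}."""
    results = {}
    for line in lines:
        ev = parse_log_line(line)
        ok, reason = enriched_check(ev)
        results[ev.user] = (geo_only_check(ev), ok, reason)
    return results


# Constructed sample log lines (not from any real system).
SAMPLE_LOG = [
    "ts=2025-01-10T14:02:11Z user=alice src=192.0.2.9 claimed=US",
    "ts=2025-01-10T14:05:43Z user=bob src=198.51.100.7 claimed=US",
    "ts=2025-01-10T14:07:02Z user=carol src=203.0.113.200 claimed=US",
]

if __name__ == "__main__":
    for user, (geo_ok, enr_ok, reason) in triage(SAMPLE_LOG).items():
        print(f"{user:6} geo-only={'pass' if geo_ok else 'FAIL'} "
              f"enriched={'pass' if enr_ok else 'FAIL'}  {reason}")
```

In the sample, "bob" is the case the article describes: the exit node geolocates to the U.S., so the geo-only check passes, while the enriched check rejects the session because the address sits in a known anonymizer range. Note that even the enriched check only establishes where a session comes from, not who is behind it; it is a useful detection signal, not a substitute for the identity-centric vetting the article calls for.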