The US is indicting yet another five suspects it believes were involved in North Korea’s long-running, fraudulent remote IT worker scheme – including one who changed their last name to “Bane” and scored a gig at a tech biz in San Francisco.
Two North Korean nationals residing in China, Jin Sung-Il and Pak Jin-Song, are among the indicted, accused of carrying out various jobs for numerous US companies, all facilitated by three others running so-called laptop farms.
Mexican national Pedro Ernesto Alonso De Los Reyes, who lives in Sweden, and US nationals Erick Ntekereze Prince and Emanuel Ashtor, of New York and North Carolina respectively, were also charged with facilitating the scheme.
Alonso is accused of willfully allowing the North Korean devs to use his genuine identity to create fake US worker visa documents, while Prince and Ashtor are alleged to have registered and run Taggcar and Vali Tech respectively – two US staffing companies used to secure employment for remote contractors.
Prosecutors claim the scheme ran for quite some time. The indictment [PDF] alleges that all five individuals, along with others not included in the charges, started the scheme as early as April 2018 and ran it until around August 2024.
The US claims Prince and Ashtor set up the laptops issued by the victimized US companies and unlawfully downloaded remote access software like AnyDesk and TeamViewer, allegedly allowing the likes of Jin, Pak, and others to remotely connect to and work for the US companies in IT roles. These were mainly mobile app developer gigs, but also involved what the indictment describes as “specialist engineer positions.”
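From the corporate side, the setup described above leaves two observable traces: a remote-access product on a company-issued laptop that the employer never sanctioned, and several issued laptops checking in from the same residential public IP, which is what a laptop farm looks like in endpoint telemetry. The following is an added example written for this page, not code from the article, the DoJ filing, Mandiant or any company named here; the inventory schema and the records in `SAMPLE_INVENTORY` are constructed, and the tool list is seeded only with the two products the article names.

```python
"""
Added example: triage company-issued laptops for two laptop-farm indicators.
  1. Unsanctioned remote-access software (AnyDesk, TeamViewer) in the
     installed-software inventory of an issued device.
  2. Several issued devices reporting the same public egress IP.
All records below are constructed sample data; the field names are a
hypothetical inventory schema, not any vendor's export format.
"""
from collections import defaultdict

# Remote-access products named in the article; extend for your own estate.
REMOTE_ACCESS_TOOLS = {"anydesk", "teamviewer"}

# Constructed endpoint-inventory records: three contractor laptops share one
# public IP, one ordinary employee laptop reports from elsewhere.
SAMPLE_INVENTORY = [
    {"device": "LT-0101", "user": "a.contractor", "public_ip": "203.0.113.10",
     "installed": ["Xcode", "AnyDesk"]},
    {"device": "LT-0102", "user": "b.contractor", "public_ip": "203.0.113.10",
     "installed": ["Android Studio", "TeamViewer"]},
    {"device": "LT-0103", "user": "c.contractor", "public_ip": "203.0.113.10",
     "installed": ["Visual Studio Code"]},
    {"device": "LT-0200", "user": "d.employee", "public_ip": "198.51.100.7",
     "installed": ["Visual Studio Code"]},
]


def find_remote_access_tools(inventory):
    """Return {device: [tool, ...]} for devices carrying listed remote-access software."""
    hits = {}
    for rec in inventory:
        found = [app for app in rec["installed"] if app.lower() in REMOTE_ACCESS_TOOLS]
        if found:
            hits[rec["device"]] = found
    return hits


def find_shared_egress(inventory, threshold=3):
    """Return {ip: [device, ...]} for public IPs used by at least `threshold` issued devices."""
    by_ip = defaultdict(list)
    for rec in inventory:
        by_ip[rec["public_ip"]].append(rec["device"])
    return {ip: devs for ip, devs in by_ip.items() if len(devs) >= threshold}


def triage(inventory, threshold=3):
    """Combine both checks into {device: [reason, ...]} for analyst follow-up."""
    tools = find_remote_access_tools(inventory)
    shared = find_shared_egress(inventory, threshold)
    shared_devices = {d for devs in shared.values() for d in devs}
    report = {}
    for rec in inventory:
        reasons = []
        if rec["device"] in tools:
            reasons.append("remote-access tool present: " + ", ".join(tools[rec["device"]]))
        if rec["device"] in shared_devices:
            reasons.append("shares egress IP %s with other issued devices" % rec["public_ip"])
        if reasons:
            report[rec["device"]] = reasons
    return report


if __name__ == "__main__":
    for device, reasons in sorted(triage(SAMPLE_INVENTORY).items()):
        print(device, "->", "; ".join(reasons))
```

The egress check will also fire on a legitimate shared exit point such as an office NAT or a corporate VPN concentrator, so exclude known corporate egress ranges before running it, and treat the output as a queue for human review rather than a verdict: a single contractor with AnyDesk installed may simply need a policy conversation, while three issued laptops behind one residential IP is the pattern the indictment describes.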
Unspecified members of the scheme also established US bank accounts to receive payments from salaries, which in some cases were well in excess of six figures, as well as accounts at other payment platforms used to launder the funds, minus the share allegedly taken by Alonso and Prince, the DoJ claims.
At least 64 US companies were successfully fooled by the scheme over the six-year period, the indictment states. Payments made by just ten of these orgs totaled approximately $866,255.
Only nine of the victim companies were described in any detail:
- One is a multinational retail corporation based in the US
- Another was a financial institution based in Stamford, CT
- A Miami-based international cruise line
- A San Francisco tech biz
- Two IT companies based in Palo Alto and Milpitas, CA
- Three staffing companies based in Illinois, California, and Florida
These companies were victimized in different ways, sometimes simultaneously. In one example shared in the indictment, Jin allegedly secured employment at the Illinois staffing company and signed documents with the Palo Alto IT company regarding confidentiality and care for the company-issued device.
Another saw Jin allegedly secure employment at the Stamford financial institution and, months later, a second job at the San Francisco tech company. After securing the job in Stamford, Jin informed the company he changed his family name to “Bane,” the persona he then used to secure a job in San Francisco, according to the indictment.
“The Department of Justice remains committed to disrupting North Korea’s cyber-enabled sanctions-evading schemes, which seek to trick US companies into funding the North Korean regime’s priorities, including its weapons programs,” said Devin DeBacker, supervisory official at the Justice Department’s National Security Division.
“Our commitment includes the vigorous pursuit of both the North Korean actors and those providing them with material support. It also includes standing side-by-side with US companies to not only disrupt ongoing victimization, but also to help them independently detect and prevent such schemes in the future.”
Prince and Ashtor were both arrested by the FBI at an unspecified time. Ashtor’s residence in North Carolina was searched and law enforcement officials said it was previously used to host the laptop farm.
Alonso was also arrested earlier this month, on January 10 in the Netherlands, following an arrest warrant issued by the US. There was no word on whether he had yet been extradited.
All five individuals are charged and face counts related to conspiracy to cause damage to a protected computer, conspiracy to commit wire fraud and mail fraud, conspiracy to commit money laundering, and conspiracy to transfer false identification documents.
Additionally, Jin and Pak are charged with conspiracy to violate the International Emergency Economic Powers Act. Since they are based in China, the likelihood of them being seen in a US courthouse is slim, although if by chance that does happen, they’ll face a maximum sentence of 20 years.
FBI hunts better, North Korea gets nastier
Coinciding with the Thursday indictment, the FBI updated its previous guidance on North Korean IT worker tradecraft, saying the fraudsters’ tactics have become more aggressive of late.
After securing employment, the FBI said these workers were caught stealing proprietary data, including code, and extorting the employer for a ransom payment. Some cases have led to this data being published online, it added.
While it’s not uncommon for software developers to copy company code to their personal GitHub accounts, the practice is seen as a major risk in the case of the North Korean schemes.
There are growing fears that these workers could take their tradecraft further, stealing genuine credentials and session cookies to facilitate additional types of compromise.
Commenting on the news, Michael Barnhart, principal analyst at Mandiant, said: “The increased pressure from law enforcement and media coverage on North Korea’s elaborate IT worker scheme is impacting the success of their operations. However, an unfortunate byproduct of law enforcement action is these threat actors are becoming noticeably more aggressive in their tactics.
“We are increasingly seeing North Korean IT workers infiltrating larger organizations to steal sensitive data and follow through on their extortion threats against these enterprises. It’s also unsurprising to see them expanding their operations into Europe to replicate their success, as it’s easier to entrap citizens who aren’t familiar with their ploy.”
Barnhart also said Mandiant, which previously shared its top tips on catching North Korean IT miscreants, is seeing a rise in them specifically targeting companies that rely on virtual desktop infrastructure instead of providing their remote employees with physical hardware.
While it’s more cost-effective for companies, and eliminates the need for laptop farms, “it’s easier for the threat actors to hide their malicious activity,” he said.
“As a result, North Korean IT workers are turning a company’s short-term savings into long-term security risks and financial losses, so it’s imperative for more businesses to pay attention to these operations.”
Cybercriminal tradecraft is always evolving as defenders latch on to and stymie tactics relatively quickly. Security researchers at the likes of Microsoft and Sophos have both issued warnings about Russia’s activity, for example. Microsoft warned that state-sponsored crews are now targeting WhatsApp accounts to rummage for secrets, while the country’s lowly ransomware scumbags are now impersonating helpdesk staff on Teams, video-calling victims and tricking them into installing malware, Sophos said this week. ®