
OFAC sanctions North Korean IT worker network for funding weapons of mass destruction program through fake remote jobs

March 18, 2026

The U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) has sanctioned six individuals and two entities for their involvement in the Democratic People’s Republic of Korea (DPRK) Information Technology (IT) Worker Program, which was designed to defraud U.S. companies and generate illicit proceeds to fund North Korea’s weapons of mass destruction (WMD) program.

“The North Korean regime targets U.S. companies through deceptive schemes run by foreign IT operatives, weaponizing sensitive data and extorting large payments from companies,” said Treasury Secretary Scott Bessent.

The fraud scheme, also known as Coral Sleet/Jasper Sleet, PurpleDelta, and Wagemole, uses fake documents, stolen identities, and fabricated personas to help IT workers obscure their true origins and obtain jobs at legitimate companies in the United States and elsewhere. A disproportionate portion of their salaries is then funneled to North Korea, supporting the country’s missile program in violation of international sanctions.

In some cases, these efforts are supplemented by the deployment of malware to steal sensitive information or engage in extortion campaigns that demand ransom in exchange for not divulging the stolen data publicly.

The individuals and entities targeted by the latest OFAC sanctions are:

  • Amnokgan Technology Development Company, an IT company that manages delegations of overseas IT workers and conducts other illegal procurement activities to acquire and sell military and commercial technology through overseas networks.
  • Nguyen Quang Viet, CEO of Quangvietdnbg International Services Company Limited, a Vietnamese company that provides currency exchange services for North Koreans. The company is estimated to have converted approximately $2.5 million into cryptocurrencies from mid-2023 to mid-2025.
  • Do Pi Khan, a colleague of Kim Se-un, who was sanctioned by the United States in July 2025. Mr. Do allegedly acted as Mr. Kim’s agent and allowed him to use his identity to open bank accounts and launder proceeds from IT workers.
  • Hoang Van Nguyen, who helped Kim open a bank account, allowing him to trade in cryptocurrencies.
  • Yun Song-kook, a North Korean national who has been leading a group of IT workers doing freelance IT work in Boten, Laos since at least 2023. Mr. Yun coordinated dozens of financial transactions in excess of $70,000 related to IT services with Mr. Huang Minh Quang, and worked with Mr. York Luis Celestino Herrera to enter into freelance IT services contracts.

The development comes as LevelBlue highlights how IT worker schemes are using Astrill VPN to conduct their work while based in countries like China due to the service’s ability to bypass China’s Great Firewall. The idea is to tunnel traffic through exit nodes in the United States, effectively allowing them to impersonate legitimate domestic employees.

“These threat actors typically operate from China rather than North Korea for two reasons: more reliable internet infrastructure and the ability to leverage VPN services to hide their true geographic origins,” security researcher Tu Lu said. “Subgroups of the Lazarus Group, including Contagious Interview, are leveraging this capability to gain unrestricted access to the internet around the world, control command and control infrastructure, and hide their true location.”

The cybersecurity firm also said it detected a failed North Korean attempt to infiltrate the organization by replying to help-wanted advertisements. The IT worker was hired as a remote employee working with Salesforce data on August 15, 2025, but was terminated 10 days later due to indicators of consistent logins from China.
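The two signals described above, U.S. VPN exit nodes that make traffic look domestic and consistent logins from outside the declared work country, can be checked against sign-in logs for recent hires. The following is an added example, not code from LevelBlue or this article; the ASN labels, field names, thresholds, and every sample record are constructed assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample data: ASNs come from the private-use range and the
# "VPN/hosting" label is an assumed enrichment, not a value from the article.
VPN_OR_HOSTING_ASNS = {64512, 64513}
EMPLOYEES = {
    "new.hire":   {"declared_country": "US", "hire_date": date(2025, 8, 15)},
    "contractor": {"declared_country": "US", "hire_date": date(2025, 8, 15)},
    "j.doe":      {"declared_country": "US", "hire_date": date(2025, 8, 11)},
}

def _rows(user, days, country, asn):
    """Build constructed sign-in records: (user, day, geo-IP country, source ASN)."""
    return [(user, date(2025, 8, d), country, asn) for d in days]

SIGNINS = (_rows("new.hire", [16, 18, 19, 20], "US", 64512)   # domestic geo-IP, VPN exit
           + _rows("contractor", [16, 17, 21], "CN", 64700)   # outside declared country
           + _rows("j.doe", [12, 13, 14], "US", 64600))       # ordinary residential ISP

def review_new_hires(employees, signins, window_days=14, min_events=3, threshold=0.5):
    """Return {user: [reasons]} for hires whose early sign-ins look relayed or off-country."""
    stats = defaultdict(lambda: {"total": 0, "foreign": 0, "vpn": 0})
    for user, day, country, asn in signins:
        emp = employees.get(user)
        if emp is None:
            continue  # sign-in for an account we have no HR record for
        if not emp["hire_date"] <= day <= emp["hire_date"] + timedelta(days=window_days):
            continue  # only the review window right after hiring is scored
        s = stats[user]
        s["total"] += 1
        s["foreign"] += country != emp["declared_country"]
        s["vpn"] += asn in VPN_OR_HOSTING_ASNS
    findings = {}
    for user, s in stats.items():
        if s["total"] < min_events:
            continue  # too few events to call the pattern consistent
        reasons = []
        if s["foreign"] / s["total"] >= threshold:
            reasons.append("consistent sign-ins outside declared country")
        if s["vpn"] / s["total"] >= threshold:
            reasons.append("sign-ins relayed through VPN/hosting ASN")
        if reasons:
            findings[user] = reasons
    return findings

if __name__ == "__main__":
    print(review_new_hires(EMPLOYEES, SIGNINS))
```

The `new.hire` account geolocates to the United States on every sign-in and is flagged only by the ASN check, which is why country-level geolocation alone does not catch tunneled sessions.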

A notable aspect of Jasper Sleet’s tradecraft is the use of artificial intelligence to enable identity forgery, social engineering, and long-term operational continuity at low cost, highlighting how AI-powered services can lower technological barriers and enhance the capabilities of threat actors.

“Jasper Sleet leverages AI across the attack lifecycle to get jobs, keep jobs, and exploit access at scale,” Microsoft said. “Threat actors are using AI to shorten the reconnaissance process that informs the development of compelling digital personas tailored to specific job markets and roles.”

Another key component involves using an AI application called Faceswap to insert the face of a North Korean IT employee onto a stolen identity card, generating a polished mugshot for a resume. In doing so, these efforts aim not only to improve campaign accuracy but also to increase credibility by creating a compelling digital identity.

Additionally, remote IT worker threats have been assessed to leverage agentic AI tools to rapidly generate, refine, and reimplement malware components by creating fake corporate websites and, in some cases, jailbreaking large language models (LLMs).

“Threat actors such as North Korea’s remote IT workers rely on long-term, reliable access,” Microsoft said. “Due to this fact, defenders should treat fraudulent hiring and misuse of access as insider risk scenarios and focus on detecting misuse of legitimate credentials, anomalous access patterns, and persistent low-and-slow activity.”

A detailed report published by Flare and IBM X-Force examining the tactics and techniques of IT personnel reveals that threat actors are using timesheets to track job applications and work progress, IP Messenger (also known as IPMsg) for decentralized internal communications, and Google Translate to translate job descriptions, create applications, and even interpret responses from tools like ChatGPT.

The IT Worker Scheme is built on a multi-layered operational structure involving recruiters, facilitators, IT workers and collaborators, each of whom plays a different role.

  • Recruiters are responsible for screening potential IT talent and for recording the initial interview session and sending it to the facilitator.
  • Facilitators and IT workers are responsible for creating personas, acquiring freelance or full-time employment, and onboarding new employees.
  • Collaborators are recruited to donate their personal IDs and information to help IT workers complete the hiring process and receive company-issued laptops.

“With the help of Western collaborators, primarily recruited from LinkedIn and GitHub, who willingly or unwillingly provide their identities for use in IT worker fraud schemes, NKITW is able to penetrate deeper and more reliably into organizations over time,” the companies said in a report shared with Hacker News.

“The work of North Korean IT workers is extensive and deeply embedded within the North Korean party-state. It is an essential element of North Korea’s income generation and sanctions evasion machinery.”

