U.S. Agencies Seize Four North Korean IT Worker Scam Websites
2024-11-22 22:54:07 Author: securityboulevard.com

U.S. law enforcement agencies have seized four websites used by North Korean operatives as part of the country’s ongoing efforts to plant IT workers in companies around the world to evade sanctions and generate money for its weapons programs.

The fraudulent companies were identified by threat researchers at SentinelOne, and their websites were seized last month by U.S. agencies including the Justice Department (DOJ), the FBI, and the Department of Homeland Security (DHS). The sites now display a message in both English and Korean stating that they were seized under a warrant issued by a federal court in Massachusetts.

The fake businesses posed as legitimate U.S.-based technology and software consultancy firms offering contractors and other IT workers to companies, according to SentinelOne researchers Tom Hegel and Dakota Cary. They also traced the four fake businesses to a larger network of front companies based in China, which, they wrote in a report, “emphasizes the scale and complexity of North Korea’s financial schemes and the importance of vigilance across industries. … Front companies, often based in China, Russia, Southeast Asia, and Africa, play a key role in masking the workers’ true origins and managing payments.”

The Biden Administration has been aggressive in pushing back against North Korean IT worker scams, seizing sites and shutting down laptop farms in the United States that are used to facilitate the fraud. In the scams, skilled North Korean operatives posing as IT workers from other countries try to get hired by IT companies in the United States and elsewhere for remote IT work.

Funding Weapon Programs

Once the operatives are hired, the wages they earn are sent back to the North Korean regime to help fund its nuclear weapons and ballistic missile programs. In addition, some of the operatives deploy malware in their employers’ systems to steal information and money.

In one case, KnowBe4 founder and CEO Stu Sjouwerman wrote about how his company was duped into hiring one of these workers, noting that the operative got through a background check, reference verifications, and four video-conference interviews before being hired. Immediately after being hired, the person used his company-issued Apple Mac to start loading malware onto KnowBe4’s systems.

“These workers are highly skilled in areas like software development, mobile applications, blockchain, and cryptocurrency technologies,” Hegel and Cary wrote. “By posing as professionals from other countries using fake identities and forged credentials, they secure remote jobs and freelance contracts with businesses worldwide.”

The front companies in countries like China and Russia help the North Korean workers launder their wages through online payment services and bank accounts in China, with payments often routed through cryptocurrencies or “shadow banking systems,” they wrote.

Four Websites Seized

SentinelOne identified four fraudulent companies, including Independent Lab LLC, whose site has been active since at least February 2024, when the domain was possibly acquired, and is hosted on the web and cloud hosting service InterServer. The domain was registered via Namecheap.

“The content of the website is in line with what you would expect of a legitimate software development outsourcing business, with no obvious major indicators associated with the DPRK, or even illegitimate in any way,” Hegel and Cary wrote. “In the case of Independent Lab LLC, the website format and content was copied from Kitrum, a legitimate custom software firm headquartered in the United States.”

Another website, Shenyang Tonywang Technology, became active in November 2023 on InterServer hosting infrastructure, and its domain was likewise registered through Namecheap. Like Independent Lab, Shenyang Tonywang Technology advertises itself as a software consulting company offering bespoke solutions such as DevOps and cloud consulting. The website’s format and content were copied from Urolime, a legitimate U.S.-based DevOps consulting company.

The Tony WKJ LLC IT Services website promotes itself as a software development company specializing in Agile development. Active since May 2024, it also copies the format and content of a legitimate business, this time the software and web development firm ArohaTech IT Services, which is headquartered in India.

“However, a comparison to the legitimate website reveals that the DPRK [Democratic People’s Republic of Korea] actors have not only placed their own name, and removed original ArohaTech logos, they have also modified the content to clearly attempt to brand Tony WKJ LLC as a US based company,” the researchers wrote.

A Unique – but Still Fake – Company

They wrote that the HopanaTech website differed from the others. Its domain was first registered in November 2020, and the site began hosting publicly through Asia Web Services a month later. Like the others, it describes itself as a custom software development company, though its copied content was modified far more heavily.

“It continued to make use of customer reviews and marketing content from legitimate public websites,” the researchers wrote. “However, in some cases, content that would have required more than a simple text edit remains unchanged, showing the original source’s name, such as the legitimate ITechArt firm’s website.”
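The residual-branding clue described above is something an analyst can check mechanically when triaging a suspected front-company site. The following is an added example, not code from the article or from SentinelOne’s report: it reduces both the legitimate firm’s page and the suspected clone to visible text, scores how much of the wording was copied using Jaccard similarity over word shingles, and then lists any of the original firm’s brand strings that survived the edit. The two HTML pages and the company names in them (Example Devs Inc., Acme Outsourcing LLC) are constructed for this illustration and do not correspond to real sites.

```python
import re
from html.parser import HTMLParser


class _TextExtractor(HTMLParser):
    """Collect visible text from an HTML document, skipping script/style bodies."""

    def __init__(self):
        super().__init__()
        self._skip = 0
        self.chunks = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.chunks.append(data)


def visible_text(html: str) -> str:
    """Return the page's visible text with whitespace normalised."""
    parser = _TextExtractor()
    parser.feed(html)
    return " ".join(" ".join(parser.chunks).split())


def shingles(text: str, k: int = 5) -> set:
    """Lower-cased word k-grams: a renaming of the company breaks only the
    shingles that contain the old name, so copied wording still matches."""
    words = re.findall(r"[a-z0-9']+", text.lower())
    return {" ".join(words[i:i + k]) for i in range(len(words) - k + 1)}


def similarity(original_html: str, suspect_html: str, k: int = 5) -> float:
    """Jaccard similarity of the two pages' word shingles (1.0 = identical wording)."""
    a = shingles(visible_text(original_html), k)
    b = shingles(visible_text(suspect_html), k)
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)


def leftover_brands(suspect_html: str, original_brands) -> list:
    """Brand strings of the cloned firm that the copier failed to remove."""
    text = visible_text(suspect_html).lower()
    return [b for b in original_brands if b.lower() in text]


# Constructed sample: a fictitious legitimate firm's site.
ORIGINAL_HTML = """<html><head><title>Example Devs Inc. - Custom Software</title>
<script>var tracking = 1;</script></head><body>
<h1>Example Devs Inc.</h1>
<p>We build custom software, mobile apps and cloud solutions for startups and enterprises around the world.</p>
<p>Our DevOps team delivers continuous integration, continuous delivery and cloud consulting with measurable results.</p>
<div class="review">Working with Example Devs was a pleasure; they shipped on time and on budget.</div>
<footer>Copyright 2023 Example Devs Inc.</footer>
</body></html>"""

# Constructed sample: a fictitious clone that renamed the headers and footer
# but left a customer review naming the original firm.
SUSPECT_HTML = """<html><head><title>Acme Outsourcing LLC - Custom Software</title></head><body>
<h1>Acme Outsourcing LLC, a US based company</h1>
<p>We build custom software, mobile apps and cloud solutions for startups and enterprises around the world.</p>
<p>Our DevOps team delivers continuous integration, continuous delivery and cloud consulting with measurable results.</p>
<div class="review">Working with Example Devs was a pleasure; they shipped on time and on budget.</div>
<footer>Copyright 2024 Acme Outsourcing LLC</footer>
</body></html>"""

# Constructed sample: an unrelated page, used as a baseline.
UNRELATED_HTML = """<html><body><h1>Sunrise Bakery</h1>
<p>Fresh bread, pastries and coffee every morning in downtown Portland.</p></body></html>"""

ORIGINAL_BRANDS = ["Example Devs", "Example Devs Inc"]


def assess(original_html: str, suspect_html: str, brands) -> dict:
    """Bundle the two signals an analyst would record for a suspected clone."""
    return {
        "similarity": round(similarity(original_html, suspect_html), 3),
        "leftover_brands": leftover_brands(suspect_html, brands),
    }


if __name__ == "__main__":
    print("suspect vs original:", assess(ORIGINAL_HTML, SUSPECT_HTML, ORIGINAL_BRANDS))
    print("unrelated vs original:", assess(ORIGINAL_HTML, UNRELATED_HTML, ORIGINAL_BRANDS))
```

The shingle length k trades sensitivity for noise: with k=5 a stock phrase shared by many agencies rarely lines up, while whole paragraphs lifted verbatim score well above 0.5. Treat the brand-string hits as the stronger indicator, since a high similarity score alone could also be explained by a reseller or a shared template.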

Hegel and Cary said they followed multiple leads to link the sites to front companies in China, including an address at a building called “Building A1” in Shenyang, the capital of Liaoning province.

They warned companies about falling for the North Korean IT worker scams.

“These schemes present significant risks to employers, including potential legal violations, reputational damage, and insider threats such as intellectual property theft or malware implantation,” they wrote. “Addressing these risks requires heightened awareness and stringent vetting processes to limit North Korea’s ability to exploit global tech markets.”

Source: https://securityboulevard.com/2024/11/u-s-agencies-seize-four-north-korean-it-worker-scam-websites/