IT Worker Scheme, Laptop Farm Siphon Funds Back to North Korea
A U.S. federal judge sentenced a now-former Army soldier to one year in prison Friday for renting his identity to North Korean IT workers who used it to collect more than $193,000 in salaries from American companies.
See Also: Free Your IT Program of Tech Debt With an Enterprise Browser (eBook)
Alexander Paul Travis, 35, was stationed at Fort Gordon, Georgia, when he enlisted into the scam by allowing North Korea to use his identity to fraudulently obtain work. He also admitted to running a laptop farm from his residence – a place where fraudulent remote IT workers would remotely logon to company-provided laptops to appear as if they were in the United States.
According to his plea agreement, filed in the U.S. District Court for the Southern District of Georgia, Travis acted as a North Korean front for roughly three years starting in September 2019. He lent his identity so the fraudulent remote workers could pass employer vetting procedures, including drug testing and fingerprinting. He also opened financial accounts in his name to receive the workers’ salaries. For his work, Travis received $51,397 – but must forfeit the entire $193,265 that the scam funneled through salaries back to North Korea.
Also sentenced in the same district court for furthering the North Korean remote worker scam were Jason Salazar, 30, of Clovis, California, and Audricus Phagnasay, 25, of Fresno, California. All three pleaded guilty last November to one count of wire fraud conspiracy. Phagnasay and Salazar earned $3,450 and $4,500, respectively, while facilitating the payment of $1.28 million in salaries to North Korea. They each received three years of probation and must forfeit their share of the funneled salaries – $681,926 and $409,876, respectively.
“These men practically gave the keys to the online kingdom to likely North Korean overseas technology workers seeking to raise illicit revenue for the North Korean government – all in return for what to them seemed like easy money,” said Margaret Heap, U.S. Attorney for the Southern District of Georgia.
Obtaining remote IT work for its subjects and retaining most of the salary is one way the Pyongyang regime evades sanctions to funnel hard currency into the totalitarian country – cryptocurrency theft, oil smuggling, forced labor and illegal drug manufacturing being among the others. The United Nations in 2024 estimated that remote IT workers earn the regime between $250 million to $600 million annually. The workers “are considered elite members of North Korean society and have become an indispensable part of the overall North Korean government’s strategic objectives,” Flare Research and IBM X-Force wrote in a Wednesday report.
The report, based on a “cache of intelligence” detailing the organization and tactics of the scam, shows that its workers can submit more than 300 bids a day for freelance work. The acceptance rate is much lower, perhaps just 10 bids. “Extensive overbidding likely happens because they charge below the market value for their work but receive a low bid acceptance rate,” the companies wrote.
The report also found that not every remote IT worker participating in the scam is North Korean. In addition to cultivating native talent, Pyongyang now also deploys recruiters. “It is unclear whether these candidates realize that the job they applied for or are being recruited for is to ultimately work for the DPRK,” the report said, referring to North Korean by its official name, the Democratic People’s Republic of Korea. Internal evidence showed some workers approached by recruiters expressed confusion when asked if they would adopt a “more ‘U.S. American name,'” the report said, “a reaction inconsistent with knowing they’d be working for the DPRK under false American identities.”
With reporting by Information Security Media Group’s Greg Sirico in New Jersey.