US issues sanctions against companies in Laos, China tied to North Korean IT worker scheme

The U.S. sanctioned two North Korean nationals and several companies based in Laos and China on Thursday for helping facilitate a wide-ranging scheme that duped American firms into hiring North Korean IT workers who funneled their earnings back home.

The U.S. Treasury Department said there are “thousands” of North Korean IT workers hired across the globe as part of the campaign and they use a variety of technology to hide their identities and locations while often using stolen identities of U.S. citizens. Their earnings are used to help fund the Democratic People's Republic of Korea’s (DPRK) weapons programs, officials said.

The Office of Foreign Assets Control (OFAC) sanctioned a DPRK government weapons-trading department, two of its front companies that employ DPRK IT workers in Laos, two DPRK leaders of those front companies and a Chinese company supplying the DPRK government with electronics equipment. 

“The DPRK continues to rely on its thousands of overseas IT workers to generate revenue for the regime, to finance its illegal weapons programs, and to enable its support of Russia’s war in Ukraine,” said Acting Under Secretary of the Treasury for Terrorism and Financial Intelligence Bradley Smith. 

Smith added that the U.S. is “resolved to disrupt these networks, wherever they operate.”

The sanctions name Department 53 within the DPRK’s Ministry of The People’s Armed Forces. The organization sells weapons and generates revenue through front companies, including several involved in IT and software. 

One of the front companies, Korea Osong Shipping, allegedly housed DPRK IT workers in Laos since 2022 and allowed them to work from the country. They used aliases to communicate with those outside of Laos and generated revenue for North Korea through “IT projects such as cryptocurrency exchanges, website and mobile applications.” 

Another front company based in Laos, Chonsurim Trading Corporation, now faces sanctions for similarly housing North Korean IT workers. 

Chonsurim Trading president Jong In Chol was sanctioned alongside Son Kyong Sik, the chief representative of Korea Osong Shipping who is based in China. 

The U.S. also targeted Liaoning China Trade Industry – a company based in China that works with Department 53 on facilitating DPRK IT worker activities internationally. The company provided the workers with notebooks, desktop computers, graphics cards and network equipment. 

U.S. officials said North Korea’s government “withholds up to 90 percent of the wages earned by these overseas workers, thereby generating annual revenues of hundreds of millions of dollars for the Kim regime’s weapons programs to include weapons of mass destruction (WMD) and ballistic missile programs.”

Earlier this week, the U.S. joined South Korea and Japan in releasing a statement warning the cryptocurrency industry about North Korean cyberattacks as well as the continued effort to place illegal IT workers within their companies. 

As U.S. law enforcement efforts have stepped up to stop the IT worker campaign, experts from Mandiant told Recorded Future News that the workers have increasingly attempted to extort the companies they worked for — threatening to leak sensitive corporate data stolen during their time working. 

U.S. officials previously said at least one faction of the IT worker campaign earned more than $88 million through salaries earned and stolen data extortion.