OFAC Sanctions DPRK IT Worker Network Funding WMD Programs via Fake Jobs
The U.S. Treasury’s Office of Foreign Assets Control said it has sanctioned people and companies tied to a North Korean remote IT worker scheme. OFAC says the network used fake job applications and stolen identities to place operatives at legitimate firms and funnel pay back to Pyongyang to fund weapons programs.
“The North Korean regime targets American companies through deceptive schemes carried out by its overseas IT operatives,” Secretary of the Treasury Scott Bessent said in the OFAC notice. He added that the operators weaponize data and extort victims for large payments.
OFAC named Amnokgang Technology Development Company and flagged facilitators and recruiters it said helped convert and move funds. The agency also identified Vietnamese-linked currency services and individuals who opened bank accounts and enabled cryptocurrency transactions for North Korean actors.
How the scheme worked
Security firms and incident reports show a clear pattern. Operators create polished fake résumés and use stolen identities to win remote roles. They then siphon wages, deploy malware, or extort employers after stealing data.
Microsoft and researchers call this cluster of activity Jasper Sleet or Coral Sleet. Microsoft said, “Jasper Sleet leverages AI across the attack lifecycle to get hired, stay hired, and misuse access at scale.” The company warned that AI lowers the cost of building believable digital personas.
LevelBlue researchers highlighted the operational trick of running these workers from third countries, often using VPNs. Security researcher Tue Luu told LevelBlue that actors choose China for better internet and the ability to route traffic through U.S. exit nodes. “They can masquerade as domestic employees by tunneling traffic,” Luu said.
Tools and tradecraft
Technical reports from Flare and IBM X-Force detailed the toolkit. The researchers found timesheets and IP Messenger used for internal coordination and Google Translate for crafting applications. They also noted the use of AI services and face-swap tools to create fraudulent ID photos and refined headshots.
Those reports described a layered operation: recruiters screen candidates, facilitators build personas and handle onboarding, and collaborators donate identities and receive company-issued laptops. Flare and IBM X-Force said Western collaborators recruited from LinkedIn and GitHub helped the scheme gain trust inside target firms.
Bigger context and response
The FBI linked a massive February attack on the crypto platform Bybit to North Korean actors, according to public statements. The FBI used the label TraderTraitor for that operation. The Department of Justice has also pursued criminal cases. DOJ filings include indictments of DPRK nationals accused of using remote jobs to steal intellectual property and launder proceeds.
Experts say the work feeds two goals. First, it raises illicit revenue that the regime can use for missile and WMD programs. Second, it gives persistent insider access for espionage against defense and tech firms. Public reporting notes large crypto theft totals in 2024 and 2025, attributing a major share to DPRK-linked groups.
With the UN Panel of Experts no longer operating after a 2024 veto, multilateral monitoring has weakened, independent analysts say. An 11-nation Multilateral Sanctions Monitoring Team formed in 2025 to try to fill the gap, but experts warn enforcement is still uneven without broader cooperation.
What companies should do
Security firms and researchers recommend practical steps. Microsoft, Flare, and IBM X-Force all urge stronger hiring vetting and continuous monitoring. That includes multi-factor authentication, endpoint detection, real-time logging, and checks for abnormal access patterns. They also recommend AI and deepfake detection for identity screening and tighter controls on company-issued devices.
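As an added illustration of the "checks for abnormal access patterns" the vendors recommend (example code written for this article, not from Microsoft, Flare, IBM X-Force or OFAC), the script below reviews a constructed SSO audit log for three signals that fit the tradecraft described earlier: successful logins from hosting or VPN exit ranges, logins whose geolocation contradicts the country on the contractor's HR record, and two logins from different countries inside a short window. The IP ranges, the GeoIP/ASN mapping, the HR records and the log lines are all constructed sample data (documentation address ranges), standing in for a real enrichment feed and a real identity provider's logs.

```python
"""Review successful logins for access patterns consistent with a remote
worker tunnelling through a third-country exit node.

Added example; every address, record and log line below is constructed.
"""
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed enrichment table standing in for a GeoIP/ASN feed.
# The ranges are IETF documentation prefixes, not real infrastructure.
NETWORKS = [
    (ipaddress.ip_network("203.0.113.0/24"), "US", "hosting"),      # VPN/VPS exit nodes
    (ipaddress.ip_network("198.51.100.0/24"), "US", "residential"),
    (ipaddress.ip_network("192.0.2.0/24"), "VN", "residential"),
]

# Constructed HR records: the country each remote worker claims to work from.
DECLARED_COUNTRY = {"jdoe": "US", "asmith": "US"}

# Constructed sample of an identity-provider audit log, one event per line.
SAMPLE_LOG = """\
2025-03-03T13:02:11Z user=asmith src=198.51.100.7 result=success
2025-03-03T13:05:40Z user=jdoe src=203.0.113.22 result=success
2025-03-03T13:07:02Z user=jdoe src=192.0.2.45 result=success
2025-03-03T13:09:15Z user=jdoe src=203.0.113.22 result=failure
2025-03-03T14:30:00Z user=asmith src=198.51.100.7 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<ip>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Return (timestamp, user, ip, result), or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["user"], m["ip"], m["result"]


def enrich(ip):
    """Look up (country, network_type) for an address; unknown -> ("??", "unknown")."""
    addr = ipaddress.ip_address(ip)
    for net, country, kind in NETWORKS:
        if addr in net:
            return country, kind
    return "??", "unknown"


def detect(log_text, declared=DECLARED_COUNTRY, window=timedelta(minutes=30)):
    """Apply three rules to successful logins; return (user, rule, detail) tuples."""
    findings = []
    last_seen = {}  # user -> (timestamp, ip, country) of the previous success
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, user, ip, result = parsed
        if result != "success":
            continue  # only successful sessions matter for insider-access review
        country, kind = enrich(ip)
        if kind == "hosting":
            findings.append((user, "hosting_source", f"{ip} is in a hosting/VPN range"))
        if user in declared and country != declared[user]:
            findings.append((user, "country_mismatch",
                             f"{ip} geolocates to {country}, HR record says {declared[user]}"))
        prev = last_seen.get(user)
        if prev and prev[2] != country and ts - prev[0] <= window:
            findings.append((user, "impossible_travel",
                             f"{prev[1]} ({prev[2]}) then {ip} ({country}) within {ts - prev[0]}"))
        last_seen[user] = (ts, ip, country)
    return findings


if __name__ == "__main__":
    for user, rule, detail in detect(SAMPLE_LOG):
        print(f"{user:8} {rule:18} {detail}")
```

Run against the constructed log, the script produces nothing for `asmith` and three findings for `jdoe`: a login from a hosting range, a second login from a country that contradicts the HR record, and the two sessions falling within minutes of each other. In production the `hosting` rule needs an allowlist of the company's own VPN egress addresses, and the HR mapping should come from the system of record rather than a hard-coded dictionary, otherwise legitimate travellers and corporate VPN users generate noise.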
The headline is simple. North Korean IT worker networks use modern tools and online platforms to hide in plain sight. OFAC sanctions aim to disrupt the money flows and facilitators. Companies must harden hiring and access practices to stop this form of insider risk.
#NorthKorea #CyberCrime #Sanctions #AIsecurity #Infosec