Ethical Hacking News

North Korea's Shadowy IT Worker Scheme: A Web of Deception and Exploitation

In a shocking revelation, the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) has sanctioned six individuals and two entities for their involvement in a complex web of deceit and exploitation orchestrated by North Korea's IT worker scheme. Learn more about this developing story and how it sheds light on the regime's efforts to evade international sanctions.


  • The U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) has sanctioned six individuals and two entities for their involvement in a North Korean IT worker scheme.
  • The scheme, dubbed "Coral Sleet/Jasper Sleet" or "PurpleDelta," relies on bogus documentation, stolen identities, and fabricated personas to extort U.S. businesses.
  • The North Korean regime targets American companies through deceptive schemes carried out by its overseas IT operatives using sensitive data and extortion tactics.
  • The scheme is built atop a multi-tiered operational structure involving recruiters, facilitators, IT workers, and collaborators.
  • AI-powered services are used to create convincing digital personas, generate malware, and maintain operational persistence at low cost.
  • Individuals and entities targeted by the sanctions include Amnokgang Technology Development Company, Quangvietdnbg International Services Company Limited, and others.


In a shocking revelation, the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) has sanctioned six individuals and two entities for their involvement in a complex web of deceit and exploitation orchestrated by North Korea's IT worker scheme. The scheme, which has been dubbed "Coral Sleet/Jasper Sleet" or "PurpleDelta" and "Wagemole," relies on bogus documentation, stolen identities, and fabricated personas to lure unsuspecting U.S. businesses into paying substantial sums of money.

According to sources, the North Korean regime targets American companies through deceptive schemes carried out by its overseas IT operatives, who weaponize sensitive data and extort businesses for substantial payments. The fraudulent scheme is built atop a multi-tiered operational structure involving recruiters, facilitators, IT workers, and collaborators, each of whom plays a distinct part in perpetuating the scam.

Recruiters are responsible for screening potential IT workers and recording initial interview sessions to send to facilitators. Facilitators and IT workers then take on the task of persona creation, obtaining freelance or full-time employment, and onboarding new hires. Collaborators, who are recruited to lend their personal identity and/or information so that the IT workers can complete the hiring process and receive company-issued laptops, provide a crucial link in the chain.

The IT worker scheme relies heavily on artificial intelligence (AI) to enable identity fabrication, social engineering, and long-term operational persistence at low cost. AI-powered services are used to shortcut the reconnaissance process that informs the development of convincing digital personas tailored to specific job markets and roles. Furthermore, the remote IT worker threat leverages agentic AI tools to create fake company websites and rapidly generate, refine, and reimplement malware components.

In some cases, these efforts are complemented by the deployment of malware to steal proprietary and sensitive information, as well as extortion efforts that demand ransoms in return for not publicly leaking the stolen data. The individuals and entities targeted by the latest round of OFAC sanctions include:

  • Amnokgang Technology Development Company, an IT company that manages delegations of overseas IT workers and conducts other illicit procurement activities;
  • Nguyen Quang Viet, the Chief Executive Officer of Vietnamese company Quangvietdnbg International Services Company Limited;
  • Do Phi Khanh, an associate of Kim Se Un;
  • Hoang Van Nguyen, who assists Kim in opening bank accounts and enabling cryptocurrency transactions for Kim;
  • Yun Song Guk, a North Korean national who has led a group of IT workers conducting freelance IT work from Boten, Laos, since at least 2023.

The sanctions are part of a broader effort by the U.S. government to counter the North Korean regime's activities in cyberspace. According to sources, the IT worker scheme is an integral component in the DPRK party-state's revenue-generation and sanctions-evasion machinery. The development comes as LevelBlue highlighted the IT worker scheme's use of Astrill VPN to conduct operations while located in countries like China, owing to the service's ability to bypass China's Great Firewall.

"These threat actors commonly operate from China rather than North Korea for two reasons: more reliable Internet infrastructure and the ability to leverage VPN services to conceal their true geographic origin," security researcher Tue Luu said. "Lazarus Group's subgroups, including Contagious Interview, rely on this capability to access the global Internet unrestricted, manage command-and-control infrastructure, and mask their true location."

The cybersecurity company also detected an unsuccessful attempt by North Korea to infiltrate an organization by replying to a help wanted ad. The IT worker, who was hired on August 15, 2025, as a remote employee to work on Salesforce data, was terminated 10 days later after sign-in telemetry showed consistent logins from China.

A notable aspect of Jasper Sleet's tradecraft is the use of AI across the attack lifecycle to get hired, stay hired, and misuse access at scale, from the reconnaissance behind tailored personas to the agentic tooling used for fake company websites and malware components described above.

The sanctions imposed by OFAC serve as a stark reminder of the North Korean regime's willingness to use deception and exploitation in its efforts to evade international sanctions. As the global cyber landscape continues to evolve, it is essential that nations remain vigilant in their efforts to counter such threats.
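As an added illustration (not code from the article, LevelBlue, or any vendor), the following Python sketches the kind of post-hire check that would surface the indicator described above: a new remote hire whose sign-ins consistently geolocate outside the declared work country, or arrive through a commercial VPN exit such as the Astrill service the article mentions. The sample events, thresholds, declared locations and the substring match on the network-owner field are constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed sign-in events (user, date, source country, network owner); not real telemetry.
SAMPLE_LOGINS = [
    ("jdoe", "2025-08-15", "US", "Comcast"),
    ("jdoe", "2025-08-16", "CN", "China Telecom"),
    ("jdoe", "2025-08-17", "CN", "China Telecom"),
    ("jdoe", "2025-08-18", "CN", "Astrill VPN"),
    ("jdoe", "2025-08-19", "CN", "China Unicom"),
    ("jdoe", "2025-08-20", "CN", "Astrill VPN"),
    ("asmith", "2025-08-15", "US", "Comcast"),
    ("asmith", "2025-08-16", "US", "Comcast"),
    ("asmith", "2025-08-17", "GB", "BT"),  # one trip abroad, not a pattern
    ("asmith", "2025-08-18", "US", "Comcast"),
    ("asmith", "2025-08-19", "US", "Comcast"),
]

# Work location each hire declared at onboarding (constructed).
DECLARED_COUNTRY = {"jdoe": "US", "asmith": "US"}

# Network owners treated as commercial VPN exits; matched as a substring (assumption).
VPN_MARKERS = ("astrill",)


def assess_user(events, declared, min_events=5, foreign_ratio=0.6, vpn_ratio=0.2):
    """Score one user's sign-ins; returns (flagged, reasons, country_counts)."""
    countries = Counter(country for _, _, country, _ in events)
    total = sum(countries.values())
    reasons = []
    if total < min_events:  # too little data to call it a pattern
        return False, ["insufficient events"], dict(countries)
    foreign = total - countries.get(declared, 0)
    if foreign / total >= foreign_ratio:
        top = countries.most_common(1)[0][0]
        reasons.append(f"{foreign}/{total} sign-ins outside declared {declared}, mostly {top}")
    vpn = sum(1 for _, _, _, org in events if any(m in org.lower() for m in VPN_MARKERS))
    if vpn / total >= vpn_ratio:
        reasons.append(f"{vpn}/{total} sign-ins via known VPN exit")
    return bool(reasons), reasons, dict(countries)


def assess_all(logins=SAMPLE_LOGINS, declared=DECLARED_COUNTRY):
    """Group events by user and return {user: (flagged, reasons, counts)}."""
    by_user = defaultdict(list)
    for ev in logins:
        by_user[ev[0]].append(ev)
    return {u: assess_user(evs, declared[u]) for u, evs in by_user.items()}
```

On the constructed data, `jdoe` is flagged on both the foreign-country and VPN criteria while `asmith`'s single trip abroad stays below threshold; in practice the country and owner fields would come from the identity provider's sign-in log enriched with a geolocation/ASN lookup.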



    Related Information:
  • https://www.ethicalhackingnews.com/articles/North-Koreas-Shadowy-IT-Worker-Scheme-A-Web-of-Deception-and-Exploitation-ehn.shtml

  • https://thehackernews.com/2026/03/ofac-sanctions-dprk-it-worker-network.html

  • https://home.treasury.gov/news/press-releases/sb0416


  • Published: Wed Mar 18 14:18:46 2026 by llama3.2 3B Q4_K_M