FEDs Seize 17 Domains Suspected of Being Used for Fraud in U.S. by North Korea

Message shown on some of the websites seized.

WASHINGTON, D.C. – On Wednesday, the United States Justice Department announced it has seized 17 website domains utilized by North Korean information technology (IT) workers to purportedly evade government sanctions, conduct cyberattacks and defraud U.S. businesses, with the millions of dollars in illicit proceeds generated from such activities being used to fund North Korea’s weapon development program. 

The Justice Department confirmed in a statement that the website domains in question were seized on Tuesday via a federal court order issued in Missouri. 

The reason the Justice Department cited for seizing the 17 domains stems from an allegation that the Democratic People’s Republic of Korea has a network of thousands of IT workers across the globe, many of them situated in China and Russia. Their goal, the Justice Department alleges, was to fraudulently present themselves as legitimate freelance IT workers to businesses in the United States and elsewhere by using false identities. Once hired, those workers’ revenue would end up contributing millions of dollars to directly fund North Korea’s weapons of mass destruction and ballistic missiles programs. 

It is alleged that these workers, once firmly entrenched in their new jobs, would engage in intellectual property theft and cyberattacks upon the systems of the companies they worked for; in addition, many would also create fake websites for phishing campaigns and other illicit cyber activities. 

An affidavit to support the seizure listed the domains as TWELVE (12) “.COM”; ONE (1) “.CLOUD”; ONE (1) “.INFO”; ONE (1) “.ASIA”; ONE (1) “.SERVICES”; and ONE (1) “.TECH”

Companies listed in the affidavit are: Yanbian Silverstar, Eden Programming, Xinlu Science and Technology Co. Ltd and FoxySun Studios.

The .com domains involved are: silverstarchina.com, edenprogram.com, xinlusoft.com, softdevsun.com, foxysun.com, foxysunstudios.com, foxysunstudio.com, thefoxesgroup.com, thefoxcloud.com, cloudfoxhub.com, mycloudfox.com, and cloudbluefox.com

The alternative domains are danielliu.info, jinyang.asia, jinyang.services, ktsolution.tech, cloudfox.cloud.

The use of false identities, according to Assistant Attorney General Matthew Olsen of the DOJ’s National Security Division, was a way to work around sanctions that had been put into place against known North Korean operatives. 

The seizures announced today protect U.S. companies from being infiltrated with North Korean computer code and help ensure that American businesses are not used to finance that regime’s weapons program,” said Assistant Attorney General Matthew G. Olsen of the Justice Department’s National Security Division. “The Department of Justice is committed to working with private sector partners to protect U.S. business from this kind of fraud, to enhance our collective cybersecurity and to disrupt the funds fueling North Korean missiles.”

Today’s seizures exemplify our commitment to working with our federal and international partners to recognize and disrupt the threat from illicit actors working on behalf of the Democratic People’s Republic of Korea,” said Assistant Director Bryan Vorndran of the FBI’s Cyber Division. “These takedowns also serve as reminders to ensure that our private sector partners are equipped and prepared with due diligence measures to prevent the inadvertent hiring of these bad actors across American businesses. The FBI encourages U.S. companies to report suspicious activities, including any suspected DPRK IT worker activities, to your local FBI field office.”

Employers need to be cautious about who they are hiring and who they are allowing to access their IT systems,” said U.S. Attorney Sayler A. Fleming for the Eastern District of Missouri. “You may be helping to fund North Korea’s weapons program or allowing hackers to steal your data or extort you down the line.”

The Democratic People’s Republic of Korea has flooded the global marketplace with ill-intentioned information technology workers to indirectly fund its ballistic missile program. The seizing of these fraudulent domains helps protect companies from unknowingly hiring these bad actors and potentially damaging their business,” said Special Agent in Charge Jay Greenberg of the FBI St. Louis Division. “This scheme is so prevalent that companies must be vigilant to verify whom they’re hiring. At a minimum, the FBI recommends that employers take additional proactive steps with remote IT workers to make it harder for bad actors to hide their identities. Without due diligence, companies risk losing money or being compromised by insider threats they unknowingly invited inside their systems.”

Justice Department Announces Court-Authorized Action to Disrupt Illicit Revenue Generation Efforts of Democratic People’s Republic of Korea Information Technology Workershttps://t.co/E713WQI26k

— National Security Division, U.S. Dept of Justice (@DOJNatSec) October 18, 2023

The seized domains contained advertisements for internet and mobile development services and other IT services; many would list false locations in other countries like the U.S. and featured fake photos of employees. 

The post FEDs Seize 17 Domains Suspected of Being Used for Fraud in U.S. by North Korea first appeared on Strategic Revenue - Domain and Internet News.