The US Treasury Department’s Office of Foreign Assets Control (OFAC) has sanctioned six individuals and two entities for their involvement in a Democratic People’s Republic of Korea (DPRK) information technology (IT) worker scheme intended to defraud US businesses and generate illicit revenue for the regime to finance weapons of mass destruction (WMD) programs.
Treasury Secretary Scott Bessent said, “The North Korean regime targets American companies through deceptive schemes run by its foreign IT operators, which weaponize sensitive data and extort substantial payments from businesses.”
The fraud scheme, also known as Coral Sleet/Jasper Sleet, PurpleDelta and Wagemole, relies on fraudulent documents, stolen identities and fabricated personas to help IT workers obscure their true origins and get jobs at legitimate companies in the US and elsewhere. A disproportionate share of the salaries is sent back to North Korea to fund the country’s missile programs in violation of international sanctions.
In some cases, these efforts include the deployment of malware to steal proprietary and sensitive information as well as extortion attempts by demanding ransom in exchange for not leaking the stolen data publicly.
The individuals and entities targeted by the latest round of OFAC sanctions are listed below –
- Amnokgang Technology Development Company: An IT company that manages delegations of foreign IT staff and conducts other illicit procurement activities to obtain and sell military and commercial technology through its overseas networks.
- Nguyen Quang Vietnam: Chief Executive Officer of the Vietnamese company Kwangwietdnbg International Services Co., Ltd., which provides currency conversion services for North Koreans. The company is estimated to have converted approximately $2.5 million into cryptocurrency between mid-2023 and mid-2025.
- Do Fee Khan: An associate of Kim Se-un, who was sanctioned by the US in July 2025. Do is accused of acting as Kim’s proxy and allowing Kim to use his identity to open bank accounts and launder money obtained from IT workers.
- Hoang Van Nguyen: Also helps Kim open bank accounts and enables cryptocurrency transactions for Kim.
- Yoon Song Guk: A North Korean national who has led a group of IT workers performing freelance IT work from Boten, Laos since at least 2023. Yoon coordinated several dozen financial transactions amounting to more than $70,000 with Hoang Minh Quang related to IT services, and has worked with York Louis Celestino Herrera to develop freelance IT service contracts.
The development comes as LevelBlue highlighted the IT worker scheme’s use of Astrill VPN to conduct its operations while based in countries like China, owing to the service’s ability to bypass the Great Firewall of China. The idea is to tunnel traffic through US exit nodes, so that the workers appear to be legitimate domestic employees.
Security researcher Tuy Luu said, “These threat actors typically operate from China rather than North Korea for two reasons: more reliable Internet infrastructure and the ability to leverage VPN services to hide their true geographic origin. Subgroups of the Lazarus Group, including Contagious Interview, rely on this ability to gain unrestricted access to the global Internet, manage command-and-control infrastructure, and hide their true location.”
The cybersecurity company also said it detected a failed attempt by North Korea to infiltrate an organization by responding to a help-wanted ad. The IT worker, who was hired as a remote employee on August 15, 2025 to work on Salesforce data, was terminated after 10 days once indicators showed persistent logins from China.
A notable aspect of Jasper Sleet’s tradecraft is the use of artificial intelligence to enable identity creation, social engineering and long-term operational persistence at low cost, underscoring how AI-powered services can reduce technical barriers and enhance the capabilities of threat actors.
“Jasper Sleet leverages AI across the entire attack lifecycle to detect, exploit, and abuse access at scale,” Microsoft said. “Threat actors are using AI to shortcut the reconnaissance process that informs the development of digital personas tailored to specific job markets and roles.”
Another key component involved using an AI application called FaceSwap to insert the faces of North Korean IT workers into stolen identity documents and produce polished headshots for resumes. In doing so, these efforts aim to not only improve the accuracy of their campaigns but also increase credibility by building solid digital identities.
Additionally, the remote IT workers are assessed to be using agentic AI tools to rapidly generate, refine and reimplement malware components, create fake company websites and, in some cases, jailbreak large language models (LLMs).
“Threat actors like North Korea’s remote IT workers rely on long-term, reliable access,” Microsoft said. “Due to this fact, defenders should treat fraudulent employment and access abuse as an insider risk scenario, focusing on detecting misuse of legitimate credentials, unusual access patterns and persistent low and slow activity.”
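The insider-risk detection stance Microsoft describes above, as an added example that is not from the page, Microsoft or LevelBlue: a small Python routine over constructed sign-in telemetry that flags accounts whose logins persistently come from a country other than the one on file, or that traverse a VPN provider's network even when the exit node looks domestic (the page's Astrill/US-exit-node case). The SignIn fields, the thresholds and the VPN keyword list are assumptions for this example.

```python
"""Flag remote-worker accounts whose sign-ins persistently disagree with the
HR-declared location, or arrive through a VPN provider's network.
Sample data, field names and the VPN keyword list are constructed assumptions."""
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class SignIn:
    user: str
    day: str       # ISO date of the sign-in
    country: str   # geolocated source country
    asn_org: str   # organisation that owns the source IP range

# Astrill is named on the page; "vpn" catches generically labelled ranges.
VPN_ORG_KEYWORDS = ("astrill", "vpn")

def assess(signins, declared, min_days=5, mismatch_ratio=0.8):
    """Return {user: [reasons]} for accounts worth an insider-risk review."""
    per_user = {}
    for s in signins:
        per_user.setdefault(s.user, []).append(s)
    findings = {}
    for user, events in per_user.items():
        if len({e.day for e in events}) < min_days:
            continue  # too little history to call anything "persistent"
        reasons = []
        home = declared.get(user)
        foreign = [e for e in events if e.country != home]
        if len(foreign) / len(events) >= mismatch_ratio:
            top = Counter(e.country for e in foreign).most_common(1)[0][0]
            reasons.append(f"{len(foreign)}/{len(events)} sign-ins from {top}, declared {home}")
        # A US exit node hides the country but not the VPN operator's ASN.
        vpn = [e for e in events if any(k in e.asn_org.lower() for k in VPN_ORG_KEYWORDS)]
        if vpn:
            reasons.append(f"{len(vpn)} sign-ins via VPN network ({vpn[0].asn_org})")
        if reasons:
            findings[user] = reasons
    return findings

# Constructed telemetry: a genuine employee, a China-based account, a VPN-only account.
DECLARED = {"alice": "US", "contractor7": "US", "dev42": "US"}
SAMPLE = (
    [SignIn("alice", f"2025-08-{d:02d}", "US", "Comcast Cable") for d in range(15, 21)]
    + [SignIn("contractor7", f"2025-08-{d:02d}", "CN", "China Telecom") for d in range(15, 21)]
    + [SignIn("dev42", f"2025-08-{d:02d}", "US", "Astrill VPN") for d in range(15, 21)]
)

if __name__ == "__main__":
    for user, why in assess(SAMPLE, DECLARED).items():
        print(user, "->", "; ".join(why))
```

Real deployments would feed `assess` from identity-provider sign-in logs and an HR roster; the ratio and day thresholds need tuning to the organisation's normal travel patterns.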
Flare and IBM said the IT worker scheme is built on a multi-tier operational structure that includes recruiters, facilitators, IT workers and associates, each of whom plays a different role –
- Recruiters, who are responsible for screening potential IT employees and recording initial interview sessions to send to facilitators.
- Facilitators and IT workers, who are tasked with building personas, securing freelance or full-time employment, and onboarding new employees.
- Associates, who are recruited to provide their personal identification documents and/or information to help IT workers complete the recruitment process and obtain a company-issued laptop.
“With the help of Western affiliates recruited primarily from LinkedIn and GitHub who, willingly or unwillingly, provided their identities for use in the IT worker fraud scheme, NKITW is able to more deeply and credibly penetrate an organization for a longer period of time,” the companies said in a report shared with The Hacker News.
“North Korea’s IT worker operations are widespread and deeply integrated within the DPRK party-state. They are an integral part of the DPRK’s revenue-generation and sanctions-evasion machinery.”