The Workers Who Aren't There: Mapping DPRK IT Fraud Infrastructure | Intercept Cell
North Korea has deployed thousands of IT workers into Western companies under stolen identities. They pass interviews with AI-spoofed faces, ship laptops to facilitator-run farms in Nashville and elsewhere, then VPN in from Pyongyang. The DOJ indicted 14 operatives in December 2024 for generating $88 million through this scheme alone. We mapped their front company network — five seized domains all sharing InterServer and Asia Web Services infrastructure, registered through NameCheap, each cloning a legitimate software firm's website pixel-for-pixel. The same operatives run a parallel campaign called Contagious Interview: fake recruiters on LinkedIn lure developers into running trojanized video-call apps that deploy BeaverTail and InvisibleFerret malware targeting 13 cryptocurrency wallet browser extensions. We are tracking every persona, selector, and front company in our DPRK IT Worker Database.
North Korea's most profitable cyber operation isn't a hack. It's a job application. The DPRK has placed thousands of IT workers inside Western companies using stolen identities, AI-generated photographs, and facilitator-run laptop farms on American soil. They earn up to $300,000 per year per worker. The government keeps 90%. The total take from just one indicted cell: **$88 million**. When they're caught — or sometimes before — they pivot to extortion, threatening to leak proprietary source code unless paid.

We've been mapping this infrastructure. Here's what it looks like from the inside.

Five domains seized by the DOJ in October 2024 reveal the operational pattern. Each front company cloned a legitimate software firm's website, replacing logos and contact details while keeping the portfolio, testimonials, and service descriptions intact:

Three of the five domains sat on the same InterServer IP. All were registered through **NameCheap**. The corporate filings trace back to suites 1006-23 and 1006-25 at **Building A1, No. 11, Tawan Street, Huanggu District, Shenyang City, Liaoning, China** — a single office floor running multiple shell companies.

A central figure, operating as **"Tony Wang" (Wang Kejia)**, links HopanaTech, Tony WKJ LLC, and Shenyang Tonywang Technology through shared email addresses and registration data. A second registrant, **Tong Yuze**, registered the Beijing entity behind HopanaTech and controls at least 25 additional Chinese companies including a restaurant franchise — possible cover businesses for laundering IT worker revenue.
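
The selector pivoting described above (shared hosting IP, registrar, registrant email), sketched as an added example that is not Intercept Cell's own tooling: it clusters domain records by shared selectors and shows why a common registrar alone is too weak a link. Every domain, address and email below is a constructed placeholder, and the record field names are assumptions.

```python
from collections import defaultdict

# Constructed sample records (placeholder domains, RFC 5737 addresses); not real indicators.
RECORDS = [
    {"domain": "front-a.example", "ip": "192.0.2.10", "registrar": "NameCheap", "email": "reg1@mail.example"},
    {"domain": "front-b.example", "ip": "192.0.2.10", "registrar": "NameCheap", "email": "reg2@mail.example"},
    {"domain": "front-c.example", "ip": "192.0.2.10", "registrar": "NameCheap", "email": "reg3@mail.example"},
    {"domain": "front-d.example", "ip": "198.51.100.7", "registrar": "NameCheap", "email": "reg1@mail.example"},
    {"domain": "front-e.example", "ip": "203.0.113.5", "registrar": "NameCheap", "email": "reg5@mail.example"},
]

def shared_selectors(records, fields):
    """Map each (field, value) selector to the domains carrying it; keep only shared ones."""
    index = defaultdict(set)
    for rec in records:
        for field in fields:
            value = rec.get(field)
            if value:
                index[(field, value.strip().lower())].add(rec["domain"])
    return {sel: doms for sel, doms in index.items() if len(doms) > 1}

def cluster(records, fields):
    """Union-find over domains: two domains join a cluster when they share any selector."""
    parent = {rec["domain"]: rec["domain"] for rec in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x

    for domains in shared_selectors(records, fields).values():
        first, *rest = sorted(domains)
        for other in rest:
            parent[find(other)] = find(first)

    groups = defaultdict(set)
    for domain in parent:
        groups[find(domain)].add(domain)
    # Largest cluster first, then alphabetical, so output is deterministic.
    return sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g))

if __name__ == "__main__":
    # Compare specific selectors against the same set plus the registrar.
    for fields in (("ip", "email"), ("ip", "email", "registrar")):
        print(fields, cluster(RECORDS, fields))
        for sel, doms in sorted(shared_selectors(RECORDS, fields).items()):
            print("   evidence:", sel, sorted(doms))
```

With IP and registrant email as selectors, four of the constructed domains cluster and one stays separate; adding the registrar merges all five, which is why a widely used registrar is better kept as supporting context than as a link on its own.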