In a recent investigation, Secureworks Counter Threat Unit (CTU) researchers have uncovered a link between North Korean IT worker schemes and a 2016 crowdfunding scam. The CTU research team attributes these activities to the NICKEL TAPESTRY threat group.
In September 2018, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) designated two information technology companies—China-based Yanbian Silverstar Network Technology Co., Ltd (“Yanbian Silverstar”) and Russia-based Volasys Silver Star—for sanctions violations. These entities were accused of operating as front companies that facilitated the employment of North Korean IT workers overseas and channeled the resulting illicit revenue to North Korea (officially the Democratic People’s Republic of Korea (DPRK)). The CEO of both companies, a North Korean national named Jong Song Hwa, was also designated in the affidavit.
CTU researchers discovered that one of the domain names associated with the Silver Star front companies (silverstarchina.com) was used as a reference to help North Korean IT workers surreptitiously obtain freelance jobs. After the domain was seized in 2024, the registrant email address (jinmaolin0628@hotmail.com) became publicly visible in the historical WHOIS record data. This same registrant email and street address were also listed in the registration data of several other domain names.
One such domain, kratosmemory.com, was linked to a 2016 IndieGoGo crowdfunding campaign that advertised a Kratos portable wireless memory device. However, buyer comments indicate that the campaign was a scam, with backers never receiving a product or refund from the seller. The campaign garnered roughly $20,000 USD. CTU researchers note that this 2016 campaign was a low-effort, small monetary-return endeavor compared to the more elaborate North Korean IT worker schemes active as of this publication. However, it showcases an earlier example of North Korean threat actors experimenting with various money-making schemes.
“The network infrastructure overlap between the crowdfunding and IT worker campaigns indicates an association between the IndieGoGo scam operators and the NICKEL TAPESTRY threat group,” the researchers conclude.