The Fake IT Worker Triangle: Pyongyang, Moscow, and Beijing — Margin Research

by Justin Sherman
Jan 28, 2025

As North Korea sends thousands of troops to Russia to aid Russia's full-scale war on Ukraine, a less noticed aspect of the Russia, North Korea, and China relationship deserves attention: Russia's and China's roles in North Korean operations against Western tech firms.

CoinDesk published a story on October 2 identifying more than a dozen blockchain companies that had unwittingly hired technology workers from North Korea, or the Democratic People’s Republic of Korea (DPRK). The companies in question, ranging from Injective and ZeroLend to Fantom and Sushi, thought they were hiring remote workers—and uncovered, through inconsistent worker statements and other oddities, that something was amiss.

These are not isolated incidents. The US State Department, Treasury Department, and FBI warned in May 2022 that North Korean IT workers, many of whom Pyongyang subjects to human trafficking and forced labor, were seeking remote IT employment “while posing as non-North Korean nationals.” Some of these workers have used their privileged access to corporate systems to “enable the DPRK’s malicious cyber intrusions.” For instance, they have provided logistical support to North Korea-based malicious cyber actors, shared access to virtual infrastructure, facilitated sales of data stolen by North Korean cyber actors, assisted with North Korea’s money laundering and virtual currency transfers, and procured “WMD and ballistic missile-related items” for the DPRK.

The DPRK has raked in millions from these operations. North Korean IT workers and their conspirators (including, in one case, two people based in the United States) have infiltrated not just cryptocurrency firms but more than 300 US companies, including a “top-five major television network, a Silicon Valley technology company, an aerospace manufacturer, an American car manufacturer, a luxury retail store, and a US-hallmark media and entertainment company.” The Justice Department indicted another 14 DPRK nationals for such activity in December 2024.

All these background points are interesting and important. But there is an overlooked component of this growing problem for the US, its allies, and Western companies: many of the North Korean IT workers are located in Russia and China. Decisionmakers therefore need to better understand Moscow's and Beijing's degrees of involvement in the DPRK operations and to identify points of leverage for raising these issues with Russia and China.

The Details: North Korean IT Workers in Russia and China

The UN Security Council’s 1718 Sanctions Committee on the DPRK had an expert panel that, until its mandate lapsed in 2024, issued twice-yearly reports. In 2019, one report said that a UN member state informed the panel that North Korea’s Munitions Industry Department (MID)—which oversees the country’s nuclear program and is involved with ballistic missile research, development, and production—was using subordinate companies to station IT workers abroad to earn money. That member state said hundreds of IT workers hide their identities, deploy to Europe, Asia, Africa, and the Middle East, and earn $3,000-5,000 a month, most of which they are forced to give to the DPRK. North Korean operatives, the report specified, “use an operational model whereby a local citizen serves as a nominal head of a company that, in fact, is run by [DPRK] developers who, in turn, pay the company for their cover.” In a 2020 report, the UN panel said a member state estimated that North Korea’s MID had dispatched at least 1,000 IT workers abroad by November 2019.

In that same 2020 report, the UN panel named several companies it had investigated as these North Korean-run, outside-of-North-Korea fronts.

  • Dandong Haotong Commercial Trade Co. Ltd.: set up by the Korea Computer Center, which, per one member state, is part of the MID’s 313 General Bureau and procures computers for the DPRK
  • Yanbian Silverstar Network Technology Co., Ltd.: nominally a Chinese IT company but set up by North Koreans (and US-sanctioned in 2018); the UN panel report said its CEO was also the Korea Computer Center’s representative in Yanbian, China
  • Volasys Silver Star: opened in Vladivostok, Russia, as a sister company office of Yanbian Silverstar; nominally run by a Russian but reportedly run in practice by North Koreans

Other findings have underscored the DPRK’s (often forcible) placement of these workers outside North Korea. For example, Google’s Mandiant said in September 2024 that IT workers in the group it calls UNC5267 are based mainly in China and Russia, with smaller numbers in Africa and Southeast Asia. From those countries, Mandiant wrote, the individuals draw illicit salaries from the companies that hired them, maintain long-term access to victim networks for possible future exploitation, and could use their access for espionage or disruptive activity (“could” because Mandiant had not yet observed this directly). Other reporting shows that workers have already tried: in one case, a North Korean IT worker set off internal system alarms at a US company when he attempted to install malware on his first day.

Physically (and forcibly) stationing North Korean IT workers in Russia and China facilitates the creation of more deniable front companies. It also adds another layer of technical obfuscation: the traffic a victim company sees originates from cities in Russia and China rather than from North Korea itself.
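The obfuscation described above still leaves a signal a hiring company can check for: the country a remote worker claims to work from versus the country its VPN or SSO logins actually geolocate to, and source IPs shared by several "independent" contractors (the "shared access to virtual infrastructure" noted earlier). The following is an added example, not code from the article or from any of the companies or agencies it cites. The HR records, login lines, and the GeoIP prefix table are all constructed; a real deployment would replace the table with a GeoIP database lookup and feed the checks from its identity provider's sign-in logs.

```python
"""Correlate remote hires' claimed work location against login geolocation.

Added illustration of the detection idea; every record below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

# Constructed stand-in for a GeoIP database (documentation prefixes -> country).
GEO_PREFIXES = {
    ipaddress.ip_network("203.0.113.0/24"): "US",
    ipaddress.ip_network("198.51.100.0/24"): "RU",
    ipaddress.ip_network("192.0.2.0/24"): "CN",
}

# Constructed HR records: account -> country the worker claims to work from.
HR_LOCATION = {"alice": "US", "bob": "US", "carol": "US", "dave": "US"}

# Constructed VPN/SSO sign-in lines: "<timestamp> <account> <source_ip>".
LOGIN_LOG = """\
2024-10-01T09:02:11Z alice 203.0.113.10
2024-10-01T09:05:40Z bob 198.51.100.7
2024-10-01T09:06:02Z carol 198.51.100.7
2024-10-01T10:11:45Z dave 192.0.2.33
2024-10-02T09:01:03Z alice 203.0.113.10
2024-10-02T09:04:59Z bob 198.51.100.7
"""


@dataclass(frozen=True)
class Finding:
    account: str
    reason: str
    detail: str


def geolocate(ip: str) -> str:
    """Map a source IP to a country via the constructed prefix table."""
    addr = ipaddress.ip_address(ip)
    for net, country in GEO_PREFIXES.items():
        if addr in net:
            return country
    return "UNKNOWN"


def parse_logins(text: str):
    """Parse the whitespace-separated sign-in lines into (ts, account, ip)."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, account, ip = line.split()
            events.append((ts, account, ip))
    return events


def location_mismatches(events, hr):
    """One finding per (account, country) whose logins contradict HR's record."""
    findings, seen = [], set()
    for _, account, ip in events:
        observed, claimed = geolocate(ip), hr.get(account)
        if claimed and observed != claimed and (account, observed) not in seen:
            seen.add((account, observed))
            findings.append(Finding(account, "location_mismatch",
                                    f"claims {claimed}, logs in from {observed} ({ip})"))
    return findings


def shared_source_ips(events):
    """Accounts that share a source IP with other accounts (shared infrastructure)."""
    accounts_by_ip = defaultdict(set)
    for _, account, ip in events:
        accounts_by_ip[ip].add(account)
    findings = []
    for ip, accounts in sorted(accounts_by_ip.items()):
        if len(accounts) > 1:
            for account in sorted(accounts):
                others = sorted(accounts - {account})
                findings.append(Finding(account, "shared_source_ip",
                                        f"{ip} also used by {others}"))
    return findings


def review(log_text: str = LOGIN_LOG, hr=HR_LOCATION):
    """Run both checks over a sign-in log and return the combined findings."""
    events = parse_logins(log_text)
    return location_mismatches(events, hr) + shared_source_ips(events)


if __name__ == "__main__":
    for f in review():
        print(f"{f.account}: {f.reason}: {f.detail}")
```

Two caveats a practitioner should keep in mind. First, a geolocation mismatch is a lead, not proof: legitimate remote staff travel, and commercial VPN exits are everywhere. Second, the check is defeated when the worker's traffic is relayed through a conspirator inside the claimed country, as in the US-based conspirator case mentioned above; in that situation the shared-source-IP check, and device and behavioral signals on the endpoint, matter more than the country lookup.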

The Strategic View: Pyongyang, Moscow, and Beijing in Cyber

These on-the-ground details raise bigger strategic questions. Because North Korea is physically stationing workers within Russian and Chinese borders, Western decisionmakers need to ask important analytical questions about exactly how involved Russian and Chinese authorities, respectively, may be in facilitating these operations. Then, they need to consider whether Russia and China could be vectors through which to potentially put pressure on the DPRK, because of the operations’ role in funding the DPRK’s WMD and ballistic missile programs.

If individuals already in the respective countries were setting up a cybercriminal outfit in Shanghai, China or St. Petersburg, Russia, it would likely be a different analytical conversation, weighing factors such as the state’s technical and investigative ability to detect the activity, the cybercriminals’ technical targeting and visibility, and the state’s willingness to turn a blind eye. Cybercriminal outfits are created this way routinely within Russia, for example. Officials at various Russian security agencies, such as the Federal Security Service (FSB) or the military intelligence agency (GRU), will take a cut from cybercriminals to look the other way, part of the krysha, or “roof,” of protection the state affords criminals. But this can happen locally, or with just one state officer, without catching attention farther up the Russian government food chain.

But this DPRK situation is very different. Given their surveillance of their own border areas, their domestic surveillance operations focused broadly on citizens and the internet, and their careful attention to North Korean security issues, it is more than reasonable to assess that the Chinese and Russian governments are well aware that the North Korean government is forcibly sending workers to China and Russia. It is more than reasonable to assess that they are aware that the DPRK is creating front companies within their borders. And it is more than reasonable to assume they know those DPRK fronts are carrying out government-managed, WMD-funding remote worker operations against Western businesses, all the more so now that the details are public.

Such knowledge would suggest, at minimum, a tacit condoning of the operations, if not some larger, strategic reason for providing North Korea with safe harbor. The Chinese government has long had a complicated relationship with North Korea, yet it has been repeatedly reported that most North Korean internet connectivity transits through China (e.g., via China Unicom) and that the Chinese government has even provided North Korea with office space for thousands of hackers. Russia, for its part, has also provided internet connectivity to North Korea and recently signed a major strategic treaty with North Korea covering mutual military assistance, which Russia’s Deputy Foreign Minister describes as a direct response to US and US-allied activity in Ukraine and Northeast Asia. North Korea has also used trade with Russia and China to acquire foreign technology such as smartphones, laptops, and tablets that it could not otherwise purchase due to sanctions and nonexistent trade relationships (and, reportedly, to buy secondhand Huawei equipment to upgrade DPRK telecom networks).

All of this suggests the needle sits closer to condoning and enablement than to merely turning a blind eye. When US policymakers discuss DPRK cybersecurity threats or brainstorm how to combat adversary collaboration on cyber issues, they cannot overlook the cyber actor visibly and physically operating in both Russia and China: North Korea. Looking forward, policymakers and decisionmakers should:

  • Better understand the degrees of Russian and Chinese involvement. Seek to better understand, including through open-source intelligence, the extent of Russian-North Korean and Chinese-North Korean cooperation and engagement on these specific DPRK operations, as well as on cyber and technology issues generally. Knowing the level of active facilitation, tacit tolerance, or other types of engagement or sponsorship would enable Western decisionmakers to better evaluate whether Moscow and Beijing, respectively, might have an interest in curbing this DPRK activity within their borders.
  • Identify potential points of leverage to raise with China and Russia. Even if the Russian and Chinese governments are not actively approving these DPRK operations, they have the ability to crack down on activity physically occurring within their borders, including the establishment of DPRK-run front companies and the rental or purchase of office space for the DPRK workers. But the capability to do so is not enough, which is why the US and its allies and partners (such as South Korea) should consider points of leverage with Beijing and Moscow, likely in separate channels, to discuss or create incentives for cracking down on this activity. An obvious incentive for Beijing may be the operations’ role in funding the DPRK’s WMD program, an issue that worries the Chinese government, both inherently, because of WMD development and testing, and secondarily, because of what further regional tension or chaos could mean for China.
