For years, the Federal Bureau of Investigation has been unraveling what it asserts is a scam perpetrated by agents of North Korea, which used fake companies employing real IT workers to funnel money back to the regime’s military.
An American company played a key role in creating shell companies used as part of the scheme, a WIRED review of public records shows. Elected officials are now contemplating addressing loopholes in business-registration law that the scheme exposed.
In May, Wyoming secretary of state Chuck Gray revoked the business licenses of three companies linked to the North Korean scam: Culture Box LLC, Next Nets LLC, and Blackish Tech LLC. Gray said his office made the decision after receiving information from the FBI and conducting an investigation.
“The communist, authoritarian Kim Jong Un regime has no place in Wyoming,” Gray said in a May press release.
The companies posed as legitimate operations where businesses could hire contract workers to perform IT solutions, complete with fake websites featuring smiling photos of apparent employees. The companies all had one thing in common: Their incorporation documents were filed by a company called Registered Agents Inc., which says its global headquarters is in Sheridan, Wyoming.
Registered Agents, which provides incorporation services in every US state, takes the practice of business privacy to the extreme, and regularly uses fake personae to file formation documents with state agencies, a WIRED investigation previously found.
Culture Box LLC, one of the companies that Gray and the FBI linked to North Korea, listed “Riley Park” as the name of a Registered Agents employee on documents submitted to the Wyoming secretary of state. Park, according to several former employees of Registered Agents, is a fake persona that the company regularly used to file incorporation documents.
In a statement provided to WIRED, Registered Agents wrote, “The Wyoming Secretary of State dissolved the entities and we initiated the 30-day process to resign as their agent in mid-May. Ours and Wyoming's processes to identify bad actors works. It strikes the best balance of individual privacy and business transparency supported by an entire ecosystem that cares about supporting entrepreneurs while rooting out the small percent of scammers.” The FBI’s St. Louis office, which led the investigation, did not respond to a request for comment.
The North Korean operation worked like this: Agents of the regime created fake companies purporting to be legitimate firms offering freelance IT services. Workers hired by North Koreans, or North Koreans themselves, would then perform legitimate contractor work, often using assumed identities.
In some instances, Americans would set up low-cost laptops with remote-access software, allowing North Korean workers to perform freelance IT work while appearing to use American IP addresses. The FBI referred to these Americans as “virtual assistants.”
The payments for the IT work were eventually funneled back to North Korea—where, the Department of Justice asserts, it was directed to the country’s Ministry of Defense and other agencies involved in WMD work. The scheme was so expansive that any company that hired freelance IT workers “more than likely” hired someone involved in the operation, according to FBI agent Jay Greenberg.
The shell companies created in Wyoming were used to hire virtual assistants and receive payments.
“I discovered that North Korean IT workers create and use domain names and limited liability companies (LLCs) in furtherance of their fraudulent activity and to mask their true identities as North Koreans. The LLCs are used to recruit ‘Virtual Assistants’ who can receive and ship devices needed for the North Korean IT workers as well as recruit and employ software developers from countries such as Pakistan, India, and China,” an FBI agent wrote in a May affidavit. “These LLCs are often registered in the United States through business registry services and sometimes use the identities of individuals who had a previous relationship with North Korean IT workers.”
The affidavit alleges that money from North Korean workers was used to purchase domain names for the IT front companies, in violation of sanctions laws. The domains were purchased using “payment service providers” with accounts belonging to the Wyoming companies.
In response to a request for comment from WIRED, the Wyoming secretary of state’s office said that it has “increased the number of complete, in-person audits of commercial registered agents, resulting in several ongoing investigations, as well as the issuance of findings and orders.”
The secretary of state has offered proposals to the Wyoming state legislature “aimed at preventing fraud and abuse of corporate filings by commercial registered agents, as ways to strengthen the Wyoming secretary of state's administrative authority to dissolve business entities controlled by foreign adversaries,” said Joe Rubino, the chief policy officer and general counsel at the Wyoming Secretary of State's Office.
