He Thought an Employee Stole Crypto. The FBI Says It Was a North Korean Scammer. — WSJ

By Robert McMillan | Photographs by David Walter Banks for WSJ

At first, Pemba Sherpa seemed like a great employee. Eager to work, he began as a $35-an-hour coder who sharpened up an app for his boss, Marlon Williams. But a few years later, Williams fired him, thinking he was probably a crook.

On Monday, federal authorities accused him of being something even more nefarious. According to court filings and cyber investigators, the man claiming to be Sherpa was actually Kim Kwang Jin, a North Korean cybercriminal using a stolen identity. He was part of a group of men who traveled the world looking for ways to make money for their heavily sanctioned government. Their methods of choice were drawing paychecks and stealing from their employers.

"This was not a simple scam; it was a long con," said Daniel Polk, a special agent with the Federal Bureau of Investigation.

In a federal indictment that was unsealed Monday, Jin and three accomplices — all North Koreans — were charged with five counts of wire fraud and money laundering. Also charged were Kang Tae Bok, Jong Pong Ju and Chang Nam Il.

The men remain at large, but FBI and Justice Department officials said Monday that they are looking for opportunities to arrest them. They also announced charges against people who allegedly helped the North Koreans and searches at 29 "laptop farms," operated in 16 states, places that allegedly helped the North Koreans log into their U.S. jobs. A request for comment to North Korea's United Nations mission in New York went unanswered Monday.

Williams estimates that he paid Sherpa and his associates close to $400,000 in wages over 20 months. The workers also used their positions of trust to steal more than $1 million in cryptocurrency, he said.

"I had no clue why it had happened," Williams said. "I really thought it was a disgruntled employee."

In many ways, Williams was the perfect target for the Sherpa scam.
As a cryptocurrency true believer, remote work and anonymity were commonplace in Williams's world, and he had no problem hiring a coder he had never met who lived half a world away.

Over the past five years, North Koreans have built a small army of several thousand illegal workers who have spanned out across the globe and earned hundreds of millions of dollars in paychecks from unsuspecting Western companies while causing further damage through theft and extortion. Their primary goal is to raise money. But because the workers also download intellectual property while working their jobs, their work makes for a strange blend of both spy and scammer, the FBI says.

In recent years they have scored jobs at technology companies, a major television network, an "iconic American car manufacturer," and a major entertainment company, among other places, according to court filings.

'Hi everyone'

Williams first heard from Sherpa in August 2020, during the height of the pandemic. Sherpa reached out on a Telegram discussion list. He was looking for work.

"Hi everyone. Hope all of you are doing well and staying safe," he wrote. "This is Pemba, a senior full-stack engineer with over 7 years of professional experience."

Sherpa's message was ignored, but he was persistent. He began sending direct messages to Williams. "He had a very well put-together LinkedIn, and a GitHub account," Williams said.

A month later, Williams needed a software developer. He thought of Pemba and dropped him a line.

"Hey, I may have a project that I need your help on," he wrote. Sherpa did good work, quickly rewriting and improving the user interface for a crypto project. By October, when Williams was looking for a developer to help him with his next big idea, he hired him.

Williams was a longtime crypto enthusiast, who had been active in the Atlanta cryptocurrency community since 2018. By 2020 he had spotted a way to cut down on a kind of fraud that was becoming a big problem in the crypto world.
It is called a "rug pull," and it occurs when unscrupulous software developers cook up interesting-sounding projects and then take seed investment money — sometimes hundreds of thousands of dollars — to get them off the ground. But instead of delivering code, the scammers simply take the money and run.

Crypto contracts

Williams started a company, known today as Starter Labs, that would use smart contracts to ensure that software developers wouldn't get their investment money until they shipped code. To date, the project has been entrusted with more than $45 million in investments.

In Williams's world, developers often work using pseudonyms. "It's not an anomaly to meet someone and they're called Johnny Rocket," he said.

In online chats, Sherpa opened up a little about his personal life. He was a graduate of the University of Sharjah in the United Arab Emirates. He was in his late 30s, with a girlfriend, whom he liked to take to the mall. "His dad was from Nepal; his mom was Korean; he was raised in Korea, but then moved to Dubai," Williams said.

At first, Sherpa didn't know much about the arcane world of cryptocurrency smart contracts, so Williams did the coding himself, using a programming language called Solidity.

But then one day in March 2021, Sherpa said he was stepping up his game. "Hey," he told Williams, surprising him. "I spent the past month or so learning Solidity and I think I'm really good at it now."

Williams had Sherpa develop a locker — a way to secure tokens in a smart contract. The code was bug free and efficiently written, and it saved Williams a lot of time. "He really kicked butt," Williams said.

Pastry Baker

By the summer of 2021, Williams made Sherpa chief technology officer of his 12-person company. Now Sherpa was management, and he started to bring in coders of his own.

One of them went by the name Pastry Baker. Sherpa said he was a cousin.
Based on information in the indictment and provided by Williams, he was actually Jong Pong Ju.

Some North Korean information-technology workers operate under rough conditions, working 17-hour days under constant surveillance, said Evan Gordenker, a consulting director with the security firm Palo Alto Networks.

But Sherpa's group seemed to have more autonomy.

Starting last year, anonymous researchers started posting information about Sherpa and other alleged North Korean IT workers, tracing them to a 14-room Airbnb in Laos, and posting photographs of them at restaurants and sporting events in Vladivostok, Russia. This team has been generating at least $10 million a year for North Korea, according to the blockchain analytics company TRM Labs.

"They still, to this day, maintain employment at a good number of crypto firms," Gordenker said.

In retrospect, Williams thinks that Sherpa may have actually been an amalgamation of his team members. Sometimes he seemed to have no memory of conversations they had in the past. "I felt something in my gut," Williams remembered. "Dude, we were just talking about this."

As CTO, Sherpa was able to insert himself into Starter Labs' money flow. When investors contributed funds to projects, Sherpa would have access to them, Williams said. By the fall of 2021, he had transferred more than $500,000 of funds from his wallet without incident. "I trusted him more and more," he said. "In my mind, we had become friends."

Losing trust

In October 2021, Williams began to lose trust in Sherpa after $30,000 went missing from a project. But because Sherpa's wallet was linked to so many projects, he couldn't cut him loose. It would take months for Sherpa and Williams to unwind their relationship.

In March, everything blew up.

Sherpa withdrew hundreds of thousands of dollars and "started trying to launder the money," Williams said. At first, Sherpa said the hack was due to a technical glitch and argued vociferously that he was innocent.
Then he blamed it on Pastry Baker, but Williams didn't believe him. "Not too long after that, he deleted all of our chats," Williams said. Then he deleted his LinkedIn profile and disappeared.

Williams reported the scam to the FBI. He hired a private investigator in Dubai to try to find information on Sherpa, whose attitude had turned "extremely defensive," after the $30,000 went missing. "I really thought it was a disgruntled employee kind of thing."

Nearly three years after the hack, the FBI reached out to Williams with an update. "We may not be able to recover any funds here, but we do know who did this and it's a group," they said, according to Williams. "They said it was North Korean IT workers."

These days Williams isn't a fan of the cryptocurrency community's culture of anonymity. "I would never ever work with another developer that I do not know," he said. "I have to see your wife, your family, your kids. We have to have lunch together."

Write to Robert McMillan at [email protected]

Dow Jones Newswires