Judge Juche: How North Korean Front Companies Sell Their Software to the World

October 4, 2019
Cameron Trainer


The following is an excerpt of an article published on NKnews.org.

This article is the fourth of a series produced by the James Martin Center for Nonproliferation Studies (CNS) at the Middlebury Institute of International Studies exclusively for NK News. For this series, we’ve chosen to focus on the legal (mis)adventures of North Korean entities and individuals overseas. For more, read part one, part two, and part three.

Supply-chain management isn’t exactly the hottest of topics. But it is crucial to ensuring compliance with national and international sanctions regimes on North Korea.

To avoid potential penalties for prohibited transactions with North Korea, companies must know where the components of their products come from as well as where those products may end up.

It is nonetheless worth revisiting given the designation of North Korean cyber actors by the United States Office of Foreign Assets Control (OFAC) in September 2019.

This designation is complementary to Executive Order 13810 of September 20, 2017, which—among other things—prohibited engagement with North Korea’s information technology (IT) industry.

Together, the designation and Executive Order effectively ban any engagement with North Korean cyber actors. While these are unilateral measures taken by the United States, they have international reach given the centrality of the United States financial system.


Alternatively, take e.l.f. Cosmetics—it reached a settlement agreement with OFAC in 2019 over its import of 156 shipments containing false eyelash kits with components originating in North Korea. These shipments violated the United States North Korea Sanctions Regulations (NKSR).

Once discovered by e.l.f. Cosmetics, the violations were voluntarily self-disclosed. Under the settlement agreement, the company paid $996,080 and has taken steps to minimize the risk of recurrence of such conduct.

Both cases pertain to instances where companies cooperated with relevant authorities. In cases where companies do not cooperate or actively work to hinder investigations, penalties can be much greater.


But the fines aren’t the point. Rather, what these cases show is that products made even in the U.S. or its partner countries may find their way to North Korea and vice versa.

Since this is true for physical commodities like planes, false eyelashes, and telecommunications products, it is certainly true for digital products as well. Worse still, with digital wares, it may be more difficult to track the chain of custody for a specific piece of code.

