January 21, 2025

The North Korean IT workers scam explained

NetworkTigers explores the growing North Korean IT workers scam, where North Korean agents infiltrate global companies to fund the regime’s military activities.

Anyone paying attention to cybersecurity is likely familiar with North Korea’s role in the global threat landscape. Lazarus Group, the country’s most notorious state-sponsored hacker group, and its affiliates are responsible for several high-profile cyberattacks, including the 2014 Sony Pictures breach and the recent Axie Infinity hack.

While state-affiliated hacker groups from countries such as China and Russia often focus on cyber espionage and influence campaigns, those linked to Pyongyang are primarily motivated by financial gain. The sanctions placed on North Korea severely limit the resources the country can legally obtain, making these financial operations a key avenue for funding the regime’s military and nuclear ambitions.

As a result, North Korean hackers frequently target cryptocurrency platforms or use phishing and social engineering tactics to steal from individuals’ digital wallets.

A New Tactic: The Fraudulent Hiring Scheme

In recent years, a new method has emerged: North Korean agents are infiltrating global workplaces by posing as legitimate employees. By tricking employers into hiring them for well-paying IT roles, these agents funnel their salaries directly to Pyongyang and, in some cases, access sensitive company information.

Setting the trap

The scam begins with North Korean IT workers posing as freelancers or contract workers on job-seeking platforms such as LinkedIn, Fiverr, and UpWork, where they advertise their skills as app and software developers. 

Naturally, they do not make their true identity public; instead, they create fake user profiles, including phony resumes, references, and job histories. These profiles are usually built with stolen identities, including driver’s licenses, Social Security cards, and other official identification documents. Profile photos are often created with the help of AI and, to avoid giving up the ruse, location and IP address information is passed through a VPN to make it appear as though the person is living in a location that does not arouse any suspicion. 

Some even go so far as to pay others to pass drug tests, appear in calls and interviews, and pass background checks.

Thanks to the prevalence of remote work in technology fields, these workers never have to show up in person and can successfully hide behind layers of false information.

Getting the job

Once the interview and vetting process has been completed, these fraudulent workers usually request that any work-related devices, such as laptops or tablets, be shipped to a location where another accomplice will prepare them for shipment to a U.S.-based laptop farm.

Technicians at the laptop farm connect the computer to a network that North Korea-based workers can access to operate the device remotely.

At this point in the scheme, one might expect the workers to immediately begin wreaking havoc or attempting to steal from the company that hired them, but that is not the case. Instead, the workers operate discreetly, perform the tasks they were hired for, and collect their payment without incident. The goal is to remain employed for as long as possible to maintain a flow of income that helps to support North Korea’s weapons programs. 

Follow-up scams and extortion

If a North Korean IT worker’s true identity is discovered, they tend not to go down without a fight, using any tools at their disposal to threaten and extort the employer into paying more money to avoid having their data leaked or their business damaged.

Any stolen information may also be sold on the black market. North Korean IT scammers leave no stone unturned in their quest for funding.

A prevalent, successful, and dangerous campaign

According to a press release from the U.S. Department of Justice, “the DPRK has dispatched thousands of skilled IT workers around the world… such IT workers can individually earn up to $300,000 annually, generating hundreds of millions of dollars collectively each year, on behalf of designated entities, such as the North Korean Ministry of Defense and others directly involved in the DPRK’s UN-prohibited weapons of mass destruction programs.”  

North Korea’s IT workers are highly skilled, and many work multiple jobs concurrently. A 2022 joint report from the U.S. Treasury states that Kim Jong Un’s regime had “placed increased focus on education and training in IT-related subjects and has developed strong IT degree programs at several premier DPRK educational institutions—particularly Kim Il Sung University, Kim Chaek University of Technology, and Pyongyang University of Science and Technology.”

With overseas IT workers earning many times more than the salary of a manual laborer, it’s little wonder that Pyongyang has been diligently working to create an army of IT professionals to deploy globally. 

An additional growing concern is the threat that these workers, already embedded within multiple industries worldwide, will receive an order from Pyongyang to launch ransomware attacks or malware against their employers, thereby creating a global security crisis.

North Korean IT workers: a human toll

Given North Korea’s penchant for insidious labor camps, “kin punishment,” and the threat of prison hanging over the head of every citizen for offenses that may or may not even exist, it is almost without question that North Korea’s IT workers are unwilling participants.

As with other online scams, such as those in which kidnapped individuals endure beatings, torture, and horrific conditions in camps where they are forced to engage in romance and pig butchering schemes, one can safely conclude that the individuals undertaking IT worker scams are also doing so under pressure to perform adequately or endure unspeakable punishment that may also be inflicted against their families.

How to stay safe from the North Korean IT workers scam

Detecting North Korean IT workers is challenging, as the many layers of obfuscation and the talent of those involved combine to put the onus on the employer to be extremely thorough with their vetting processes.

Here are some basic steps employers should follow to keep North Korean imposters out of the workforce:

  1. Verify references. Contact each reference directly to confirm the applicant’s work history.
  2. Look for resume inconsistencies. Pay attention to gaps, discrepancies, or unusual patterns in the resume.
  3. Conduct video interviews. Ensure that all interviews are held via video. Ask detailed questions about the applicant’s work history and experience.
  4. Watch for excuses. Avoid candidates who are unable or unwilling to participate in video interviews.
  5. Check for AI-generated photos. Use reverse image searches to identify stock or AI-generated profile pictures.
  6. Monitor equipment for remote access. Be cautious of devices that show signs of being remotely accessed or pre-configured.
  7. Examine social media activity. Be wary of applicants with new or inactive profiles on social media or job platforms.
  8. Ask natural questions. Pose questions that are simple to answer but difficult for an imposter to respond to naturally.
  9. Conduct surprise check-ins. Periodically check in with remote workers through video calls to confirm their work is legitimate.
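
Step 6 and the laptop-farm setup described earlier can be turned into a simple telemetry check. The following is an added example, not code from NetworkTigers: it correlates three signals per corporate laptop (shipping destination that differs from the HR address of record, laptops issued to different people sharing one public IP, and unapproved remote-access software). The record fields, the sample devices, and the tool watchlist are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Illustrative watchlist of remote-access software process names (an assumption,
# not taken from the article); replace with your organization's own list.
REMOTE_TOOLS = {"anydesk", "teamviewer", "rustdesk", "vncserver"}

# Constructed sample telemetry: one record per corporate laptop.
DEVICES = [
    {"id": "LT-101", "user": "a.lee", "hr_region": "TX", "shipped_region": "TX",
     "ip": "203.0.113.10", "processes": ["chrome", "code"]},
    {"id": "LT-102", "user": "b.kim", "hr_region": "CA", "shipped_region": "AZ",
     "ip": "198.51.100.7", "processes": ["code", "AnyDesk"]},
    {"id": "LT-103", "user": "c.park", "hr_region": "NY", "shipped_region": "AZ",
     "ip": "198.51.100.7", "processes": ["slack", "rustdesk"]},
    {"id": "LT-104", "user": "d.cho", "hr_region": "WA", "shipped_region": "WA",
     "ip": "192.0.2.44", "processes": ["TeamViewer"]},
]

def laptop_farm_signals(devices, approved_tools=frozenset()):
    """Return {device_id: [signals]} for devices showing at least one signal."""
    users_by_ip = defaultdict(set)
    for d in devices:
        users_by_ip[d["ip"]].add(d["user"])

    findings = {}
    for d in devices:
        signals = []
        # Device was shipped somewhere other than the address HR has on record.
        if d["shipped_region"] != d["hr_region"]:
            signals.append("shipping_mismatch")
        # Laptops issued to different people check in from one public IP.
        if len(users_by_ip[d["ip"]]) > 1:
            signals.append("shared_ip")
        # Remote-access software that IT did not approve is running.
        running = {p.lower() for p in d["processes"]}
        unapproved = sorted((running & REMOTE_TOOLS) - set(approved_tools))
        if unapproved:
            signals.append("remote_tool:" + ",".join(unapproved))
        if signals:
            findings[d["id"]] = signals
    return findings

if __name__ == "__main__":
    for dev, sig in laptop_farm_signals(DEVICES, {"teamviewer"}).items():
        print(dev, sig)
```

Each signal is a triage lead, not proof: known office or VPN egress addresses should be excluded from the shared-IP check before anyone acts on a finding.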

By following these steps, employers can help protect themselves from the risks posed by North Korean hackers embedded in the workforce.

About NetworkTigers


NetworkTigers is the leader in the secondary market for Grade A, seller-refurbished networking equipment. Founded in January 1996 as Andover Consulting Group, which built and re-architected data centers for Fortune 500 firms, NetworkTigers provides consulting and network equipment to global governmental agencies, Fortune 2000, and healthcare companies. www.networktigers.com.

Ben Walker
Ben Walker is a freelance research-based technical writer. He has worked as a content QA analyst for AT&T and Pernod Ricard.
