North Korea's army of fake IT workers

A secretive group of North Koreans have been securing IT jobs across the US and UK, using AI tools and local accomplices to obscure their true identities.

"Their goal? Cashing in on top tech salaries to funnel millions of dollars back to Pyongyang for its weapons programme," said Politico.

North Korean infiltration of tech firms has been a known issue for years, but "the scam is more widespread than previously understood". Tech leaders are opening up about their encounters with it while "law enforcement continues to crack down" and expose "how the expert operation is covertly conducted".

Subscribe to The Week

Escape your echo chamber. Get the facts behind the news, plus analysis from multiple perspectives.

SUBSCRIBE & SAVE

Sign up for The Week's Free Newsletters

From our morning news briefing to a weekly Good News Newsletter, get the best of The Week delivered directly to your inbox.

From our morning news briefing to a weekly Good News Newsletter, get the best of The Week delivered directly to your inbox.

Sign up

How do they get hired?

First, the North Korean nationals set up fake LinkedIn profiles, from which they can network with recruiters and apply for jobs using their false identities. Applicants "claim to be from countries including Italy, Japan, Malaysia, Singapore, Ukraine, the US and Vietnam", said Bloomberg.

Most are actually based in Russia and China, said the US Department of Justice. Their fake identities are carefully crafted, including "pseudonymous email, social media, payment platform and online job site accounts as well as false websites, proxy computers, and witting and unwitting third parties located in the United States and elsewhere".

Once hired, the North Korean workers are onboarded with their false credentials, sometimes including a US "front" address, where American accomplices can receive company laptops and keep them running.

What's the goal?

To earn money for the North Korean regime. IT worker teams "are set 'earnings quotas' by Kim Jong Un's regime", Michael Barnhart, from risk management firm DTEX, told Wired. The workers operate on behalf of several North Korean military and intelligence organisations, with the money they earn channelled back into them.

In one operation, shut down by US authorities in February, North Korean IT workers had infiltrated more than 300 US companies, and collectively earned more than $17 million (£12.7 million). They are often paid in cryptocurrency, or via digital payment platforms, with traditional bank payments laundered through third countries like China before making their way back to North Korea.

What's being done about it?

North Korea has historically targeted US-based tech companies, but in response to increasing awareness of the problem among American employers, they are now expanding their operations to European firms.

John Hultquist, chief analyst at Google's Threat Intelligence group, said UK companies should insist on video or face-to-face interviews to help expose potentially fraudulent applicants. The "scheme usually breaks down when the actor is asked to go on camera or come into the office for an interview", he told The Guardian. However, it is reportedly becoming increasingly common for applicants to use real-time AI deepfake technology to change their appearance on video interviews.

Given the difficulty of targeting suspects based in North Korea or allied countries like Russia and China, US law enforcement agencies are increasingly turning their attention to the accomplices who help pull off the scams. In January, the Department of Justice issued indictments for two North Korean nationals and arrested three "facilitators". Two are US citizens accused of running so-called "laptop farms", which receive and operate company devices on behalf of North Korean operatives, while a Mexican national is accused of allowing fraudulent workers to use his identity.

Bryan Vorndran, assistant director of the FBI's cyber division, said that the indictments "should highlight to all American companies the risk posed by the North Korean government".