For more than a decade, North Korean hackers and digital scammers have run wild, pilfering hundreds of millions of dollars to raise funds for the Hermit Kingdom and often leaving chaos in their wake. But while the United States and other governments regularly call out North Korea’s digital espionage operations and issue indictments against their hackers, it has proved more difficult to bring charges for rogue theft and profiteering. North Korea has been under extensive sanctions by the US and other governments for years, but efforts to address the regime’s financial crimes have met with obstacles.
Last week, the US Treasury, State Department, and Federal Bureau of Investigation jointly issued a 16-page alert warning businesses to guard against a particular scam in which North Korean IT workers apply for freelance contracts—often with wealthy North American, European, and East Asian firms—to generate revenue for their country. The workers pose as IT workers of other nationalities, pretending to be remote workers from South Korea, China, Japan, Eastern Europe, or the US. The alert notes that there are thousands of North Korean IT workers taking on such contracts. Some conduct their work from North Korea itself and others work overseas, mainly out of China and Russia, with small contingents in Southeast Asia and Africa. In some cases, the North Korean scammers themselves sub-contract with other more legitimate workers to enhance their credibility.
“DPRK IT workers can individually earn more than USD 300,000 a year in some cases, and teams of IT workers can collectively earn more than USD 3 million annually,” the alert warns. “DPRK IT workers provide a critical stream of revenue that helps fund the DPRK regime’s highest economic and security priorities, such as its weapons development program.”
When US businesses unknowingly contract with North Koreans, they are violating government sanctions and face legal risk. But the scams are challenging to deal with, since workers typically complete the assignments to earn their compensation. Without vigilance, businesses could be unaware that anything shady is going on.
The alert emphasizes that while businesses need to be aware of the issue so they can comply with sanctions, North Korean IT contractors also sometimes use their access to plant malware and facilitate espionage and intellectual property theft.
“There have been a lot of cases where we’re seeing North Korean actors interviewing for jobs and using that to try to ultimately deploy malware or get into an environment,” says Adam Meyers, vice president of intelligence at the cybersecurity firm CrowdStrike. “The reason this is important is a lot of people don’t consider this threat or write it off as, ‘Oh, North Korea, they’re crazy. They’re not sophisticated.’ And if you’re talking to an actual person, it feels like there’s not going to be a cyber threat in that, but these are human-enabled operations that the North Koreans have gotten really good at, so bringing awareness to this issue is really important.”
North Korean IT workers have thorough training, making detection more difficult, and the alert notes that they have developed software, websites, and other platforms for a variety of sectors, including health and fitness, social networking, sports, entertainment, and lifestyle, along with cryptocurrency and decentralized finance. The workers have the expertise to do IT support and database management, build mobile and web apps, develop cryptocurrency platforms, work in artificial intelligence and virtual reality or augmented reality, and develop facial recognition and biometric authentication tools.
