North Koreans use fake names and scripts to land remote IT work for cash
IT workers in North Korea looking for jobs in Western IT businesses are resorting to elaborate deception to land those jobs. This deception includes using fake names, creating phony LinkedIn profiles, forging work documents, and creating bogus interview scripts.
According to papers examined by Reuters, an interview with a former North Korean IT worker, and the findings of cybersecurity researchers, obtaining a job outside of North Korea to clandestinely generate hard currency for the hermit nation requires highly refined techniques to deceive Western recruiting managers.
According to the United States, South Korea, and the United Nations, North Korea has sent thousands of IT workers abroad, a practice that has picked up speed over the past four years, to bring in millions of dollars to support Pyongyang’s nuclear missile program. This information comes from the North Korean government.
The phrase “People are free to express ideas and opinions” appears in one of the interview scripts used by North Korean software developers, as one of the options for how to characterize a “good corporate culture” when questioned. In North Korea, individuals run the risk of being imprisoned if they freely express their ideas.
Researchers at Palo Alto Networks (PANW.O), a U.S. cybersecurity firm, discovered a cache of internal papers online that reveal the operations of North Korea’s remote IT workers. These researchers discovered the scripts, which are 30 pages long.
The records include many fake identities and resumes, as well as online profiles, interview notes, and other materials used to apply for positions in software development by North Korean personnel.
Reuters discovered additional proof in data that had been stolen from the dark web that highlighted some of the tools and strategies that North Korean laborers used to convince companies to hire them for jobs as far away as Chile, New Zealand, the United States of America, and the United Arab Emirates.
The documents and data demonstrate the intense effort and deceit performed by North Korean authorities to assure the success of a plan that has become a critical lifeline of foreign money for the cash-strapped dictatorship. A request for comment sent to the delegation representing North Korea at the United Nations was not answered.
According to a 2022 report from the United States Department of Justice (DOJ), remote information technology workers can make more than ten times what a regular North Korean laborer earns overseas in construction or other manual jobs, and teams of these workers can together earn more than $3 million per year. Reuters was unable to calculate how much money the plan has generated throughout its existence.
Some scripts, which are meant to prepare the workers for questions that may be asked during interviews, include justifications for working remotely.
Richard, a senior embedded software developer, said, “I flew to Singapore a few weeks ago. My parents made the decision to spend some time with other family members for Covid and me. In the next three months, I intend to travel back to Los Angeles. I am mulling over possibly beginning my work from home as soon as possible to hit the ground running once I return to Los Angeles.”
According to Reuters, a North Korean IT worker who just escaped inspected the credentials and confirmed their authenticity. “We would create 20 to 50 fake profiles a year until we were hired,” the North Korean worker said.
After reviewing the scripts, data, and documentation, he stated that what was being done was identical to what he had been doing because he was familiar with the strategies and procedures that were being applied.
“Once I was hired, I would create another fake profile to get a second job,” said the employee, who spoke on the condition of anonymity because they were concerned about their safety.
The Federal Bureau of Investigation (FBI) and the Department of Justice seized 17 website domains in October after suspecting that North Korean government IT personnel were using them to defraud businesses and steal $1.5 million.
According to the Department of Justice (DOJ), North Korean software developers whom American corporations employed masked their identities behind fictitious email and social media accounts and used a scheme to produce millions of dollars annually on behalf of sanctioned North Korean entities.
“There is a risk to the North Korean government, as these privileged workers are exposed to dangerous realities about the world and their country’s enforced backwardness,” said Sokeel Park of Liberty in North Korea (LINK), an organization that works with defectors.
CASH IN HAND
According to information the United States government provided the previous year, North Koreans working in information technology are primarily situated in China and Russia, with some also present in Africa and Southeast Asia. They can make up to $300,000 per year individually.
The former IT worker added that everyone is expected to earn at least $100,000, and of that amount, 30–40% is sent back to Pyongyang, 30–60% is spent on overhead expenses, and the workers themselves keep 10–30%.
He estimated that there were perhaps 3,000 people like him living in other countries and another 1,000 living in North Korea.
“I worked to earn foreign currency,” he told Reuters. “It differs between people but, basically, once you get a remote job you can work for as little as six months, or as long as three to four years.”
“When you can’t find a job, you freelance.”
Researchers from Palo Alto’s Unit 42 cyber research branch made the discovery while investigating a hacking campaign by North Korean hackers that targeted software developers.
Unit 42 claims that one of the hackers left the papers exposed on a server, indicating that there are connections between North Korea’s hackers and its IT professionals, although the defector claimed that only a small number of people were involved in espionage campaigns. “Hackers receive their training separately,” he explained. “Ordinary individuals like us are not assigned tasks of that nature.”
Nevertheless, there is some overlap. The Department of Justice and the FBI have issued a warning that North Korean IT professionals may use their access to attack their employers. Some of the leaked resumes suggested that the individuals had experience working at cryptocurrency firms, a sector that North Korean hackers have long targeted.
IMITATIONS OF IDENTITY
According to the findings of an identity investigation company called Constella Intelligence, one of the workers had accounts on over 20 different freelancing websites across the globe, including those located in the United States of America, the United Kingdom, Japan, Uzbekistan, Spain, Australia, and New Zealand.
The worker did not respond to a request for comment sent via email.
Reuters discovered that the data, which had been leaked on the dark web, revealed an account on a website that sold digital templates that could be used to make realistic-looking phony identification documents. These templates could be used to construct fraudulent U.S. driving licenses, visas, and passports.
Interview scripts, resumes for 14 different identities, and a fake United States green card were among the materials that Unit 42 discovered. Additionally, there was evidence that some employees had purchased access to legitimate web profiles to appear more authentic.
It appears that the “Richard” in Singapore who was looking for remote IT employment referred to a fake profile with the name “Richard Lee”, the identical name on the green card. The United States Department of Homeland Security did not respond to a request for comment.
Reuters discovered a LinkedIn account for a Richard Lee with the same name and profile photo, which cited experience working at Jumio, a company that verifies digital identities.
A spokeswoman for Jumio stated that the company has no records indicating that Richard Lee was ever an employee of Jumio, either in the past or the present. “Jumio does not possess any evidence to suggest that the company has ever had an employee who was a citizen of North Korea within its workforce.”
Reuters sent a message to the LinkedIn account asking for a comment but did not receive a reply. After receiving multiple requests for comment from Reuters, LinkedIn deleted the account. “Our team uses information from a variety of sources to detect and remove fake accounts, as we did in this case,” according to a representative.