DoJ Shakes Up North Korea's Widespread IT Freelance Scam Operation

The North Korean government has dispatched thousands of tech-savvy workers to China, Russia, and other countries in Eastern Europe, Southeast Asia, and Africa to infiltrate freelance networks and find jobs where they have access to sensitive data and systems, according to new warnings from the FBI, the US Department of State, and the US Treasury Department.

The North Korean information technology workers live in non-sanctioned countries, misrepresent themselves as non-North Korean workers, find remote-work opportunities using falsified documents or by purchasing accounts on freelance services, and in some cases, use their privileged access to insert vulnerabilities, cause misconfigurations, or launch cyberattacks, the agencies stated.

On May 16, the US Department of Justice announced the indictment of five people in the operation and released more details of the massive fraud scheme. Among those indicted is an Arizona woman who helped North Korean IT workers validate their stolen identities to pose as US citizens. The woman received and hosted laptops issued by US companies to spoof the workers' location and make it appear as though they lived in the United States, the US Department of Justice stated in the indictment. The DoJ charged the woman and four other individuals — a Ukrainian and three John Does — with allegedly taking part in schemes which netted millions of dollars in wages under dozens of different identities and affecting more than 300 different companies.

"The alleged schemes likely benefitted the Democratic People's Republic of Korea in evading U.S. sanctions and victimizing American businesses," Larissa Knapp, executive assistant director of the FBI's National Security Branch, said in a statement announcing the indictments. "By stealing the identities of American citizens to commit fraud, they obtained proceeds which likely helped fund the North Korean regime's priorities including nuclear weapons programs."

The Democratic People's Republic of Korea (DPRK) — North Korea — is more motivated than most nation-states to pursue profits because the regime is heavily sanctioned, according to experts. The DPRK government is widely blamed for the attack on the SWIFT banking system that resulted in $81 million stolen from the Bangladesh Bank in February 2016. Three members of North Korea's intelligence agency were indicted in 2021 for their role in stealing more than $1.3 billion for the country over three years. Other schemes involve cryptojacking — stealing access to servers and using them to mine cryptocurrency — and targeting security researchers.

Unlike nearly every other country, where the government finances the intelligence groups that are doing the hacking, North Korea flips the model on its head, says Michael Barnhart, lead for DPRK operations and threat research at Google Mandiant.

"One thing I like to tell people ... is stop looking at North Korea as if it's a government and start looking at them as a criminal enterprise," he says. "They are a single family — a mafia family — where all the money comes in at the bottom and goes up to the top."

North Korea's IT Freelance Army

The goal of the scheme is for North Korea to have its IT workers generate revenue through freelance contracts with companies in wealthier nations, including those in North America, Europe, and East Asia. By moving internationally, North Korean workers can represent themselves as citizens of other nations, or through collaborators, and take on the guise of a citizen of another country, such as South Korea or China, but also Eastern European or US-based teleworkers.

One "facilitator," as they are called, managed around 870 different proxy identities on three different freelance IT hiring platforms based in the US and simultaneously hosted nearly 80 computers at the scheme's peak. The facilitator, a Ukrainian, took in more than $900,000 over nearly six years, according to the DoJ indictment.

The approach continues to be used with the facilitators acting in the same role as a "mule" for ATM-fraud gangs and drug cartels — essentially boots on the ground to handle the most high-risk work, says Mandiant's Barnhart.

"We've got facilitators right now that are standing in doing video interviews with their ID cards, to pass verification attempts," he says. "And then once they get the job, once they do the drug tests, once they do everything — then they hand all the credentials over to the IT workers so that they can do the actual job."

The operations have a long time horizon to build up trust with the facilitators as well as the eventual victims — companies in the US and Europe, says Sarah Kern, a security researcher focused on North Korean and state-sponsored emerging threats at Secureworks' Counter Threat Unit.

"The actors carry out extensive reconnaissance before and during campaigns to deceive individuals and companies, and to build rapport with victims to remain stealthy," she says.

North Korea's Captive Workers

The North Korean government is well known for its efforts in circumventing sanctions, using activities such as forced overseas labor, arms trafficking, drug manufacture and smuggling, and counterfeit pharmaceuticals, Kern says.

"Like other communist countries, North Korea has placed a focus on science and mathematics in its education system with students showing aptitude, being selected for additional training, and [receiving] more specialized technical employment options," she says. "This provides a pool of talent that can make significantly more money abroad than it can within the North Korean economy but is constrained by sanctions and poor diplomatic relations, prompting schemes like the one disclosed by the US DoJ."

The DPRK government also keeps close tabs on its workers, who are generally not allowed much freedom. Usually, the IT workers have little choice in the matter, are subjected to long working hours, and have tight restrictions on their movements, Kern says.