How North Korean Hackers Conned Their Way Into Remote Jobs… in 5 Simple Steps!

Remote work has been extremely helpful for many Americans. It’s also been helpful for state-sponsored hackers, as they’ve figured out how to pose as domestic IT workers. Peter Tsai breaks it down into five surprisingly simple steps.

September 30, 2024

North Korean hackers
(Credits: FOTOGRIN/Shutterstock.com)

Have you ever felt someone wasn’t who they said they were?

Small-time con men often use trickery to make a quick buck. However, international spies can take deception to another level, going to great lengths to assume a secret identity to hide their true motives… and their paydays can be huge.

But real spies aren’t necessarily glamorous like James Bond. Many do their deceptive deeds using a regular computer, trading secret spy gadgets for a keyboard and Zoom. But that doesn’t make these high-stakes tales of international espionage any less interesting.

How North Korean Spies Defrauded Hundreds of US Companies

Remote work has been a boon to millions of workers worldwide. Ubiquitous internet connectivity, cloud-based apps, and communications tools have allowed employees to work from almost anywhere. But recently, organizations have been learning firsthand of the dangers that come with this flexibility.

In a 2024 press release, the US Department of Justice announced that more than 300 US-based companies were defrauded of millions of dollars by (often technically skilled) individuals posing as domestic IT workers when they were, in fact, agents of North Korea living abroad.

How did North Korean spies slip past unwitting HR teams and interviewers at these companies? They created a convincing ruse through an elaborate scheme involving a web of shady characters working together on a large scale to reap big rewards. Former CIA Analyst Jung Pak estimates that these North Korean agents can generate at least $300 million per year, much of it going directly to fund North Korea’s nuclear program, according to a recent NPR report.

Infiltration in 5 Easy Steps

Here’s how the North Korean hackers pulled off their remote work scam, per a press release from the Department of Justice (DOJ):

  • Step 1: Obtain stolen identities of real US citizens
    • The North Koreans didn’t work alone. They got help from other shady individuals who enabled them. The DOJ recently brought charges against five individuals who “participated in schemes to place overseas information technology (IT) workers—posing as US citizens and residents—in remote positions at US companies.” At least one of these individuals spent years on a scheme to “create fake accounts at US-based freelance IT job search platforms and with US money service transmitters in the names of false identities, including identities of US persons, and sold these accounts to overseas IT workers.” Some individuals even offered “a full array of services to allow an individual to pose under a false identity and market themselves for remote IT work with unsuspecting companies.”
  • Step 2: Interview with legitimate companies using illegitimate profiles
    • In KnowBe4’s article, “How a North Korean Fake IT Worker Tried to Infiltrate Us,” they recounted how a North Korean national was able to pass the security checks they had in place, and how this individual was hired as a Principal Software Engineer: “Our HR team conducted four video conference based interviews on separate occasions, confirming the individual matched the photo provided on their application. Additionally, a background check and all other standard pre-hiring checks were performed and came back clear due to the stolen identity being used. This was a real person using a valid but stolen US-based identity.” The individual even used AI to put their face on a professional headshot from a stock photography website.
  • Step 3: Use a fake physical address at a “laptop farm” to mask physical location
    • According to the DOJ, North Korean hackers will have companies mail corporate devices to a “laptop farm.” In at least one case, the “farm” had dozens of machines set up for “hosting the overseas IT workers’ computers… so it appeared that the computers were located in the United States.” North Korean hackers would then VPN into these machines. These farms can be hosted in non-descript homes in any neighborhood, like the one below, which was in East Tennessee.

  • Step 4: Fraudulently collect paychecks from companies and launder the money
    • The fake IT workers who obtain their jobs fraudulently collectively earn significant salaries. The DOJ estimates that workers using the services of one laptop farm “were paid millions for their work, much of which has been falsely reported to the IRS and the Social Security Administration in the name of the actual US persons whose identities were stolen or borrowed.” Additionally, operators of one laptop farm allegedly conspired to “commit money laundering by conducting financial transactions under aliases to receive money generated by the scheme and transfer those funds outside of the United States, in an attempt to hide that these were proceeds of the IT workers’ fraud.”
  • Step 5: (Optional) Infiltrate corporate networks to steal valuable secrets or hold it for ransom
    • In addition to collecting salaries through trickery, hackers sometimes resort to familiar tricks once they are behind the firewall. In the case of KnowBe4, as soon as the corporate laptop was received, they noticed someone “immediately started to load malware.” Additionally, according to NPR, some hackers also use the information they obtain for extortion, threatening to release intellectual property.
How well do you really know your remote colleagues? Could one of them be a North Korean hacker in disguise?


Peter Tsai
Systems Administrator turned QA tester turned software engineer turned Technology Analyst, Peter is now the Head of Technology Insights at Spiceworks, where he's worked since November 2013. Now he writes fun and research-driven content to help bring a smile to your face or make your life easier.