Freelance Market Flooded With North Korean IT Actors

US organizations that hire freelance and temporary IT workers should be sure they are not signing up individuals working on behalf of the North Korean government.

In recent years, the Democratic People's Republic of Korea has flooded the freelance market with thousands of skilled IT workers who are quietly directing their earnings to the sanctions-ridden nation's nuclear weapons program. The workers primarily reside in Russia and China and use a medley of pseudonymous email and social media accounts, false websites, proxy computers, and other mechanisms to hide their true identities and locations when applying to work on a freelance basis for US and other firms worldwide.

Seizure of Web Domains and Cash

Last week, the US Department of Justice released details of the massive scam in announcing court-authorized seizures of 17 domains and some $1.7 million in revenues associated with the operation.

"The Democratic People's Republic of Korea has flooded the global marketplace with ill-intentioned information technology workers to indirectly fund its ballistic missile program," Special Agent in Charge Jay Greenberg of the FBI St. Louis Division said in a statement last week. "This scheme is so prevalent that companies must be vigilant to verify whom they're hiring."

The DOJ described the 17 domains it seized as being used by some North Korean IT workers to apply for remote work in the US and elsewhere. The websites appeared to be the domains of legitimate US-based IT services companies. In reality, however, the people behind it were North Korean IT workers with a China-based company called Yanbian Silverstar Network Technology Co. Ltd and another Russian company identified as Volasys Silver Star.

The North Korean IT workers at these companies used various online payment services and Chinese bank accounts to funnel earnings from their work as freelance IT workers back to North Korea. Each year, the workers have been generating millions of dollars for entities like North Korea's Ministry of Defense and other agencies tied to the country's WMD programs, the DoJ said.

Previous Warning

This is not the first time that the DoJ has warned US organizations of the scam. In a May 2022 advisory, the US government issued a similar warning about North Korean IT workers using VPNs, virtual private servers, purchased third-party IP addresses, proxy accounts, and stolen ID documents to pass themselves off as IT workers from other countries.

The advisory also provided specific guidance that hiring managers and other decision-makers could use when contracting for work with a freelancer. Some red flags: multiple logins into one account from various IP addresses in a short period; IP addresses associated with different countries; frequent money transfers through payment platforms, especially in China; and requests for payment in cryptocurrencies, the DoJ had noted.

The DoJ also urged US organizations to be on the lookout for other potential signs including inconsistencies in name spellings, claimed work location, contact information, and details about their education and work history across social media profiles, professional websites, and payment profiles. An inability by a freelancer to work during required business hours or any difficulty reaching the worker in a timely fashion are also factors to consider, the DoJ said.

Camera Shy

Last week's advisory provided updated advice for US organizations on how to spot a potential North Korean IT worker. Red flags include an unwillingness or inability by the freelance worker to come on camera or do video interviews and conferences, inconsistencies such as time of day and location, when they do appear on camera. Other giveaways include signs of cheating on coding tests or interviews — such as excessive pausing, stalling and eye scanning movements; repeated requests for prepayment and threats to release source code if payment is not made.

The advisory provided organizations with a list of things they can do to minimize risk including requesting documentation of background checks when using a third-party staffing firm; conducting due-diligence checks on individuals that a third-party firm might provide for freelance work; and not accepting background checks from unknown firms.

"These kinds of threats are incredibly challenging and costly to manage at a corporate level," said Andrew Barrett, vice president at Coalfire, in a statement. "Freelancers and contractors are an integral part of many businesses and entire companies have spun up, such as Fiverr, to help create a marketplace for them."

Detecting fake identities can be hugely challenging using typical background checks when dealing with state-sponsored fake identities, Barrett said.