North Korean Elite’s Secret Path to Western Paychecks: Uncovering the Illicit Flow of Money
North Korean Nationals Infiltrate Western Companies by Posing as Remote IT Contractors
A growing trend has emerged in which North Korean nationals are securing employment as remote IT contractors and full-time staff within organizations in North America and Western Europe. These individuals are using standard hiring channels to gain access to corporate environments, where they engage in various activities, including the theft of proprietary information, extortion, and support for other North Korean groups.
Scale of the Operation
Research by IBM X-Force and Flare has shed light on the scale of this operation, which is estimated to involve between 3,000 and 10,000 overseas workers, generating approximately $500 million in annual revenue. Individual IT workers can earn up to $300,000 per year, making them elite members of North Korean society.
Employment Process
To gain employment, these workers undergo specialized training and are deployed through multiple government bodies and affiliated organizations. They use fabricated identities, often tied to specific regions, including U.S.-based profiles, to apply for remote roles. The recruitment process typically involves brief, structured interviews, with English proficiency and technical capability being key selection criteria.
Work Environment and Routine
Once hired, workers operate within standard corporate environments, gaining access to tools such as Slack, Jira, and development platforms. They follow a consistent routine: translating tasks, researching, and using tools like ChatGPT and Google Translate to communicate with colleagues. Internal documentation shows detailed tracking of activity, with workers logging time and recording output.
Collaborators and Brokers
The operation relies on collaborators or brokers to handle tasks that require a real, verifiable identity, such as passing background checks and providing identification. In return, workers offer a share of their earnings, and successful partnerships can lead to additional collaborators through referrals.
Cycle of Employment
The cycle of employment is typically short-lived, with roles lasting only weeks or months. Performance issues or communication gaps often lead to termination, at which point workers return equipment, abandon their identity, and start over with a new profile and applications.
Defending Against Infiltration
Defending against this type of infiltration requires a joint effort between human resources, security operations, hiring managers, and interviewers. Unlike intrusions by traditional threat actors, this operation calls for a more comprehensive approach to security, one that goes beyond the domain of security teams alone.
