North Korean Elite's Secret Path to Western Paychecks: Uncovering the Illicit Flow of Money

Post Views: 7

North Korean Nationals Infiltrate Western Companies by Posing as Remote IT Contractors

A growing trend has emerged in which North Korean nationals are securing employment as remote IT contractors and full-time staff within organizations in North America and Western Europe. These individuals are using standard hiring channels to gain access to corporate environments, where they engage in various activities, including the theft of proprietary information, extortion, and support for other North Korean groups.

Scale of the Operation

Research by IBM X-Force and Flare has shed light on the scale of this operation, which is estimated to involve between 3,000 and 10,000 overseas workers, generating approximately $500 million in annual revenue. Individual IT workers can earn up to $300,000 per year, making them elite members of North Korean society.

Employment Process

To gain employment, these workers undergo specialized training and are deployed through multiple government bodies and affiliated organizations. They use fabricated identities, often tied to specific regions, including U.S.-based profiles, to apply for remote roles. The recruitment process typically involves brief, structured interviews, with English proficiency and technical capability being key selection criteria.

Work Environment and Routine

Once hired, workers operate within standard corporate environments, gaining access to tools such as Slack, Jira, and development platforms. They follow a consistent routine, translating tasks, researching, and using tools like ChatGPT and Google Translate to communicate with colleagues. Internal documentation shows detailed tracking of activity, with workers logging time and recording output.

Collaborators and Brokers

The operation relies on collaborators or brokers to handle tasks that require a real, verifiable identity, such as passing background checks and providing identification. In return, workers offer a share of their earnings, and successful partnerships can lead to additional collaborators through referrals.

Cycle of Employment

The cycle of employment is typically short-lived, with roles lasting only weeks or months. Performance issues or communication gaps often lead to termination, at which point workers return equipment, abandon their identity, and start over with a new profile and applications.

Defending Against Infiltration

Defending against this type of infiltration requires a joint effort between human resources, security operations, hiring managers, and interviewers. Unlike traditional threat actors, this operation highlights the need for a more comprehensive approach to security, one that goes beyond the domain of security teams alone.