North Korean's 100k fake IT workers net $500M a year for Kim
Source: Hacker News
Researchers at IBM X‑Force and Flare Research have uncovered data that sheds light on how North Korea’s fake IT worker schemes operate and infiltrate companies in order to funnel money back to the regime and steal sensitive information.
In a published report, Inside the North Korean infiltrator threat, the pair detail evidence of the top‑level infrastructure used to manage the operations, how workers apply for and secure IT roles, and mitigation strategies businesses can use to avoid falling victim.
The threat of North Korean nationals operating as remote IT contractors or full‑time technology staff inside unsuspecting companies has come to light over the past several years, yet the report says security experts are only starting to realize the scale and sophistication of the operation.
Scale of the Operation
- US government data indicates these IT workers can earn more than $300,000 a year.
- Over 100,000 North Koreans are spread across 40 countries, generating approximately $500 million a year for Pyongyang.
Fake IT Worker Ecosystem
Roles
| Role | Description |
|---|---|
| Recruiters | Screen potential IT staff, record interviews, and forward candidates to facilitators. Often present the job as an “early‑stage stealth startup” (e.g., “C Digital LLC”). |
| Facilitators | Decide whether to accept or deny candidates, similar to hiring managers. |
| IT Workers | Perform the actual development work. Expected to have experience in full‑stack web app development, .NET, and WordPress. |
| Collaborators / Brokers | Western individuals who provide real identities for use in the fraud scheme and may assist in other ways. |
Process
- Mentoring & Identity Creation – Candidates receive a US‑based identity and guidance on applying to Western companies.
- Freelance Activity – Timesheets show hours logged on “Bids” (daily bids on platforms like Upwork) and “Msg” (messages or connections on Upwork, LinkedIn, Freelancer).
- Full‑time Employment – Once hired, workers may have multiple helpers to produce work, aiming for promotions and greater system access.
Tools
- Google Translate – Used for translating job descriptions, creating applications, and communicating.
- OConnect / NetKey – A known North Korean VPN, likely used to connect to internal networks in Pyongyang.
- IP Messenger (IPMsg) – Open‑source messaging app that operates without a central server, avoiding reliance on platforms like Discord or Google.
Mitigation Strategies
- Watch for warning signs: fake backgrounds, AI‑generated face or voice changes during online interviews.
- Resume vs. Interview Discrepancies: Verify claimed language skills, residence, and work history.
- Interview Question: Ask an absurd question such as “How fat is Kim Jong Un?” – a North Korean participant is likely to terminate the call immediately.
References
- Fake North Korean IT workers sneaking into healthcare, finance, and AI
- North Korea’s Lazarus Group targets healthcare orgs with Medusa ransomware
- Ukrainian gets five years for helping North Koreans secure US tech jobs
- The one interview question that will protect you from North Korean fake workers
Report source: “Inside the North Korean infiltrator threat” (Flare Research).