North Korea has reportedly been recruiting freelancers and using their identities to secure IT roles, a change from its previous method of using fabricated identification to obtain remote roles. The approach now involves contacting potential freelancers directly on recruitment platforms such as Upwork, Freelancer, and GitHub, then shifting the conversation to Telegram or Discord. There, the freelancers are assisted in setting up remote access tools and verifying their identities.
Proxy Identities in IT Operations
Heiner Garcia, a cyber threat intelligence expert at Telefonica and a blockchain security researcher, revealed that North Korean operatives now evade verification hurdles by working with legitimate users who offer remote access to their systems. These users receive only 20% of the earnings; the rest is rerouted to the operatives through cryptocurrencies or regular bank accounts.
By exploiting real identities and local internet connections, these IT operatives circumvent mechanisms designed to flag certain geographies as high-risk and to identify the use of VPNs. The change in tactics marks a significant shift in the way North Korean IT operatives work and shows increased sophistication in avoiding detection.
Tricking Freelancers into Illegal Tasks
Earlier this year, Garcia set up a phony crypto company and conducted an interview with a North Korean operative purportedly looking for a remote tech job. The interviewee claimed to be Japanese but suddenly ended the call when asked to introduce himself in Japanese. All these real-life examples point to the fact that many individuals are tricked into unknowingly acting as proxies for North Korean operatives. They believe they are engaging in normal subcontracting agreements.
Victims and Perpetrators in the Scam
The chat logs reviewed suggest that these recruited proxies are mostly not technically savvy. They ask basic business-related questions, do no technical work themselves, and let the operative work and deliver under their names. While many seem to be victims ignorant of the situation, a few show full knowledge of their involvement in the scheme.
Matthew Isaac Knoot of Nashville was arrested by the U.S. Department of Justice in August 2024 for running a laptop farm that enabled North Korean IT operatives to launch their operations while appearing to be US-based employees using stolen identities. In an identical case, Christina Marie Chapman in Arizona was sentenced to more than eight years' imprisonment for managing a similar operation that channeled over $17 million to North Korea.
Gaining a Corporate Footing
North Korea has reportedly been trying for years to infiltrate the tech and crypto industries to generate revenue and secure corporate footholds outside its borders. The use of freelancers' identities is the latest step in that effort. According to the United Nations, this IT work and crypto theft provide funding for the country's missile and weapons programs.
Beyond Crypto
Garcia’s research and subsequent reports suggest that the use of freelancers’ identities isn’t confined to the crypto world. It extends to any job these operatives can access, including architecture, design, and customer service. These schemes are usually detected only after unusual behavior triggers detection mechanisms, at which point the operative switches to a new identity and continues the cycle.
Key Takeaways
Cumbersome as it may seem, this shuffling of identities complicates the attribution and prosecution of the individuals really responsible. People whose identities are used are often deceived, while the actual person behind the keyboard operates from another country and remains invisible to freelancing platforms and clients. The key variable in all these operations is the request to install remote access software or to let someone work from your verified account. A legitimate hiring process wouldn’t require control of your device or identity.



