
Fraudulent IT Workers Pose a Cyberthreat to Your Business

The digital age has ushered in unprecedented opportunities for global collaboration and remote work, but it has also opened doors for a cyberthreat: fraudulent Information Technology (IT) workers. Specifically, the FBI reports that the regime in North Korea appears to be training and deploying agents to infiltrate legitimate companies as freelance or remote workers with the intention of stealing data, conducting cyber espionage, gaining access to sensitive information, and stealing intellectual property or financial assets.

The fraudulent IT workers often use fake or stolen names, falsified or stolen documents, fake websites, and misleading IP addresses to pose as U.S. citizens or citizens of other non-sanctioned countries.  The IT workers also use both witting and unwitting individuals from non-sanctioned countries to gain fraudulent employment and access to U.S. company networks.

Recent Cases

The FBI uncovered a fraudulent IT worker scam which had cost the victim company over $500,000 before arrests were made. The company had incurred those costs to audit and secure the devices, systems, and networks after the IT workers were discovered. The cost does not include the hefty salaries paid to the workers.

U.S.-based facilitators enable the fraud through activities such as accepting shipments of company laptops, enabling remote desktop connections, reshipping U.S. company laptops overseas, and creating U.S.-based front businesses purporting to offer short-term technical contract workers. Per a Justice Department press release on August 8, 2024, the DOJ charged a Nashville, Tennessee resident with running a “laptop farm” at his Nashville residences between approximately July 2022 and August 2023. The victim companies shipped laptops addressed to “Andrew M.” (a stolen identity) to the Nashville residence, and the suspect logged on to the laptops and downloaded and installed unauthorized remote desktop applications to give North Korean IT workers unauthorized access.

On October 17, 2023, the U.S. seized 17 website domains used by Democratic People’s Republic of Korea (DPRK) information technology (IT) workers in a scheme to defraud U.S. and foreign businesses and evade sanctions.  (U.S. Department of Justice).

In another case, IT workers employed as developers by a U.S. company fraudulently charged the U.S. company’s payment account and stole over $50,000. The workers carried out the thefts in 30 small installments over a matter of months. The victim company was not aware that the developers were North Korean, or of the ongoing theft, because the individual amounts were small.
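The case above evaded notice because no single charge was large. The following is an added example (not from the FBI, the DOJ, or the original article) of a rolling-window check that totals small charges per user of a company payment account and flags the user once the cumulative amount needs review. The thresholds, user names, and charge records are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import date, timedelta

# Assumed policy values (not from the article): tune to your own payment data.
PER_CHARGE_ALERT = 5_000      # single charges at or above this already alert
WINDOW = timedelta(days=90)   # look-back period for cumulative spend
CUMULATIVE_LIMIT = 20_000     # total per user per window that needs review
MIN_CHARGES = 5               # require a pattern, not one or two purchases


def flag_structured_charges(charges):
    """Return {user: (first_alert_date, window_total, n_charges)} for users whose
    individually small charges add up past CUMULATIVE_LIMIT within WINDOW."""
    windows = defaultdict(deque)   # user -> charges currently inside the window
    totals = defaultdict(int)
    alerts = {}
    for day, user, amount in sorted(charges):
        if amount >= PER_CHARGE_ALERT:
            continue  # already covered by the per-transaction alert
        win = windows[user]
        win.append((day, amount))
        totals[user] += amount
        # Drop charges that have aged out of the look-back window.
        while win and day - win[0][0] > WINDOW:
            totals[user] -= win.popleft()[1]
        if (user not in alerts and len(win) >= MIN_CHARGES
                and totals[user] >= CUMULATIVE_LIMIT):
            alerts[user] = (day, totals[user], len(win))
    return alerts


def sample_charges():
    """Constructed data: 30 weekly charges of $1,700 by 'contractor_a'
    (total $51,000), plus ordinary activity by 'employee_b'."""
    start = date(2024, 1, 1)
    rows = [(start + timedelta(weeks=i), "contractor_a", 1_700) for i in range(30)]
    rows += [(start + timedelta(days=30 * i), "employee_b", 900) for i in range(6)]
    rows.append((start + timedelta(days=10), "employee_b", 12_000))  # one big buy
    return rows


if __name__ == "__main__":
    for user, (day, total, n) in flag_structured_charges(sample_charges()).items():
        print(f"{user}: ${total:,} across {n} charges in {WINDOW.days} days, flagged {day}")
```

With the constructed data, the contractor is flagged at the twelfth charge, months before the full amount is taken.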

If you are a business that has fallen victim to a North Korean IT worker scheme or suspect that you or your business have been approached by a North Korean IT worker, the FBI recommends reporting it to the FBI’s Internet Crime Complaint Center (IC3) at www.IC3.gov immediately.

The U.S. Department of State, the U.S. Department of the Treasury, and the Federal Bureau of Investigation (FBI) have issued an advisory for the international community, the private sector, and the public. IT workers target freelance contracts through various online platforms from employers located in wealthier nations, including those in North America, Europe, and East Asia. IT workers use IT industry-specific freelance contracting platforms and social media to obtain development contracts, then collect payments for work through digital payment platforms and virtual currency exchanges.

IT workers present themselves as being from non-sanctioned countries (South Korea, China, Japan, Eastern Europe) or as U.S.-based teleworkers. The IT workers may initially engage in non-malicious, low-level IT work; however, they can easily use their privileged access to company information and networks to engage in malicious cyber intrusions.

Due Diligence When Selecting a Remote Freelance IT Worker

The FBI recommends that “If using third party staffing firms or outsourcing companies, request documentation of their background check processes. If this cannot be readily provided by a company, assume it did not conduct the background check and conduct your own.  If using a staffing company or third-party software developers for IT work, conduct due diligence checks on the individuals the company provides to you for work.”

Fraudulent IT workers have sophisticated methods to hide their identity and geographic location. Per the FBI advisory:

  • IT workers deliberately conceal their identities using non-Korean names as aliases.
  • IT workers deliberately conceal their locations and nationality online using virtual private networks (VPNs), virtual private servers (VPSs), or third-country IP addresses to appear as though they are connecting to the internet from inconspicuous locations.
  • IT workers generally rely on the anonymity of telework arrangements and may insist on communications through text-based chat instead of video calls.
  • IT workers often use stolen identity documents to set up fake online profiles and accounts, or produce counterfeit documents and forged signatures. The IT worker just adds their photo to the forged document, which could be a driver’s license, passport, work visa or utility statement.
  • IT workers may also falsify past statements of work agreements, invoices, client communication documentation, and other documents used to screen them for freelancing platforms. These falsified documents may have minimal contact details to deter verification.
  • IT workers who obtain freelance positions with an unwitting company have also been known to subsequently recommend to the company the freelance employment of additional IT workers.
  • IT workers may bid extensively on projects while having a low number of accepted project bids.

To mitigate the risk of hiring remote freelance IT workers, companies should contact former clients listed on invoices or work agreements shown in the worker’s past portfolio. Contact information for the former client should be derived from public business databases and not the contact information provided by the IT worker. The company can reject low-quality images submitted by the worker as verification of identity, as low image quality may be a sign of forgery. The company can require submission of a video verifying identity or conduct a video interview to verify identity.

Due Diligence When Interviewing a Remote Freelance IT Worker

Here are a few common warning signs to look for when hiring, per an article from SHRM:

  • Reluctance to appear on camera or an unwillingness to engage in video calls for project check-ins. Insist on video communication whenever possible to establish a visual connection and verify identity.
  • Suspicious behavior during coding tests and interviews. Watch for excessive pauses or eye movements that suggest reading from a script, which can indicate a lack of genuine expertise.
  • Discrepancies between online profiles and work portfolios or a lack of an online presence.
  • Be wary of repeated requests for prepayment.
  • Language preferences for a country that is not where the individual claims to be from.

Due Diligence When Managing a Remote Freelance IT Worker

If the IT worker has passed due diligence and is working on a project, these are some areas that should raise concern per the FBI advisory:

  • Requests to communicate with clients and potential clients on a separate platform other than the original freelance platform website where the client found the IT worker.
  • The employer proposes to send documents or work-related equipment such as a laptop to a developer, and the developer requests that the items be sent to an unknown address.
  • Requesting payment for contracts without meeting production benchmarks or check-in meetings.
  • Inability to conduct business during required business hours.
  • Incorrect or changing contact information, specifically phone numbers and emails.
  • Inability to be reached in a timely manner, especially through “instant” communication methods.
  • Threats to release proprietary source code if additional payments are not made.