North Korea has produced the most fearsome hackers crypto has ever seen. But what if I told you that Kim Jong-un's devious devs could also be behind your favorite Solana protocol, or the next killer app on Cosmos? These are just two of the very real possibilities created by the DPRK IT worker phenomenon. Stay tuned as we investigate the shocking truth behind North Korea's global tech worker program and the threat it poses to our bags.

My name is Guy and you're watching the Coin Bureau. The story of Western companies inadvertently hiring North Korean IT workers has returned to the headlines in a big way recently after a renewed warning from the FBI, and since crypto is a magnet for North Korean IT workers, you just know we had to take a closer look at this.

Now, when it comes to reporting on North Korea, aka the DPRK, solid evidence is usually pretty thin on the ground, so we were very pleased when we read the latest report from Mandiant, a subsidiary of Google specializing in cyber threat intelligence. Since 2009, Mandiant has been documenting trends in cyber threats from its incident investigations in an annual report called M-Trends. Mandiant says the 2025 edition compiles data from more than 450,000 hours of incident response engagements globally in 2024. The top trends this year see the usual suspects like exploits, malware and ransomware joined by a fresh new category: DPRK IT workers.
This niche cyber threat, posed by Western companies unknowingly hiring North Korean IT workers, has been making headlines since 2022, but according to Mandiant it has typically accounted for a negligible proportion of its incident response investigations. This, though, has now changed, as Mandiant writes how DPRK IT workers, quote, "emerged as a surprisingly consequential initial infection vector in 2024". This led to insider threat representing 5% of identified initial infection vectors. According to the report, DPRK IT workers were the single most frequently observed cyber threat group in the Americas last year. Mandiant CTO Charles Carmakal recently claimed, quote: "I've talked to a lot of CISOs at Fortune 500 companies and nearly everyone that I've spoken to about the North Korean IT worker problem has admitted they've hired at least one North Korean IT worker, if not a dozen or a few dozen."

Now that is an absolutely mental and indeed terrifying statistic. So just how many of these workers have Western companies hired? Well, Mandiant estimates them to number in the thousands, but putting a precise figure on it is complicated because individuals maintain multiple online personas in order to get hired in multiple remote positions, sometimes within the same company. One suspected DPRK IT worker identified by Mandiant last year was using at least 12 personas to seek employment in the US and Europe, and last month the US cyber security firm SentinelOne revealed that it had received around 1,000 job applications from DPRK IT workers. In 2023, Reuters spoke to an anonymous source who claimed to be a former worker in this program. He said that DPRK IT workers make 40 to 50 LinkedIn profiles per year in order to land a job, and freelance if they can't get hired. For example, in one case last year a candidate for Oregon state legislature paid a DPRK IT freelancer $2,000 to update her website. By all accounts they did a stellar job, and she actually won her race. For the worker, though, this was just a stopgap until they got hired for at least one full-time IT job.

Now, to this end they use identities that are stolen, fabricated or both, with CVs that boast a wide range of technical proficiency and extensive employment and educational backgrounds. Many DPRK IT workers hinder educational background checks by claiming to have studied abroad at international universities, which may be more difficult for the employer to approach for verification. Some workers have also been observed creating a social media trail to support their claims by, for example, interacting with staff at the universities they purport to have graduated from. Of course, competition for high-paid IT jobs is fierce, but DPRK IT workers apparently make for outstanding candidates. According to Mandiant, DPRK IT workers have been hired in America's financial services, telecommunications, media and entertainment, retail and tech industries. US court documents alleged that their employers have included, quote, "a top five major television network, a Silicon Valley technology company, an aerospace and defense company, an American car manufacturer, a luxury retail store, and a US-hallmark media and entertainment company". In some cases Mandiant found multiple suspected DPRK workers hired by the same company, with some companies hiring up to 10 of them. In another case, two false identities were under consideration for a job in a US company, with one DPRK IT worker winning out over the other. Mandiant also observed cases of companies hiring DPRK workers on the recommendation of another already in their employ.

Unfortunately, we may never know the full extent of DPRK worker hiring by Western organizations because of underreporting. Employers quite rightly fear the legal ramifications of paying agents of a government under heavy economic sanctions. Knowingly or unknowingly hiring one of these workers exposes them to major compliance risks; it's at the very least embarrassing for the organizations doing the hiring. On the flip side, though, it's to the credit of the DPRK's heavy investments in English and STEM education that so many of their graduates are routinely outcompeting Americans near the very top of the US job market. Maintaining a single cover identity in a foreign language must be a taxing endeavor, but to successfully juggle multiple identities, each performing its own senior tech job, is nothing short of impressive.
Now, if it wasn't clear already, DPRK IT workers are a phenomenon of the remote work age, since they are not physically present in the countries that they claim to live in. They are allegedly based mostly in China and Russia, with smaller groups supposedly operating in parts of Africa and Southeast Asia. Google and OpenAI recently claimed that DPRK IT workers had been using ChatGPT and Gemini to research job opportunities and prepare applications, including generating cover letters and interview question responses, researching salaries for specific jobs, asking about jobs on LinkedIn, and obtaining information about overseas employee exchanges. But for the job seekers, the most precarious part of the hiring process is a video interview. DPRK workers have been known to avoid appearing on camera, and on occasion they've been recorded using face-swapping filters. In one case, the company immediately spotted their very strange-looking interviewee using a filter and asked them to put their hand in front of their face; when the interviewee failed to do so, the interview was quickly terminated. Now, this technology will only improve and become more difficult to detect in the future, but for the time being face swapping is crude and easily foiled.
However, face-swapping filters seem to be an edge case, and many candidates successfully pass video interviews without them. One candidate who landed a face-to-face video interview with Kraken was exposed after the suspicious interviewer started asking prying questions about the restaurants in the part of Texas he claimed to live in. In this case, Kraken had already suspected that something was amiss prior to the interview, and this may be thanks to the crypto industry's long experience with DPRK cyber threats. However, other industries less accustomed to being targeted by the DPRK tend to be less vigilant, and when employers are met with a candidate offering exactly what they need, they often don't suspect a thing, leading to many DPRK workers getting hired.

Now, for the workers themselves, the ideal job allows them to use their own devices to connect to the corporate environment. In such cases, all they need is a VPN terminating in a Western country, and they can simply adjust their working hours to match those of the country they're supposed to be living in. Astrill VPN seems to be a particularly popular choice, showing up in almost 3/4 of Mandiant's investigations. However, in the era of remote work it's become common for organizations to provide newly hired remote workers with a corporate laptop, to gain greater control and visibility over the systems that connect back to the corporate environment. Now, this might sound like a fatal gotcha moment for DPRK workers, because shipping a laptop to their real location would ring alarm bells for the employer, but this is in fact easily solved by paying so-called facilitators overseas to receive the laptops at a more agreeable address. Facilitators have been identified in the US, UK and mainland Europe, where they can also help with receiving and cashing paychecks and showing up to in-person drug tests. After receiving a corporate laptop, facilitators either ship it to the DPRK worker's real location or to a remote laptop farm in the country in which the employer is headquartered. These farms are run by facilitators who ensure the laptop remains active and install remote access software, providing a stable location from which network connections will be sourced.

And after a DPRK IT worker aces their interview, dazzles HR and is onboarded to a Western organization, their risk of detection drops sharply. With a VPN or laptop farm providing a network connection from within a Western country, their footprint becomes indistinguishable from that of an IT worker that isn't working for one of the world's most sinister regimes. Late last year, a US grand jury indictment against a suspected facilitator estimated that their laptop farm affected more than 300 US companies using around 70 stolen identities, and this facilitator has since been identified as Christina Chapman, an American citizen who pleaded guilty in February to conspiracy to commit wire fraud, aggravated identity theft, and conspiracy to launder monetary instruments. The scheme reportedly made around $17 million for Chapman and the DPRK.

Now, the report points out that, quote, "Many of the suspected DPRK IT worker cases Mandiant investigated in 2024 stemmed from notifications provided to impacted organizations by law enforcement organizations."
In other words, in many cases the DPRK IT workers' employers don't suspect a thing until they get a call from the FBI, and these calls can be pretty disheartening for the employers, who are told they need to let go of their star employee. Back in April, FBI special agent Elizabeth Pelker told an IT security conference in San Francisco, quote: "I think more often than not I get the comment of 'Oh, but Johnny is our best performer, do we actually need to fire him?'"

And this leads me to the question of what exactly DPRK workers do when they're employed by Western companies. As Mandiant observes, remote workers often gain elevated access to modify code and administer network systems, and this makes them very well positioned to perform a variety of malicious activities, including corporate espionage, intelligence gathering and intellectual property theft. But funnily enough, there is limited evidence of them doing any such thing, and this is emphasized throughout Mandiant's report, quote: "In incident response engagements to date, North Korean IT workers have primarily functioned within the scope of their job responsibilities. The actions taken rarely, if ever, step into the category of malicious activity commonly associated with threat actors. Instead, their activity blends into legitimate network traffic almost entirely. DPRK IT workers enjoy a substantially reduced detection footprint as their day-to-day workflows are often indistinguishable from those of legitimate employees." The report concludes that, quote, "the organizations DPRK IT workers target appear to align more with opportunistic targeting than with a given targeting objective. Additionally, the limited instances of direct malicious cyber activity point more towards targeting of high-paying job roles."

In case after case, the strategy appears to be doing a hard day's work and collecting a monthly paycheck like everyone else. It turns out that IT jobs in the US pay so well that simply applying for and performing as many roles as possible can provide a meaningful source of revenue for the government of the DPRK. So if it wasn't already clear, the reason the DPRK is doing this is because it needs money to continue functioning but is shut off from all legitimate means of generating revenue by a global regime of UN and unilateral sanctions. The sanctions amount to a total ban on DPRK-related trade, investment and financial transactions, strangling the North Korean economy. Cracks have, though, started appearing in the global sanctions regime this decade, mostly as a side effect of the worsening of relations between Western powers and Russia and China. However, this has not come anywhere near to undoing the damage done by the brutal sanctions imposed after 2016, which caused the DPRK's international trade to fall 90% by 2019. According to last year's sanctions impact assessment from South Korea's Institute for National Security Strategy, the DPRK's international trade is still a fraction of 2016 levels. The sanctions have led to persistent negative growth and worsening energy instability, with manufacturing and mining output hobbled by electricity and raw material shortages. Private loans for business financing have been falling while those designated for living expenses are on the rise, consistent with diminished supply and demand attributed to the impact of sanctions. In other words, the DPRK's economy is in desperate trouble, and naturally desperate times call for desperate measures.

And this is how the DPRK ended up going underground, so to speak, to look for alternative sources of revenue. In the 1990s it was counterfeit cigarettes and pharmaceuticals, and today it's patriotic STEM graduates living the American dream on behalf of Pyongyang. And if individual IT professionals juggling multiple tech jobs are able to generate a few hundred thousand per year for the government through this program, well, it's a worthwhile public enterprise for the DPRK. But if you're wondering how much money this program brings in in total, you're not alone, because the data is pretty thin here. Last year, a report for the UN Security Council Committee assessed the revenue generated by the estimated 100,000 overseas DPRK workers. For DPRK IT workers, the report relied on two main sources: US government estimates and the anonymous defector cited in that 2023 Reuters article. The defector and former IT worker told Reuters that all IT workers are expected to earn at least $100,000 annually, of which 30 to 40% is repatriated to Pyongyang. He also estimated there were around 3,000 others like him overseas and another 1,000 based within the DPRK. So if we generously assume that all 4,000 are employed and earning $100,000 per year, that makes $400 million, and if 40% of earnings are repatriated by the overseas cohort, that leaves Pyongyang with $120 million from them. And if we also assume that 100% of the earnings of the cohort within the DPRK goes straight to the national treasury, well, that's another $100 million. So we can roughly estimate a net annual income of about $220 million based on this source's information.
This contrasts with the US government's estimate of $250 million to $600 million per year, so let's call it a $200 to $600 million ballpark. To put this in perspective, the same UN report pegs the amount of revenue generated by DPRK-run restaurants in foreign countries at $700 million, so on the hierarchy of economic significance the IT worker program apparently sits somewhere below North Korean cuisine. And both of these enterprises combined pale in comparison to the adventures of the Lazarus Group. They were allegedly behind February's blockbuster Bybit hack, which raked in almost $1.5 billion worth of crypto in a matter of hours. That's almost five times greater than the DPRK's total export volume for 2023.

But if this IT worker program is primarily a revenue-generating scheme for the DPRK, for the countries on the other end of the employment contract it's a matter of national security. Although malicious activity to date has been rare, this could change quite easily.
Last year, Mandiant observed two cases of malicious activity, both of which took place after a DPRK IT worker was exposed. With the game up, they resorted to extortion as an exit strategy, demanding money in exchange for promises not to publish confidential corporate data. We may see more cases like this in the future as more Western companies catch on and start exposing their DPRK sleeper agents. The FBI and the media have been loudly raising the alarm in recent months, and their concerns are being heeded in Pyongyang, which appears to be diversifying its tactics. However, there's not much evidence to support recent claims that extortion cases are increasing as a result. Rather than switching to attack mode, the DPRK IT worker program seems to be broadening its geographical horizons. As US employers become more vigilant, the IT worker program has been increasing its presence in Europe. Google alleges that it now operates in 40 countries, and we were interested to learn that facilitators in the UK have been helping the country become a hub of DPRK crypto developer activity. Google's Threat Intelligence Group recently reported that DPRK IT workers have been building projects on Solana, Cosmos and an unspecified blockchain AI web app. Unsurprisingly, many of them also seem to be getting paid in crypto. Come to think of it, they're probably on crypto Twitter too. Hm, I wonder if they're following us.

Anyway, for the time being we don't know the true extent of non-hacking DPRK activity in crypto, but it's probably quite bearish if your dev is a North Korean. No offense, it's just a compliance thing. I know crime is legal nowadays, but, well, even Trump's SEC might not let that one slide. So there's much to think about here, and doubtless a lot more to come from this story. I'll leave it there for now, but if you want to learn more about the DPRK's crypto escapades then do check out our full breakdown of the Bybit hack, which you can find right over here. As always, thank you for watching, and I'll see you next time. This is Guy, over and