North Korea’s IT operatives have shifted strategy and are recruiting freelancers to provide proxy status for remote work.
Employees connect with candidates on Upwork, Freelancer, and GitHub, where they guide them through setting up remote access software and passing identity verification, before moving the conversation to Telegram or Discord.
In an earlier incident, North Korean workers used fake identification documents to record remote work. According to Heiner García, a cyber threat intelligence expert and blockchain security researcher at Telefonica, operatives currently circumvent these barriers by working through authenticated users who hand over remote access to computers.
The real owner of the ID receives only one-fifth of the reward, with the remaining funds redirected to the operatives through cryptocurrencies or traditional bank accounts. By leveraging a real identity and local internet connection, operatives can bypass systems designed to flag high-risk areas and VPNs.
Inside North Korea’s evolving IT worker recruitment strategy
Earlier this year, Garcia set up a dummy cryptocurrency company and worked with Cointelegraph to interview suspected North Korean operatives seeking remote technology roles. The candidate claimed to be Japanese, but when asked to introduce himself in Japanese, he abruptly hung up.
Mr. Garcia continued the conversation via private message. The suspected operative asked him to purchase a computer and provide remote access.
This request matched a pattern that Garcia would later encounter. Evidence related to the suspicious profiles included onboarding presentations, recruitment scripts, and identification documents that were “reused many times.”
Related: North Korean spy makes slip-up and reveals relationship during fake job interview
Garcia told Cointelegraph:
They install AnyDesk or Chrome Remote Desktop and work from the victim’s machine, so the platform recognizes the domestic IP. ”
Those who handed over their computers “are victims,” he added. “They don’t realize it. They think they’re participating in a normal subcontract.”
According to chat logs he reviewed, new employees asked basic questions such as “How do we make money?” Also, I don’t do any technical work myself. Verify accounts, install remote access software, and keep devices online while operatives apply for jobs, talk to clients, and provide work under their own identities.
Most seem to be “victims” who are unaware of who they are dealing with, but some seem to know exactly what they are doing.
In August 2024, the U.S. Department of Justice arrested Matthew Isaac Nute of Nashville for operating a “laptop farm” that allowed North Korean IT workers to appear as U.S.-based employees using stolen identities.
Most recently, Christina Marie Chapman was sentenced to more than eight years in prison in Arizona for hosting a similar operation that funneled more than $17 million to North Korea.
A hiring model built around vulnerability
Our most highly regarded recruiters are in the United States, Europe, and parts of Asia, and a verified account provides access to high-value corporate jobs and reduces geographic restrictions. But Garcia also observed documents owned by individuals in economically unstable regions such as Ukraine and Southeast Asia.
“They’re targeting low-income people. They’re targeting vulnerable people,” Garcia said. “I even saw them trying to reach out to people with disabilities.”
North Korea has spent years infiltrating the high-tech and cryptocurrency industries to generate revenue and gain a foothold for its companies abroad. The United Nations says North Korea’s IT operations and cryptocurrency theft are suspected of funding the country’s missile and weapons programs.
Related: From Sony to Bybit: How Lazarus Group became a crypto supervillain
Garcia said this tactic goes beyond cryptocurrencies. In one case he reviewed, a North Korean worker used his stolen American identity to claim to be an architect from Illinois and bid on Upwork construction projects. Their client received the completed drafting work.
Despite the focus on crypto-related laundering, Garcia’s research found that traditional financial channels are also being exploited. The same identity proxy model allows illegal actors to receive bank payments in their legitimate names.
“It’s not just about cryptocurrencies,” Garcia said. “They do architecture, design, customer support, whatever they have access to.”
Why platforms still struggle to determine who is actually working
Recruitment teams are on high alert for the risk of North Korean operatives securing roles in remote locations, which are typically discovered only after unusual behavior raises red flags. Once an account is compromised, the attacker can switch to a new identity and continue working.
In one case, after an Upwork profile was suspended for excessive activity, an operative instructed a recruit to open a new account for a family member, according to verified chat logs.
This confusion of identity makes both accountability and belonging difficult. The people whose names and documents are on the account are often deceived, but the people who are actually doing the work are operating in another country and are not directly visible to the freelancing platform or clients.
The strength of this model is that anything that the compliance system recognizes appears to be legitimate. Your ID is real and your internet connection is local. On paper, the employee meets all the requirements, but the person behind the keyboard is a completely different person.
Garcia said requests to install remote access tools or allow someone to “work” on your verified account are the most obvious red flags. A legitimate hiring process doesn’t require you to manage devices or identities.
magazine: Bitcoin OG Kyle Chasse is one shot away from being permanently banned from YouTube