North Koreans use fake names and scripts to get remote IT work for money

LONDON, Nov 21 (Reuters) – Using fake names, fake LinkedIn profiles, counterfeit job documents and simulated interview scenarios, North Korean IT workers seeking jobs at Western tech companies are deploying sophisticated subterfuges to get hired.

Landing a job outside North Korea to secretly earn hard currency for the isolated country requires highly developed strategies to convince Western hiring managers, according to documents reviewed by Reuters, an interview with a former North Korean computer scientist and cybersecurity researchers.

North Korea has sent thousands of computer scientists abroad, an effort that has accelerated over the past four years, to raise millions of dollars to finance Pyongyang’s nuclear missile program, according to the United States. United States, South Korea and the United Nations.

“People are free to express their ideas and opinions,” reads an interview script used by North Korean software developers that offers suggestions on how to describe a “good company culture” when asked. Expressing one’s thoughts freely can be punishable by imprisonment in North Korea.

The scripts, totaling 30 pages, were discovered by researchers at Palo Alto Networks (PANW.O), a US cybersecurity company who discovered a cache of internal documents online detailing the operation of South Korea’s remote IT staff. North.

The documents contain dozens of fraudulent resumes, online profiles, interview notes and fake identities that North Korean workers used to apply for software development jobs.

Reuters found further evidence in leaked darkweb data that revealed some of the tools and techniques used by North Korean workers to convince companies to employ them in jobs as far away as Chile, New Zealand, the United States, Uzbekistan and the United Arab Emirates.

The documents and data reveal the intense efforts and subterfuge undertaken by North Korean authorities to ensure the success of a project that has become a foreign currency lifeline for the cash-strapped regime.

North Korea’s U.N. mission did not respond to a request for comment.

Remote IT workers can earn more than ten times what a conventional North Korean worker working overseas in construction or other manual labor jobs, the U.S. Department of Justice (DOJ) said in 2022, and their teams can collectively earn more than $3 million per year.

Reuters was unable to determine how much this project has generated over the years.

Some scripts, designed to prepare workers for interview questions, contain excuses for why they need to work remotely.

“Richard”, a senior embedded software developer, said: “I (flew) to Singapore several weeks ago. My parents got Covid and I (decided) to be with members of my family for a while. Now I’m planning to move back to LA. Angeles in three months. I think I might start working remotely right now and then I’ll be on board when I get back to LA.

A North Korean IT worker who recently defected also reviewed the documents and confirmed their authenticity to Reuters: “We were creating 20 to 50 fake profiles a year until we were hired,” he said.

He looked at the scripts, data and documents and said it was the exact same thing he was doing because he recognized the tactics and techniques used.

“Once hired, I would create another fake profile to get a second job,” said the employee, who spoke on condition of anonymity, citing security concerns.

In October, the DOJ and Federal Bureau of Investigation (FBI) seized 17 website domains allegedly used by North Korean computer scientists to defraud companies and $1.5 million in funds.

North Korean developers working at U.S. companies hid behind pseudonymous email and social media accounts and generated millions of dollars a year on behalf of sanctioned North Korean entities through the system, the ministry said of Justice.

“There is a risk for the North Korean government as these privileged workers are exposed to dangerous realities of the world and the imposed backwardness of their country,” said Sokeel Park of Liberty in North Korea (LINK), an organization that works with the defectors.

hard cash

Last year, the U.S. government said North Korean IT workers were primarily based in China and Russia, with some in Africa and Southeast Asia, and could each earn up to $300,000 a year .

Based on his experience, the former IT worker said everyone should earn at least $100,000, of which 30 to 40 percent is repatriated to Pyongyang, 30 to 60 percent is spent on overhead and 10 to 30 percent is pocketed by workers.

He estimates there were about 3,000 others like him overseas and another 1,000 based in North Korea.

“I worked to earn foreign currency,” he told Reuters. “It differs from person to person, but basically, once you get a remote job, you can work for as little as six months or even three to four years.”

“When you can’t find work, you’re self-employed.”

The researchers, part of Palo Alto’s Unit 42 cyber research division, made the discovery while examining a campaign by North Korean hackers targeting software developers.

One of the hackers left the documents exposed on a server, Unit 42 said, indicating there are ties between the North Korean hackers and its IT workers, although the defector said the spying campaigns were reserved for a privileged few: “Pirates are trained separately. These missions are not given to people like us,” he said.

Yet there is a crossover. The DOJ and FBI have warned that North Korean IT workers could use this access to hack their employers, and some of the leaked resumes included experience at cryptocurrency companies, an industry long targeted by North Korean hackers .

Fake identities

Data from Constella Intelligence, an identity investigation company, showed that one of the workers had accounts on more than 20 independent websites in the United States, Britain, Japan, Uzbekistan, in Spain, Australia and New Zealand.

The worker did not respond to an emailed request for comment.

The data, gathered from darkweb leaks, also revealed an account on a website selling digital templates to create realistic-looking fake identity documents, including driver’s licenses, visas and US passports , Reuters discovered.

Documents discovered by Unit 42 included resumes for 14 identities, a fake U.S. green card, interview scripts and evidence that some workers purchased access to legitimate online profiles in order to appear more authentic.

The “Richard” from Singapore who was looking for a remote IT job appeared to be referring to a fake profile called “Richard Lee” – the same name on the green card. The U.S. Department of Homeland Security did not respond to a request for comment.

Reuters found a LinkedIn account for one Richard Lee with the same profile photo that mentioned his experience at Jumio, a digital identity verification company.

“We have no record of Richard Lee having been a current or former employee of Jumio,” a Jumio spokesperson said. “Jumio has no evidence to suggest that the company ever had a North Korean employee on its staff.”

Reuters sent a message to the LinkedIn account seeking comment but received no response. LinkedIn removed the account after receiving requests for comment from Reuters.

“Our team uses information from a variety of sources to detect and remove fake accounts, as we did in this case,” a spokesperson said.

Our Standards: The Thomson Reuters Trust Principles.