
North Korean fake IT army of 100,000 nets Kim Jong-Un a cool $500 million a year — NK-aligned workers infiltrated in IT companies worldwide, feeding the nation's revenue generation

Why This Matters

This investigation reveals a vast North Korean operation where 100,000 fake IT workers generate approximately $500 million annually by infiltrating Western companies with false identities. This scheme highlights the country's strategic use of cyber-enabled revenue streams, emphasizing the importance of cybersecurity vigilance and the potential economic impact of state-sponsored digital espionage. For consumers and the tech industry, it underscores the need for enhanced vetting processes and awareness of sophisticated geopolitical cyber threats.

Key Takeaways

There's a secret North Korean army out there that's infiltrated hundreds, if not thousands, of western companies, operating in the shadows under aliases. This might sound like the start of a Tom Clancy novel, but it actually refers to a long-running scheme in which North Korean IT workers use fake identities to get hired and paid, sending the money back to uncle Kim Jong-Un.

The detailed investigation, conducted by IBM X-Force and Flare Research, goes over how the 100,000-strong army brings in approximately $500 million a year for Pyongyang's coffers, with some "workers" finagling themselves into income brackets of $300,000 a year. Interestingly enough, the main purpose of this initiative is revenue generation for the embattled country, rather than data exfiltration or other hacking.

Most prospective faux-workers are selected by the NK government at a young age if they display scientific and mathematical aptitude, and generally go through top-tier NK universities. The report specifically states it's unclear whether the candidates themselves are even aware that they'll be working for the NK government in this capacity. The preferred expertise set includes but isn't limited to .NET development, blockchain technology, WordPress and CMSes, and full-stack development.

The DPRK-aligned recruiters, who also might not be fully aware of the extent of their fraud, often tell candidates that they'll be working for a tech startup called "C Digital LLC" and they reportedly often express some confusion when asked to adopt a westernized name. Using an easy-to-understand first-name alias for better interacting with western companies is nothing new (I've witnessed it myself), but creating an entirely new persona is another ballgame entirely.

To sell the illusion of their persona, the candidates generate AI photos with AI home backgrounds, with the desired characteristics and ethnicity of the market they'll be targeting. They even go as far as making fresh GitHub identities, and copy dozens of repositories (instead of forking) so that their activity graph on the platform looks full and convincing. Letters of recommendation are also adeptly faked by investigating how the companies "making" the recommendation compose their e-mail addresses, and which software languages and products they use.

After this, the candidate enters a loop of sorts. While some of them might land full-time positions, most will be picking up temporary or freelance work, often multiple contracts at once. Then they start their "work," which will mostly consist of grabbing Jira tickets and small tasks, carefully translating them, running them through AI bots such as ChatGPT or Claude, and posting their solutions in whatever form is required.
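For hiring teams, the GitHub persona pattern described above (a fresh account filled with copied rather than forked repositories) leaves metadata that can be checked during vetting. The following is an added example, not code from the IBM X-Force / Flare report: the thresholds, the function name and the `first_commit_at` field (earliest commit date, which a reviewer would derive from each repository's history) are assumptions, and the sample profiles are constructed.

```python
from datetime import datetime, timedelta

# Illustrative thresholds (assumptions, not values from the report).
FRESH_ACCOUNT = timedelta(days=180)   # account younger than this is "fresh"
BURST_WINDOW = timedelta(days=7)      # window used to spot bulk repo creation
MIN_REPOS = 10                        # minimum count before a pattern is flagged

def _ts(value):
    return datetime.fromisoformat(value)

def review_profile(account, repos, now):
    """Return review flags for a candidate's code-hosting profile."""
    created = _ts(account["created_at"])
    flags = []
    if now - created < FRESH_ACCOUNT:
        flags.append("fresh_account")
    # Copied (not forked) repos keep their old history but lose the fork marker.
    own = [r for r in repos if not r["fork"]]
    copied = [r for r in own if _ts(r["first_commit_at"]) < created]
    if len(copied) >= MIN_REPOS:
        flags.append("history_predates_account")
    # Sliding window: largest number of non-fork repos created within BURST_WINDOW.
    times = sorted(_ts(r["created_at"]) for r in own)
    burst, lo = 0, 0
    for hi, t in enumerate(times):
        while t - times[lo] > BURST_WINDOW:
            lo += 1
        burst = max(burst, hi - lo + 1)
    if burst >= MIN_REPOS:
        flags.append("bulk_repo_creation")
    return flags

# Constructed sample data: a two-month-old account holding 12 repos pushed in
# four days, each with commit history dated 2019 to 2021.
NOW = datetime(2025, 3, 1)
SUSPECT = {"created_at": "2025-01-10T00:00:00"}
SUSPECT_REPOS = [{"name": f"proj-{i}", "fork": False,
                  "created_at": f"2025-01-{11 + i % 4:02d}T09:00:00",
                  "first_commit_at": f"20{19 + i % 3}-06-01T12:00:00"}
                 for i in range(12)]
# Constructed sample data: a long-lived account with repos added over years.
ESTABLISHED = {"created_at": "2016-05-02T00:00:00"}
ESTABLISHED_REPOS = [{"name": f"lib-{i}", "fork": i % 2 == 0,
                      "created_at": f"{2017 + i}-03-01T09:00:00",
                      "first_commit_at": f"{2017 + i}-03-01T10:00:00"}
                     for i in range(6)]

if __name__ == "__main__":
    print(review_profile(SUSPECT, SUSPECT_REPOS, NOW))
    print(review_profile(ESTABLISHED, ESTABLISHED_REPOS, NOW))
```

Treat the flags as a prompt for manual review rather than a verdict: a developer who migrated projects from another host produces the same pattern, and commit dates are set by the author.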
