Democratic People's Republic of Korea Leverages U.S.-Based Individuals to Defraud U.S. Businesses and Generate Revenue

The Federal Bureau of Investigation (FBI) is warning the public and private sector of the threat posed to U.S. businesses by Information Technology (IT) workers from the Democratic People's Republic of Korea (North Korea). North Korea is evading U.S. and U.N. sanctions by targeting private companies to illicitly generate substantial revenue for the regime. North Korean IT workers use a variety of techniques to obfuscate their identities, including leveraging U.S.-based individuals, both witting and unwitting, to gain fraudulent employment and access to U.S. company networks to generate this revenue.

These witting and unwitting U.S.-based individuals provide a U.S.-based location for companies to send devices, enabling North Korean IT workers to circumvent controls companies may have in place to prevent the hiring of illicit, overseas workers as well as controls intended to prevent unauthorized access to company networks by North Korean IT workers, including through the unauthorized installation of remote access software. North Korean IT workers' activities illegally violate U.S. and U.N. sanctions and threaten the security of the targeted companies. Companies that outsource IT work support to third-party vendors can face additional vulnerabilities since these companies are removed from the direct hiring process.

Specifically, U.S.-based facilitators have provided the following services to North Korean IT workers:

A U.S.-based internet connection enabled through U.S. company laptops received on their behalf by facilitators in the United States.
Setup of U.S.-based infrastructure, including by enabling remote desktop connections to U.S. company laptops through protocols or remote desktop connection software download and installation.
Reshipment of U.S. company laptops to North Korean IT workers overseas.
Setup of financial accounts for North Korean IT workers. Some U.S.-based facilitators receive shares of the proceeds earned through North Korean IT worker employment schemes.
Creation of accounts on popular job search sites for use by North Korean IT workers.
Assistance purchasing and funding web services, such as artificial intelligence models and background check programs for use by North Korean IT workers.
Attendance at virtual interviews and meetings on behalf of North Korean IT workers; and
Creation of U.S.-based front businesses, including businesses purporting to offer short-term technical contract workers.

Tips to Protect Yourself

Implement identity verification processes during hiring, onboarding, and throughout the employment of any remote worker.
Educate HR staff, hiring managers, and development teams regarding this threat.
Monitor applicants for changes in addresses, particularly after being hired but before laptops are delivered to the applicant-provided address.
Note unusual network traffic, to include remote connections to devices, and monitor environments for presence of remote desktop protocols or software that is prohibited.
Note inconsistencies in interviews, especially applicants being unable to field questions about where they are located or key details about their past.
Note increased noise during interviews or sounds as if an applicant is surrounded by others doing similar work.
Verify all remote workers' identification information at E-Verify.gov.
Note errors derived in the hiring process from the E-Verify check and request in-person or other reliable means of verification.
Ensure that third-party staffing firms conduct robust hiring practices to fill jobs, routinely audit hiring practices, and flag changes in address or payment platforms.

Tips to Protect Yourself

Remain cautious regarding seemingly random outreach on job-seeking sites and social media platforms for remote positions, account sharing, and virtual assistant-type positions.
Remain alert regarding outreach for job positions involving the receipt of packages in return for portions of proceeds derived from jobs affiliated with delivered equipment.
If you receive a W-4, 1099-NEC, or other IRS form for a job that you did not hold, you should contact the business who provided it as well as the FBI.
Consider placing a Self-Lock through E-Verify.gov to protect your identity from being used in employment-related identity fraud.

Reporting

If you are a business that has fallen victim to a North Korean IT worker scheme or suspect that you or your business have been approached by a North Korean IT worker, the FBI recommends taking the following actions:

Report to the FBI's Internet Crime Complaint Center (IC3) at www.IC3.gov immediately.
Evaluate network activity from the suspected employee and their assigned device and use internal intrusion detection software to capture activity on the suspected device.

Reference

In 2022 and 2023 the United States, along with foreign partners, issued public advisories involving North Korean IT workers that described how they operate and provided red flag indicators along with due diligence measures for businesses to avoid hiring North Korean IT workers. The Republic of Korea and the Government of Japan have also alerted the public regarding North Korean IT workers.