Threat Analysis
Investigation: Probable DPRK Online Personas Used To Fraudulently Obtain Remote Employment at U.S. Companies
Executive Summary
Nisos investigators identified a number of online personas probably used by Democratic People’s Republic of Korea (DPRK, a.k.a. North Korea) information technology (IT) workers to fraudulently obtain remote employment from unwitting companies in the United States. IT workers, like the ones identified, provide a critical stream of revenue that helps fund the DPRK regime’s highest economic and security priorities, such as its weapons development program, and may also leak intellectual property (IP) and other sensitive information to the DPRK. Hiring DPRK employees is a violation of U.S. and United Nations (UN) sanctions.
The identified personas claim to have highly sought-after technical skills and experience and often represent themselves as U.S.-based teleworkers, but Nisos investigators found indications that they are based abroad. Boasting expert-level skills in mobile and web-based applications as well as a number of programming languages, the personas also list significant remote work experience, which can be difficult to verify. The personas further obfuscate their identities by impersonating U.S.-based individuals’ identities and/or copying resume content from publicly visible profiles of unassociated individuals, which makes the personas harder to identify.
Investigators found the following commonalities in the personas’ profiles and resumes:
- Personas claim to have experience developing web and mobile applications, knowledge of multiple programming languages, and an understanding of blockchain technology.
- Personas have accounts on employment and people information websites as well as IT industry-specific freelance contracting platforms, software development tools and platforms, and common messaging applications, but typically lack social media accounts, suggesting that the personas are created solely for the purpose of acquiring employment.
- Photos of the same individual are used to create multiple personas.
- Personas have several accounts with the same name and photo that are sometimes associated with different locations, some of which are abroad.
- Personas’ accounts contain only minimal information, and some of the resume content on the accounts is likely copied from real individuals in the IT industry.
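One way a hiring or trust and safety team could check applicant records for the commonalities above (an added example, not Nisos code). The record fields, flag names, sample profiles and the 0.5 overlap threshold are assumptions, and photo_id stands in for a precomputed image hash.

```python
from collections import defaultdict

# Constructed sample records (not real people, not data from the report).
# Field names are assumptions; photo_id stands in for a precomputed image hash.
REFERENCE_RESUMES = ["Senior engineer building web and mobile applications with React Native and Node"]
PROFILES = [
    {"id": "p1", "name": "Alex Reed", "photo_id": "img-A", "location": "Austin, US",
     "platforms": {"job_board", "freelance"}, "resume": REFERENCE_RESUMES[0]},
    {"id": "p2", "name": "Alex Reed", "photo_id": "img-A", "location": "Singapore",
     "platforms": {"freelance", "messaging"}, "resume": "Full stack developer, blockchain experience"},
    {"id": "p3", "name": "Brian Cole", "photo_id": "img-A", "location": "Austin, US",
     "platforms": {"job_board"}, "resume": "Mobile developer focused on remote technology roles"},
    {"id": "p4", "name": "Dana Fox", "photo_id": None, "location": "Denver, US",
     "platforms": {"job_board", "social_media"}, "resume": "Backend developer for payment services in Go"},
]

def shingles(text, k=3):
    """Set of k-word windows, used to compare resume wording."""
    words = text.lower().split()
    return {" ".join(words[i:i + k]) for i in range(len(words) - k + 1)}

def overlap(a, b):
    """Jaccard similarity of two resumes' shingle sets (0.0 when either is too short)."""
    sa, sb = shingles(a), shingles(b)
    return len(sa & sb) / len(sa | sb) if sa and sb else 0.0

def screen(profiles, references, threshold=0.5):
    """Return {profile id: sorted review flags}; a flag prompts manual review only."""
    flags, by_photo, by_identity = defaultdict(set), defaultdict(list), defaultdict(list)
    for p in profiles:
        if p["photo_id"] is not None:          # accounts without a photo cannot be grouped
            by_photo[p["photo_id"]].append(p)
            by_identity[(p["name"], p["photo_id"])].append(p)
    for group in by_photo.values():            # one photo used under several names
        if len({p["name"] for p in group}) > 1:
            for p in group:
                flags[p["id"]].add("photo_reused_under_different_names")
    for group in by_identity.values():         # same name and photo, several locations
        if len({p["location"] for p in group}) > 1:
            for p in group:
                flags[p["id"]].add("same_identity_multiple_locations")
    for p in profiles:
        if "social_media" not in p["platforms"]:
            flags[p["id"]].add("no_social_media_presence")
        if any(overlap(p["resume"], r) >= threshold for r in references):
            flags[p["id"]].add("resume_matches_public_profile")
    return {pid: sorted(f) for pid, f in flags.items()}
```

Calling screen(PROFILES, REFERENCE_RESUMES) returns flags for p1, p2 and p3 and nothing for p4; any single flag is weak on its own, so the count and combination per profile is what to triage on.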
Background
On 16 May 2022, the U.S. Department of State, the U.S. Department of the Treasury, and the Federal Bureau of Investigation (FBI) issued an advisory for the international community, the private sector, and the public, which warned of attempts by DPRK IT workers to obtain employment while posing as non-North Korean nationals.
According to the advisory, all DPRK IT workers earn money to support North Korean leader Kim Jong Un’s regime. The vast majority of them are subordinate to and working on behalf of entities directly involved in the DPRK’s UN-prohibited Weapons of Mass Destruction (WMD) and ballistic missile programs, as well as its advanced conventional weapons development and trade sectors. This results in revenue generated by these DPRK IT workers being used by the DPRK to develop its WMD and ballistic programs, in violation of U.S. and UN sanctions. Many of these entities have been designated for sanctions by the UN and United States. (See source 1 in appendix)
Skills and Interests
Investigators found that the personas often claimed to be proficient in developing several different types of applications and have experience working with crypto and blockchain transactions. Further, all of the personas sought remote-only positions in the technology sector and were singularly focused on obtaining new employment.
Online Presence
Nisos investigators found that although the personas are often active on professional networking sites, IT industry-specific freelance contracting platforms, software development platforms, and common messaging applications, they are usually not active on social media platforms. Nisos assesses that the accounts were created solely for the purpose of acquiring employment. Investigators found instances of several accounts, associated with a persona, using the same picture but different names; other accounts lacked profile photos. Investigators also found that many of the accounts are only active for a short period of time before they are disabled. Nisos assesses the accounts remained active only for a short period of time because they were created in support of an application for a specific position or were flagged for fraudulent behavior and removed by the platform provider.
The reporting contained herein from the Nisos research organization consists of analysis reflecting assessments of probability and levels of confidence and should not necessarily be construed as fact. All content is provided on an as-is basis and does not constitute professional advice, and its accuracy reflects the reliability, timeliness, authority, and relevancy of the sourcing underlying those analytic assessments.