Tom’s Hardware
Bruno Ferreira

North Korean fake IT army of 100,000 nets Kim Jong-Un a cool $500 million a year — NK-aligned workers infiltrated in IT companies worldwide, feeding the nation's revenue generation

IT worker hidden.

There's a secret North Korean army out there that's infiltrated hundreds, if not thousands, of western companies, operating under shadows and aliases. This might sound like the start of a Tom Clancy novel, but it actually refers to a long-running scheme in which North Korean IT workers use fake identities to get hired and paid, sending the money back to uncle Kim Jong-Un.

The detailed investigation, conducted by IBM X-Force and Flare Research, goes over how the 100,000-strong army brings in an approximate $500 million a year for Pyongyang's coffers — with some "workers" finagling themselves into income brackets of $300,000 a year. Interestingly enough, the main purpose of this initiative is revenue generation for the embattled country, rather than data exfiltration or other hacking.

Most prospective faux-workers are selected by the NK government at a young age if they display scientific and mathematical aptitude, and generally go through top-tier NK universities. The report specifically states it's unclear whether the candidates themselves are even aware that they'll be working for the NK government in this capacity. The preferred expertise set includes but isn't limited to .NET development, blockchain technology, WordPress and CMSes, and full-stack development.

The DPRK-aligned recruiters, who also might not be fully aware of the extent of their fraud, often tell candidates that they'll be working for a tech startup called "C Digital LLC," and they reportedly often express some confusion when asked to adopt a westernized name. Using an easy-to-understand first-name alias for better interacting with western companies is nothing new (I've witnessed it myself), but creating an entirely new persona is another ballgame entirely.

To sell the illusion of their persona, the candidates generate AI photos with AI home backgrounds, with the desired characteristics and ethnicity of the market they'll be targeting. They even go as far as making fresh GitHub identities, and copy dozens of repositories (instead of forking) so that their activity graph on the platform looks full and convincing. Letters of recommendation are also adeptly faked by investigating how the companies "making" the recommendation compose their e-mail addresses, and which software languages and products they use.

After this, the candidate enters a loop of sorts. While some of them might land full-time positions, most will be picking up temporary or freelance work — often multiple contracts at once. Then they start their "work," which will mostly consist of grabbing Jira tickets and small tasks, carefully translating them, running them through AI bots such as ChatGPT or Claude, and posting their solutions in whichever required form.

The workers also take good care to keep good English and maintain appearances for as long as possible. They don't always perform work, though, and can be in a revolving door of contracts. As for logistics, they generally use virtual machines and hired laptops in the target or nearby countries. The report talks about some cases in which westerners are roped into the scheme in a profit-sharing arrangement, for financial gain.

There are a handful of ironies and lessons in this story. First of all, the slide deck for candidates actually contains very solid resumé-building guidelines, as well as solid general job-hunting advice. Then there's dark humor considering that an educated, highly-motivated North Korean IT professional invested in maintaining his appearance of competence may well turn out to be a better employee than your average worker.
