The US. State Department and Federal Bureau of Investigation, in coordination with partners from the Republic of Korea Ministry of Foreign Affairs, National Police Agency, and National Intelligence Service are releasing a joint public service announcement (PSA) with updated guidance on red flag indicators and due diligence measures to help companies avoid hiring Democratic People’s Republic of Korea (DPRK) information technology (IT) workers posing as non-DPRK nationals.
The PSA updates guidance in the DPRK IT Worker Advisories released in 2022 by the United States and the Republic of Korea in May and December, respectively.
The October 17 announcement of FBI and DOJ action against DPRK IT workers reinforces the importance of tackling this issue. DPRK IT workers continue to take advantage of demand for specific IT skills such as software and mobile application development while fraudulently obtaining employment contracts around the world, including in the United States. This action leads to companies unwittingly hiring DPRK IT workers.
Hiring or supporting DPRK IT workers – knowingly or unknowingly – poses many risks, ranging from theft of intellectual property, data, and funds, to reputational harm and legal consequences, including under U.S., ROK, and UN sanctions. Illicit DPRK revenue-generating activities support the regime’s priorities like development of its unlawful weapons of mass destruction (WMD) and ballistic missile programs, which threaten international peace and security and violate multiple UN Security Council resolutions.
This update identifies new tradecraft used by DPRK IT workers since the release of the 2022 advisories, including new indicators of potential DPRK IT worker activity and additional due diligence measures the international community, private sector, and public can take to prevent the hiring of DPRK IT workers. The hiring or supporting of DPRK IT workers continues to pose many risks, ranging from theft of intellectual property, data, and funds, to reputational harm and legal consequences, including sanctions under U.S., ROK, and United Nations (UN) authorities.
Additional Red Flag Indicators of Potential DPRK IT Worker Activity:
- Unwillingness or inability to appear on camera, conduct video interviews or video meetings; inconsistencies when they do appear on camera, such as time, location, or appearance.
- Undue concern about requirements of a drug test or in person meetings and having the inability to do so.
- Indications of cheating on coding tests or when answering employment questionnaires and interview questions. These can include excessive pausing, stalling, and eye scanning movements indicating reading, and giving incorrect yet plausible-sounding answers.
- Social media and other online profiles that do not match the hired individual's provided resume, multiple online profiles for the same identity with different pictures, or online profiles with no picture.
- Home address for provision of laptops or other company materials is a freight forwarding address or rapidly changes upon hiring.
- Education on resume is listed as universities in China, Japan, Singapore, Malaysia, or other Asian countries with employment almost exclusively in the United States, the Republic of Korea, and Canada.
- Repeated requests for prepayment; anger or aggression when the request is denied.
- Threats to release proprietary source codes if additional payments are not made.
- Account issues at various providers, change of accounts, and requests to use other freelancer companies or different payment methods
- Language preferences are in Korean but the individual claims to be from a non-Korean speaking country or region.
Additional Due Diligence Measures Clients Seeking Freelance Workers Can Consider to Prevent Inadvertent or Unwitting Hiring of DPRK IT Workers:
- If using third party staffing firms or outsourcing companies, request documentation of their background check processes. If this cannot be readily provided by a company, assume it did not conduct the background check and conduct your own.
- If using a staffing company or third-party software developers for IT work, conduct due diligence checks on the individuals the company provides to you for work. Even if you conduct a background on a company, you may not fully understand their background check process.
- Do not accept background check documentation provided by untrusted or unknown authorities. Provide them a release form that allows you to conduct the background check on their behalf instead of having a background check completed by their local authorities.
- Request voided checks or certified documentation from their financial institution with their account information.
- Verify check numbers and routing numbers match an actual bank and do not belong to a money service business. Money service businesses use receiving depository financial institutions (RDFIs), which provide checking and routing information mirroring that of actual banking information.
- Keep records, including recordings of video interviews, of all interactions with potential employees.
- Prevent remote desktop protocol from being used on all company devices and prohibit using remote desktop applications for work.
- Lock down all administrative permissions and install insider threat monitoring software on company devices.
- Require signature delivery for company devices and ensure devices are not mailed to addresses other than designated work locations.
- Require notarized proofs of identity.
- During video verification, require individuals to physically hold driver's licenses, passports, or identification documents up to camera. Consider having them show their location by having the camera directed outside.
- Regularly geo-locate company laptops to verify they match the logins of employees' addresses.
- Require freelancers to shut off commercial VPNs when accessing company networks.
- Use Zero Trust and Need-to-Know policies. Avoid granting access to proprietary information, if possible.
- Use only reputable online freelance platforms that offer robust measures to verify identities and qualifications of freelance workers.
- Avoid recruiting freelance workers directly through online IT competitions and apply reinforced measures to verify their identities.
Recent Enforcement Actions:
October 17 the U.S. seized 17 domains linked to North Korean IT workers engaged in fraudulent activities aimed at funding North Korea's weapons program. This action extends previous court-approved seizures of $1.5 million in revenue generated by this group and follows the establishment of public-private partnerships to restrict their online activities.
According to court documents, North Korea has dispatched IT workers, primarily to China and Russia, to deceive global businesses into employing them, thereby financing its weapons programs. The scheme involves pseudonymous accounts, false websites, and proxy computers.
The seized domains were designed to mimic legitimate U.S.-based IT services. These workers, previously sanctioned and affiliated with PRC and Russia-based companies, funneled money back to North Korea through online payment and Chinese bank accounts.
Since 2022, the U.S. and Republic of Korea have shared threat indicators with U.S.-based online platforms. This led to enhanced fraud detection and the shutting down of thousands of fraudulent accounts.
The investigation is being led by the National Security Cyber Section and the U.S. Attorney’s Office for the Eastern District of Missouri, with support from the FBI’s St. Louis Field Office.
The United States and Republic of Korea advisories on DPRK IT workers offer guidance and information to help governments and private sector minimize risk.