Freelance Market Flooded With North Korean IT Actors

Published: 23/11/2024   Category: security




Organizations should be careful that the workers they hire on a freelance and temporary basis are not operatives working to funnel money to North Korea's WMD program, US DOJ says.



US organizations that hire freelance and temporary IT workers should be sure they are not signing up individuals working on behalf of the North Korean government.
In recent years, the Democratic People's Republic of Korea has flooded the freelance market with thousands of skilled IT workers who are quietly directing their earnings to the sanctions-ridden nation's nuclear weapons program. The workers primarily reside in Russia and China and use a medley of pseudonymous email and social media accounts, false websites, proxy computers, and other mechanisms to hide their true identities and locations when applying to work on a freelance basis for US and other firms worldwide.
Last week, the US Department of Justice released details of the massive scam in announcing court-authorized seizures of 17 domains and some $1.7 million in revenues associated with the operation.
"The Democratic People's Republic of Korea has flooded the global marketplace with ill-intentioned information technology workers to indirectly fund its ballistic missile program," Special Agent in Charge Jay Greenberg of the FBI St. Louis Division said in a statement last week. "This scheme is so prevalent that companies must be vigilant to verify whom they're hiring."
The DOJ described the 17 domains it seized as being used by some North Korean IT workers to apply for remote work in the US and elsewhere. The websites appeared to be the domains of legitimate US-based IT services companies. In reality, however, the people behind them were North Korean IT workers with a China-based company called Yanbian Silverstar Network Technology Co. Ltd and a Russian company identified as Volasys Silver Star.
The North Korean IT workers at these companies used various online payment services and Chinese bank accounts to funnel earnings from their work as freelance IT workers back to North Korea. Each year, the workers have been generating millions of dollars for entities like North Korea's Ministry of Defense and other agencies tied to the country's WMD programs, the DoJ said.
This is not the first time that the DoJ has warned US organizations of the scam. In a May 2022 advisory, the US government issued a similar warning about North Korean IT workers using VPNs, virtual private servers, purchased third-party IP addresses, proxy accounts, and stolen ID documents to pass themselves off as IT workers from other countries.
The advisory also provided specific guidance that hiring managers and other decision-makers could use when contracting for work with a freelancer. Some red flags: multiple logins into one account from various IP addresses in a short period; IP addresses associated with different countries; frequent money transfers through payment platforms, especially in China; and requests for payment in cryptocurrencies, the DoJ had noted.
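
The first two red flags in that list can be checked against account login records. The following is an added example, not code from the advisory or the original article: it flags accounts that log in from several IP addresses, or from IP addresses tagged with different countries, within a short window. The event format, the one-hour window, the IP threshold, the function name and the sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (ISO timestamp, account, source IP, country tag).
# IPs come from documentation ranges; country tags are placeholders that a real
# pipeline would take from its own IP-geolocation enrichment.
SAMPLE_EVENTS = [
    ("2024-01-08T09:00:00", "contractor-a", "192.0.2.10", "US"),
    ("2024-01-08T09:20:00", "contractor-a", "198.51.100.7", "CN"),
    ("2024-01-08T09:45:00", "contractor-a", "203.0.113.5", "RU"),
    ("2024-01-08T09:05:00", "contractor-b", "192.0.2.44", "US"),
    ("2024-01-08T17:30:00", "contractor-b", "192.0.2.44", "US"),
    ("2024-01-08T08:00:00", "contractor-c", "192.0.2.80", "US"),
    ("2024-01-09T20:00:00", "contractor-c", "198.51.100.90", "CN"),
]

def flag_accounts(events, window=timedelta(hours=1), max_ips=2):
    """Return {account: sorted list of reasons} for accounts that, within any
    sliding `window`, log in from more than `max_ips` distinct IP addresses
    or from IP addresses tagged with more than one country."""
    by_account = defaultdict(list)
    for ts, account, ip, country in events:
        by_account[account].append((datetime.fromisoformat(ts), ip, country))

    flagged = {}
    for account, logins in by_account.items():
        logins.sort()
        reasons = set()
        start = 0
        for end in range(len(logins)):
            # Advance the left edge until the span fits inside `window`.
            while logins[end][0] - logins[start][0] > window:
                start += 1
            in_window = logins[start:end + 1]
            if len({ip for _, ip, _ in in_window}) > max_ips:
                reasons.add("many_ips_short_period")
            if len({c for _, _, c in in_window}) > 1:
                reasons.add("multiple_countries")
        if reasons:
            flagged[account] = sorted(reasons)
    return flagged

if __name__ == "__main__":
    for account, reasons in flag_accounts(SAMPLE_EVENTS).items():
        print(account, reasons)
```

A hit is a prompt for review alongside the other red flags, since travel or a corporate VPN can produce the same pattern for a legitimate worker.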
The DoJ also urged US organizations to be on the lookout for other potential signs including inconsistencies in name spellings, claimed work location, contact information, and details about their education and work history across social media profiles, professional websites, and payment profiles. An inability by a freelancer to work during required business hours or any difficulty reaching the worker in a timely fashion are also factors to consider, the DoJ said.
Last week's advisory provided updated advice for US organizations on how to spot a potential North Korean IT worker. Red flags include an unwillingness or inability by the freelance worker to come on camera or do video interviews and conferences, and inconsistencies, such as in time of day and location, when they do appear on camera. Other giveaways include signs of cheating on coding tests or interviews, such as excessive pausing, stalling, and eye-scanning movements; repeated requests for prepayment; and threats to release source code if payment is not made.
The advisory provided organizations with a list of things they can do to minimize risk, including requesting documentation of background checks when using a third-party staffing firm; conducting due-diligence checks on individuals that a third-party firm might provide for freelance work; and not accepting background checks from unknown firms.
"These kinds of threats are incredibly challenging and costly to manage at a corporate level," said Andrew Barrett, vice president at Coalfire, in a statement. "Freelancers and contractors are an integral part of many businesses and entire companies have spun up, such as Fiverr, to help create a marketplace for them."
Detecting fake identities can be hugely challenging using typical background checks when dealing with state-sponsored fake identities, Barrett said.
