# Full Report
New research shows that North Koreans appear to be trying to trick US companies into hiring them to develop architectural designs using fake profiles, résumés, and Social Security numbers.
# Analysis Summary
# Threat Actor: Unnamed North Korean Digital Labor Network (DPRK Digital Laborers)
## Attribution & Identity
Attributed to the Democratic People's Republic of Korea (DPRK) regime. This actor cluster is part of a broader network of thousands of North Korean IT workers generating billions in revenue for the regime, often directed toward nuclear weapons programs. The analysis provided by Kela focuses on one specific network linked to these fraudulent activities.
## Activity Summary
This network has historically been involved in fraudulent remote employment schemes targeting Western tech firms, developing apps, and working on cryptocurrency projects. The new significant activity detailed is the expansion into architectural design and civil engineering services. These operatives are securing freelance jobs using fabricated identities, providing 2D and 3D CAD files, and even offering architectural stamps/seals to imply licensure for US projects.
## Tactics, Techniques & Procedures
- **Identity Spoofing/Fabrication:** Using fake profiles, résumés, and Social Security numbers (SSNs) to secure employment.
- **Digital Infrastructure Misuse:** Utilizing GitHub accounts to host sensitive information, including fake CVs and persona details.
- **Service Fraud:** Advertising architectural services, claiming to be licensed across multiple US states.
- **Document Production:** Creating or claiming to provide construction documents, including site plans and structural analysis reports, potentially using fraudulent professional seals.
- **Platform Exploitation:** Primarily using freelance work websites to solicit jobs.
## Targeting
- **Sectors:** Technology, Cybersecurity, Industrial Design, Architecture, and Civil Engineering.
- **Geography:** United States companies and property projects (e.g., floor plans for US-based decks, farmhouses, swimming pools).
- **Victims:** Western tech firms (historically), and clients seeking freelance architectural/engineering design services in the US.
## Tools & Infrastructure
- **Malware families used:** None are specified for this architectural campaign; the network's earlier activity was in app development and cryptocurrency projects rather than in deploying named malware.
- **Infrastructure (C2, domains, IPs):**
  - GitHub accounts used for staging information (e.g., CVs, work samples).
  - Google Drive files used to distribute data related to the scam network.
  - Spreadsheets detailing hundreds of potentially used email addresses.
*Note: No specific public IP addresses or C2 domains were provided in the text.*
## Implications
This activity demonstrates a sophisticated and adaptive expansion of North Korea's illicit revenue-generating schemes beyond IT and crypto, deepening their infiltration into sensitive sectors like infrastructure design. The creation and alleged use of architectural stamps are particularly concerning as they attempt to lend false legitimacy to their work, potentially enabling flawed or malicious designs to influence real-world construction projects within the US. The scale, evidenced by spreadsheets listing hundreds of email addresses, suggests a highly organized operation managed by the DPRK regime.
## Mitigations
- Implement rigorous third-party vetting and background checks for technical and professional service contractors, specifically verifying professional licenses and certifications (e.g., architectural stamps).
- Analyze developer/designer provenance, paying close attention to whether work patterns are consistent, to inconsistencies in identity documentation (CVs/SSNs), and to unusual hosting practices (e.g., sensitive project files linked publicly from platforms like GitHub).
- Enhance monitoring of freelance platforms for providers claiming broad, multi-state professional licensure without verifiable credentials or office presence.