Full Report
Researchers map full org chart of the scam from dodgy recruiters to helpful Western collaborators
Researchers at IBM X‑Force and Flare Research have uncovered data that sheds light on how North Korea's fake IT worker schemes operate and infiltrate companies in order to funnel money back to the regime and steal sensitive information…
Analysis Summary
# Threat Actor: IT Worker Dispatch Teams (DPRK)
## Attribution & Identity
* **Actor Identification:** North Korean (DPRK) IT Workers.
* **Known Aliases:** Fake IT Worker ecosystem, "C Digital LLC" (front company name).
* **Known Associations:** Working on behalf of the North Korean regime (Pyongyang).
* **Scale:** Estimated 100,000 workers operating across approximately 40 countries.
## Activity Summary
According to recent research by IBM X-Force and Flare, North Korea operates a highly structured global network of fake IT workers who infiltrate Western companies. These workers secure legitimate full-time employment or freelance contracts using stolen or borrowed identities. The operation functions like a corporate entity with specialized roles:
* **Recruiters:** Screen candidates and record interviews.
* **Facilitators:** Act as hiring managers to approve "recruits" for the scheme.
* **IT Workers:** Conduct the actual technical work and infiltration.
* **Collaborators/Brokers:** Western individuals who provide their identities or assistance to facilitate the fraud.
## Tactics, Techniques & Procedures
* **Identity Fraud:** Use of counterfeit accounts or verified accounts belonging to real individuals (often Westerners) to bypass KYC (Know Your Customer) checks on freelancing platforms.
* **Application Mentoring:** Workers are coached on how to apply to Western companies and given fabricated US-based identities.
* **Job-Seeking Tactics:** Heavy activity on freelancing sites such as Upwork, LinkedIn, and Freelancer.com, tracked via internal metrics for "Bids" and "Messages."
* **Social Engineering:** Using front company names like "C Digital LLC" and claiming to be "stealth startups" to explain a lack of public corporate presence.
* **Interview Deception:** Use of AI face changers, AI voice changers, and fake backgrounds during video interviews to mask their true location and identity.
* **Language Translation:** Heavy reliance on Google Translate for job applications, communication, and interpreting technical documentation.
* **Collaborative Output:** Multiple people may work behind a single employee profile to ensure high performance, aiming for promotions to gain privileged system access.
## Targeting
* **Sectors:** Technology and software development, specifically companies using .NET, WordPress, and full-stack web application development.
* **Geography:** Primarily Western-based companies; workers are physically located in over 40 countries.
* **Victims:** Major freelancing platforms (Upwork, Freelancer) and unsuspecting Western corporations.
## Tools & Infrastructure
* **VPNs:** OConnect and NetKey (specific North Korean VPN infrastructure used to tunnel back to Pyongyang).
* **Communication:** IP Messenger (IPMsg) – an open-source, serverless messaging app used to avoid surveillance on centralized US platforms like Discord or Google.
* **Translation:** Google Translate.
* **Identity Assets:** Counterfeit US identities and collaborator accounts.
## Implications
* **Financial:** The scheme generates an estimated $500 million annually for the North Korean regime, with individual workers earning upwards of $300,000.
* **Security:** Beyond revenue generation, the primary risk is the "insider threat." Once these workers gain senior roles or promotions, they obtain privileged access to sensitive corporate data and internal networks, which can be leveraged for state-sponsored cyberespionage or intellectual property theft.
## Mitigations
* **Interview Screening:**
  * Watch for discrepancies between resumes and interview statements (e.g., language proficiency or residency).
  * Monitor for technical artifacts of AI face/voice manipulation during video calls.
* **Identity Verification:** Implement rigorous background checks and verify the physical location of remote employees.
* **Network Monitoring:**
  * Check for the presence of IPMsg or unauthorized VPNs like OConnect/NetKey on corporate assets.
  * Monitor for unexpected logins from IP addresses associated with known proxy/VPN services.
* **Behavioral Indicators:** Note if an employee refuses to turn on their camera or if their spoken English/technical communication significantly differs from their written output (suggesting the use of translation tools).
* **The "Litmus Test" (non-traditional):** The article suggests posing questions sensitive to North Korean ideology (e.g., disparaging comments about the leadership), which may cause the actor to abruptly terminate contact.
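A small detection helper for the network-monitoring mitigations above (an added example, not code from the IBM X-Force or Flare research): it flags endpoints whose software inventory mentions IPMsg, OConnect or NetKey, and successful logins sourced from IP ranges attributed to proxy/VPN services. The inventory, auth events and proxy/VPN ranges are constructed sample data; in practice a real asset inventory and a real proxy/VPN feed replace them.

```python
"""Detection helper for the network-monitoring mitigations above: endpoints
running IPMsg or the OConnect/NetKey VPN clients, and successful logins from
IP space attributed to proxy/VPN services. All sample data is constructed."""
import ipaddress

# Name fragments to look for on corporate assets (names from the article).
FLAGGED_SOFTWARE = ("ipmsg", "oconnect", "netkey")

# Constructed stand-in for a proxy/VPN feed; documentation ranges only.
PROXY_VPN_RANGES = [ipaddress.ip_network(n) for n in
                    ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24")]

# Constructed endpoint inventory: host -> installed/running programs.
INVENTORY = {
    "ws-dev-01": ["Visual Studio Code", "IPMsg 5.6", "Chrome"],
    "ws-dev-02": ["Visual Studio Code", "Chrome"],
    "ws-dev-03": ["OConnect VPN client", "Git"],
}

# Constructed auth events: (user, source_ip, login_succeeded).
AUTH_EVENTS = [
    ("j.smith", "10.20.30.40", True),
    ("j.smith", "198.51.100.77", True),
    ("a.jones", "10.20.30.41", True),
    ("a.jones", "203.0.113.9", False),
]

def flag_software(inventory):
    """Return {host: [matching programs]} for hosts running flagged software."""
    hits = {}
    for host, programs in inventory.items():
        matches = [p for p in programs
                   if any(frag in p.lower() for frag in FLAGGED_SOFTWARE)]
        if matches:
            hits[host] = matches
    return hits

def flag_proxy_logins(events, ranges=PROXY_VPN_RANGES):
    """Return (user, ip) for successful logins sourced from a proxy/VPN range."""
    flagged = []
    for user, ip, ok in events:
        addr = ipaddress.ip_address(ip)
        if ok and any(addr in net for net in ranges):
            flagged.append((user, ip))
    return flagged

if __name__ == "__main__":
    print(flag_software(INVENTORY))
    print(flag_proxy_logins(AUTH_EVENTS))
```

Failed logins from proxy ranges are deliberately not flagged here; they are worth a separate, lower-severity alert so the successful ones stand out.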