The documents contain dozens of fraudulent resumes, online profiles, interview notes, and forged identities that North Korean workers used to apply for jobs in software development.
The documents and data reveal the intense effort and subterfuge undertaken by North Korean authorities to ensure the success of a scheme that has become a vital lifeline of foreign currency for the cash-strapped regime.
North Korea’s UN mission did not respond to a request for comment.
Remote tech workers can earn more than 10 times what a conventional North Korean labourer working overseas in construction or other manual jobs earns, the US Justice Department (DOJ) said in 2022, and teams of them can collectively earn more than US$3 million a year.
Reuters was not able to determine how much the scheme has generated over the years.
Some of the scripts, designed to prepare the workers for interview questions, contain excuses for the need to work remotely.
“Richard”, a senior embedded software developer, said: “I [flew] to Singapore several weeks ago. My parents got Covid and I [decided] to be with family members for a while. Now, I am planning to go back to Los Angeles in three months. I am thinking that I could start work remotely right now, then I will be on board when I go back to LA.”
A North Korean tech worker who recently defected also examined the documents and confirmed their authenticity to Reuters: “We would create 20 to 50 fake profiles a year until we were hired.”
He viewed the scripts, data and documents and said they showed exactly what he had been doing, because he recognised the tactics and techniques used.
“Once I was hired, I would create another fake profile to get a second job,” said the worker, who spoke on condition of anonymity, citing security concerns.
In October, the DOJ and Federal Bureau of Investigation seized 17 website domains they said were used by North Korean IT workers to defraud businesses and US$1.5 million in funds.
North Korean developers working at US firms had hidden behind pseudonymous email and social media accounts and generated millions of dollars a year on behalf of sanctioned North Korean entities through the scheme, the DOJ said.
“There is a risk to the North Korea government, as these privileged workers are exposed to dangerous realities about the world and their country’s enforced backwardness,” said Sokeel Park of Liberty in North Korea, an organisation that works with defectors.
Hard cash
Based on his experience, the former IT worker said, all are expected to earn at least US$100,000, of which 30-40 per cent is repatriated to Pyongyang, 30-60 per cent is spent on overhead expenses, and 10-30 per cent is pocketed by workers.
He estimated there were around 3,000 others like him overseas, and another 1,000 based within North Korea.
“I worked to earn foreign currency,” he said. “It differs between people but, basically, once you get a remote job you can work for as little as six months, or as long as three to four years.
“When you can’t find a job, you freelance.”
The researchers, part of Palo Alto’s Unit 42 cyber research division, made the discovery when examining a campaign by North Korean hackers that targeted software developers.
One of the hackers left the documents exposed on a server, Unit 42 said, indicating there are links between North Korea’s hackers and its IT workers, although the defector said espionage campaigns were for a select few: “Hackers are trained separately. Those missions are not given to people like us,” he said.
Still, there is crossover. The DOJ and FBI have warned that North Korean IT workers may use access to hack their employers, and some of the leaked resumes indicated experience at cryptocurrency firms, an industry that has long been targeted by North Korean hackers.
Fake identities
The worker did not respond to an emailed request for comment.
The data, collated from leaks on the dark web, also revealed an account on a website selling digital templates to create realistic-looking fake identification documents, including US driving licences, visas and passports, Reuters found.
The documents unearthed by Unit 42 included resumes for 14 identities, a forged US green card, interview scripts, and evidence that some workers had bought access to legitimate online profiles in order to appear more genuine.
The “Richard” in Singapore who was seeking remote IT work appeared to refer to a forged profile by the name of “Richard Lee” – the same name on the green card. The US Department of Homeland Security did not respond to a request for comment.
Reuters found a LinkedIn account for a Richard Lee with the same profile photo who listed experience at Jumio, a digital identity verification company.
“We do not have any records of Richard Lee having been a current or former employee of Jumio,” a company spokesperson said. “Jumio does not have any evidence to suggest the company has ever had a North Korean employee within its workforce.”
Reuters messaged the LinkedIn account seeking comment, but received no response. LinkedIn removed the account after receiving requests from Reuters for comment.
“Our team uses information from a variety of sources to detect and remove fake accounts, as we did in this case,” a spokesperson said.