Wikipedia
Thousands of IT workers from North Korea have been employed by Fortune 500 companies using fake documents and continue to be employed illegally.
It is noted that programmers from the DPRK impersonate US specialists using fake or stolen documents identity cards. By earning money in American companies in this way, they transfer money to finance the regime of North Korean dictator Kim Jong-un.
According to the US Treasury, the State Department, and the FBI, starting in 2018, Fraud with employees in the IT sector annually brings hundreds of millions of dollars in revenue to the DPRK. According to the founder of the startup g8keep Harrison Leggio, about 95% of the resumes he receives come from programmers from North Korea.
Currently Leggio admits that he will not even schedule an interview with a candidate who looks like a promising specialist on paper unless he agrees to pass the last test, which is to say something negative about Kim Jong-un. For example, «how fat is the DPRK leader?». Leggio made sure that North Korean employees are strictly forbidden to insult the DPRK dictator and can be punished for this, even in the case of negative statements in private.
The founder of g8keep noted that when he first offered a similar test to a job applicant, he started freak out and swear. The job seeker subsequently blocked Legio on all social media platforms. Now, Legio runs the same test before every interview. Other startups and founders he knows do the same.
The UN estimates that fraud against DPRK IT workers generates $250 million to $600 million annually. This has led cybersecurity professionals to come together to share information about strategies, profiles, VPNs, and signs to look out for.
However, the development of AI has allowed fraudsters from the DPRK to create several false identities and be hired by 6-7 companies at the same time. According to analysts, by 2025, the scale of these fraudulent schemes will only expand, covering not only the United States but also Europe and Asia.
According to the head of cybersecurity at Google Cloud Michael Barnhart, who has been tracking cyber threats from the DPRK for many years, programmers from North Korea based in Russia and China, use AI to create biographies with an emphasis on attractive work experience at the company. They work in teams to apply for jobs in bulk, using stolen U.S. IDs or through intermediaries in the U.S. or abroad.
Some IT professionals have even set up shell companies to pose as legitimate recruitment firms or web design agencies, for example, which then partner with large Fortune 500 companies. Among global companies, security services have implemented various systems and strategies to root out North Korean IT professionals looking for work, as well as those already employed and working in companies.
In particular, most American companies already conduct background checks on job applicants’ declared place of residence. These practices range from video interviews with a camera to the use of identity verification tools with geolocation features to compare a government-issued ID with a selfie, helping to match people with their identity and location.
Representatives of the cybersecurity company CrowdStrike note that a group of programmers from the DPRK, called Famous Chollima, was involved in 304 cases in 2024 and continues to employ fake workers in American companies this year. According to the senior vice president of CrowdStrike, this group of North Korean fraudsters specializes in theft of intelligence information and cryptocurrencies, including the theft of $1.5 billion from a crypto exchange in Dubai. Another activity of Famous Chollima is the employment of IT specialists from the DPRK in American companies using forged documents.
Fraudsters from the DPRK are actively imitating the provision of services to US IT professionals in order to steal and falsify their IDs. Over the past two years, the Department of Justice has charged dozens of North Korean nationals and unnamed co-conspirators with the scheme, accusing them of stealing U.S. identities, conspiracy to violate U.S. sanctions, wire fraud, and money laundering In this regard, a man from Nashville was arrested, and a woman from Arizona pleaded guilty to running «farms of fake accounts» as part of this scheme.
In the Arizona case, a 49-year-old woman from Phoenix helped her North Korean accomplices get jobs at Fortune 500 banks, a television network, an aerospace company, an automobile company, and a Silicon Valley technology company. Using 60 stolen IDs, she helped IT professionals get jobs at 300 companies that paid them millions for their work.
Source: Fortune