US warns companies not to inadvertently hire North Korean IT workers

The US Department of State has released an advisory warning that the Democratic People’s Republic of Korea (DPRK) has been utilising thousands of re-mote, freelance IT workers posing as non-North Korean nationals around the world to generate revenue for Pyongyang’s weapons programmes, in violation of both US and UN sanctions. Companies who hire such workers could be left exposed to legal consequences for the violation of international sanctions.

Pretending to be from South Korea, Japan, China, Eastern Europe or the USA, these IT workers utilise mainstream online platforms where freelance, self-employed IT workers can bid for jobs in areas such as software development or mobile application soft-ware.

Due to the nature of working remotely, the workers are able to obfuscate their identities online using a combination of spoofed IP addresses, virtual private networks (VPNs), proxy servers and text-based communication.

In addition to the disguised digital identities, counterfeit, falsified or doctored physical identity documents are also commonly used. It is not unusual for driving licenses, social security cards, ID cards, high school and university qualifications, work visas, credit cards and bank or utility statements to be forged for the purpose of an employment contract. Even statements of work, invoices and client communications (which are commonly used as evi-dence of self-employment on freelance platforms) are often falsi-fied using minimal contact information to deter further verifica-tion.

The US Department of State advisory stated that the workers are most often located in North Korea, China or Russia, with a small-er number based in Africa and South East Asia.

North Korea is subject to both UN and US sanctions in order to disable the funding of Pyongyang’s nuclear weapon and ballistic missile programmes. By dispatching remote workers, income can be generated for its programmes surreptitiously—whilst this ac-counts for most of the activity, some workers have also assisted in government-backed hacking activities within large tech companies also.

Companies found to be employing North Korean workers could face legal penalties for violating international sanctions. Guidance within the US advisory statement includes red flags to look out for, and also lists mitigating measures that can be taken, to avoid unknowingly employing a remote North-Korean IT worker:

Red Flag Indicators

• Inconsistencies in name spelling, nationality, claimed location, contact information, educa-tional history, work history and payment details.
• Surprisingly simple portfolio sites, social media profiles, or developer profiles.
• Direct messaging or cold-calling, advertising services and proficiencies.
• Requests to communicate on a separate platform to the one that they were operating on.
• Any suggestion that the worker cannot receive documents or equipment items at the address on their ID documentation.
• Seeking payment in virtual currency.
• Contact information which is incorrect or keeps changing (especially phone numbers or email addresses).
• Inability to communicate in a timely manner, especially through “instant” messaging methods.
• Reluctance to use video-calling.

Mitigating Measures

• Conduct pre-employment background checks to verify identity, documents and location.
• Verify all documents provided for the contract (invoices, work agreements) independently.
• Verify the existence of any websites or accounts which have been referenced.
• Require submission of video, or a video interview, to verify identity.

To read the full statement from the US Department of State.