South Korean authorities issue warning about disguised North Koreans getting IT jobs

South Korean authorities issued an interagency advisory Thursday warning companies about hiring North Korean IT workers who disguise their true nationality and use their wages to help fund the country’s sanctioned nuclear weapons program.

The advisory was published by several ministries, alongside South Korea’s National Police Agency and its National Intelligence Service, requesting “enhanced due diligence and more stringent identity verification process from domestic companies to avoid hiring or engaging in business contracts with [North Korean] IT workers who disguise their nationality and identities.”

It follows a similar alert in May issued by the FBI, Treasury Department and State Department to American companies looking to hire freelance workers.

Thursday’s advisory from the South Korean authorities warned that North Korean workers were located “all around the world, obfuscating their nationality and identities” while earning “hundreds of millions of dollars a year” by freelancing as developers.

The unusual diaspora was created as a result of sanctions imposed on North Korea in 2016 due to its nuclear missile tests, which led to a sharp decline in the country’s exports. With such a dramatic fall in income, the regime turned to using IT workers to contribute to funding its nuclear and ballistic missile program.

The South Korean government said it had preemptively reviewed the identity verification process used by several freelance work platforms, and “concluded that it is indeed possible for [North Korean] IT workers to obtain employment from domestic companies by obfuscating their identity.”

These workers “are presumed to be engaging in wide-ranging types of work, including the development of decentralized applications, smart contracts and digital tokens, as well as mobile and web-based applications that span a range of fields and sectors, including business, health and fitness, social networking, sports, entertainment, and lifestyle,” said the advisory.

“The vast majority” of the workers’ earnings were remitted back to North Korea to entities that have been sanctioned under UN Security Council resolutions, and then used to fund North Korea’s weapons research programs, said the advisory.

It added that “in some cases they are involved in malicious cyber activities, such as obtaining illicit gains by taking advantage of vulnerabilities in smart contract codes. Therefore, domestic blockchain companies must exercise extra caution so as to avoid employing [North Korean] workers,” it warned.

Last month, the Treasury Department reissued sanctions on the Tornado Cash cryptocurrency mixer service, accusing the platform of helping North Korean government hackers launder more than $455 million stolen in March 2022.

The U.S. has also previously accused North Korean hackers of being behind the headline-grabbing attack on Ronin Network, which saw almost $600 million in cryptocurrency stolen.

Alexander Martin

Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.

Recent Posts

Deepfake news anchors spread Chinese propaganda on social media

In a series of videos posted on Twitter, Facebook and YouTube, Chinese state-aligned actors used…

6 hours ago

New info-stealing malware used against Ukraine organizations

A new information-stealing malware named Graphiron is being used against a wide range of targets…

11 hours ago

Hackers used fake websites to target state agencies in Ukraine and Poland

Hackers attempted last week to infect Ukrainian government computer systems with malware hosted on fake…

12 hours ago

‘No evidence of malicious access,’ Toyota says about serious bug exploited by outside researcher

Toyota said it remediated the vulnerability discovered by researcher Eaton Zveare. The company referred others…

13 hours ago

Turkey’s government restricts access to Twitter amid earthquake response

Internet traffic data showed that Twitter was totally inaccessible from with Turkey. The government has…

14 hours ago

CISA publishes recovery script for ESXiArgs ransomware as Florida courts, universities reel

CISA adapted work by two Turkish developers into a script for recovering files affected by…

15 hours ago