DPRK Remote Workers Hiring Scheme: Lessons Learned
In mid-July 2024, a US security awareness training company revealed that it had unwittingly hired a North Korean hacker, using a stolen identity, for a remote Principal Software Engineer position. This successful employment fraud is one of many in which Democratic People’s Republic of Korea (DPRK, a.k.a. North Korea) information technology (IT) workers have used fake personas and the stolen identities of American citizens to fraudulently obtain remote employment from unwitting companies in the United States. Nisos previously published a research post in December 2023 warning companies about the fraudulent employment scheme, in which Nisos investigators revealed the tactics, techniques, and procedures (TTPs) of these threat actors. As a follow-up to that report, Nisos investigators provide further insight into best practices to consider when conducting interviews and vetting applicants, so that companies can better protect themselves from unauthorized access to sensitive systems and data by North Korean threat actors.
Anomalies in Applicants and References
Nisos has significant experience in helping our clients identify, investigate, and prevent employment fraud schemes. During our investigations into these schemes, we have identified the following best practices for screening applicants and references to lower the risk of hiring DPRK IT workers for remote jobs.
Applicant Screening Best Practices
Ensure the interview process involves on-camera and/or in-person interviews.
Ensure the applicant presents identification documentation in person, which makes falsified documentation easier to spot. Require mandatory in-person employee onboarding.
Verify prior employment. Applicants often list major companies in their employment history, likely both to inflate their experience and to deter the hiring organization from contacting their provided references.
Conduct a detailed review of the applicant’s online presence for consistency in name, appearance, work history, education, etc.
Nisos investigators found that DPRK IT workers often updated their mailing address prior to their equipment being shipped to them. This is an indication that the identity and information provided during the hiring process may have been stolen.
Once an offer is accepted, the threat actor will ask for the laptop to be shipped to an address that does not appear on any of the ID documents provided during the application process, claiming to have moved or temporarily relocated. We recommend that our clients research the new address to verify that it is linked to the individual.
Reference Screening Best Practices
Be sure to collect and retain all contact information for the references HR reviews in relation to the job applicant. Frequently the references turn out to be the same individual as the applicant, or to be connected to the same network of people.
References may decline to appear on camera when asked, and their answers are often kept brief and provide no real context about how the reference supervised or worked with the applicant.
Tactics, Techniques, and Procedures
Common DPRK IT worker TTPs highlighted in the December 2023 report include the following, which are only a subset of the indicators identified by Nisos investigators.
Personas claim to have experience developing web and mobile applications, knowledge of multiple programming languages, and an understanding of blockchain technology.
Personas have accounts on employment and people-information websites, as well as on IT industry-specific freelance contracting platforms, software development tools and platforms, and common messaging applications, but they typically lack social media accounts and personal content, suggesting that the personas are created solely for the purpose of acquiring employment.
Photos of the same individual are used to create multiple personas.
Personas have several accounts with the same name and photo that are sometimes associated with different locations, some of which are abroad.
Personas’ accounts contain only minimal information, and some of the resume content on the accounts is likely copied from real individuals in the IT industry.
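The screening practices above (shipping address not on any ID document, references who share contact details with the applicant or with other candidates) and the persona indicators in this section (the same photo and the same name reused across multiple applications) lend themselves to a repeatable consistency pass over the applicant file. The Python below is an added example written for this post; it is not Nisos tooling or any client's HR system. The record fields, the normalization rules (compare the last ten digits of a phone number; canonicalize Gmail dot and plus aliases), the flag names, and the three sample applicant records are all constructed assumptions.

```python
"""Consistency checks for remote-hire applicant and reference records.

Added example, not Nisos's or any client's tooling. Flags the anomalies
described in the post: a laptop shipping address that matches none of the
addresses on the submitted ID documents, reference contact details that
overlap with the applicant's own, and the same photo or contact details
reappearing across several candidates' files. All sample data is constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List


def norm_phone(p: str) -> str:
    # Assumption: US numbers; compare on the last ten digits so "+1 555-010-4000"
    # and "555 010 4000" collapse to the same key.
    return re.sub(r"\D", "", p)[-10:]


def norm_email(e: str) -> str:
    local, _, domain = e.strip().lower().partition("@")
    if domain in ("gmail.com", "googlemail.com"):
        # Gmail ignores dots and anything after "+" in the local part.
        local = local.split("+")[0].replace(".", "")
    return f"{local}@{domain}"


def norm_addr(a: str) -> str:
    # Crude normalization: drop case, punctuation and whitespace.
    return re.sub(r"[^a-z0-9]", "", a.lower())


@dataclass
class Contact:
    name: str
    email: str
    phone: str


@dataclass
class Applicant:
    candidate_id: str
    name: str
    email: str
    phone: str
    id_addresses: List[str]      # addresses printed on the ID documents provided
    shipping_address: str        # where the candidate asked the laptop to go
    photo_hash: str              # hash of the ID/profile photo (constructed here)
    references: List[Contact] = field(default_factory=list)


def applicant_flags(app: Applicant) -> List[str]:
    """Checks that need only the single applicant's file."""
    flags: List[str] = []
    if norm_addr(app.shipping_address) not in {norm_addr(a) for a in app.id_addresses}:
        flags.append("SHIPPING_ADDRESS_NOT_ON_ID")
    own = {norm_email(app.email), norm_phone(app.phone)}
    for ref in app.references:
        if norm_email(ref.email) in own or norm_phone(ref.phone) in own:
            flags.append(f"REFERENCE_SHARES_APPLICANT_CONTACT:{ref.name}")
    return flags


def cross_file_flags(apps: List[Applicant]) -> Dict[str, List[str]]:
    """Link candidates that share a photo hash or any contact detail."""
    by_photo: Dict[str, List[str]] = {}
    by_contact: Dict[str, List[str]] = {}
    for app in apps:
        by_photo.setdefault(app.photo_hash, []).append(app.candidate_id)
        keys = [norm_email(app.email), norm_phone(app.phone)]
        keys += [norm_email(r.email) for r in app.references]
        keys += [norm_phone(r.phone) for r in app.references]
        for key in keys:
            ids = by_contact.setdefault(key, [])
            if app.candidate_id not in ids:   # one vote per candidate per key
                ids.append(app.candidate_id)
    out: Dict[str, List[str]] = {app.candidate_id: [] for app in apps}
    for ids in by_photo.values():
        if len(ids) > 1:
            for cid in ids:
                out[cid].append("PHOTO_REUSED_ACROSS_CANDIDATES")
    for key, ids in by_contact.items():
        if len(ids) > 1:
            for cid in ids:
                out[cid].append(f"CONTACT_SHARED_ACROSS_CANDIDATES:{key}")
    return out


def screen(apps: List[Applicant]) -> Dict[str, List[str]]:
    """Per-candidate flag list; an empty list means no anomaly was found."""
    cross = cross_file_flags(apps)
    return {a.candidate_id: applicant_flags(a) + cross[a.candidate_id] for a in apps}


# Constructed sample records: C-001 is clean; C-002 changed the shipping address
# and listed a reference whose Gmail is an alias of its own; C-003 reuses C-002's
# photo and its reference's phone number.
SAMPLE = [
    Applicant("C-001", "Alex Doe", "alex.doe@example.com", "+1 555 010 1000",
              ["12 Oak St, Springfield, IL 62701"], "12 Oak St, Springfield, IL 62701",
              "photo-a1", [Contact("Pat Lee", "pat.lee@example.org", "555-010-2000")]),
    Applicant("C-002", "Jordan Roe", "jordan.roe@gmail.com", "(555) 010-3000",
              ["40 Pine Ave, Austin, TX 78701"], "900 Harbor Blvd, Apt 5, Los Angeles, CA 90012",
              "photo-b2", [Contact("Sam Quinn", "j.o.r.d.a.n.roe+ref@gmail.com", "555-010-4000")]),
    Applicant("C-003", "Taylor Poe", "taylor.poe@example.net", "555 010 5000",
              ["77 Elm Rd, Denver, CO 80202"], "77 Elm Rd, Denver, CO 80202",
              "photo-b2", [Contact("Sam Quinn", "sam.q@example.org", "+1 555-010-4000")]),
]

if __name__ == "__main__":
    for cid, flags in screen(SAMPLE).items():
        print(cid, flags or "OK")
```

Each flag is a reason for a human to look closer, not a verdict: a legitimate candidate may well have moved between applying and onboarding, which is exactly why the post recommends researching the new address rather than rejecting on sight. The cross-file checks only pay off if the reference contact details are actually retained, which is the point of the first reference-screening practice above.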
Lessons Learned For Enterprise Leaders
The North Korean IT worker scheme is pervasive and targets companies of all sizes and in numerous industries, including cybersecurity. Learning opportunities for enterprise leaders include the following:
Improved vetting processes for remote candidates.
An understanding of the benefits of OSINT research to accompany internal systems monitoring.
General awareness training and mechanisms for employees to spot and report suspicious behavior.
How Can Nisos Help You?
Successful employment fraud investigations rely on a combination of external and internal investigation components. Nisos’ non-attributable investigation methods, combined with our clients’ own network infrastructure research, have successfully identified indicators of both DPRK remote worker employment fraud and traditional employment fraud. Partnering with an intelligence and investigations firm like Nisos can help enterprise leaders more quickly understand, prevent, and in some cases stop unwanted activity within their companies, protecting their own and their clients’ sensitive data.