Highly skilled software and mobile application creators from North Korea pose as remote workers from the US to get contracts as developers for US or European technology and cryptocurrency companies.

This warning comes in a fresh joint advisory by the US Department of State, the US Department of the Treasury and the Federal Bureau of Investigation (FBI) that outlines the importance North Korean IT workers play in generating revenues for North Korea, which contributes to its weapons of mass destruction (WMD) and ballistic missile programs in contravention the U.S. and UN sanctions.

Hackers who work for North Korea – officially known as the Democratic People’s Republic of Korea (DPRK), have gained notoriety for their sophisticated hacks on cryptocurrency exchanges over the last five years. In 2021 alone, they have stolen more than $400 million worth of cryptocurrency from the DPRK.

The FBI, US Cybersecurity and Infrastructure Security Agency (CISA) and Treasury last month issued a warning of the possibility that the North Korean Lazarus Group, or APT 38, is targeting exchanges in the cryptocurrency and blockchain sector using spear-phishing attacks as well as malware.

Treasury was also warned in April that identified Lazarus in the $600 million heists that occurred in March that were committed by The Ronin Blockchain network, which was the foundation for the game of play-to-earn Axie Finity.

However, the highly skilled North Korean IT workers play another role for DPRK through their role as sub-contracted programmers within US and European contracting firms to allow hacking by DPRK.

The US government has set out “red flag” indicators that firms could employ North Korean freelance developers and suggestions for companies to “protect against inadvertently hiring or facilitating the operations of DPRK IT workers.”

“The DPRK dispatches thousands of highly skilled IT workers worldwide to generate revenue that contributes to its weapons of mass destruction (WMD) and ballistic missile programs, in violation of U.S. and UN sanctions,” the report states.

DPRK IT personnel are primarily found in the People’s Republic of China (PRC) and Russia; however, the US declares some are situated across Africa and Southeast Asia.

“The vast majority of [DPRK IT workers] are subordinate to and working on behalf of entities directly involved in the DPRK’s UN-prohibited WMD and ballistic missile programs and its advanced conventional weapons development and trade sectors. This results in revenue generated by these DPRK IT workers being used by the DPRK to develop its WMD and ballistic programs, violating US and UN sanctions.”

Instead of engaging directly in cyberattacks, DPRK IT workers use privileges within their contractor roles for logistical support to DPRK hackers, providing access to virtual infrastructure, helping facilitate the selling of stolen data, and assisting DPRK’s cash laundering and transfers of virtual currency.

“Although DPRK IT workers normally engage in IT work distinct from malicious cyber activity, they have used the privileged access gained as contractors to enable the DPRK’s malicious cyber intrusions. Additionally, there are likely instances where workers are subjected to forced labor,” the warning states.

The tight labor market combined with a high demand for software developers in the US and Europe is in favor of North Korean software developers, who can earn 10 times more than an average North Korean laborer working in a factory or working on a construction site in the world.

The roles DPRK tech professionals specialize in reflect the most popular areas of technology across the West and around the world, such as applications for mobile and websites creating cryptocurrency exchange platforms, digital coins, game-based mobile apps, online gaming, AI-related software as well as firmware and hardware creation, VR and AR programming facial and biometric recognition software, as well as the development of databases.

The DPRK employees often work on virtual currency projects across categories that include fitness, business, health and social networking and entertainment, sports and lifestyle, as per the guidelines.

It’s not surprising that DPRK IT personnel use VPNs and other IP addresses from other countries to hide their online connections and stay out of the conditions of service for the online platforms they utilize. These workers are also using proxy addresses to solicit jobs and may operate a specific device for banking to avoid anti-money laundering measures. Additionally, they’re using fake or stolen identity documents to conceal their identities.

Some red flags are the following: multiple logins to one account, from different IP addresses, linked to different countries within a short amount of timespan; developers logging into various accounts using an IP address, developers being logged in to accounts continuously for up to a few days at a stretch; router ports like 3389, and other configurations that are associated with remote desktop sharing software; multiple developer accounts that receive high scores from a single client account within a short time and a large amount of bidding on projects and a limited amount of bids accepted for assignments and frequent money transfers via payment platforms, particularly to Chinese-based banks.

The report reveals that DPRK IT workers employed by a US company fraudulently charged the account with $50,000 in tiny installments spread over a couple of months.

The US agencies advise that contractors interview applicants via video to verify their identity. They also recommend refusing low-quality photos as evidence of authenticity.