The man on the other end of the line, an FBI agent, told Devin that the seemingly legitimate software developer he hired last summer was a North Korean operative who sent tens of thousands of dollars of his salary to the country’s authoritarian regime.
According to him, a stunned Devin hung up and immediately disconnected the employee from the company’s accounts.
“He was a good employee,” Devin complained, puzzled by the man who claimed to be Chinese and went through several rounds of interviews to get hired. (CNN uses Devin’s alias to protect his company’s identity.)
Now, US federal investigators are publicly warning about a key pillar of the North Korean strategy, which sees the regime deploy operatives to technical positions throughout the information technology industry.
It’s an elaborate money-making scheme that relies on shell companies, contractors, and deceit to prey on a volatile industry that’s always on the hunt for top talent. According to the US Bulletin, North Korean tech workers can earn over $300,000 a year, hundreds of times the median income of a North Korean citizen, and up to 90% of their wages go to the regime.
“(North Koreans) take this very seriously,” said Soo Kim, a former CIA North Korea analyst. “This is not just some random person in their basement trying to mine cryptocurrency,” she added, referring to the process of creating digital money. “It’s a lifestyle.”
But analysts say the cryptocurrency industry is too valuable a target for North Korean operatives to turn their backs on due to the industry’s relatively weak cyber defenses and the role that crypto can play in evading sanctions.
US officials have held a series of private briefings in recent months with foreign governments such as Japan, as well as tech firms in the US and abroad, to sound the alarm about the threat posed by North Korean IT personnel. Korea reported this to CNN.
The list of companies targeted by the North Koreans covers virtually every aspect of the freelance technology sector, including payment processors and recruiting firms, the official said.
“The Treasury Department will continue to prosecute North Korea’s revenue-generating efforts, including its illegal IT pro program and related malicious cyber activities,” Treasury Deputy Secretary for Terrorism and Financial Intelligence Brian Nelson said in a statement to CNN, using the acronym for North Korea. .
CNN emailed and called the North Korean embassy in London asking for comment.
Federal investigators are also looking for Americans who can share their experience with digital currencies in North Korea.
In April, a 39-year-old American programmer named Virgil Griffith was sentenced to more than five years in US prison for violating US sanctions on North Korea after speaking at a 2019 blockchain conference on how to avoid sanctions. Griffith pleaded guilty and, in a statement to the judge before sentencing, expressed “deep regret” and “shame” for his actions, which he attributed to his obsession with seeing North Korea “before it falls.”
But the long-term problem facing US officials is much more subtle than the glaring blockchain conferences in Pyongyang. This is due to an attempt to limit the scattered sources of funding that the North Korean government receives from its tech diaspora.
The North Korean government has long capitalized on outsiders underestimating the regime’s ability to fend for itself, thrive on the black market and harness the information technology that underpins the global economy.
One of the most infamous North Korean hacks occurred in 2014, when Sony Pictures Entertainment’s computer systems were damaged in retaliation for The Interview, a film that chronicles a fictional plot to kill Kim Jong-un. Two years later, North Korean hackers stole about $81 million from Bangladesh Bank using the SWIFT system to transfer bank funds.
Since then, North Korean hacker groups have kept a close eye on the booming cryptocurrency market.
Revenues were astronomical at times.
“Most of these crypto firms and services are still far from the level of security we see in traditional banks and other financial institutions,” said Fred Plan, chief analyst at cybersecurity firm Mandiant, which has investigated alleged North Korean tech workers and shared some of its findings with CNN.
Thousands of North Korean tech workers abroad give Pyongyang a double-edged sword: they can earn salaries that bypass UN and US sanctions and go straight for the regime, and occasionally offer North Korean-based hackers a foothold in cryptocurrencies or other tech firms. IT professionals sometimes provide “logistical” support to hackers and transfer cryptocurrencies, according to a recent US government advisory.
“The community of skilled programmers in North Korea who have permission to contact Westerners is certainly quite small,” Nick Carlsen, who until last year was an FBI intelligence analyst specializing in North Korea, told CNN.
“These guys know each other. Even if a particular IT professional is not a hacker, he definitely knows him, ”said Carlsen, who now works at TRM Labs, a firm that investigates financial fraud. “Any vulnerability they can find in the customer’s systems is at serious risk.”
“We are actively looking for signs of government-sponsored activity on the platform and are taking swift action against attackers to protect our members,” LinkedIn said in a statement to CNN. “We do not wait for requests, our threat intelligence team removes fake accounts using the information we disclose and intelligence from various sources, including government agencies.”
Learning to spot red flags
Some members of the cryptocurrency industry are becoming more cautious in their search for new talent. In the case of Jonathan Wu, a video call with a job candidate in April may have prevented him from unwittingly hiring someone he suspected was a North Korean tech worker.
As the head of growth marketing at Aztec, a company that offers privacy features for Ethereum, a popular type of cryptocurrency technology, Wu was looking for a new software engineer when the hiring team came across a promising resume someone had submitted.
The applicant declared experience with non-fungible tokens (NFTs) and other segments of the cryptocurrency market.
“Looks like someone we could hire as an engineer,” Wu, who lives in New York, told CNN.
But Wu saw several red flags in the applicant, who introduced himself as “Bobby Sierra”. Wu said he spoke in broken English during the interview, turned off his webcam, and had difficulty giving his backstory as he practically demanded a job at Aztec.
Wu never hired Sierra, who claimed to live in Canada on her resume.
“Looks like he was in a call center,” Wu said. “It looks like there were four or five guys in the office who also spoke loudly, also apparently in job interviews or phone calls, and spoke in a mixture of Korean and English.”
Sierra did not respond to messages sent to his alleged email and Telegram accounts asking for comment.
CNN has received resumes that alleged North Korean tech workers submitted to Wu’s firm and a cryptocurrency startup founded by Devin. The summaries seem deliberately general so as not to arouse suspicion, and contain buzzwords popular in the cryptocurrency industry, such as “scalability” and “blockchain”.
According to Mandiant, one suspected North Korean operative tracked by Mandiant, a cybersecurity firm, asked many questions to other members of the cryptocurrency community about how Ethereum works and interacts with other technologies.
According to Mandiant chief analyst Michael Barnhart, the North Korean may have been collecting information about the technology that could be useful for its subsequent hack.
“These guys know exactly what they want from Ethereum developers,” said Barnhart. “They know exactly what they’re looking for.”
Fake resumes and other tricks used by the North Koreans are likely to become even more believable, said Kim, a former CIA analyst who now works as a political analyst at RAND Corp., a think tank.
“Even though trading isn’t perfect right now, in terms of their ways of approaching foreigners and exploiting their vulnerabilities, it’s still a fresh market for North Korea,” Kim told CNN. “In light of the challenges the regime is facing – food shortages, fewer countries willing to engage with North Korea… it’s just going to be something they will continue to use because, essentially, no one is holding them back.”