North Koreans use fake names and scripts to get remote IT work for cash
By James Pearson
LONDON (Reuters) – Using fake names, fake LinkedIn profiles, fake employment papers and fake interview scripts, North Korean IT workers seeking employment at Western technology companies are using sophisticated tricks to get hired.
Getting a job outside North Korea to secretly earn foreign currency for the isolated country requires sophisticated strategies to convince Western human resources managers, according to documents reviewed by Reuters, an interview with a former North Korean IT employee and cybersecurity researchers.
According to the United States, South Korea and the United Nations, North Korea has sent thousands of IT workers abroad – an effort that has accelerated over the past four years to raise millions to fund Pyongyang’s nuclear missile program.
“People are free to express ideas and opinions,” says an interview script from North Korean software developers, who, when asked, offer suggestions on how to describe a “good corporate culture.” Freely expressing one’s thoughts could result in a prison sentence in North Korea.
The scripts, totaling 30 pages, were unearthed by researchers at Palo Alto Networks, a U.S. cybersecurity company, which discovered a cache of internal documents online detailing the workings of North Korea’s remote IT staff.
The documents contain dozens of fraudulent resumes, online profiles, interview notes and fake identities that North Korean workers used to apply for software development jobs.
Reuters found further evidence in leaked dark web data that revealed some of the tools and techniques used by North Korean workers to convince companies to let them work in jobs in far-flung countries such as Chile, New Zealand, the United States, Uzbekistan and the United Arab Emirates too busy.
The documents and data reveal the North Korean authorities’ extensive efforts and deception to ensure the success of a plan that has become a vital foreign exchange lifeline for the cash-strapped regime.
North Korea’s UN mission did not respond to a request for comment.
Remote IT workers can earn more than 10 times what a traditional North Korean worker working abroad in construction or other manual jobs earns, the U.S. Department of Justice (DOJ) said in 2022, and teams from They can collectively earn more than $3 million per year.
Reuters could not determine how much the system has generated over the years.
Some of the scripts designed to prepare workers for interview questions include excuses for the need to work remotely.
“Richard,” a senior embedded software developer, said: “I flew to Singapore a few weeks ago. My parents got Covid and I decided to be with family members for a while. Now I plan to return to Los Angeles in three months. I think I could start working remotely immediately, then I’ll be on board when I return to LA.”
A recently defected North Korean IT employee also reviewed the documents and confirmed their authenticity to Reuters: “We created 20 to 50 fake profiles every year until we were hired,” he said.
He looked at the scripts, data and documents and said it was exactly the same as what he had done because he recognized the tactics and techniques used.
“Once I got hired, I would create another fake profile to get a second job,” said the worker, who asked to remain anonymous, citing security concerns.
In October, the US Department of Justice and the Federal Bureau of Investigation (FBI) seized 17 website domains that were allegedly used by North Korean IT employees to defraud companies and $1.5 million in funds.
North Korean developers working at U.S. companies hid behind pseudonymous email and social media accounts and generated millions of dollars annually through the program on behalf of sanctioned North Korean companies, the DOJ said.
“There is a risk to the North Korean government as these privileged workers face dangerous realities in the world and the forced backwardness of their country,” said Sokeel Park of Liberty in North Korea (LINK), an organization that works with defectors.
CASH
Last year, the U.S. government said North Korean IT workers were employed primarily in China and Russia, with some in Africa and Southeast Asia, and could earn up to $300,000 a year each.
In his experience, the former IT worker said that everyone is expected to earn at least $100,000, of which 30-40% will be repatriated to Pyongyang, 30-60% will be spent on overhead costs and 10-30% from the workers.
He estimated there were about 3,000 others like him abroad and another 1,000 living in North Korea.
“I worked to earn foreign exchange,” he told Reuters. “It varies from person to person, but basically once you get a remote job you can work for as little as six months or as long as three to four years.”
“If you can’t find a job, you freelance.”
The researchers, part of Palo Alto’s Unit 42 cyber research division, made the discovery while investigating a campaign by North Korean hackers targeting software developers.
One of the hackers left the documents on a server, Unit 42 said, suggesting there were links between North Korea’s hackers and its IT staff, although the defector said espionage campaigns were intended only for a select few: “Hackers are trained separately . These missions are not given to people like us,” he said.
Still, there are crossovers. The Justice Department and FBI have warned that North Korean IT workers could use the access to hack their employers, and some of the leaked resumes suggested experience at cryptocurrency firms, an industry long targeted by North Korean hackers.
FALSE IDENTITIES
Data from Constella Intelligence, an identity investigation company, showed that one of the employees had accounts on over 20 freelance websites in the United States, Britain, Japan, Uzbekistan, Spain, Australia and New Zealand.
The worker did not respond to an emailed request for comment.
The data compiled from leaks on the dark web also revealed an account on a website that sells digital templates to create realistic-looking fake identification documents, including U.S. driver’s licenses, visas and passports, Reuters found.
Documents unearthed by Unit 42 included resumes for 14 identities, a fake U.S. green card, interview scripts and evidence that some workers had purchased access to legitimate online profiles to appear more authentic.
The “Richard” in Singapore seeking remote IT work apparently referred to a fake profile with the name “Richard Lee” – the same name on the green card. The U.S. Department of Homeland Security did not respond to a request for comment.
Reuters found a LinkedIn account for a Richard Lee with the same profile photo, who cited experience at Jumio, a digital identity verification company.
“We have no record of Richard Lee being a current or former Jumio employee,” a Jumio spokesperson said. “Jumio has no evidence that the company ever had a North Korean employee on its workforce.”
Reuters sent a message to the LinkedIn account seeking comment but received no response. LinkedIn removed the account after receiving requests for comment from Reuters.
“Our team uses information from various sources to identify and remove fake accounts, as we did in this case,” a spokesperson said.
(Reporting by James Pearson; Additional reporting by Ted Hesson and Daphne Psaledakis in Washington; Editing by Chris Sanders and Anna Driver)
