
- A key component of a scheme North Koreans developed to get remote-work tech jobs is working with Americans on mainland soil who serve as facilitators or proxies in exchange for hefty fees. A cybersecurity expert posed as an American willing to go along with the IT worker plot to learn the ins and outs of the blueprint, which U.S. authorities estimate has generated hundreds of millions for North Korea and impacted hundreds of Fortune 500 companies.
The message Aidan Raney sent to a Fiverr profile he learned was being manned 24/7 by North Korean engineers looking to recruit American accomplices was simple and straightforward.
“How do I get involved?” Raney asked.
The five-word text worked, said Raney, and days later the Farnsworth Intelligence founder was on a series of calls with his new North Korean handlers. Raney spoke to three or four different people, all of whom claimed to be named “Ben,” and seemed not to realize that Raney knew he was dealing with multiple individuals and not just a single person.
It was during the second call that Raney asked rapid-fire questions to learn the finer points of serving as a proxy for North Korean software developers posing as Americans to get remote-work tech jobs.
How would the North Korean engineers handle his workload for him? The plan was to use remote-access tools on Webex to evade detection, Raney told Fortune. From there, Raney learned he would be required to send 70% of any salary he earned in a potential job to the Bens using crypto, PayPal, or Payoneer, while they would handle creating a doctored LinkedIn profile for him as well as job applications.
The Bens told Raney they would do most of the groundwork, but they needed him to show up to video meetings, morning standups, and scrums. They even took his headshot and turned it into a black-and-white photo so it would look different from any of his pictures floating around online, he said. The persona they cultivated using Raney’s identity was someone well-steeped in geographic information system development, and they wrote in his fake bio that he had successfully developed ambulance software to track the location of emergency vehicles.
“They handle essentially all the work,” Raney told Fortune. “What they were trying to do was use my real identity to bypass background checks and things like that and they wanted it to be extremely close to my real-life identity.”
The vast North Korean IT worker scam has been in effect since about 2018 and has generated hundreds of millions in revenues annually for the Democratic People’s Republic of Korea (DPRK). In response to severe economic sanctions, DPRK leaders developed organized crime rings to gather intelligence to use in crypto heists and malware operations in addition to deploying thousands of trained software developers to China and Russia to get legitimate jobs at hundreds of Fortune 500 companies, according to the Department of Justice.
The IT workers are ordered to remit the bulk of their salaries back to North Korea. The UN reported lower-paid workers involved in the scheme are allowed to keep 10% of their salaries, while higher-paid employees keep 30%. The UN estimated the workers generate about $250 million to $600 million from their salaries per year. The money is used to fund North Korea’s weapons of mass destruction and ballistic missile programs, according to the Department of Justice, FBI, and State Department.
In the past two years, the DOJ has indicted dozens of people involved in the scheme, but cybersecurity experts say the indictments haven’t deterred the lucrative IT scam. In fact, the scheme has grown more sophisticated over time, and North Koreans continue to send out numerous applications to open job postings using AI to perfect the bios and coach American proxies through interview questions.
Bojan Simic, founder of identity-verification firm Hypr, said the social engineering aspect has evolved, and North Korean engineers, along with other crime rings that have mimicked the scam, are using public information plus AI to augment past tactics that have worked for them. For instance, IT workers will look at a company’s employee profiles on LinkedIn to learn their start dates, and then call a service desk, using AI to mask their voice, to request a password reset. Once they get to the next security question, they’ll hang up and call back once they know the answer to that question, such as the last four digits of a Social Security number.
“Two and a half years ago, this was a very manual process for a human being to do,” said Simic. “Now, it’s a fully automated process and the person will sound like somebody who speaks like you do.”
And it isn’t just American accents North Koreans are deepfaking. A security officer at a Japanese bank told Simic he hardly ever worried about hackers calling IT service desks and tricking employees into providing information because most hackers don’t speak Japanese—they speak Russian or Chinese, recalled Simic.
“Now, all of a sudden, the hackers can speak fluent Japanese and they can use AI to do it,” he said. It’s completely upended the risk landscape for how companies are responding to these threats, said Simic.
Still, there are methods to strengthen hiring practices to root out job seekers using false identities.
“Adding even a little bit of friction to the process of verifying the identities” of people applying for jobs will often prompt the North Korean engineers to chase easier targets, Simic explained. Matching an IP location to a phone location and requiring cameras to be turned on with adequate lighting can go a long way, he said.
In Raney’s case, the Bens landed him a job interview and they used remote access to open the Notepad application on his screen so they could write responses to the recruiter’s questions during the discussion. The scheme worked: A private U.S. government contractor made Raney a verbal offer for a full-time remote-work job that paid $80,000 a year, he said.
Raney immediately had to turn around and tell the company he couldn’t accept the offer and that he was involved in an incident-response investigation for a client.
He eventually let things die out with the North Korean Bens, but before he did, he spent some time trying to get them to open up. He asked about their families, or the weather. He texted the Bens and asked whether they spent time with relatives during the holidays. They responded saying there was nothing better than spending time with loved ones, adding a wink emoji, which struck Raney as different from the way they typically responded. Based on the messages, and seeing people hovering over their shoulders and pacing behind them during video calls, Raney concluded their conversations were heavily monitored and the North Korean engineers were surveilled constantly.
Raney’s account was first reported on HUMINT, a Substack covering the intelligence community. Before national-security reporter Sasha Ingber published her story, Raney sent the North Korean Bens a note that said, “I’m sorry. Please escape if you can.”
The message was never opened.
In response to a request for comment, LinkedIn directed Fortune to its update on fighting fake accounts.
A Fiverr spokesperson said the company’s trust and safety team monitors sellers to ensure compliance and continuously updates its policies to reflect the evolving political and social landscapes.
In a statement, Payoneer told Fortune the firm uses robust compliance and monitoring programs to combat the challenge of DPRK operatives posing as IT consultants.