Are you a freelancer? North Korean spies may be using you.


North Korean IT operatives are adjusting their strategies to recruit freelancers to act as identity proxies for remote work.

These operatives contact job seekers on platforms like Upwork, Freelancer, and GitHub, then shift the conversation to Telegram or Discord, where they guide them to install remote access software and go through authentication.

In past cases, North Korean workers obtained remote work opportunities by forging identification documents. According to Heiner García, a telecommunications network threat intelligence expert and blockchain security researcher, these operatives are now circumventing related obstacles by collaborating with verified users, who authorize others to remotely operate their computers.

The real identity holders receive only one-fifth of the payment, while the remaining funds are transferred to the operatives via cryptocurrency or even traditional bank accounts. By leveraging real identities and local network connections, operatives can evade monitoring that flags high-risk regions and VPN use.

Earlier this year, García, in collaboration with Cointelegraph, set up a virtual cryptocurrency company and interviewed a suspected North Korean operative who was seeking remote tech positions. The applicant claimed to be Japanese but abruptly ended the call when asked to introduce himself in Japanese.

García then continued to communicate with the suspected operative via private messages, where the individual asked him to purchase a computer and provide remote access.

This request aligned with a pattern García encountered later. Evidence related to suspicious accounts included onboarding presentations, recruitment scripts, and "repeatedly used" identification documents.

García told Cointelegraph:

He added that the person handing over the computer is "a victim." "They are unaware. They think they are joining a normal subcontracting arrangement."

According to the chat logs he reviewed, recruits would ask basic questions like "How do we make money?" and were not engaged in any technical work. They were only responsible for account verification, installing remote access software, and keeping the device online, while the operatives used their identities to apply for jobs, communicate with clients, and deliver results.

While most appear to be unwitting victims, some clearly know what they are involved in.

In August 2024, the U.S. Department of Justice arrested Nashville resident Matthew Isaac Knoot, who operated a "dual account operation" project allowing North Korean IT workers to impersonate U.S. employees using stolen identity information to take orders.

Recently in Arizona, Christina Marie Chapman was sentenced to over 8 years in prison for operating a similar project that funneled over $17 million to North Korea.

The most favored recruits are from the U.S., Europe, and parts of Asia, as verified accounts can access high-value corporate positions with fewer geographical restrictions. However, García also found that individuals from economically unstable regions, such as Ukraine and Southeast Asia, are similarly exploited.

"They specifically target low-income populations and also focus on vulnerable groups," García stated. "I have even seen them attempt to contact people with disabilities."

The United Nations has stated that North Korean IT work and cryptocurrency theft are allegedly funding the country's missile and weapons programs.

García pointed out that this method is not limited to the cryptocurrency sector. In one case he investigated, a North Korean worker used a stolen U.S. identity to impersonate an architect from Illinois, bidding on construction-related projects on Upwork and delivering design results to clients.

While external attention is focused on cryptocurrency money laundering, García's research found that traditional financial channels are also being abused. This proxy model also allows illegal actors to receive bank payments under legitimate names.

"This is not just about cryptocurrency," García said. "They do everything—construction, design, customer support, as long as they can access it."

Even though recruitment teams are becoming increasingly aware of the risks posed by North Korean operatives obtaining remote positions, they usually only notice when abnormal behavior triggers an alert. Once an account is banned, these individuals will switch to a new identity to continue operations.

Chat logs show that once a certain Upwork account was suspended due to frequent activity, the operative instructed the recruit to have a family member open the next account.

This constant identity switching makes accountability and attribution extremely difficult. The person whose name is on the account is often deceived, while the actual operator is in another country, making them invisible to both freelance platforms and clients.

The biggest advantage of this model is that everything seen by compliance systems appears real and trustworthy—real identities, local networks. On the surface, all conditions seem to meet requirements, but the person behind the keyboard is entirely different.

García noted that the most obvious danger signal is when someone asks you to install remote access tools or allow others to "work" using your verified account. Legitimate recruitment processes do not require control over your device or personal information.


Original article: “Are You a Freelancer? North Korean Spies May Be Using You”
