Ryan Wegner, Director of Intelligence, SEAL-ISAC
This example illustrates the SEAL-ISAC database of individual threat actors identified as DPRK operatives. The information shown in these screenshots was pulled from public reports.
For several years, it’s been top of mind for many in the crypto space that DPRK IT workers are being unknowingly hired by companies outside of North Korea, a concern intensified by the increase in remote work, the sophistication of these campaigns, and the potential consequences for companies under international sanctions regimes. According to government reports, the DPRK has dispatched thousands of highly skilled IT workers around the world to earn revenue for its weapons program. Various government agencies and cybersecurity researchers have highlighted the practice as a way for North Korea to circumvent sanctions and generate foreign currency.
In March 2022, the United Nations Security Council Sanctions Committee on North Korea issued a 'Final report of the Panel of Experts submitted pursuant to resolution 2569 (2021),' a proactive step that draws attention to sanctions evasion and overseas labor.
Several months later, in May 2022, the U.S. Department of State, the U.S. Department of the Treasury, and the Federal Bureau of Investigation (FBI) issued a joint advisory: 'Guidance on the Democratic People's Republic of Korea Information Technology Workers.' This comprehensive advisory provides detailed information on how North Korean IT workers operate, red flag indicators, and mitigation measures for companies.
These workers abuse the entire ecosystem of freelance work platforms to surreptitiously obtain IT development contracts from client companies around the world. They likewise abuse many social media platforms to communicate with clients, and payment platforms to receive payment for their work.
However, detecting these individuals is easier said than done due to their elaborate false identities and backstories, such as forged academic certificates and fabricated work experience, complete with forged documents and credentials. Additionally, their genuine abilities enable them to pass technical interviews. Some have been planning well in advance, with carefully crafted online personas: LinkedIn profiles, GitHub contributions, and other professional footprints built up over the years. We’ve seen operatives with experience in legitimate IT roles that give them real references.
To effectively detect when a North Korean IT worker is using fake identities to apply for a job, most companies would need to gather and analyze various types of information to verify their identity, work history and education, digital footprint, patterns in code comments or documentation, and links to sanctioned entities. Unfortunately, that’s beyond the scope of most companies, even some well-resourced ones, as we’ve seen in recent media reports. And because no single piece of information is likely to be conclusive, companies should consider a holistic approach, combining multiple data points and expert analysis to make accurate assessments while minimizing false positives.
North Korean IT workers are particularly attracted to blockchain and cryptocurrency companies for several reasons, including evading international sanctions by avoiding traditional financial systems. Yet, the perception that all cryptocurrency transactions are anonymous and untraceable has repeatedly been proven false by cybersecurity researchers and law enforcement. You can expect enforcement in this space to continue ratcheting up — and soon.
However, that likely won’t stop threat actors like the DPRK from targeting cryptocurrency firms because of the potential for cyber exploitation. Working at a cryptocurrency firm provides insights into security vulnerabilities that could be exploited for state-sponsored hacking or theft.
Blockchain companies also typically offer more remote positions, allowing DPRK workers to operate within North Korea or another country. Additionally, the global shortage of blockchain developers makes it easier for skilled individuals to find employment regardless of background checks. North Korea has invested heavily in cryptocurrency mining and hacking, making the blockchain sector a natural fit for their skill set.
It's important to note that many legitimate blockchain and cryptocurrency companies are aware of these risks and are implementing stricter verification processes. However, the industry's decentralized and often international nature continues to present challenges in altogether preventing infiltration by DPRK workers.
The attraction of DPRK IT workers to this sector underscores the need for heightened due diligence, better security measures within the blockchain and cryptocurrency industry, and increased collaboration among companies operating in this space.
To help companies stay up-to-date on known tactics and identities associated with North Korean operatives, SEAL-ISAC built a dedicated feed for members to share information they’ve observed about individual threat actors. This information is classified based on STIX (Structured Threat Information eXpression), a standard for exchanging cyber threat intelligence, ensuring both confidence and confidentiality.
SEAL-ISAC members share details on specific documentation, identifiers, and known associations with the DPRK, allowing other members to search the database of known threat actors using information they’ve obtained from fraudulent job applications or financial transactions.
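As an added illustration of how such a feed can be structured (this is example code written for this article, not SEAL-ISAC's own feed or tooling), the block below encodes member-observed identifiers for one persona as STIX 2.1 objects (a threat-actor, indicators carrying STIX patterns, and "indicates" relationships), serialises them as a bundle, and then checks a job applicant's details against it. Every name, email address, handle, URL and UUID is a constructed placeholder. Note that the lookup returns a list of matched data points per persona rather than a verdict, in keeping with the point above that no single piece of information is conclusive on its own.

```python
"""
Added example (not SEAL-ISAC's code): represent observed DPRK IT-worker
identifiers as STIX 2.1 objects and look up an applicant against them.
All names, emails, handles, URLs and UUIDs here are constructed placeholders.
"""
import json
import re
import uuid
from datetime import datetime, timezone


def _now() -> str:
    # STIX 2.1 timestamps: RFC 3339, UTC, millisecond precision
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def _stix_id(obj_type: str) -> str:
    # STIX identifiers are "<type>--<uuid>"
    return f"{obj_type}--{uuid.uuid4()}"


def make_threat_actor(name: str, aliases: list) -> dict:
    # STIX 2.1 Threat Actor SDO (required properties plus a few common ones)
    ts = _now()
    return {
        "type": "threat-actor", "spec_version": "2.1", "id": _stix_id("threat-actor"),
        "created": ts, "modified": ts, "name": name, "aliases": aliases,
        "threat_actor_types": ["nation-state"],
    }


def make_indicator(observable_path: str, value: str, description: str) -> dict:
    # STIX 2.1 Indicator SDO with a STIX pattern such as [email-addr:value = 'x']
    ts = _now()
    return {
        "type": "indicator", "spec_version": "2.1", "id": _stix_id("indicator"),
        "created": ts, "modified": ts, "pattern": f"[{observable_path} = '{value}']",
        "pattern_type": "stix", "valid_from": ts, "description": description,
    }


def make_relationship(src: dict, rel_type: str, dst: dict) -> dict:
    # STIX Relationship Object linking an indicator to the persona it indicates
    ts = _now()
    return {
        "type": "relationship", "spec_version": "2.1", "id": _stix_id("relationship"),
        "created": ts, "modified": ts, "relationship_type": rel_type,
        "source_ref": src["id"], "target_ref": dst["id"],
    }


def build_sample_bundle() -> dict:
    # Constructed sample persona with three identifiers a member might have observed
    actor = make_threat_actor("Persona Example-1 (constructed)", ["J. Example"])
    indicators = [
        make_indicator("email-addr:value", "dev.jexample@example.invalid",
                       "email used on freelance platform"),
        make_indicator("user-account:account_login", "jexample-dev",
                       "GitHub handle listed on resume"),
        make_indicator("url:value", "https://example.invalid/portfolio",
                       "portfolio URL on application"),
    ]
    rels = [make_relationship(ind, "indicates", actor) for ind in indicators]
    return {"type": "bundle", "id": _stix_id("bundle"), "objects": [actor, *indicators, *rels]}


# Parses the simple single-comparison patterns this example emits
_PATTERN_RE = re.compile(r"^\[(?P<path>[\w\-:.]+)\s*=\s*'(?P<value>[^']*)'\]$")


def lookup(bundle: dict, applicant: dict) -> dict:
    """Match applicant fields (observable path -> value) against the bundle.

    Returns {persona name: [descriptions of matched data points]}. A single
    match is a lead to investigate, not a conclusion.
    """
    by_id = {obj["id"]: obj for obj in bundle["objects"]}
    hits: dict = {}
    for rel in bundle["objects"]:
        if rel["type"] != "relationship" or rel["relationship_type"] != "indicates":
            continue
        indicator = by_id[rel["source_ref"]]
        match = _PATTERN_RE.match(indicator["pattern"])
        if not match:
            continue  # richer patterns would need a real STIX pattern engine
        path, value = match.group("path"), match.group("value")
        if applicant.get(path, "").strip().lower() == value.lower():
            persona = by_id[rel["target_ref"]]["name"]
            hits.setdefault(persona, []).append(indicator["description"])
    return hits


if __name__ == "__main__":
    bundle = build_sample_bundle()
    print(json.dumps(bundle, indent=2))  # what a member would share on the feed
    applicant = {"email-addr:value": "Dev.JExample@example.invalid",
                 "user-account:account_login": "someone-else"}
    print(lookup(bundle, applicant))  # one matched data point for the persona
```

The applicant dictionary is keyed by STIX observable path so that the same field names carry from the shared indicator to the local lookup; a production feed would use a proper STIX pattern engine and the `confidence` and marking properties the standard provides rather than the simplified regex matcher shown here.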
To apply for membership, please visit isac.securityalliance.org/app.