Fake LinkedIn profiles, Webex, and Fiverr: Inside the North Korean IT worker scheme roiling the Fortune 500
A key component of the scheme North Koreans developed to get remote-work tech jobs is working with Americans on mainland soil who serve as facilitators or proxies in exchange for hefty fees. A cybersecurity expert posed as an American willing to go along with the IT worker plot to learn the ins and outs of the blueprint that U.S. authorities estimate has generated hundreds of millions for North Korea and impacted hundreds of Fortune 500 companies.
The message Aidan Raney sent to a Fiverr profile he learned was being manned 24/7 by North Korean engineers looking to recruit American accomplices was simple and straightforward.
'How do I get involved?' Raney asked.
The five-word text worked, said Raney, and days later the Farnsworth Intelligence founder was on a series of calls with his new North Korean handlers. Raney spoke to three or four different people, all of whom claimed to be named 'Ben,' and seemed not to realize that Raney knew he was dealing with multiple individuals and not just a single person.
It was during the second call that Raney asked rapid-fire questions to learn the finer points of serving as a proxy for North Korean software developers posing as Americans to get remote-work tech jobs.
How would the North Korean engineers handle his workload for him? The plan was to use remote-access tools on Webex to evade detection, Raney told Fortune. From there, Raney learned he would be required to send 70% of any salary he earned in a potential job to the Bens using crypto, PayPal, or Payoneer, while they would handle creating a doctored LinkedIn profile for him as well as job applications.
The Bens told Raney they would do most of the groundwork, but they needed him to show up to video meetings, morning standups, and scrums. They even took his headshot and turned it into a black-and-white photo so it would look different from any of his pictures floating around online, he said. The persona they cultivated using Raney's identity was someone well-steeped in geographic information system development, and they wrote in his fake bio that he had successfully developed ambulance software to track the location of emergency vehicles.
'They handle essentially all the work,' Raney told Fortune. 'What they were trying to do was use my real identity to bypass background checks and things like that and they wanted it to be extremely close to my real-life identity.'
The vast North Korean IT worker scam has been in effect since about 2018 and has generated hundreds of millions in revenues annually for the Democratic People's Republic of Korea (DPRK). In response to severe economic sanctions, DPRK leaders developed organized crime rings to gather intelligence to use in crypto heists and malware operations in addition to deploying thousands of trained software developers to China and Russia to get legitimate jobs at hundreds of Fortune 500 companies, according to the Department of Justice.
The IT workers are ordered to remit the bulk of their salaries back to North Korea. The UN reported lower-paid workers involved in the scheme are allowed to keep 10% of their salaries, while higher-paid employees keep 30%. The UN estimated the workers generate about $250 million to $600 million from their salaries per year. The money is used to fund North Korea's weapons of mass destruction and ballistic missile programs, according to the Department of Justice, FBI, and State Department.
In the past two years, the DOJ has indicted dozens of people involved in the scheme, but cybersecurity experts say the indictments haven't deterred the lucrative IT scam. In fact, the scheme has grown more sophisticated over time, and North Koreans continue to send out numerous applications to open job postings using AI to perfect the bios and coach American proxies through interview questions.
Bojan Simic, founder of verification-identity firm Hypr, said the social engineering aspect has evolved, and North Korean engineers—and other crime rings that have mimicked the scam—are using public information plus AI to augment past tactics that have worked for them. For instance, IT workers will look at a company's employee profiles on LinkedIn to learn their start dates, and then call a service desk using AI to mask their voice to reset their password. Once they get to the next security question, they'll hang up and call back once they know the answer to the next question—like the last four digits of a Social Security number.
'Two and a half years ago, this was a very manual process for a human being to do,' said Simic. 'Now, it's a fully automated process and the person will sound like somebody who speaks like you do.'
And it isn't just American accents North Koreans are deepfaking. A security officer at a Japanese bank told Simic he hardly ever worried about hackers calling IT service desks and tricking employees into providing information because most hackers don't speak Japanese—they speak Russian or Chinese, recalled Simic.
'Now, all of a sudden, the hackers can speak fluent Japanese and they can use AI to do it,' he said. It's completely upended the risk landscape for how companies are responding to these threats, said Simic.
Still, there are methods to strengthen hiring practices to root out job seekers using false identities.
'Adding even a little bit of friction to the process of verifying the identities' of people applying for jobs will often prompt the North Korean engineers to chase easier targets, Simic explained. Matching an IP location to a phone location and requiring cameras to be turned on with adequate lighting can go a long way, he said.
In Raney's case, the Bens landed him a job interview and they used remote access to open the Notepad application on his screen so they could write responses to the recruiter's questions during the discussion. The scheme worked: A private U.S. government contractor made Raney a verbal offer for a full-time remote-work job that paid $80,000 a year, he said.
Raney immediately had to turn around and tell the company he couldn't accept the offer and that he was involved in an incident-response investigation for a client.
He eventually let things die out with the North Korean Bens, but before he did, he spent some time trying to get them to open up. He asked about their families, or the weather. He texted the Bens and asked whether they spent time with relatives during the holidays. They responded saying there was nothing better than spending time with loved ones, adding a wink emoji, which struck Raney as different from the way they typically responded. Based on the messages, and seeing people hovering over their shoulders and pacing behind them during video calls, Raney concluded their conversations were heavily monitored and the North Korean engineers were surveilled constantly.
Raney's account was later publicized on an International Spy Museum podcast. Before the episode aired, he sent the North Korean Bens a note that said, 'I'm sorry. Please escape if you can.'
The message was never opened.
In response to a request for comment, LinkedIn directed Fortune to its update on fighting fake accounts.
A Fiverr spokesperson said the company's trust and safety team monitors sellers to ensure compliance and continuously updates its policies to reflect the evolving political and social landscapes.
In a statement, Payoneer told Fortune the firm uses robust compliance and monitoring programs to combat the challenge of DPRK operatives posing as IT consultants.
This story was originally featured on Fortune.com