Latest news with #DTEX
Yahoo
18-05-2025
- Business
- Yahoo
‘This is the mafia' — How North Korea structures its IT workers like an organized crime syndicate
A detailed report on North Korea's cyber-crime operations has revealed the inner workings and structure behind Kim Jong Un's plan to evolve a highly lucrative scheme in which trained tech workers infiltrate American and European businesses. The North Korean IT workers send nearly their entire salaries home to fund the regime's nuclear weapons program, using AI as a key tool. Meanwhile, North Korea has pitted its IT workers against each other to spur competition and rake in more money. The crime syndicate La Cosa Nostra in the U.S. is built around 'Five Families' that famously war with each other for money and power. North Korea's prosperous cyber-crime operations are similar, except there is only one family and it belongs to authoritarian leader Kim Jong Un. 'Stop looking at North Korea's cyber program as a government program like the other major state programs and liken them to a single-family mafia organization and the lines begin to unblur,' states a new report from cybersecurity firm DTEX. The report delves into the organization and structure of the Democratic People's Republic of Korea (DPRK) and its extensive—and flourishing—pipeline of trained operatives who have infiltrated Fortune 500 companies with its IT workers scheme. This year, North Korea advanced the strategy to a new stage, recruiting 90 top graduates for an AI research center and demanding double their monthly earnings from each worker—even as teams worked feverishly to launder $1.5 billion stolen in a hack of cryptocurrency exchange Bybit after the start of the year. For context, the DPRK's crime syndicate involves a vast global scheme in which trained technologists from North Korea have been deployed by the thousands. The workers have impersonated or stolen American identities to illegally obtain remote jobs in IT. They send their salaries back home to North Korea to fund Kim's nuclear weapons and ballistic missile ambitions. The IT workers are only one prong in the regime's cyber cartel; they share intelligence with malicious North Korean Advanced Persistent Threat (APT) actors who operate under the Korean People's Army. According to UN estimates, the IT workers reliably generate $250 million to $600 million per year, while the APTs have stolen at least $3 billion in crypto. 'This is the mafia,' Michael 'Barni' Barnhart, an investigator who leads DTEX's DPRK efforts, told Fortune. The economic structure ensures the money travels up the chain, spans multiple criminal enterprises, and is based on tight-knit but competitive internal relationships. Like in The Sopranos, titular mob boss Tony Soprano calls the shots, while capos like Christopher Moltisanti deliver whatever he needs, he said. 'The profits—from ransomware, cryptocurrency theft, financial fraud, and insider infiltration— flow upward to fund weapons development and sanctions evasion,' states the report, written by Barnhart. (He is the author, but notes that he sourced his intelligence from an extensive global alliance of investigators.) According to the report, many of the IT workers and APT actors know each other. As part of the scheme, children who show promise in math and science in elementary school are plucked from an early age to get training as a military cyber operative or an IT worker. They attend elite schools like the Kim Sung Il Military University and the Kumsong Academy together and learn advanced computer science in a constantly replenished talent pipeline. Cyber investigators call it a 'bro network,' and have found chats between workers who lean on old school friends to find out how to make more money, explained Barhart. An image of two verified IT workers published by DTEX shows happy-looking young guys with nice watches and Nike-branded gear hanging out. Many of the operatives who ran successful heists a decade ago are now in managerial positions or serving as advisors and professors for the new generation of IT workers, said Barnhart. However, the photos don't show a particularly brutal twist in the scheme: the various four- or five-man delegations of workers are encouraged to compete against each other. Barnhart described it as a 'dog eat dog world where the only real winners are Kim Jong Un's family and the North Korean elites.' While much of the revenue that's generated funds operations and weapons, some goes to purchasing luxury goods for Kim and his family, said Barnhart. In 2025, North Korea doubled the monthly financial quota for workers in China, the report revealed, and Barnhart said all workers—IT and otherwise—faced the same punishing new requirement to keep foreign money pouring into the regime. The workers face grueling, 16-hour days up to six days a week, with hardly any breaks. Thus, the friendly 'bro network' operates on a case-by-case basis, noted Barnhart. The competition is exacerbated by the need to bring in more cash and crypto. On average, workers get to keep less than 20% of their earnings and they have to fund operations, equipment, and servers with their own money. In one documented example in the report, a worker earned $5,000 in a month and was allowed to keep $200. 'These quotas also foster a culture of competition within teams, with workers seeking to gain advantages over their colleagues to receive favors and be allowed to send more money back to their families,' Barnhart wrote. 'They're also encouraged to report each other for 'unpatriotic' behavior.' That's one of the reasons small U.S. tech founders have asked job applicants to make a negative comment about Kim's intellect or his weight before progressing to a formal interview. The IT workers wouldn't risk being caught insulting the authoritarian leader—and it would be unheard of to do so. Barhnart said it's very much 'every man out there is for himself' and the workers are beaten if they don't make enough money. 'It is a rough life,' he said. 'If they can't make their quotas, we see them at times mention (beatings).' Another picture DTEX published showed IT workers in a cramped space working on doctored IDs and WhatsApp chats with a mounted camera on the wall for government monitoring. Barnhart said the competition for work on freelance-job platforms where the IT workers find new opportunities is intense. He estimated that it takes roughly three hours to get a North Korean IT worker to apply for a job posting if it's related to crypto and software development. Some of the workers have even resorted to reporting each other on the freelance platforms, with one IT worker calling another a 'scammer' in a reply to a post from an IT worker seeking a job. The report states that the pressures on workers to generate revenues has given rise to side hustles, which are allowed as long as they continue to increase their earnings. Much like the mafia, financial gain, fear, violence, and identity are drivers of the IT worker scheme, but Barnhart wrote that what sets the DPRK apart is the 'survival-based incentive structure at the heart of its engine.' 'Cyber operatives are not motivated by ideology, but by material necessities: food, shelter, healthcare, and education for their families,' he wrote. 'Loyalty is not the core driver. Survival is.' Read more about North Korea's IT workers scheme: Chinese companies are secretly powering North Korea's global IT workers scheme The North Korean IT worker scheme infiltrated an American election campaign website A North Korean agent applied for a job at a popular crypto firm: They tripped him up with a simple question about Halloween Nashville man accused of helping thousands of North Koreans get remote-work jobs in IT This story was originally featured on
WIRED
14-05-2025
- Business
- WIRED
North Korean IT Workers Are Being Exposed on a Massive Scale
May 14, 2025 6:00 AM Security researchers are publishing 1,000 email addresses they claim are linked to North Korean IT worker scams that infiltrated Western companies—along with photos of men allegedly involved in the schemes. Photo-Illustration: Wired Staff; ManuelThe young developers are having the time of their lives. They pop open bottles of sparkling wine, eat steak dinners, play soccer together, and lounge around in a luxurious private swimming pool, all of their activity captured in photos that were later exposed online. In one picture, a man poses in front of a life-sized Minions cardboard cutout. But despite their exuberance, these are not successful Silicon Valley entrepreneurs; they're IT workers from the Hermit Kingdom of North Korea, who infiltrate Western companies and send their wages back home. Two members of a cluster of North Korean developers, who allegedly operated out of Southeast Asian country Laos before being relocated to Russia by the beginning of 2024, are today being identified by researchers at cybersecurity company DTEX. The men, who DTEX believes have used the personas 'Naoki Murano' and 'Jenson Collins,' are alleged to have been involved in raising money for the brutalist North Korean regime as part of the widespread IT worker epidemic, with Murano alleged to have previously been linked to a $6 million heist at crypto firm DeltaPrime last year. For years, Kim Jong-un's North Korea has posed one of the most sophisticated and dangerous cyber threats to Western countries and businesses, with its hackers stealing the intellectual property needed to develop its own technology, plus looting billions in crypto to evade sanctions and create nuclear weapons. In February, the FBI announced that North Korea pulled off the biggest ever crypto heist, stealing $1.5 billion from crypto exchange Bybit. Alongside its skilled hackers, Pyongyang's IT workers, who often are based in China or Russia, trick companies into employing them as remote workers and have become an increasing menace. 'What we're doing isn't working, and if it is working, it's not working fast enough,' says Michael 'Barni' Barnhart, a leading North Korean cyber researcher and principal investigator at DTEX. As well as identifying Murano and Collins, DTEX, in a detailed report about North Korean cyber activity, is also publishing more than 1,000 email addresses that it alleges to have been identified as linked to North Korean IT worker activity. The move is one of the largest disclosures of North Korean IT worker activity to date. North Korea's broad cyber operations can't be compared with those of other hostile nations, such as Russia and China, Barnhart explains in the DTEX report, as Pyongyang operates like a 'state-sanctioned crime syndicate' rather than more traditional military or intelligence operations. Everything is driven by funding the regime, developing weaponry, and gathering information, Barnhart says. 'Everything is tied together in some way, shape, or form.' The Misfits Move In Around 2022 and 2023, DTEX claims both Naoki Murano and Jenson Collins—their real names are not known—were based in Laos and also travelled between Vladivostok, in Russia. The pair appeared among a wider group of possible North Koreans in Laos, and a cache of their photos were first exposed in an open Dropbox folder. The photos were discovered by a collective of North Korean researchers who often collaborate with Barnhart and call themselves a 'Misfit' alliance. In recent weeks, they've posted numerous images of purported North Korean IT workers online. North Korea's IT workers are prolific in their activities, often trying to infiltrate multiple companies simultaneously by using stolen identities or creating false personas to try to appear legitimate. Some use freelance platforms; others try to recruit international facilitators to run laptop farms. While their online personas may be fake, the country—where millions do not have basic human rights or access to the internet—steers talented children into its education pipeline where they can become skilled developers and hackers. That means many of the IT workers and hackers are likely to know each other, potentially since they were children. Despite being technically adept, they often leave a trail of digital breadcrumbs in their wake. Murano was first linked to North Korean operations publicly by cryptocurrency investigator ZachXBT, who published the names, cryptocurrency wallet details, and email addresses of more than 20 North Korean IT workers last year. Murano was then linked to the DeltaPrime heist in reporting by Coinbase in October.. Members of the Misfits collective have shared photos of Murano looking pleased with himself while eating steak and a picture of an alleged Japanese passport. Meanwhile, Collins, who DTEX included in its report and who was featured in swimming pool photos included in the Dropbox folder, was most commonly involved in IT work that generated revenue for Pyongyang, says narcass3 a member of the Misfits who asked to be identified by their online handle. 'He seems to have mainly just worked on crypto/blockchain projects, including one which seems to be completely DPRK backed or primarily made up of IT workers,' narcass3 says. Evan Gordenker, a consulting senior manager at the Unit 42 threat intelligence team of cybersecurity company Palo Alto Networks, says he is familiar with the two personas identified by DTEX and other outlets and the cluster of North Korean workers that were based in Laos. The group were putting out a lot of job applications, creating fake personas, and searching for potential accomplices, the researcher says. 'It seemed to me like they also enjoyed a level of autonomy that I don't think you tend to see for some of the [IT worker] groups,' Gordenker says. 'I don't know if that's because they generated more money and earned more privileges or just because they happened to have a group lead that operated in that way.' An email address in Murano's name bounced back when contacted by WIRED. Meanwhile an email address in Collins' name did not respond to a request for comment. Hiding in Plain Sight Pyongyang's IT workers have been operating for the best part of a decade, but attention on their activities has intensified in the last 12 months as Fortune 500 companies realized they have inadvertently hired North Koreans. Teams of hackers and IT workers are set 'earnings quotas' by Kim Jong-un's regime, Barnhart says, with IT workers operating from multiple different North Korean military and intelligence organizations. One IT worker that made $5,000 per month could keep $200 of it, the investigator says. Malicious IT workers, who may be likely to steal as well as earning money, are a part of the country's recently revealed AI organization called 227 Research Center, which is part of the the primary intelligence agency the Reconnaissance General Bureau, while others are part of teams at the Ministry of National Defense, according to a cyber organization chart published by Barnhart in the DTEX report. IT workers that solely try to generate revenue from their jobs may be part of the Munitions Industry Department, the research says. The relatively recent uptick in scrutiny around IT workers has come amid a growing US government crackdown: In May 2023, it sanctioned North Korean company Chinyong Information Technology Cooperation Company for employing IT workers in Laos and Russia, while at the start of this year, two North Korean front companies and their China- and Laos-based bosses were sanctioned by the US Treasury Department. The Treasury said IT worker groups earn 'hundreds of millions of dollars' for the regime, and thousands of IT workers are dispatched around the world. 'IT workers play the numbers game and are applying for remote roles in volume,' says Rafe Pilling, director of threat intelligence, at Sophos' Counter Threat Unit. That means they often make errors. 'They seem to operate at such a pace that they can make mistakes like leaving Github repositories of CVs and tools publicly accessible, leaving comments in code and scripts, making mistakes across CV's that make them easier to spot as fakes, and slip-ups on camera during interviews that can reveal subterfuge.' Alongside identifying Murano and Collins, DTEX also published more than 1,000 email addresses allegedly linked to North Korean IT worker operations that have been gathered through investigations and collaboration with researchers. Each email address has been provided by multiple sources, Barnhard says. A WIRED analysis of almost two dozen of the emails, using open-source intelligence tools and a database of material leaked online, shows few of them appear to have any signs of authentic online behavior; some email addresses are linked to online developer tools or freelancing websites, with others having very little online presence. 'There's quite a bit of reuse of personas and some of them last years and years,' Unit 42's Gordenker says. Others might be used just once, Gordenker says, but the scammers can quickly create new personas if needed. 'You'll see a persona that works, for instance, can sometimes have four or five, six different jobs across the lifespan.' As more IT workers are identified, they are increasingly adopting their tactics to try to make themselves harder to spot. Multiple cybersecurity researchers have found North Koreans using face-changing software during video interviews or using AI assistants to help answer questions in real-time. Changing Faces The IT worker stands in the middle of the cramped room and poses for his photo. A clock on the wall reads 11:30. In the background, three other men wearing military uniforms hunch over computers. A rack of laundry appears at the back of the room in the photo, which was first published by DTEX. 'There's a lot to unpack in that one image,' Barnhart says. Barnhart explains that while much is unknown about the photo, it reveals some details about how the group of IT workers operate. One of the men, in the far right corner of the photograph, appears to have WhatsApp messages open on his computer screen, with multiple chats ongoing. Attached to the wall above him is a surveillance camera. 'The MSS watches them so they don't become defectors,' Barnhart says, referring to North Korea's counterintelligence agency and secret police, the Ministry of State Security. As the men are based out of a small work space, they are likely to lower down the pecking order of IT workers and will, like their compatriots, also face digital surveillance when they use their computers, he says. Barnhart says software he has seen monitors what the IT workers type and send on their devices. 'They hate it,' he says. 'It sends flags out to external servers whenever sexual imagery or sexual content is talked about or if Kim Jong-un is [mentioned].' Other researchers have spotted suspected IT workers ending job interviews when asked a variation on the question: 'How fat is Kim Jong-un?' While it's unclear where the men in the room may be physically located, there are signs that the portrait photograph of the central subject has been used to create a false persona. Subsequent images obtained by Barnhart show the man edited into different clothes and turned into a cartoon-style illustration of his face. 'It shows him messing with the hairline. It shows him altering features, it shows him basically getting his profiles ready,' Barnhart says. One of these photos—of him edited into a leather jacket—appears on the website of 'Benjamin Martin,' a self-styled web3 and full-stack developer. Aside from appearing to be the North Korean from the IT worker photo, two of the companies listed on Martin's online CV tell WIRED they have not heard of the persona, let alone employed him. One of the firms said it was not fully incorporated during most of the time the Martin persona listed he was working there. Martin did not respond to messages sent to the email listed on the developer webpage while a Telegram account linked to a phone number on Martin's website responded 'yes' in a limited Chinese-language exchange when asked if they were a North Korean IT worker. Ultimately, Barnhart says, people need to understand how North Korean hackers and IT workers are operating, with fluidity between groups and approaches, before significant disruption of their efforts can take place. 'We need to refocus, we need to reshape,' Barnhart says. 'North Korea has already moved on to their next point and now they're subcontracting and creating another layer of obfuscation there, too.'
