Last year, employees at Cinder, a tech startup that provides content moderation software and is led by former intelligence officials, began to notice strange anomalies in the thousands of job applications it received. While many of the resumes were impressive, touting roles at Facebook and Google, the people who submitted them often had no internet presence beyond professional networking sites. Sometimes their profiles appeared to match those of other people. During interviews, a number of them spoke poor English. When a Cinder employee grilling one applicant recognized a Korean accent, the company began to worry it might be the target of a North Korean scheme.
During one virtual interview “with a suspected North Korean applicant, I said that we come from the CIA and work on nation state investigations,” Cinder’s engineering head Declan Cummings told Forbes. “He dropped from the call immediately.” The company recently said in a blog post that it believed as many as 80% of its applicants from some job websites were North Korean.
Cinder is one of thousands of companies that have been inundated by remote IT workers assisting North Korea, a country designated by the U.S. as providing support for acts of international terrorism. The threat accelerated alongside the rise of remote work in 2020, but a string of recent arrests and disclosures by companies like Cinder has brought new attention to the issue.
And with the arrival of AI, some businesses have been overwhelmed with applications from suspected North Korean operatives. “We saw one email account using automation to apply to 300 different jobs, they’re just spraying and praying,” said Michael Barnhart, who leads the Democratic People’s Republic of Korea (DPRK) investigations at the Google Cloud-owned cybersecurity company Mandiant. In other cases, Barnhart said he’s seen AI “do the work for them, these guys run seven to 10 profiles per person…and all that money is going back to the regime.”
Experts and law enforcement officials believe the North Korean scheme is being carried out by networks that target remote IT roles and use U.S.-based laptop farms to hide their true location. One telltale sign of the scheme is a worker requesting that company property like laptops be sent to an address different from the one listed on their resume, according to Seth Arthur, who has monitored the issue at open source intelligence firm Nisos. Other cases are harder to detect because stolen identities are being used, often slipping by background checks and other security precautions.
The workers have primarily targeted IT roles at companies ranging from Fortune 500 to mom and pop businesses with the goal of earning money to help fund the North Korean state. The U.S. government has said that some North Korean IT workers are making as much as $300,000 a year each, generating “hundreds of millions of dollars” for the DPRK regime, including funds for its weapons of mass destruction program.
The Department of Justice launched an initiative in March to tackle the problem, and recent arrests have highlighted the extent of the fraud. In May, the FBI detained an Arizona woman who allegedly acted as the U.S. front of a scheme that used the stolen identities of more than 60 U.S. citizens to gain employment at 300 U.S. companies — including an unnamed Silicon Valley tech firm and multiple Fortune 500 companies, according to a Department of Justice indictment. Ultimately, the DOJ said the scheme generated $6.8 million by more than a dozen overseas IT workers with ties to the DPRK.
Then this month, a Nashville, Tenn., man was charged for his role running a so-called laptop farm at one of his residences, where he’d allegedly assisted IT workers based in North Korea and China to assume stolen identities, and then gain and maintain employment at multiple American and British companies, according to the Justice Department.
The FBI declined to comment. The Justice Department didn’t respond to a comment request.
In addition to Cinder, other companies have spoken out about being targeted. Last month, the cybersecurity awareness company KnowBe4 disclosed that it had hired a person suspected of being from North Korea, and that person had installed unauthorized software and downloaded malware. The company said in a blog post that “no data was lost, compromised, or exfiltrated on any KnowBe4 systems.”
CEO Stu Sjouwerman told Forbes that after publishing the blog post, some clients panicked, but others were grateful for bringing awareness to the issue, adding that it was discussed widely at the recent Black Hat hacker conference held in Las Vegas. After seeing the doctored image that had been used by the now-fired North Korean employee, Sjouwerman recalled: “There was one person who said, ‘what, we just hired that guy!’”