Security company Cinder has been inundated with job applicants from North Korea

Last year, employees at Cinder, a tech startup that offers content moderation software and is run by former intelligence officials, began noticing anomalies in the thousands of job applications it received. While many of the CVs were impressive, touting roles at Facebook and Google, the people who sent them often had no online presence beyond professional networking sites. Sometimes their profiles seemed to match those of other people. During the interviews, a number of them spoke poor English. When a Cinder employee grilling an applicant recognized a Korean accent, the company began to worry that it might be the target of a North Korean scheme.

During a virtual interview “with a suspected North Korean applicant, I said we come from the CIA and work on nation-state investigations,” Cinder’s head of engineering, Declan Cummings, told Forbes. “He got off the phone immediately.” The company recently said in a blog post that it believed up to 80% of its applicants from some job websites were North Korean.

Cinder is one of thousands of companies that have been flooded with remote IT workers helping North Korea, a country designated by the US as a sponsor of acts of international terrorism. The threat accelerated along with the rise of remote work in 2020, but a string of arrests and recent disclosures by companies like Cinder have brought new attention to the issue.

And with the advent of AI, some businesses have been overwhelmed with applications from suspected North Korean operatives. “We saw one email account using automation to apply to 300 different jobs, they’re just spraying and praying,” said Michael Barnhart, who heads Democratic People’s Republic of Korea (DPRK) investigations at Mandiant, the cybersecurity company owned by Google Cloud. In other cases, Barnhart said he’s seen AI “do the work for them, these people run seven to 10 profiles per person … and all that money goes back to the regime.”

Experts and law enforcement officials believe the North Korean scheme is being carried out by networks targeting remote IT roles and using US-based laptop farms to hide their true location. According to Seth Arthur, who has been monitoring the case at open source intelligence firm Nisos, one telltale sign of the scheme is that workers request that company property such as laptops be sent to an address that is different from the one listed on CVs. Other cases are harder to detect when stolen identities are used, often slipping through background checks and other security precautions.

The workers have mostly targeted IT roles at companies ranging from Fortune 500 firms to mom-and-pop businesses, with the goal of earning money to help fund the North Korean state. The US government has said some North Korean IT workers are earning up to $300,000 a year each, generating “hundreds of millions of dollars” for the DPRK regime, including funding for its weapons of mass destruction program.

The Justice Department launched an initiative in March to tackle the problem, and recent arrests have highlighted the extent of the fraud. In May, the FBI arrested an Arizona woman who allegedly acted as the U.S. front of a scheme that used the stolen identities of more than 60 U.S. citizens to get hired at 300 U.S. companies, including an unnamed Silicon Valley technology firm and many Fortune 500 companies, according to a Justice Department indictment. Ultimately, the DOJ said the scheme generated $6.8 million from more than a dozen overseas IT workers with ties to the DPRK.

Later this month, a Nashville, Tenn., man was indicted for his role in running a so-called laptop farm at one of his residences, where he allegedly helped IT workers based in North Korea and China to obtain the stolen identities, and then gain and maintain employment at numerous American and British companies, according to the Department of Justice.

The FBI declined to comment. The Justice Department did not respond to a request for comment.

In addition to Cinder, other companies have spoken about being targeted. Last month, cybersecurity awareness company KnowBe4 revealed that it had hired a person suspected to be from North Korea and that the person had installed unauthorized software and downloaded malware. The company said in a blog post that “no data was lost, compromised or exfiltrated on any KnowBe4 system.”

CEO Stu Sjouwerman told Forbes that after the blog post was published, some customers panicked, but others were grateful for the awareness of the issue, adding that it was widely discussed at the recent Black Hat hacker conference held in Las Vegas. After seeing the doctored image that was used of the now-fired North Korean employee, Sjouwerman recalled, “There was one person who said, ‘What, we just hired that guy!’”
