Beware of the fake IT worker

Written by Tom Montague – Sales Director.

Last summer, security firm KnowBe4 revealed that it had hired a North Korean hacker by mistake.

After conducting interviews for the remote software engineer position, performing background checks and verifying references, the company sent the worker a Mac workstation. The moment it was received, the machine began loading malware. Luckily, the company realised what was happening before any real harm was done.

But this is just one example of a growing phenomenon, whereby remote workers using false identities are being supplied with equipment that is then deliberately loaded with malware or viruses. The workers (or bad actors) are generally North Korean, though some are coming via front companies believed to be backed by the Chinese government.

In September, cyber security company Mandiant said it had discovered that dozens of Fortune 100 companies had accidentally hired North Koreans who were using stolen identities.

And a month later, cyber security organization SentinelLabs uncovered a network of front companies based in China, Russia, Southeast Asia, and Africa, purporting to be reputable software development outsourcing businesses. 

The firms were putting forward workers with fake identities and forged credentials to take part in interviews using virtual private networks (VPNs) to mask their true location – which was actually North Korea or neighbouring countries. 

The aim appears to have been to earn money for the North Korean regime's weapons of mass destruction and ballistic missile programmes while evading current sanctions, with some of these "workers" earning up to $300,000.

In other cases, such as that of KnowBe4, data theft and extortion attempts appear to have been the motivation.

Government action

The US government has now seized the websites of the firms uncovered by SentinelLabs, and in December 2024, 14 North Koreans were indicted for wire fraud, money laundering, and identity theft.

"To prop up its brutal regime, the North Korean government directs IT workers to gain employment through fraud, steal sensitive information from US companies, and siphon money back to the DPRK," said US deputy attorney general Lisa Monaco. 

"This indictment of 14 North Korean nationals exposes their alleged sanctions evasion and should serve as a warning to companies around the globe – be on alert for this malicious activity by the DPRK regime."

But North Korean fake workers are popping up elsewhere too, including on mainstream gig economy platforms such as Fiverr and Upwork, offering skills such as software and mobile application development.

They get through identity checks by using fake documents such as driver’s licences, passports, work visas and AI-manipulated photographs that have been bought on the dark web, stolen, or forged. 

And after getting the job, the workers use some plausible excuse to have their laptop shipped to a new location, after which it's sent on to a 'laptop farm', enabling remote access by offshore hackers. 

How to stay safe

When even a tech security firm can fall for the scam, it's clear that organisations hiring staff are going to have to be very careful indeed. However, there are a number of signs that a remote worker may not be all that they seem.

Making sure that you don't hire a fake worker by mistake comes down to tighter, more rigorous vetting processes. This starts with the freelance platform: perform due diligence to check it's reputable, and be wary if you're asked to communicate outside that platform.

It's best to insist on a face-to-face interview if at all possible, or a video call if not. Tools can help identify whether AI is being used to manipulate the candidate's image or video.

Make sure the worker’s information is consistent across freelance platforms, social media, external websites, payment platforms and so on, and check identity verification documents for signs of forgery.

Verify contact information, employment and higher education history; SentinelLabs advises looking out for any inconsistencies, such as an Asian education combined with employment records that predominantly feature US- or UK-based positions. 

And the precautions shouldn't stop once the new worker is on board. Commercial VPNs should be banned, and possibly remote collaboration applications too. Avoid making payments in cryptocurrency, and look out for odd financial behaviour, such as frequently changing the bank accounts where pay cheques are deposited or using money transfer services.
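The vetting and post-hire signals listed above can be turned into a repeatable checklist rather than left to individual recruiters' judgement. The following is an added example, not code from this article, from KnowBe4 or from SentinelLabs: it scores a constructed hire record against those signals (inconsistent names or locations across platforms, education and employment histories with no country in common, a laptop redirected away from the stated residence, repeated payroll account changes, cryptocurrency payment requests, and commercial VPN use seen in telemetry). The record layout, the thresholds and the sample values are all assumptions chosen for illustration.

```python
# Added example (not from the article or any vendor): turning the vetting
# signals described above into a simple pre-onboarding checklist scorer.
# Record layout, thresholds and sample values are constructed assumptions.
from dataclasses import dataclass


@dataclass
class HireRecord:
    candidate: str
    profile_names: dict[str, str]      # platform -> display name
    profile_locations: dict[str, str]  # platform -> claimed location
    education_countries: set[str]
    employment_countries: set[str]
    stated_address: str
    laptop_ship_address: str
    bank_account_changes_90d: int      # payroll detail changes in 90 days
    requested_crypto_payment: bool
    commercial_vpn_seen: bool          # from endpoint/network telemetry


def _norm(value: str) -> str:
    """Case- and whitespace-insensitive comparison key for free-text fields."""
    return " ".join(value.lower().split())


def vetting_flags(rec: HireRecord) -> list[str]:
    """Return the red flags raised by a record (empty list = nothing found)."""
    flags = []

    # Identity must be consistent across platforms, social media, payment sites.
    if len({_norm(n) for n in rec.profile_names.values()}) > 1:
        flags.append("name differs between platforms")
    if len({_norm(loc) for loc in rec.profile_locations.values()}) > 1:
        flags.append("claimed location differs between platforms")

    # Education and employment histories with no country in common deserve a closer look.
    if (rec.education_countries and rec.employment_countries
            and rec.education_countries.isdisjoint(rec.employment_countries)):
        flags.append("education and employment history share no country")

    # Laptop redirected away from the stated residence (laptop-farm pattern).
    if _norm(rec.laptop_ship_address) != _norm(rec.stated_address):
        flags.append("laptop shipped to an address other than the stated residence")

    # Post-hire financial and network behaviour.
    if rec.bank_account_changes_90d >= 2:
        flags.append(f"{rec.bank_account_changes_90d} payroll account changes in 90 days")
    if rec.requested_crypto_payment:
        flags.append("asked to be paid in cryptocurrency")
    if rec.commercial_vpn_seen:
        flags.append("commercial VPN use observed on company device")
    return flags


def risk_level(flags: list[str]) -> str:
    """Assumed escalation policy: one flag -> manual review, two or more -> escalate."""
    if not flags:
        return "clear"
    return "review" if len(flags) == 1 else "escalate"


# Constructed sample records: one consistent hire, one showing every signal.
CLEAN = HireRecord(
    candidate="A. Example",
    profile_names={"freelance": "A. Example", "linkedin": "A. Example"},
    profile_locations={"freelance": "Leeds, UK", "linkedin": "Leeds, UK"},
    education_countries={"UK"},
    employment_countries={"UK", "IE"},
    stated_address="1 Example Road, Leeds",
    laptop_ship_address="1 Example Road, Leeds",
    bank_account_changes_90d=0,
    requested_crypto_payment=False,
    commercial_vpn_seen=False,
)

SUSPICIOUS = HireRecord(
    candidate="B. Example",
    profile_names={"freelance": "B. Example", "linkedin": "Bee Exemplar"},
    profile_locations={"freelance": "Austin, TX", "linkedin": "Denver, CO"},
    education_countries={"CN"},
    employment_countries={"US", "UK"},
    stated_address="2 Example Street, Austin",
    laptop_ship_address="99 Forwarding Lane, Nashville",
    bank_account_changes_90d=3,
    requested_crypto_payment=True,
    commercial_vpn_seen=True,
)

if __name__ == "__main__":
    for rec in (CLEAN, SUSPICIOUS):
        found = vetting_flags(rec)
        print(rec.candidate, risk_level(found), found)
```

Each flag on its own is weak evidence (people do move house and change banks), which is why the scorer only escalates when signals accumulate; the point is to make the checks systematic so that a shipping-address change or a payroll detail change is reviewed by someone who also sees the rest of the record.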

"These schemes present significant risks to employers, including potential legal violations, reputational damage, and insider threats such as intellectual property theft or malware implantation," advises SentinelLabs.

"Addressing these risks requires heightened awareness and stringent vetting processes to limit North Korea's ability to exploit global tech markets."
