Beware of Low-Cost IT Freelancers: Risks Posed by North Korean Cyber Actors

In recent years, the allure of affordable IT services has drawn many businesses to hire freelancers through platforms such as Upwork, Fiverr, and Freelancer.com. Yet, the hidden danger behind these bargains is often overlooked. The German Federal Office for the Protection of the Constitution (BfV) recently issued a dire warning: many low-cost IT freelancers, particularly those operating from or on behalf of North Korea, are involved in fraudulent schemes. While they promise expertise and efficiency, these individuals frequently pose serious security risks that could compromise the integrity of companies worldwide.

How These Schemes Work

North Korean IT professionals disguise themselves as seasoned software developers, graphic designers, or IT support specialists. To gain the trust of prospective employers, they craft well-constructed resumes, often accompanied by fake or stolen credentials. These profiles are posted on social media platforms such as LinkedIn, GitHub, and even GitHub, where they claim extensive portfolios and glowing reviews.

However, the reality is much more alarming. These workers are not just looking for a paycheck; their activities fund North Korea's regime, particularly its nuclear and missile programs. The use of cryptocurrencies like Bitcoin or Ethereum makes it extremely difficult to track financial transactions, and intermediary accounts are frequently utilized to further obscure the identities of these individuals.

Inconsistent and Suspicious Behaviors

Several red flags may indicate that you’re dealing with a North Korean cyber actor. For one, they usually prefer to communicate strictly via text and will often avoid face-to-face or video meetings. This makes it harder for employers to verify the authenticity of their identity. Even when a video call is agreed upon, there are signs to watch out for, such as delayed responses or unnatural eye movements, which could indicate that the freelancer is reading pre-prepared answers.

Additionally, resumes and personal details often don't align. There are inconsistencies in their educational background, employment history, and language proficiency. They might claim to have studied in Japan or South Korea but list work experience primarily in the U.S. or Europe. It's also not uncommon to find multiple social media profiles under the same name but with different photos.

The Consequences of Hiring These Freelancers

Hiring these North Korean freelancers doesn't only threaten a company's data security, but it can also lead to severe legal and reputational repercussions. Businesses unknowingly working with these individuals are indirectly helping to fund North Korea's illegal weapons programs. Additionally, working with such contractors could lead to sanctions violations, tarnishing a company's reputation and subjecting it to hefty fines.

Beyond compliance issues, there is the significant risk of malware installation. In confirmed cases, North Korean freelancers have been caught installing malicious software onto company servers immediately after receiving work equipment. These actions put not only internal data but also intellectual property at serious risk of being stolen or leaked.

Recommended Actions for Employers

To safeguard against these risks, companies must take a proactive approach to hiring freelancers, especially when dealing with remote workers. Below are several recommendations:

1. Verify Identity via Video or In-Person Interviews: Always insist on a face-to-face or video interview to verify the freelancer's identity. During the interview, be on the lookout for signs of deception, such as long pauses or unnatural eye movements.
2. Check Consistency Across Documents: Ensure that all personal details, including education, employment history, and language proficiency, are consistent across their resume and profiles.
3. Avoid Cryptocurrency-Only Payments: Do not rely solely on cryptocurrency payments. These transactions are hard to trace and are often used by fraudsters to conceal their identities.
4. Monitor Access and Use of Company Resources: Ensure that freelancers have limited access to sensitive files. It’s also crucial to prevent them from downloading unauthorized software to company devices. Implement endpoint security measures and ensure that devices are regularly updated.
5. Validate References Independently: Contact previous employers and educational institutions directly, using publicly available contact information rather than what the freelancer provides.
6. Be Wary of External Communication Requests: If a freelancer requests to move communication off the platform where they were hired, such as suggesting Telegram or Skype, this could be a red flag. Keep all communications transparent and on-platform to maintain accountability.

The Global Reach of North Korean IT Workers

North Korean freelancers are not limited to specific countries or regions. According to reports, they often use VPNs and proxy servers to mask their true location, which might make them appear to be operating from South Korea, Japan, or even Eastern Europe. These individuals are active across various sectors, including healthcare, entertainment, finance, and software development.

Their ability to blend into the global freelance workforce has been alarming for government agencies like the BfV, which have documented several instances where these IT professionals managed to infiltrate companies in Europe and North America. In addition to disguising their physical locations, they often employ AI-generated photos or altered images to pass off stolen identities as their own.

Conclusion

The allure of cheap IT labor can be tempting, especially for businesses looking to cut costs in an increasingly digital world. However, the risks of hiring unverified freelancers, particularly those operating out of North Korea, far outweigh the financial benefits. These actors pose significant security threats, endanger intellectual property, and fund illegal activities. Companies must implement stringent vetting processes and take precautionary measures to protect their assets and data.

In a world where cyber threats are becoming increasingly sophisticated, employers must remain vigilant. By taking the recommended precautions, businesses can mitigate the risks and avoid falling prey to fraudulent schemes that not only jeopardize their operations but also contribute to global instability.