
North Korean IT operators are changing strategies and recruiting freelancers to provide proxy identities for remote jobs.
Operators contact job seekers on Upwork, Freelancer and GitHub before moving conversations to Telegram or Discord, where they coach them through installing remote access software and passing identity checks.
In previous cases, North Korean workers scored remote gigs using fabricated IDs. According to Heiner García, a cyber threat intelligence expert at Telefónica and a blockchain security researcher, the operatives are now sidestepping those barriers by working through verified users who hand over remote access to their computers.
The real owners of the identity receive only a fifth of the payment, while the rest of the funds are redirected to the operatives through cryptocurrency or even traditional bank accounts. By relying on real identities and local Internet connectivity, operators can bypass systems designed to flag high-risk geographies and VPNs.
Earlier this year, García established a fictitious crypto company and, together with Cointelegraph, interviewed a suspected North Korean operative who was looking for a remote technology role. The applicant claimed to be Japanese, then abruptly ended the call when asked to introduce himself in Japanese.
García continued the conversation in private messages. The suspected operator asked him to buy a computer and provide remote access.
The request matched patterns that García would encounter later. Evidence linked to the suspect profiles included onboarding presentations, recruitment scripts and identity documents “reused again and again”.
García told Cointelegraph:
They install AnyDesk or Chrome Remote Desktop and work from the victim’s machine so that the platform sees a home IP.
People who hand over their computers “are victims,” he added. “They are not aware. They think they are joining a normal subcontracting agreement.”
According to chat logs he reviewed, recruits ask basic questions like “How are we going to make money?” and do no technical work themselves. They verify accounts, install remote access software and keep the device online while operators apply for work, talk to customers and deliver work under their identities.
Although most appear to be “victims” who do not know who they are interacting with, some seem to know exactly what they are doing.
In August 2024, the US Department of Justice arrested Matthew Isaac Knoot of Nashville for running a “laptop farm” that allowed North Korean IT workers to pose as American employees using stolen identities.
More recently in Arizona, Christina Marie Chapman was sentenced to more than eight years in prison for hosting a similar operation that funneled more than $17 million into North Korea.
The most valuable recruits are in the United States, Europe and parts of Asia, where verified accounts provide access to high-value corporate jobs and fewer geographic restrictions. But García also observed documents belonging to individuals from regions with economic instability, such as Ukraine and Southeast Asia.
“They are targeting low-income people. They are targeting vulnerable people,” said García. “I’ve also seen them try to reach out to people with disabilities.”
North Korea has spent years infiltrating the tech and crypto industries to generate revenue and gain a corporate foothold abroad. The UN has said that DPRK IT work and crypto theft are allegedly funding the country’s missile and weapons programs.
García said the tactic goes beyond crypto. In one case he reviewed, a DPRK worker used a stolen American identity to pose as an Illinois architect, bidding on construction projects on Upwork. His client received the completed writing assignment.
Despite the attention to crypto-related money laundering, García’s research found that traditional financial channels are also being abused. The same identity proxy model allows illicit actors to receive bank payments under legitimate names.
“It’s not just crypto,” García said. “They do everything — architecture, design, customer support, anything they can access.”
Even as hiring teams become more alert to the risk of North Korean operatives securing remote roles, detection typically comes only after unusual behavior triggers red flags. When an account is compromised, actors switch to a new identity and continue working.
In one case, after an Upwork profile was suspended for excessive activity, the operator instructed the recruit to ask a family member to open the next account, according to the chat logs reviewed.
This shift in identity makes accountability and attribution difficult. The person whose name and documentation are on the account is often deceived, while the individual who actually does the work operates from another country and is never directly visible to freelance platforms or clients.
The strength of this model is that everything a compliance system can see looks legitimate. The identity is real, and the Internet connection is local. On paper, the worker meets every requirement, but the person behind the keyboard is someone else entirely.
García said the clearest red flag is any request to install remote access tools or let someone “work” from your verified account. A legitimate hiring process does not require checking your device or identity.