Researchers at IBM X‑Force and Flare Research have uncovered data that sheds light on how North Korea's fake IT worker schemes operate and infiltrate companies in order to funnel money back to the regime and steal sensitive information.
In a published report, "Inside the North Korean infiltrator threat," the pair detail evidence of the top-level infrastructure used to manage the operations, how workers apply for and secure IT roles, and mitigation strategies businesses can use to avoid falling victim.
The threat of North Korean nationals operating as remote IT contractors or full-time technology staff inside unsuspecting companies has come to light over the past several years, yet the report says security experts are only starting to realize the scale and sophistication of the operation.
It cites information from the US Government that these IT workers can earn more than $300,000 a year, and upwards of 100,000 North Koreans are spread across 40 countries generating approximately $500 million a year for Pyongyang.
The researchers found documents and spreadsheets revealing the roles within the fake IT worker ecosystem, comprising recruiters, facilitators, IT workers and collaborators/brokers.
Recruiters are, like bona fide recruitment staff, responsible for screening potential IT staff and recording interviews. These are sent to facilitators who decide whether to accept or deny them for employment, much like a hiring manager.
However, it is unclear whether many candidates realize they are being recruited to work for the Norks. Recruiters may tell them the company they are applying to is an "early-stage stealth startup" with no published corporate information, often using the name "C Digital LLC."
Candidates are mentored in applying for employment at western-based companies and given a US-based identity to use.
Facilitators and IT workers are the most important roles within the system. These are expected to have experience in full-stack web app development, .NET and WordPress. Collaborators are Westerners who provide their identities for use in the IT worker fraud scheme, and may assist in other ways.
Timesheets found by the researchers detail hours worked on "Bids" and "Msg" by the fake workers, where "Bids" is how many bids in a day they made on freelancing sites such as Upwork, and "Msg" likely refers to how many messages or connections a worker made on Upwork, LinkedIn, or Freelancer.
The workers make use of fake identities to pursue work opportunities: counterfeit accounts, or verified accounts linked to real individuals who may have unwillingly given the worker access.
Once employed in a full-time role, fake workers are often very successful, since they sometimes have multiple people helping them produce their work, with the aim of earning a promotion and gaining more privileged access to the IT systems.
One of the most essential tools for North Korean IT workers is Google Translate, the report says. This is used in nearly every part of their online activity, including for translating job descriptions, creating applications and communicating with others as part of their work.
The report identifies some tools associated with fake workers, which companies can watch out for. One is known as OConnect and/or NetKey, a known North Korean VPN likely used to connect to internal networks in Pyongyang.
Also common is IP Messenger, or IPMsg, an open-source messaging application that does not require a central server, meaning it doesn't rely on centralized platforms operated by US companies such as Discord or Google.
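The two tool indicators above lend themselves to a simple hunting check. The following script is an added example, not code from the IBM X-Force/Flare report or from The Register: it scans a constructed endpoint software inventory for the OConnect/NetKey and IP Messenger names the article gives, and scans constructed network flow records for traffic on port 2425, which is an assumption based on IP Messenger's well-known default port and is not stated in the article.

```python
"""Hunt for tools the report associates with DPRK IT workers:
OConnect/NetKey (VPN) and IP Messenger (IPMsg, a serverless LAN chat).
All sample data below is constructed for illustration."""
import re
from dataclasses import dataclass

# Tool names taken from the article, matched case-insensitively against
# product or process names exported from an endpoint inventory.
TOOL_PATTERNS = {
    "OConnect/NetKey VPN": re.compile(r"oconnect|netkey", re.I),
    "IP Messenger (IPMsg)": re.compile(r"ip ?messenger|ipmsg", re.I),
}

# Assumption: IP Messenger's default port (UDP for peer discovery/broadcast,
# TCP for file transfer). Not stated in the article; adjust to your environment.
IPMSG_PORT = 2425


@dataclass(frozen=True)
class Finding:
    host: str        # hostname or source IP where the indicator was seen
    indicator: str   # which tool the evidence points at
    evidence: str    # the matched name or the flow that triggered it


def scan_inventory(records):
    """records: iterable of dicts with 'host' and 'name' (installed product or process)."""
    findings = []
    for r in records:
        for label, pattern in TOOL_PATTERNS.items():
            if pattern.search(r["name"]):
                findings.append(Finding(r["host"], label, r["name"]))
    return findings


def scan_flows(flows):
    """flows: iterable of dicts with 'src', 'dst', 'proto', 'dport'.
    Flags any flow to the IPMsg port; UDP to a broadcast address is the
    peer-discovery pattern of a serverless LAN chat, TCP is file transfer."""
    findings = []
    for f in flows:
        if f["dport"] == IPMSG_PORT:
            evidence = f"{f['proto']}/{f['dport']} {f['src']} -> {f['dst']}"
            findings.append(Finding(f["src"], "IP Messenger (IPMsg)", evidence))
    return findings


def hosts_with_findings(findings):
    """Distinct hosts to triage, sorted for stable output."""
    return sorted({f.host for f in findings})


# Constructed sample data: two laptops, one clean process and one hit each.
SAMPLE_INVENTORY = [
    {"host": "dev-laptop-07", "name": "Google Chrome"},
    {"host": "dev-laptop-07", "name": "IPMsg.exe"},
    {"host": "dev-laptop-07", "name": "OConnect Client"},
    {"host": "dev-laptop-12", "name": "Visual Studio Code"},
    {"host": "dev-laptop-12", "name": "NetKey"},
]
SAMPLE_FLOWS = [
    {"src": "10.1.4.22", "dst": "10.1.4.255", "proto": "udp", "dport": 2425},
    {"src": "10.1.4.22", "dst": "203.0.113.10", "proto": "tcp", "dport": 443},
    {"src": "10.1.4.30", "dst": "10.1.4.22", "proto": "tcp", "dport": 2425},
]


def run_sample():
    """Run both scans over the constructed data and return all findings."""
    return scan_inventory(SAMPLE_INVENTORY) + scan_flows(SAMPLE_FLOWS)


if __name__ == "__main__":
    for finding in run_sample():
        print(f"{finding.host:14} {finding.indicator:24} {finding.evidence}")
```

Name matching alone is a weak signal, since a renamed binary defeats it; the flow check is the complement, because a serverless LAN chat still has to find its peers on the wire regardless of what the executable is called. Treat hits as triage leads to correlate with the interview-stage warning signs the report describes, not as proof on their own.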
The report outlines some mitigation strategies, including warning signs like fake backgrounds, AI face changers, or AI voice changers during online interviews. Employers should also watch for discrepancies between the candidate's resume and what they say in interviews, such as what languages they claim to speak and where they claim to reside.
Alternatively, there is a killer interview question, as reported by The Register previously: ask them something like "How fat is Kim Jong Un?" and if they are North Korean, they will terminate the call instantly. ®