By Jaewoo Park and Hyung Jun You
The man speaks English, says he’s Japanese and claims to be a mobile and web developer ready for hire. “I have the experience to start contributing from Day One,” he says, sounding like any eager job candidate would on a job search site.
But potential employers have reason to be wary, an investigation by RFA Korean shows. Other computers and empty chairs can be seen in the room with him, suggesting this freelancer doesn’t work alone. There appears to be a security camera above his right shoulder. Perhaps more suspicious: the IP address from where the video was posted is based in Ukraine, not Japan.
Cyber security experts say these clues indicate the man may be part of a team of North Korean IT specialists enlisted to raise money and gather intelligence for leader Kim Jong Un’s isolated regime.
Even as few of its citizens have access to the internet, North Korea has developed an elite group of hackers and cyber scammers who have allegedly stolen hundreds of millions of dollars through cyber crime.
Some of its personnel, including apparently the man in the video, try to get hired by IT firms that pay cryptocurrency or Chinese renminbi, a significant portion of which they send to their government.
Others have allegedly stolen the equivalent of tens of millions of dollars by hacking cryptocurrency virtual repositories. A U.N. panel of experts estimated the regime took in as much as $1 billion in crypto theft in 2022, double the prior year. One estimate put the total that year even higher, at $1.7 billion.
Besides theft, the same cyber break-in techniques are being used to spy for the regime. This June, the United States and South Korea warned that hackers were posing as journalists or academics to gather intelligence on regime critics or to compromise government databases.
“North Korea is just basically persistent – they have a lot of people working on this and they are going to keep trying,” said Nicholas Weaver, a researcher at the nonprofit International Computer Science Institute, of the country’s cyber efforts. “And all it takes is one mistake.”
An ‘elite’ team
The cyber attacks have prompted a series of indictments, sanctions and warnings from the United States, South Korea and other countries. But North Korea’s “increasingly sophisticated capabilities” mean it can adapt to new barriers, says Jung Pak, the U.S. State Department’s deputy special representative for North Korea.
According to the U.S., Kim Jong Un uses the proceeds from his cyber operations to help pay for weapons development in the face of international sanctions designed to impede the activity.
As much as one-third of the missile program is paid for through cyber theft, the U.S. estimates, even though the sporadic reports from inside the hermit kingdom suggest starvation among its citizens is not uncommon.
The intro video of the man claiming to be Japanese was shared with RFA on the understanding that it would not name the company, which fears retaliation from hackers.
The profile was removed from the job site three years ago, a company official said. But as any job candidate must, the man has shown persistence. His name, image and resume still exist on other sites – just one of several fraudulent accounts RFA found in its investigation.
“The DPRK workers go where they are able, and the United States is not immune from these workers,” Pak said, referring to the country’s official name, the Democratic People’s Republic of Korea. She said there are thousands of “elite” IT professionals working on behalf of the regime.
What the man in the video is actually tasked with is impossible to say for sure. But presumed North Korean cyber scammers have been active enough online that job recruiters have identified a number of “tells” that raise suspicions.
The candidates often pretend to live in small towns in Canada or the United States, so as to avoid any possibility of having to meet in person with prospective employers that more typically are located in California’s Silicon Valley, northern Virginia or another tech hub.
They often claim Chinese or Japanese heritage but have IP addresses in other countries. They also insist on remote work.
Neil Dundon, the chief executive officer of Crypto Recruit, which links IT professionals with cryptocurrency companies, says another red flag is job applicants who insist on working on so-called “smart contracts,” a blockchain application by which funds are transferred.
“This is the kind of big hacks that you read about for 10 million [dollars],” Dundon told RFA. “They can go in and they can put malicious code in there.”
The recent rise of cryptocurrencies in fact has been especially lucrative for North Korea, according to U.S. officials and cyber experts.
“Cryptocurrency heists are a growing, if not their top, method for generating revenue for the regime,” Pak said.
Crypto “wallets” that enable the purchasing and trading of cryptocurrencies have become a popular target for hackers, who take the stolen coin to so-called “mixers” that can obscure their origins – an exercise akin to traditional money-laundering.
Robert Meany, a crypto investor from Connecticut, said he lost about $40,000 in crypto coins he had stored through Atomic Wallet, an Estonia-based crypto company that was reportedly hacked in June.
“I opened it up and it showed all the money in there and then all of a sudden, it just sort of drained to zero,” Meany told RFA.
Meany is part of a lawsuit filed in Colorado against Atomic Wallet for allegedly failing to provide sufficient safeguards to protect the assets in its account, but U.S. officials suspect that North Korea was behind the theft, which is estimated to total $100 million.
“These victims, in many cases, lost everything they’ve saved up,” said Daniel Thornburgh, a lawyer at the Colorado-based firm Aylstock, Witkin, Kreis & Overholtz, which has filed the suit.
Atomic Wallet did not respond to a request for comment other than to say that “the investigation is still ongoing, and nothing is confirmed.”
The Sony hack
Much of the world likely first heard about North Korea’s hacking capabilities in 2014 when its operatives infiltrated Sony Pictures’ computers in an apparent revenge attack for its production of the satirical comedy, The Interview.
The film includes a scene of Kim Jong Un tearfully exclaiming that he doesn’t need his father, who preceded him as leader, and depicts the son’s fictional death.
Pak said the episode was the first time a state-sponsored actor targeted a private business in the United States. Confidential corporate data, internal emails and unreleased films were all publicly released, and people associated with the film were threatened.
In 2020, the U.S. brought charges against three operatives of a North Korean-sponsored hacking group known as Lazarus for the Sony hack and for a string of other cyber crimes that followed over a five-year period.
The 33-page indictment describes an operation impressive in scope and sophistication. The three men, who remain at large, allegedly hid malware in word processing software, crypto apps and on websites their targets were known to frequent – a so-called “watering hole” operation.
In total, according to the indictment, the hackers attempted to steal or extort more than $1.3 billion through crypto heists, raids on ATMs and “cyber-enabled extortion schemes” from victims from Bangladesh to Mexico.
“We almost need to stop thinking of North Korea as a regime or a type of government, and more so like a mafia family,” said Michael Barnhart, a principal analyst at Mandiant, a cybersecurity subsidiary of Google. “They are more like a criminal enterprise.”
Part of the operations described in the indictment involved the creation of several bogus companies to entice employees at legitimate companies to open fraudulent job offers that hid malicious software, or malware.
RFA’s investigation found that one fictitious company named in the 2020 indictment – iCryptoFx – is still used online, including on LinkedIn, a networking site which has more than 900 million users worldwide.
A “Yujin Cha,” for example, advertises herself as a marketing manager for the company. RFA discovered through a reverse image search that the accompanying photo was stolen from a South Korean female professor’s university bio.
The professor, who asked not to be named, did not know that her photo had been fraudulently used until she was contacted by RFA.
RFA contacted LinkedIn about the fraudulent account but has not received a response as of press time, and the fake profile was still active at the time of publication.
Another person claimed to be the CEO of iCryptoFx. The account was later deleted after RFA messaged for a comment.
This week, The Times of London reported that China, too, has used LinkedIn as a platform for intelligence gathering. A Chinese official using the alias Robin Zhang created fake companies to try to entice government officials, academics and scientists into releasing classified information, according to the report.
“Our Threat Prevention & Defense team actively seeks out signs of state-sponsored activity and removes fake accounts using information we uncover and intelligence from a variety of sources, including government agencies,” an official from LinkedIn told the Times.
Please read this
U.S. officials say North Korea’s cyber teams have only gotten more adept at illegally penetrating computer systems, and it isn’t always money they are after.
Shin Kak-soo, a former South Korean ambassador to Japan, told RFA that in June he received an email from “Natalia Slavni,” a research analyst at the Stimson Center, a Washington, D.C., think tank, who edits analysis and commentary about North Korea.
In the email, Slavni asked Shin to review an attached paper on North Korea nuclear weapons. The request wouldn’t have been out of the ordinary – but it wasn’t the actual Slavni making the request. It was someone pretending to be her.
Shin was later told he’d been hacked and had to have his computer wiped to rid it of the malware attached to the fraudulent email. The email appears to be part of an operation designed strictly to gather information, rather than to extort money.
Cybersecurity experts say the hackers often start with simple requests that wouldn’t necessarily raise alarms, patiently waiting for an opportunity to strike by implanting malware. Others may simply be intent on gathering intel about an organization’s operations.
“They will send their targets emails. They will create conversations out of them. They will send them questionnaires,” said Asheer Malhotra, a researcher at Cisco Talos, a threat intelligence company. “This is all in a bid to establish trust with their targets.”
Recorded Future, a Massachusetts-based cybersecurity firm, said in a report in June that more than 70% of the North Korean hacking cases it identified over the last 14 years – more than 180 in total – were related to espionage.
It found about 50 examples of financially motivated attacks and 10 cases of cyberattacks designed to be “disruptive.”
“North Korea is extremely adaptive in its strategy for cyber attacks,” said Rachel Paik, a researcher at CRDF Global, a cybersecurity company. “Once international bodies start to sanction certain authorities, or once their methods are discovered, they are able to change tactics.”
This summer, the United States and South Korea issued a joint cybersecurity advisory, warning that North Koreans were posing as colleagues or journalists to fool their targets, often academics and officials at think tanks. One main point: old standbys to prevent hacking – like looking out for weird URLs and bad grammar – are likely no longer enough.