All Article Properties:
{
"access_control": false,
"status": "publish",
"objectType": "Article",
"id": "2398372",
"signature": "Article:2398372",
"url": "https://staging.dailymaverick.co.za/article/2024-10-06-how-to-fund-an-illegal-nuclear-arsenal-by-using-stolen-identities-the-north-korean-way/",
"shorturl": "https://staging.dailymaverick.co.za/article/2398372",
"slug": "how-to-fund-an-illegal-nuclear-arsenal-by-using-stolen-identities-the-north-korean-way",
"contentType": {
"id": "1",
"name": "Article",
"slug": "article"
},
"views": 0,
"comments": 2,
"preview_limit": null,
"excludedFromGoogleSearchEngine": 0,
"title": "How to fund an illegal nuclear arsenal by using stolen identities – the North Korean way",
"firstPublished": "2024-10-06 21:43:08",
"lastUpdate": "2024-10-06 21:43:12",
"categories": [
{
"id": "9",
"name": "Business Maverick",
"signature": "Category:9",
"slug": "business-maverick",
"typeId": {
"typeId": "1",
"name": "Daily Maverick",
"slug": "",
"includeInIssue": "0",
"shortened_domain": "",
"stylesheetClass": "",
"domain": "staging.dailymaverick.co.za",
"articleUrlPrefix": "",
"access_groups": "[]",
"locale": "",
"preview_limit": null
},
"parentId": null,
"parent": [],
"image": "",
"cover": "",
"logo": "",
"paid": "0",
"objectType": "Category",
"url": "https://staging.dailymaverick.co.za/category/business-maverick/",
"cssCode": "",
"template": "default",
"tagline": "",
"link_param": null,
"description": "",
"metaDescription": "",
"order": "0",
"pageId": null,
"articlesCount": null,
"allowComments": "1",
"accessType": "freecount",
"status": "1",
"children": [],
"cached": true
},
{
"id": "29",
"name": "South Africa",
"signature": "Category:29",
"slug": "south-africa",
"typeId": {
"typeId": "1",
"name": "Daily Maverick",
"slug": "",
"includeInIssue": "0",
"shortened_domain": "",
"stylesheetClass": "",
"domain": "staging.dailymaverick.co.za",
"articleUrlPrefix": "",
"access_groups": "[]",
"locale": "",
"preview_limit": null
},
"parentId": null,
"parent": [],
"image": "",
"cover": "",
"logo": "",
"paid": "0",
"objectType": "Category",
"url": "https://staging.dailymaverick.co.za/category/south-africa/",
"cssCode": "",
"template": "default",
"tagline": "",
"link_param": null,
"description": "Daily Maverick is an independent online news publication and weekly print newspaper in South Africa.\r\n\r\nIt is known for breaking some of the defining stories of South Africa in the past decade, including the Marikana Massacre, in which the South African Police Service killed 34 miners in August 2012.\r\n\r\nIt also investigated the Gupta Leaks, which won the 2019 Global Shining Light Award.\r\n\r\nThat investigation was credited with exposing the Indian-born Gupta family and former President Jacob Zuma for their role in the systemic political corruption referred to as state capture.\r\n\r\nIn 2018, co-founder and editor-in-chief Branislav ‘Branko’ Brkic was awarded the country’s prestigious Nat Nakasa Award, recognised for initiating the investigative collaboration after receiving the hard drive that included the email tranche.\r\n\r\nIn 2021, co-founder and CEO Styli Charalambous also received the award.\r\n\r\nDaily Maverick covers the latest political and news developments in South Africa with breaking news updates, analysis, opinions and more.",
"metaDescription": "",
"order": "0",
"pageId": null,
"articlesCount": null,
"allowComments": "1",
"accessType": "freecount",
"status": "1",
"children": [],
"cached": true
},
{
"id": "38",
"name": "World",
"signature": "Category:38",
"slug": "world",
"typeId": {
"typeId": "1",
"name": "Daily Maverick",
"slug": "",
"includeInIssue": "0",
"shortened_domain": "",
"stylesheetClass": "",
"domain": "staging.dailymaverick.co.za",
"articleUrlPrefix": "",
"access_groups": "[]",
"locale": "",
"preview_limit": null
},
"parentId": null,
"parent": [],
"image": "",
"cover": "",
"logo": "",
"paid": "0",
"objectType": "Category",
"url": "https://staging.dailymaverick.co.za/category/world/",
"cssCode": "",
"template": "default",
"tagline": "",
"link_param": null,
"description": "",
"metaDescription": "",
"order": "0",
"pageId": null,
"articlesCount": null,
"allowComments": "1",
"accessType": "freecount",
"status": "1",
"children": [],
"cached": true
}
],
"content_length": 7627,
"contents": "<span style=\"font-weight: 400;\">The institutional world is also awash with digital malevolence. The hacking of IT infrastructures and the subsequent massive ransoms that are demanded to return systems to normal are widely reported, including nasty events at critical institutions like hospitals and courts.</span>\r\n\r\n<span style=\"font-weight: 400;\">An extraordinary piece of investigative </span><a href=\"https://www.coindesk.com/tech/2024/10/02/how-north-korea-infiltrated-the-crypto-industry/\"><span style=\"font-weight: 400;\">reporting</span></a><span style=\"font-weight: 400;\"> came out this week, written by Sam Kessler from CoinDesk. His article exposed a fetid subterranean cavern underneath this nastiness, all of it linked to North Korea.</span>\r\n\r\n<span style=\"font-weight: 400;\">Remote-working has been around for as long as the internet has had sufficient bandwidth, but it was turbocharged during the pandemic when many workers were asked (or chose) to stay at home. This led to the burgeoning practice of hiring remote workers, particularly in the tech sector, where good programmers are highly sought after. Coding is largely a solo activity and physical meetings are not really necessary; Zoom, Teams and Meet work perfectly well for online meetings.</span>\r\n\r\n<span style=\"font-weight: 400;\">More importantly, coders are borderless. Inexpensive software development expertise can be found in far-flung places like Pakistan and Vietnam, and it is cheap when compared with hiring equivalent skills in richer nations like the US or EU. Good software developers are to be found anywhere and everywhere. </span>\r\n\r\n<span style=\"font-weight: 400;\">A tech company or corporate IT department seeking to hire coders puts out an advert on one of many global online recruitment sites, advertising a new position. 
The advert describes the project and skill prerequisites, and also requests details about an applicant’s programming language expertise, previous projects, education and the like. </span>\r\n\r\n<span style=\"font-weight: 400;\">Here is the startling result of Kessler’s investigation. </span>\r\n\r\n<span style=\"font-weight: 400;\">More than 50% of all applicants for these online software jobs are North Korean, and all 50% hide behind other identities. Non-North Korean identities. There are two reasons for this. </span>\r\n\r\n<span style=\"font-weight: 400;\">Firstly, it is illegal in the US to hire North Korean citizens to work on US-based projects. Secondly, the state of North Korea is not trusted, for good reason. No company with rational governance would want exposure to a state that is reputedly funded by cyber-crime and crypto-crime. Fake identities are, for the job applicants, an absolute necessity.</span>\r\n\r\n<span style=\"font-weight: 400;\">The Kessler investigation followed the money, which provided hard evidence of both the identity scams and the ultimate recipient of the funds generated. The report was replete with blurred out photographs of North Korean scammers and their fake IDs, and dotted-line charts of funds as they skipped from wallet to wallet. But there were some interesting nuances along the way.</span>\r\n\r\n<span style=\"font-weight: 400;\">Kessler and his team traced the movement of money from hiring companies to online “contractors”. Some of the North Koreans using stolen IDs did not steal anything - job done, they were simply paid and many of the companies were satisfied with the work. (North Korea reportedly has vast training facilities for talented software engineers, presumably to press-gang them into precisely this sort of work.) 
</span>\r\n\r\n<span style=\"font-weight: 400;\">But then, following the money further (most often paid in cryptocurrency which is very easy to trace), Kessler’s team found that the “contractors” were passing the payment back to addresses associated with the North Korean government. This suggests the unsettling possibility that the contractors are in the position of indentured servants, keeping very little of their earnings for themselves (the FBI estimates that the workers keep 10 – 30%). </span>\r\n\r\n<span style=\"font-weight: 400;\">A second group of scammers were discovered, more dangerous by far. They were also North Korean programmers, again hidden behind other identities (like Japanese, Singaporean and Korean – because people speaking differently Asian-accented English all sound roughly the same to Western ears when they are interviewed online). This group deployed ransomware into institutional IT systems or, more profitably, syphoned huge amounts of money from crypto companies holding custody of blockchain-based funds. (Crypto companies are not averse to hiring developers and engineers who are remote, transient and globally scattered.) </span>\r\n\r\n<span style=\"font-weight: 400;\">Here is an example of what happens.</span>\r\n\r\n<span style=\"font-weight: 400;\">A North Korean, blockchain-literate software engineer applies for a job at a crypto company (there are thousands of job openings in this arcane world), hiding behind the stolen identity of a real Japanese programmer (ID theft is not difficult and stolen identities can be openly bought on the dark web). The crypto company, perhaps a little green behind the ears, only cursorily checks the preferred applicant’s ID (forged) and previous work experience (real). He (they are almost always men) is hired. </span>\r\n\r\n<span style=\"font-weight: 400;\">Often the new hire does great work and everything goes swimmingly. Apparently. 
What the company doesn’t know is that he has used his inside position to access private crypto keys, either by direct hacking or (more simply) befriending and phishing other staff. He quits (he may even finish the job), disappears behind his fake ID, and then proceeds to suck millions out of the blockchain (in some cases hundreds of millions). </span>\r\n\r\n<span style=\"font-weight: 400;\">Some well-known names in crypto - including Injective, ZeroLend, Fantom, Sushi, Yearn Finance, Truflation and Cosmos Hub - have unwittingly hired North Korean developers. Some were later hacked and drained of funds.</span>\r\n\r\n<span style=\"font-weight: 400;\">These payouts are not the paltry hourly rates earned by the earlier group of workers – they are enough to fund North Korea’s nuclear program. All the evidence points in this direction. (North Korea has no export industry at all, if you exclude their recent jackpot of selling munitions to Russia for its war against Ukraine.)</span>\r\n\r\n<span style=\"font-weight: 400;\">How did the investigators discover where the money trail ends? Well, the crypto wallet addresses that were uncovered at the end of the line are officially under sanction by the US Office of Foreign Assets Control because they were found to be fronts for the North Korean regime.</span>\r\n\r\n<span style=\"font-weight: 400;\">What can we learn here? Obviously, a company should make sure that they hire people who are who they say they are, although this is easier said than done. Here in our country, a large part of our national governance machine seems easily duped by fictitious CVs. Internationally, the opportunities for digital fakery are endless – from passports to certificates to photos and voices. 
</span>\r\n\r\n<span style=\"font-weight: 400;\">There are, of course, companies that specialise in employee authentication, but many employers are too stingy to pay the cost, relying instead on patently risky procedures such as requiring a photo of an applicant holding his passport. As if that would stop anyone with a million-dollar incentive. </span>\r\n\r\n<span style=\"font-weight: 400;\">So what about North Korea, not only a rogue nuclear state but also a harsh prison for its citizens? What can the world do about a country that doesn’t play by the rules? Especially when their main activity is stealing from others without consequence or shame? There is not much anyone can do, I suppose, other than employing extreme vigilance. </span>\r\n\r\n<span style=\"font-weight: 400;\">It is technically difficult to hack a blockchain by finding a software vulnerability and it is technically difficult to penetrate a hardened traditional IT infrastructure. Unless you can get your hands on a private key or (in the case of non-blockchain environments) the system administrator password. Then it is child’s play. </span>\r\n\r\n<span style=\"font-weight: 400;\">And what better way to do it than to land a job at the target company and be invited in through the front door? <strong>DM</strong></span>\r\n\r\n<i><span style=\"font-weight: 400;\">Steven Boykey Sidley is a professor of practice at JBS, University of Johannesburg. His new book It’s Mine: How the Crypto Industry is Redefining Ownership is published by </span></i><a href=\"https://shop.dailymaverick.co.za/product/its-mine-how-the-crypto-industry-is-redefining-ownership/\"><i><span style=\"font-weight: 400;\">Maverick451</span></i></a><i><span style=\"font-weight: 400;\"> in SA and Legend Times Group in UK/EU, available now.</span></i>",
"teaser": "How to fund an illegal nuclear arsenal by using stolen identities – the North Korean way",
"externalUrl": "",
"sponsor": null,
"authors": [
{
"id": "981",
"name": "Steven Boykey Sidley",
"image": "https://www.dailymaverick.co.za/wp-content/uploads/2022/12/Essay-Sidley-TechTW_10.jpg",
"url": "https://staging.dailymaverick.co.za/author/stevenboykeysidley/",
"editorialName": "stevenboykeysidley",
"department": "",
"name_latin": ""
}
],
"description": "",
"keywords": [
{
"type": "Keyword",
"data": {
"keywordId": "6721",
"name": "North Korea",
"url": "https://staging.dailymaverick.co.za/keyword/north-korea/",
"slug": "north-korea",
"description": "",
"articlesCount": 0,
"replacedWith": null,
"display_name": "North Korea",
"translations": null
}
},
{
"type": "Keyword",
"data": {
"keywordId": "20017",
"name": "Hacking",
"url": "https://staging.dailymaverick.co.za/keyword/hacking/",
"slug": "hacking",
"description": "",
"articlesCount": 0,
"replacedWith": null,
"display_name": "Hacking",
"translations": null
}
},
{
"type": "Keyword",
"data": {
"keywordId": "55969",
"name": "Crypto",
"url": "https://staging.dailymaverick.co.za/keyword/crypto/",
"slug": "crypto",
"description": "",
"articlesCount": 0,
"replacedWith": null,
"display_name": "Crypto",
"translations": null
}
},
{
"type": "Keyword",
"data": {
"keywordId": "372046",
"name": "Steven Boykey Sidley",
"url": "https://staging.dailymaverick.co.za/keyword/steven-boykey-sidley/",
"slug": "steven-boykey-sidley",
"description": "",
"articlesCount": 0,
"replacedWith": null,
"display_name": "Steven Boykey Sidley",
"translations": null
}
},
{
"type": "Keyword",
"data": {
"keywordId": "425054",
"name": "digital scammers",
"url": "https://staging.dailymaverick.co.za/keyword/digital-scammers/",
"slug": "digital-scammers",
"description": "",
"articlesCount": 0,
"replacedWith": null,
"display_name": "digital scammers",
"translations": null
}
},
{
"type": "Keyword",
"data": {
"keywordId": "425055",
"name": "Sam Kessler",
"url": "https://staging.dailymaverick.co.za/keyword/sam-kessler/",
"slug": "sam-kessler",
"description": "",
"articlesCount": 0,
"replacedWith": null,
"display_name": "Sam Kessler",
"translations": null
}
},
{
"type": "Keyword",
"data": {
"keywordId": "425056",
"name": "ID theft",
"url": "https://staging.dailymaverick.co.za/keyword/id-theft/",
"slug": "id-theft",
"description": "",
"articlesCount": 0,
"replacedWith": null,
"display_name": "ID theft",
"translations": null
}
}
],
"short_summary": null,
"source": null,
"related": [],
"options": [],
"attachments": [
{
"id": "31120",
"name": "",
"description": "",
"focal": "50% 50%",
"width": 0,
"height": 0,
"url": "https://dmcdn.whitebeard.net/dailymaverick/wp-content/uploads/2024/10/image1.jpg",
"transforms": [
{
"x": "200",
"y": "100",
"url": "https://dmcdn.whitebeard.net/i/Ffdoom735ySsBtc5rXo5KL-oVNQ=/200x100/smart/filters:strip_exif()/file/dailymaverick/wp-content/uploads/2024/10/image1.jpg"
},
{
"x": "450",
"y": "0",
"url": "https://dmcdn.whitebeard.net/i/9PBAIqUvtJ7gmJ6xxoDZTlJLip0=/450x0/smart/file/dailymaverick/wp-content/uploads/2024/10/image1.jpg"
},
{
"x": "800",
"y": "0",
"url": "https://dmcdn.whitebeard.net/i/rZUJLJUx0-KRkcIDrVBkEpl-ey0=/800x0/smart/filters:strip_exif()/file/dailymaverick/wp-content/uploads/2024/10/image1.jpg"
},
{
"x": "1200",
"y": "0",
"url": "https://dmcdn.whitebeard.net/i/TtHrX02_kL7aPS3OV5I6H_SB0HE=/1200x0/smart/filters:strip_exif()/file/dailymaverick/wp-content/uploads/2024/10/image1.jpg"
},
{
"x": "1600",
"y": "0",
"url": "https://dmcdn.whitebeard.net/i/fXQfI0S2H6ty3cPI_5_A-kD17to=/1600x0/smart/filters:strip_exif()/file/dailymaverick/wp-content/uploads/2024/10/image1.jpg"
}
],
"url_thumbnail": "https://dmcdn.whitebeard.net/i/Ffdoom735ySsBtc5rXo5KL-oVNQ=/200x100/smart/filters:strip_exif()/file/dailymaverick/wp-content/uploads/2024/10/image1.jpg",
"url_medium": "https://dmcdn.whitebeard.net/i/9PBAIqUvtJ7gmJ6xxoDZTlJLip0=/450x0/smart/file/dailymaverick/wp-content/uploads/2024/10/image1.jpg",
"url_large": "https://dmcdn.whitebeard.net/i/rZUJLJUx0-KRkcIDrVBkEpl-ey0=/800x0/smart/filters:strip_exif()/file/dailymaverick/wp-content/uploads/2024/10/image1.jpg",
"url_xl": "https://dmcdn.whitebeard.net/i/TtHrX02_kL7aPS3OV5I6H_SB0HE=/1200x0/smart/filters:strip_exif()/file/dailymaverick/wp-content/uploads/2024/10/image1.jpg",
"url_xxl": "https://dmcdn.whitebeard.net/i/fXQfI0S2H6ty3cPI_5_A-kD17to=/1600x0/smart/filters:strip_exif()/file/dailymaverick/wp-content/uploads/2024/10/image1.jpg",
"type": "image"
}
],
"summary": "By now most of us are not under any illusion about the highwaymen lurking online waiting to break into our digital lives to steal our money and our good humour. I, along with many people I know, am prodded and poked by hopeful and canny digital scammers often enough for it to have become a continual mosquito-like annoyance. Until one falls for it (which I have) and then it is more than that, and sometimes, much more than that. \r\n",
"template_type": null,
"dm_custom_section_label": null,
"elements": [],
"seo": {
"search_title": "How to fund an illegal nuclear arsenal by using stolen identities – the North Korean way",
"social_title": "How to fund an illegal nuclear arsenal by using stolen identities – the North Korean way",
"social_image": ""
},
"cached": true,
"access_allowed": true
}