North Korean operatives posing as recruiters to hijack verified freelancer accounts

North Korean operatives have “diversified” their way of defrauding victims through freelancing and code-hosting platforms that recruit unsuspecting users as identity proxies for remote tech jobs, according to cybersecurity researchers. 

Democratic People’s Republic of Korea (DPRK) IT workers are using Upwork, Freelancer, and GitHub to impersonate legitimate workers and evade international sanctions by using verified accounts belonging to real people.

According to cybersecurity researcher Heiner García Pérez, a member of SEAL Intel, the hackers begin by posting freelance job offers or approaching candidates, then move conversations to encrypted channels like Telegram or Discord, where they provide detailed instructions on how to set up remote access and verification checks.

DPRK bad actors use freelancers to bypass sanctions

Garcia found that DPRK operatives can bypass geographic filters, identity checks, and VPN detection systems that would normally block users from sanctioned countries by quietly using verified identities. 

It enables them to apply for or perform remote IT jobs under a stolen or borrowed identity, concealing their origin while collecting payments from unsuspecting clients. 

“These actors are organized, coordinated, and share operational playbooks. The consistency of their methods shows this is part of a repeatable, state-backed system,” the SEAL Intel member wrote.

As reported by Cryptopolitan in August, several North Korean IT workers have infiltrated international companies using false identities. This has reportedly helped DPRK authorities deploy remote IT professionals abroad to secure freelance or contract roles under stolen or borrowed identities, coupled with shell companies masking their affiliation.

Those whose identities are used receive only around 20% of total earnings, while the operatives keep 80%, funneled through crypto wallets or even traditional bank accounts. 

Use of AI to manipulate images and company names

García Pérez’s investigation uncovered several behaviors of technical sophistication and deliberate concealment. In one case, an IT worker had created a Google Drive folder labeled “My Photo,” where AI-edited portraits were stored together with folders bearing other individuals’ names. He believes these digital documents are separate personas managed by the same operator.

The files he recovered from the drive had a deeper insight into the recruitment and payment processes. One file titled “Account” contained instructions explaining how to access Upwork, the purpose of the collaboration, and how profits would be divided. 

Some of the folders were named in Korean, such as “it개발 매칭 플랫폼 사이트,” which translates to “IT development matching platform site.” The investigator propounded that such documents were used for “Korean-speaking users and the domestic IT ecosystem.”

Heiner García Pérez also found that North Korean actors are exploiting online communities for disabled people, job-matching portals, and even friendship websites such as InterPals to recruit collaborators.

Payment flows through crypto, PayPal, and banks

Ideal targets of such operations are mostly located in the United States, Europe, and parts of Asia. However, Ukraine and the Philippines were the most frequently identified regions among recruitment materials because they have geographic locations for candidates in lower-income settings who may be more receptive to “fast-earning opportunities.”

“If a client posts a project, many freelance users bid on that project. So, the client discusses their own project with freelancers and gives the project to the selected developer. If I choose, I can work on the client’s project. After the project is completed, I can receive money from the client. The money will be credited to your freelancer account,” one IT recruiter explained how to make money to a freelance account holder named “Ana.”

The profit-sharing structure between operatives and collaborators is agreed upon early in the exchange. In most of the documented cases, IT workers convince victims to route through cryptos, PayPal, and even bank transfers.

In one verified case, a North Korean IT worker used a fraudulent Upwork account registered under the identity of an Illinois-based architect.

Want your project in front of crypto’s top minds? Feature it in our next industry report, where data meets impact.