The North Korean fake IT worker problem is ubiquitous
(theregister.com)124 points by rntn 11 hours ago
124 points by rntn 11 hours ago
Jeff Geerling recently discussed being contacted by the FBI to learn more about minature KVMs, one of the devices North Korean fake IT workers use to appear to be coming from other countries https://www.youtube.com/watch?v=Lc2hB2AwHso
In this case, the KVMs are plugged into multiple laptops being run in people's basement/spare bedroom, it seems. Someone will earn a set amount per laptop per month, to accept a company-supplied laptop (from a us company) then plug in one of these little KVMs to give a remote worker access without as much ease in detection.
So the main difference over more typical remote desktop methods is that it pretends to be a physical display and keyboard to fool the PC it's remoting into in if it's overly locked down?
Feels like there's otherwise a hundred different ways to already do remote control without any extra hardware.
I have gotten multiple emails from wonky email addresses offering to have me interview for jobs and they will take care of the work if I get hired. fake names tons of money for me. I just have to nail the interview.
My resume is shiny enough and I've gotton hired enough times im a good candidate for this kind of scam.
This feels like a very ham fisted approach for them though. 99% of engineers are going to ignore or not take seriously these kinds of out of the blue offers.
They provide, don't they? In Russia there are "gosuslugi" (government services) that banks and other organizations can use to confirm identity. However, if you sign up, then you will receive draft notices for military service through the app so you better not sign up.
> If only governments could provide a very simple “check identity” service online. I think this should be a basic service nowadays.
Slovenia issues personal certificates so you can identify yourself online. Mostly used for banking and e-gov. The commercial space has decided it’s too cumbersome.
Fantastic idea. Started rolling out when I was in college some 15 years ago. You go to the same place that issues your govt ID and you can also get the equivalent of an SSH cert issued by the government that guarantees you are you, your identity was verified at point of issuance, etc.
Unfortunately it’s about as fiddly to use as SSH. Okay for nerds, way cumbersome for normal humans who just want to log into their bank and pay their taxes damn it. Last I remember (moved to USA ~10 years ago) getting their e-signing browser widgets/extensions to work reliably on non-windows machines was hell. Most Mac/Linux users ran a whole VMWare VM just to do taxes once a year.
I am not sure it would resolve the issue. About 10 or so years ago I was contacted on LinedIn with offer to "rent my name and face" for a team of Chinese remote workers (probably not those exact words). I rejected the offer without asking for details. Not sure if they were actually from China.
Isn't that what the E-Verify [1] system was supposed to be? Several companies are now discovering it's not all it's cracked up to be, as ICE shows up at their door.
We don't need a general identity service though. We need to know whether someone is authorized to work for a US employer, right? How can a DPRK worker have the necessary authorization? If they use someone else's identity, isn't that something e verify should catch? If these are US citizens/nationals/residents working out of DPRK, who cares?
The part that's really sad is that we have tons of out of work devs right now. This sort of thing only makes it harder for the legitimate people to get hired. An easy fix for this is for a place like Pearson to set up verified interview centers, which will allow for verified virtual interviews (on both sides of the table).
Another solution might be UNIONS that would have __membership verification__ including things like citizenship (which country(ies) are they a citizen of?), skills tests and training, etc.
Just like competition requires 5+ similarly sized entities for a healthy marketplace of companies, my informal opinion is that unions probably similarly shouldn't have overwhelming market share. However my feeling on contracts between unions and corporations is that the contract should be negotiated between multiple companies and multiple unions to produce the most level playing field possible.
At least in the US,
I like that software engineering doesnt require/encourage unions, contrary to other big industries.
As unions mature they protect the employment of their members, not prospective members who are unemployed applying for jobs.
One great thing about being a dev in the US, u dont need a degree, learn a lot, can apply and get a great job.
Ive previpusly been in a union for a company and the experience did not encourage a competitive working environment. When layoffs came, Jr employees get sacked before more senior union members (not neccesarily the best technical staff just becuase they worked there long time).
I have family/friends in unions (non software devs) that have had similar experiences to mine.
"One great thing about being a dev in the US, u dont need a degree, learn a lot, can apply and get a great job."
And on the other side, you can have a degree and experience and still not get a job due to the wild criteria and games that get played in various interviews.
You trot out all the familiar retorts. None of this is a reason to not organize to better represent the interests of labor.
> As unions mature they protect the employment of their members, not prospective members who are unemployed applying for jobs.
This is true in the same way that it’s true that all democracies turn into the majority oppressing everyone else, or get captured by oligarchs, or vote to raise taxes to fund social until the economy collapses, etc. – which is to say not at all. Unions CAN fail that way but it’s not a given. We shouldn’t give up on a useful tool because it can be failed, we should talk about how to keep it healthy.
For example, I’ve seen the no-degree route you talk about made easier by unions because it forced merit hiring rather than hiring more dudes with social ties from certain colleges. Again, that’s not guaranteed – you’d be forgiven for wondering if the Teamsters were a deep cover operation to discredit the concept of unions – but social institutions aren’t magic: they work to the extent that we make them work.
I've been working in the tech industry for about twenty years now, and I desperately want unions. Sticking your neck out alone sucks to begin with and only sucks harder the more time goes forward.
Same. Back when I first got into IT, I was surrounded by (similar) nerds whose self-esteem was defined by being the smartest person in the room. Compensation was often higher than other white-collar jobs, so they (we) were happy to overlook the long hours and non or poorly compensated on-call shifts.
Most IT work now, whether dev or admin side, is not rocket science. It’s mostly approachable work and no one should settle for being abused by employers for some outdated, ingrained, cultural baggage.
The interview process in US is already insanely ridiculous, but this would only add an additional level of crazy to it. Honestly, licensing would be less bad by comparison.
Can you describe what you see as the insanely ridiculous interview process? Most of the interviews I have initiated are something like:
- 30 minute recruiter call
- 30-60 minute manager call
- 2x 60 minute leetcode easy/medium
- 1x 60 minute STAR behavioral
- 1x 60 minute systems design or maybe doubling up on a previous category
I'm not sure if we are experiencing different processes, or we have different opinions about what kind of time / reward tradeoff is reasonable.
> Wouldn't the issue be that an interview center could take money to lie/etc? When I start a job I would have to go through I-9 verification - if that process is not good enough to weed out fakes, how would another verification work better?
You just need to have a US citizen's SSN and birthday to beat the I-9 verification. And "beat" is a strong word. I-9 is just a form that the employer asks the employees to submit, there's no requirement for the employer to do anything with it.
So you can just say that your SSN is 555-55-5555 and your birthday is 01-01-2001 and you'll "pass" the verification. It'll be detected only when the employer submits the Form-944.
There's E-Verify that requires a picture ID and more information, but it's not mandatory.
I don't really see north korean workers as any less deserving of work
Eh we're all victims of where we were born. I'm not about to hold someone's state against them. Unless i suppose it's a certain state that didn't exist 100 years ago and had to forcibly move people to make room.
That’s not the question: it’s about trust and honesty. The problem with North Korean workers is that they are a huge security risk because they aren’t working as free people but as agents of their government. That might not be a guaranteed disaster if they’re just generating cash revenue but it’s a huge security risk if the North Korean government has any reason to subvert your company or customers.
Not sure why that comment got downvoted. It doesn't seem to detract from the topic at hand.
Not sure if it's feasible, but it's definitely something to consider.
Honestly, sounds like a red flag if even a legitimate applicant is unwilling to voice an opinion on the Kim regime.
It was 2 min of hate ;) and this clearly isn't the same as trying to rile people up; it's a thin attempt to get people to self report if they are lying with some sort of higher level "gotcha".
Feels like the story about disconnecting Chinese gamers from matches automatically by typing "tiananmen square" or the story of the Battle of Siffin with one side putting pages of the quoran on their spears in hopes the enemy wouldn't fight that way. Unclear how accurate the stories are or how effective it may have been but kind of interesting at least.
The supposed problem is being peddled by a company called Socure, who, coincidentally, offer the solution to this problem. There are absolutely "fake" remote workers floating around but to suppose this is some grand security-focused North Korean government conspiracy rather than people from poorer nations trying to get paid is without evidence. "North Korean" job applicants has become a meme, any suspicious looking applicant is being labelled "North Korean" by people who've read articles planted by Socure. If this were a grand North Korean government orchestrated conspiracy we would not see hundreds of job applicants engaging in exactly the same strategy for the same job.
https://www.socure.com/blog/hiring-the-enemy-employment-frau...
Yeah I get your skepticism, but this is really a huge issue in many industries. We are seeing it with an alarmingly high rate. You don't need a technical solution though, as the article points out, some stuff is just process change: In person final interview, gov issued ID checks, initial hardware delivery in office, etc.
> but to suppose this is some grand security-focused North Korean government conspiracy rather than people from poorer nations trying to get paid is without evidence.
Uhh... I have news for you: https://www.fbi.gov/wanted/cyber/dprk-it-workers
I have a feeling there may be a Nork "flash mob" going on, like when someone says bad stuff about Musk.
I don't really understand the logistics of this to be honest. From the article it doesn't sound like these people have false IDs, they just make fake LinkedIn profiles?
In a lot of countries certainly here in Germany your employer has to pay social security contributions and needs your insurance, healthcare information etc. In addition if you're a foreigner you need to know their legal status to see if they can even work. Like what do these scammed companies do, just wire money to some guy they interviewed on social media and ship company property to random addresses? Is that even legal in most places?
We should definitely go after those folks, but it's not pleasant, as many of them may be having their own issues that add to the problem.
One of the big problems with the US, is that we worship money like a god. People will do almost anything, and compromise all their personal values, for money. We have entire industries that sell narratives, rationalizing these compromises.
This is exacerbated by the current employment problems. They keep talking about how unemployment is down, but I think we all know folks that are un (or under-) employed, and the difficulties they are having, finding work.
Someone in that state, is fertile ground for money- and job-laundering bad actors. It sucks to punish them, but that is what we need to do, to discourage the practice.
I agree but I don't actually feel bad about punishing people for committing fraud (as long as we punish all people fairly, etc).
> People will do almost anything, and compromise all their personal values, for money
I think this demonstrates what their ACTUAL values are or at get very least the priority of those values.
> One of the big problems with the US, is that we worship money like a god. People will do almost anything, and compromise all their personal values, for money.
A US person without adequate cashflow is likely to not be able to have food, housing, clothing, medical care, etc. A lack of morals are not what causes people to do anything to make money, it's a lack of money in a capitalist society. Blaming people for systemic problems is incredibly regressive.
My understanding is for a US employee, the employer is supposed to confirm eligibility to work in the first 3 days of employment. Some form of government id plus a social security card or a passport or something like that. IRS form I-9
Otoh, if these positions are independent contractors, form I-9 isn't required. Just a tax id for reporting purposes.
I would imagine whoever is hosting the laptops may be authorized to work in the US and could also be convinced to provide identity documentation. I think there's a lot of borrowing of documentation by immigrants/migrants who are not authorized to work in the US; so there's probably a marketplace somewhere too.
In three decades, I’ve had some call me to check a reference only twice for private sector jobs. The federal government actually does this as part of background checks so it works but you need to want to badly enough to pay real money.
The other problem is liability: companies often tell their employees not to give references for fear of being sued if the employee doesn’t work out, and most companies don’t expect useful information from them unless someone left in a way which has a public record like a court case. The federal checks don’t have that problem because not answering honestly is a crime. You’d need some kind of shield for honest statements for the private sector to really get accurate assessments, and that’s tricky to do in a way which allows the most useful opinions.
I think the paranoia and fear this kind of idea promotes is perhaps the point of all of it.
Why this is being discussed publicly? It seems way more reasonable to inform IT companies directly, or investigate it outside media attention.
Also, we need steps towards reducing the possible tools that fake workers could leverage. These steps would put a strain on some recent technological developments. A strange and wild paradox.
Inform what companies directly? If it's this pervasive, that's not going to be effective.
I work at a small (~30 person) SaaS company. We interviewed what I took to be a case of this the other day (all the classic signs). Nobody would be keeping an eye on our hires or letting us know about this.
And in the process of confirming that this was fishy, I contacted one of the past employers he claimed after doing my best to confirm _they_ weren't in any way part of the scam. They confirmed he had never worked there. I sent them his LinkedIn and portfolio site in case they wanted to chase down getting their name removed.
They told me that this was super concerning because the screenshots in his portfolio of the app he worked on for them were real screenshots... for an unreleased app that was only available internally and had never even been demoed for clients.
They'd already been breached and had god knows what exfiltrated. They found out because we caught an attempt to get hired at _our_ company and let them know.
Nobody outside of a couple of technical staff at our company had even _heard_ of this. Nobody at the other company had. The fix, to me, seems to be making people involved in hiring more aware of this. If anything, it seems we should be talking about this _more_ and _more publicly_.
Is your company involved in infrastructural or emerging tech in any way?
Forgive my frankness, but these worries about infiltrators have priority in important, large companies. I am very sure agencies responsible for this can contact these handful of important companies directly.
So, you're right. In the current age we live in, no one cares about your small SaaS company, and you're being used to spread unecessary paranoia and fear.
Other company was, indeed, AI Startup #528532.
We're in a niche, extremely boring industry. We have an extremely small client base. We do line-of-business/sales management applications for something akin to like... light switches and light fixtures. The most exclusive thing we have access to is wholesale pricing from manufacturers. We don't handle payments. The extent of PII we handle is "name and email" from when someone emails out a quote.
We are the epitome of uninteresting to a foreign actor. Being "uninteresting" apparently does not disqualify you.
We also do not hire overseas (the applicant claimed to be from California) and offer a good US wage. We weren't targeted or vulnerable because we were being "greedy".
> I work at a small (~30 person) SaaS company. We interviewed what I took to be a case of this the other day (all the classic signs). Nobody would be keeping an eye on our hires or letting us know about this.
I'm in a similar situation. The HR leads company is trying to filter out the fakes, but they can't catch everyone.
Apparently, the infiltrators specifically target the companies in the 10-50 people range. In smaller companies everybody knows what everybody else is doing, so infiltrators will be swiftly uncovered. And larger companies typically have a well-established HR department that will catch obvious fakes without good cover.
But these mid-range companies provide the best chance for the fakes to get at least a couple of paychecks before being uncovered. And they likely won't bother with going to the FBI to chase down the payments.
Why try to hide it? It’s like public disclosures of security vulnerabilities. You directly contact the few people who have actionable data and means to address the problem, then you tell the world that they’re impacted and should be aware that such a problem exists so we don’t repeat it.
Private disclosures for more sensitive vulnerabilities are a recommended practice. In your analogy, that's why I aluded to.
In such cases, you only share the sensitive vulnerability publicly once there is a fix. For this case, there seems to be no fix.
One could think of it as a way to promote more scrutinized hiring processes, but it actually encourages widespread paranoia and fear.
It seems your analogy is valid, but the conclusion is that it supports what I said.
> Why this is being discussed publicly? It seems way more reasonable to inform IT companies directly, or investigate it outside media attention.
One key component for this scheme to work is to have local US persons act as intermediaries. While some may already know something shady is going on, and be complicit, some might not understand the entire scope of what they're being part of. Publicly discussing it might encourage some people to come forward / avoid being involved in the future.
Living up to your screen name I see, but in all seriousness, I fully agree. The average person running the laptops in a spare bedroom may have no idea the scope of what they're involved with. Especially if they're being duped as well.
Imagine a non technical person being told they're helping run an "edge data center, close to the users. Running our laptops helps Netflix/facebook/etc (insert big tech name of your choice) run faster for you and your neighbors and well pay you to do it."
Easy to imagine a non technical person buying that lie.
As you said, small businessess have less expertise and budget to deal with the problem.
Telling your gramma she has a virus only makes her become afraid, she won't magically gain the ability to identify it. That's my whole reasoning here. It makes things worse.
I am building a free service to counter exactly this problem.
This has been going on since 2018 at least and I have flagged thousands of such applicants.
Maybe this, with mandatory senior executive and board accountability, will be the wakeup call to stop the outsourcing problem of the last 50 years.
This has nothing to do with outsourcing. These guys are getting hired as permanent employees as often as they’re being engaged as contractors.
It’s about incentives.
Direct impact: Outsourcing breeds a culture of unverified and verified-just-once remote work.
Indirect impact: Outsourcing is a cost-driven effort where after a certain level of competence, the bottom-line is the only measurable metric that matters so it’s a race to the bottom with patchwork efforts to “fix” issues like OP.
Making domestic options cost-equivalent with punitive outcomes for hiring NK workers.
This is about in-house employees. Not outsourcing.
So, again, the answering to this and most every other hiring ill in software over the past 15-20 years is… licensing.
So, let’s think about this logically. There is no baseline of candidate identification or competence in software and the jobs pay very well in physically comfortable conditions. It makes sense that unqualified liars would apply for these positions. Why shouldn’t they? I am honestly curious how far the fraud and incompetence can go and devalue the industry before someone cares enough to tackle the problem l.
The answer to this is for companies to do even a modicum of personnel vetting.
At the very least, make your remote candidate show up in person for their onboarding. A plane ticket and a few days of accomodation and meals is cheap in the grand scheme of things, and giving the opportunity to meet their team is good relationship building.
Sight their ID before you issue them with an account, give them a laptop etc.
> The answer to this is for companies to do even a modicum of personnel vetting.
They do. That is clearly not enough.
Irrelevant to the OP unless you explain why North Koreans would be prevented from obtaining these licenses: it's not like there aren't competent developers in North Korea.
If your explanation is that the license grantor will verify that the applicant is a resident of a Western country, than the employer can just do the same verification of job applicants, dispensing with the need for the occupational license.
The way these people are being caught are things like dodgy LinkedIn profiles or refusing in person meetings so I would think a licensing process designed around things which would be expensive to fake: in person government ID checks, periodic exams, peer evaluations, etc. The trick would be actually doing that in person, which could be a useful thing for conferences - treat an afternoon at PyCon or re:Invent as the cost of renewing your professional credentials if you don’t live near a major city or university.
I recommend researching what comprises professional licensing. If you have absolutely no frame of reference I can understand why you would be so confused.
FWIW, it the "insult Kim Jong-Un" meme that's been going around doesn't work
company finally swipes right only to get catfished by a DPRK agent
nice
You don't have to be an evil North Korean to do that. Outsources have been doing it since time immemorial because they can't achieve sales in any other way (or, through direct corruption - often offshore outsourcing shops are owned by managers of their clients, who effectively use them as tools for siphoning money away).
Hopefully the fear of foreign actors will put an end to this too.
I have to hand it to North Korea on the inventive revenue streams. This is a country under sanctions for decades that has developed some of the most clever IT scams for siphoning money from the west. Between this and the Lazarus group the country has brought in Fortune 500 company kinds of money to keep itself afloat.
It's been over 75 years. It could not be clearer that this attempt to punish the ordinary people who live in North Korea for having a government that the US finds disagreeable will not succeed in somehow fomenting revolution. What it has succeeded in doing, apparently, is sustaining a level of poverty and isolation that motivates even crazy schemes like this.
Here's how to actually stop it: stop weaponizing poverty to beat a Cold War-era dead horse, and end the damn sanctions.
Russia was an important trading partner for many European countries. Especially important for Germany. Basically no sanctions. Freedom of movement with fairly good visa policies. No great internet firewall. How much did all this help to prevent another huge war between two European countries?
Exactly. Trade ties only go so far.
But this pov isn’t always rooted in pragmatism. Free market ideologues also think that free markets will bring world peace.
Different behaviors have different motivations, contexts, and causes. It's extremely clear that these, like other criminal moneymaking schemes in the DPRK, are directly and closely related to the high degree of isolation of the DPRK and the difficulty of getting capital into it.
Of course lifting the sanctions won't also end all spycraft, or ensure an end to geopolitical conflict. Those aren't things I have claimed or would claim.
And the primary reason to end such sanctions is not any benefit to imperialist nations but because of the fact that they inflict misery on ordinary people indefinitely and (not essential, but adding insult to injury) uselessly.
> they inflict misery on ordinary people indefinitely
Pyongyang was making its people miserable before there were sanctions. America isn’t at the centre of the universe—we didn’t cause every geopolitical ripple that ever was.
Ah yes, bec that’s worked out so well with china.
Anyone with internet access in NK is working at the behest of the government.
> As US-based companies become more aware of the fake IT worker problem, the job seekers are increasingly targeting European employers, too.
All the US companies I've worked for made sure I was legit before I could log into anything, so I assume background checks to be ubiquitous there, save for the cheapest companies. European employers on the other hand...