North Korean operative reveals the inner workings of the IT scam
For more than a decade, Kim Ji-min served as an IT worker inside a vast global scheme devised by North Korea’s authoritarian leadership to evade crushing financial sanctions. Kim has since defected to South Korea. Now, he is sharing his experience as a cog in the IT worker conspiracy employed by the Democratic People’s Republic of Korea to amass billions to fund its weapons of mass destruction program.
The North Korean IT worker scheme has become one of the most urgent cybersecurity issues among global Fortune 500 businesses. Hundreds of companies have unknowingly hired thousands of North Korean IT workers in recent years, giving them access to personal information and intellectual property and paving the way for U.S. dollars to be used as a funding source for DPRK authoritarian ruler Kim Jong Un’s nuclear ambitions. U.S. authorities are publicizing the issue with joint warnings from the FBI and Department of Justice, alongside top cyber experts who have chosen to speak out about the threat.
U.S. Attorney for the Northern District of Georgia Theodore S. Hertzberg told Fortune the office announced charges against four North Korean IT workers this week as part of an orchestrated publicity campaign to encourage business and tech leaders to better understand the threat they’re facing.
“It is not uncommon for business owners to meet potential partners and employees online,” said Hertzberg in a statement. “But companies that work in this space would be wise to hire Americans and to thoroughly vet all potential employees and partners, preferably in person.”
Inside the IT worker operation
Kim was one among thousands of trained software developers deployed outside the DPRK to get lucrative jobs in tech using stolen identities. The delegations of workers are then forced to send the majority of their earnings to the government—part of a global money-making and laundering empire that generates up to $600 million a year, according to UN estimates, not including the billions stolen in crypto heists.
Kim told Fortune his minimum earnings target was $5,000 per month up until the COVID-19 pandemic led to a boom in the remote IT sector. Once remote-work offerings exploded, his target amount doubled. Typically, the money was converted to U.S. dollars at local work sites overseas and then delivered either directly to North Korean headquarters or to a representative of the headquarters abroad.
“My primary job was to earn foreign currency through IT services,” said Kim, according to an email translation of his interview responses. “However, during the COVID-19 pandemic, I often received additional instructions to intensify regime propaganda online as well.”
Kim’s interview was facilitated by People for Successful Corean Reunification (PSCORE), which provided translation and access. PSCORE was founded in 2006 by Kim Young-Il, a North Korean defector, and the group has worked with thousands of other former DPRK citizens who have since fled the country. PSCORE retains UN Economic and Social Council consultative status, which allows it to participate in UN meetings and research.
Kim is living in South Korea under an alias to avoid endangering his friends and family, who could be targeted by the DPRK government in retaliation for his actions and interviews with U.S. media. That chilling calculus keeps most North Korean IT workers in line, PSCORE secretary general Bada Nam told Fortune.
According to Nam, the regime’s reach and control extend far beyond individual IT and other workers stationed abroad.
“Not only their immediate family members, but even distant relatives could get punished if a relative escapes from North Korea,” said Nam. “They are sending the message to the entire people of North Korea, ‘If any family member defects from North Korea or betrays their fatherland, then they will get punished.’”
Those who remain behind are often under constant and severe surveillance, Nam explained. DPRK government workers might be following a defector’s family members in addition to entire neighborhoods. The consequences of a defection can be devastating.
“In some cases, they send the entire family to political prison camp and they cannot get out of that camp for their entire life,” he said.
Despite the risk, Kim has chosen to break his silence by answering questions from select news outlets.
Deception Tactics
Kim’s method of disguising his true identity was elaborate and involved the use of popular tech networking and job websites.
“I used platforms like Facebook, LinkedIn, Freelancer.com, and Upwork.com to pose as a client and post project listings,” Kim said. “I would then contact developers, negotiate with them—including handling payment—and gain access to their accounts.”
Kim would then disguise himself using the identities of those who had sent bids to him on those platforms, whether they were European or American. Thus, he was using real, verified identities in order to conceal his own, he said. Kim posted on other platforms as well, including Freelance.com, Guru.com, and Toptal, he said.
In his work, Kim received and carried out development orders from multiple American companies, with his main area of work focused on e-commerce shopping sites and occasionally mobile app development. In Europe, he worked on developing a healthcare app. Kim declined to name any specific companies because he said sharing specifics could lead to inferences about his personal information.
While Americans in the U.S. have been indicted for knowingly taking part in the North Korean IT worker scheme by renting out their identities or hosting laptop farms in their homes, in Kim’s experience, the Americans who were involved in the scheme were unwitting. He pushed back against a question referring to Americans involved in the scheme as “accomplices.”
“It would be more appropriate to say they were simply clients who placed orders for work,” he said. “They had no idea we were from North Korea.”
He described the conditions he worked under as “relatively decent.” The workspace and sleeping quarters were “sufficiently spacious” and the food conditions were “good.” But work could also turn brutal if the IT workers weren’t delivering on their financial targets.
“We were required to work a minimum of 10 hours a day, and if we failed to meet the assigned targets, we were sometimes forced to work more than 18 hours a day,” he said.
He denied ever being asked to share information with DPRK workers who engaged in crypto heists and claims he had “no contact whatsoever with individuals involved in those activities.”
Direct contact with Kim’s family wasn’t possible, he said. During phone calls between his overseas team and the headquarters in North Korea, the IT workers would occasionally get brief updates about major family issues, although in principle, sharing personal family matters was forbidden.
“We could receive information if it was truly serious and deemed necessary,” he said. “Conversely, in cases where something significant happened abroad—such as an accident or serious illness—the information could also be relayed back to our families through North Korean headquarters.”
Life after the Scheme
Kim’s decision to defect comes at an enormous personal cost, in addition to the harsh reality that his family and even distant relatives could be in danger because of him. Nam said that fear—coupled with extreme personal risk—creates a psychological trap that stops most DPRK citizens from even thinking about escaping. If families attempt to contact defectors, it can become another tool for DPRK control.
“The regime could pressure the family to contact the defector in South Korea, asking them for small favors,” said Nam. “If the defector responds, sending any information can slowly turn into a situation where they are being used as an unwilling source of information.”
Nam said some defectors have been recaptured afterward because they contacted family members.
For now, Kim remains in South Korea facing an uncertain future. He is skilled in IT so he plans to continue working in the field, but the psychological scars remain.
“As for how I feel—it’s a mix of the joy of gaining freedom and the sorrow of losing my family,” said Kim. “From my perspective, it feels like I’ve lost more than I’ve gained.”
He estimates there are thousands of IT workers operating the way he was, some overseas and others inside North Korea.
In response to a request, a Meta spokesperson declined to comment. LinkedIn directed Fortune to its update on fighting fake accounts. Upwork directed Fortune to its approach to state-sponsored threats. Freelance.com, Freelancer.com, Guru.com, and Toptal did not immediately respond to requests for comment.