May 23, 2022

By: Chris Griner, Shannon Reaves, Tom Firestone, Christopher R. Brewster, Gregory Jaeger, Andrew J. Astuno, Erin Bruce Iacobucci

Big Risks Require Robust Compliance Programs

On May 16, the U.S. Department of State, Department of Treasury and Federal Bureau of Investigation (FBI) issued a joint advisory declaring that the Democratic People’s Republic of Korea (DPRK, a.k.a. North Korea) is using information technology (IT) workers to obtain sensitive foreign technology and generate revenue for North Korea’s Weapons of Mass Destruction (WMD) programs.[1]

The advisory draws on a series of reports by the UN Security Council 1718 Sanctions Committee,[2] and provides detailed information on how DPRK IT workers operate overseas. The advisory lists red flags to help companies identify DPRK IT workers and recommends various protective measures. Businesses that hire North Korean IT workers, even unknowingly, can face severe penalties, including large fines and, in the case of willful violations, criminal prosecution.

The Danger

According to the advisory, almost all DPRK IT workers are subordinate to, and generate revenue for, entities directly involved in the DPRK’s UN-prohibited WMD and ballistic missile programs, as well as its advanced conventional weapons development and trade sectors. As contractors, DPRK IT workers sometimes use their privileged access to steal data about critical infrastructure, procure WMD and ballistic missile-related items , enable malicious cyber intrusions, and assist with the DPRK’s money-laundering and virtual currency transfers. In some cases, these IT workers have even designed virtual currency exchanges and created analytic tools and applications for virtual currency trading (a common means of sanctions evasion). In one case, DPRK IT workers employed as developers by a U.S. company fraudulently charged the company’s payment account and stole over $50,000 in 30 small installments over a matter of months.

How DPRK IT Workers Gain Access

According to the advisory, DPRK IT workers often use online platforms to get freelance contracts in North America, Europe, and East Asia. They frequently rely on stolen or forged identity documents, virtual private networks (VPNs), virtual private servers (VPSs) and third-country IP addresses to conceal their nationality, often presenting themselves as South Korean, Chinese, Japanese, East European or U.S.-based teleworkers. In some cases, they find local, non-DPRK nationals to serve as the nominal heads of companies that are secretly controlled by North Koreans. In other cases, they pay a foreign company to provide them with ostensibly legitimate employment and hide their true identities. DPRK IT workers often acquire proxy accounts held by third parties to bid on, win, work on, and receive payment for, projects on freelance software developer websites.

Legal Risks of Employing DPRK IT Workers

Under a series of Executive Orders issued pursuant to the International Emergency Economic Powers Act (IEEPA)[3], U.S. persons are prohibited from engaging in transactions with the Government of North Korea and the Workers’ Party of Korea without authorization from the U.S. Treasury Department’s Office of Foreign Assets Control (“OFAC”). U.S persons that employ or support DPRK IT workers anywhere in the world and/or process related financial transactions may face severe civil and criminal penalties. Even unintentional and unknowing violations may result in substantial monetary penalties. Willful violations can result in imprisonment, substantial fines, and potential forfeiture of all funds involved in the illicit transactions.

Criminal prosecution is not just a theoretical possibility. For example, in 2020, the Department of Justice disclosed charges against 28 North Koreans and 5 Chinese citizens with laundering over $2.5 billion in assets through 250 shell companies around the world.[4] This is just one of many recent prosecutions related to North Korea. Others have involved cyberattacks, illegal imports and exports to/from North Korea, and ransomware extortion demands.[5]

In addition to the Justice Department’s enforcement authority, OFAC has the authority to impose financial sanctions on any U.S. person determined to have, among other things:

• Engaged in significant activities on behalf of the Government of the DPRK or the Workers’ Party of Korea that undermine cybersecurity;
• Operated on behalf of the DPRK in the IT industry;
• Engaged in certain other malicious cyber-enabled activities;
• Engaged in at least one significant importation from or exportation to the DPRK of any goods, services, or technology;
• Sold, supplied, transferred, or purchased, directly or indirectly, to or from the DPRK or any person acting for or on behalf of the Government of the DPRK or the Workers’ Party of Korea, software, where any revenue or goods received may benefit the Government of the DPRK or the Workers’ Party of Korea; or
• Materially assisted, sponsored, or provided financial, material, or technological support for, or goods or services to or in support of, the Government of the DPRK or the Workers’ Party of Korea.

Foreign persons also can face criminal penalties for sanctions evasion schemes that have even a minimal U.S. nexus. Further, foreign financial institutions that have knowingly conducted or facilitated significant trade with the DPRK, or knowingly conducted or facilitated a significant transaction on behalf of a person designated under a DPRK-related Executive Order may lose the ability to maintain a correspondent or payable-through account in the United States.

Look for Red Flags

To help reduce these risks, the advisory provides a detailed list of red flags that companies employing freelance developers should use to identify hidden DPRK IT workers:

• If a freelance software development website or payment platform account has been shut down or the worker contacts the employer requesting use of a different account, especially if registered to a different name;
• Use of digital payment services, especially PRC-linked services;
• Inconsistencies in name spelling, nationality, claimed work location, contact information, educational history, work history, and other details across a developer’s freelance platform profiles, social media profiles, external portfolio websites, payment platform profiles, and assessed location and hours;
• Surprisingly simple portfolio websites, social media profiles, or developer profiles;
• Direct messaging or cold-calls from individuals purporting to be C-suite level executives of software development companies to solicit services or advertise proficiencies;
• Requests to communicate with clients and potential clients on a separate platform than the original freelance platform website where the client found the IT worker;
• An employer proposes to send documents or work-related equipment such as a laptop to a developer, and the developer requests that items be sent to an address not listed on the developer’s identification documentation. Employers should be particularly suspicious if a developer claims they cannot receive items at the address on their identification documentation;
• Seeking payment in virtual currency in an effort to evade KYC/AML measures and use of the formal financial system;
• Requesting payment for contracts without meeting production benchmarks or check-in meetings;
• Inability to conduct business during required business hours;
• Incorrect or changing contact information, specifically phone numbers and emails;
• Biographical information which does not appear to match the applicant;
• Failure to complete tasks in a timely manner or to respond to tasks;
• Inability to reach them in a timely manner, especially through “instant” communication methods; and
• Asking co-workers to borrow some of their personal information to obtain other contracts.

The advisory also warns freelance work and payment platform companies to be aware of the following red flags that may indicate that DPRK IT workers are using their platforms for malicious purposes:

• Multiple logins into one account from various IP addresses in a relatively short period of time, especially if the IP addresses are associated with different countries;
• Developers are logging into multiple accounts on the same platform from one IP address;
• Developers are logged into their accounts continuously for one or more days at a time;
• Router port or other technical configurations associated with use of remote desktop sharing software, such as port 3389 in the router used to access the account, particularly if usage of remote desktop sharing software is not standard company practice;
• Developer accounts use a fraudulent client account to increase developer account ratings, but both the client and developer accounts use the same PayPal account to transfer/withdraw money (paying themselves with their own money);
• Frequent use of document templates for things such as bidding documents and project communication methods, especially the same templates being used across different developer accounts;
• Multiple developer accounts receiving high ratings from one client account in a short period, with similar or identical documentation used to establish the developer accounts and/or the client account;
• Extensive bidding on projects, and a low number of accepted project bids compared to the number of projects bid on by a developer; and
• Frequent transfers of money through payment platforms, especially to PRC-based bank accounts, and sometimes routed through one or more companies to disguise the ultimate destination of the funds.

Enhanced Compliance Measures

Plainly, the national security risks presented by North Korean IT workers are substantial, and require a substantial response. The advisory provides a detailed list of compliance measures that companies should implement to reduce the risk of hiring DPRK IT workers. Specifically, the advisory recommends that freelance work and payment platform companies:

• Verify documents submitted as part of proposal reviews and contracting due diligence procedures, such as independently verifying invoices and work agreements by contacting the listed clients using contact information given in business databases and not the contact information provided on the submitted documentation;
• Closely scrutinize identity verification documents submitted for forgery, potentially reaching out to local law enforcement for assistance. Reject low-quality images submitted to provide verification of identity;
• Verify the existence of any websites provided to establish accounts; enhance scrutiny for any accounts that have utilized defunct websites to establish the accounts;
• As part of initial due diligence contracting processes and refresh policies, require submission of a video verifying identity or conduct a video interview to verify identity;
• Regularly use port checking capabilities to determine if the platform is being accessed remotely via desktop sharing software or a VPN or VPS, particularly if usage of remote desktop sharing software or VPN services to access accounts is not standard practice;
• Automatically flag for additional review client and developer accounts that use the same or similar documentation to establish the accounts or that use the same digital payment service accounts;
• Automatically flag for additional review the use of the same or similar document templates for bidding and project communication across different developer accounts;
• Automatically flag for additional review multiple developer accounts receiving high ratings from a single client account in a short period, especially if similar or identical documentation was used to establish the accounts;
• Automatically flag for additional review developer accounts with high bidding rates as well as accounts with a low number of accepted project bids compared to the number of project bids. Additionally, flag accounts with a high number of project bids relative to the number of account logins;
• Do not allow any activity in newly established accounts prior to full account verification; and
• Provide extra scrutiny to newly established accounts.

Hiring practices also come under scrutiny. The advisory recommends that companies hiring programmers and developers on freelance platforms:

• Conduct video interviews to verify a potential freelance worker’s identity;
• Conduct a pre-employment background check, drug test, and fingerprint/biometric login to verify identity and claimed location. Avoid payments in virtual currency and require verification of banking information corresponding to other identifying documents;
• Use extra caution when interacting with freelance developers through remote collaboration applications, such as remote desktop applications. Consider disabling remote collaboration applications on any computer supplied to a freelance developer;
• Verify employment and higher education history directly with the listed companies and educational institutions, using contact information identified through a search engine or other business database, not directly obtained from the potential employee or from their profile;
• Check that the name spelling, nationality, claimed location, contact information, educational history, work history, and other details of a potential hire are consistent across the developer’s freelance platform profiles, social media profiles, external portfolio websites, payment platform accounts, and assessed location and hours of work. Be extra cautious of simple portfolio websites, social media profiles, or developer profiles;
• Be cautious of a developer requesting to communicate on a separate platform outside the original freelance platform website where a company initially found the IT worker;
• If sending to a developer documents or work-related equipment such as a laptop, only send to the address listed on the developer’s identification documents and obtain additional documentation if the developer requests that the laptop or other items be sent to an unfamiliar address. Be suspicious if a developer cannot receive items at the address on their identification documentation; and
• Be vigilant for unauthorized, small-scale transactions that may be fraudulently conducted by contracted IT workers.

Although vigilance is critical, it is also necessary to ensure that programs are developed and implemented in accordance with U.S. laws barring discrimination, including discrimination based on race, ethnicity, and national origin.

Conclusion

North Korea has been under U.S. trade sanctions for decades and remains a priority for U.S. enforcement authorities. This attention will increase as North Korea continues to develop its nuclear and intercontinental ballistic missile (ICBM) programs. Red flags matter. Significant risks require enhanced compliance programs. Therefore, companies, especially those in the IT industry, should closely review the advisory and, together with qualified counsel, ensure that they have controls in place to prevent and identify any potential violations.

[1] https://home.treasury.gov/system/files/126/20220516_dprk_it_worker_advisory.pdf.

[2] https://www.un.org/securitycouncil/sanctions/1718/panel_experts/reports.

[3] See https://home.treasury.gov/system/files/126/ieepa.pdf; https://home.treasury.gov/policy-issues/financial-sanctions/faqs/topic/1556; eCFR :: 31 CFR Part 510 -- North Korea Sanctions Regulations; nk_eo_20160316.pdf (treasury.gov); Federal Register :: Imposing Additional Sanctions With Respect to North Korea; Federal Register :: Additional Designation of North Korean Entities Pursuant to E.O. 13382.

[4] See United States v. Ko Chol Man (1:20-cr-00032-RC) D.D.C. 2018).

[5] See, e.g., Three North Korean Military Hackers Indicted in Wide-Ranging Scheme to Commit Cyberattacks and Financial Crimes Across the Globe | OPA | Department of Justice; Department of Justice Announces Forfeiture of North Korean Cargo Vessel | OPA | Department of Justice; North Korean Regime-Backed Programmer Charged With Conspiracy to Conduct Multiple Cyber Attacks and Intrusions | OPA | Department of Justic.

• National Security / CFIUS / Compliance