A Growing Scam Exposes the Vulnerabilities of Remote Work and AI-Generated Identities

In a disturbing trend, North Korean operatives have been infiltrating top tech firms across the United States, posing as remote workers and using stolen identities to amass millions of dollars for the regime’s weapons program. Cybersecurity experts warn that the scam is more widespread than previously understood, with hundreds of companies falling victim to the intricate scheme.
The operatives, often using AI-generated deepfakes to impersonate real people, create fake LinkedIn profiles and apply for high-paying jobs en masse. According to Charles Carmakal, chief technology officer at Google Cloud’s Mandiant, nearly every company he has spoken to about the issue has admitted to hiring at least one North Korean IT worker, if not a dozen or a few dozen. The operatives typically target companies with a high demand for remote IT workers, taking advantage of the shortage of cybersecurity talent in the US.
Once hired, the operatives use stolen credentials to navigate the onboarding process and request that work laptops be sent to front addresses in the US. These addresses are often laptop “farms,” where dozens of devices are kept running by American individuals paid to join the scheme. The laptops are then used to access sensitive company data, plant malicious software, and extort ransom payments from the company.
According to Adam Meyers, senior vice president of counter-adversary operations at CrowdStrike, his team has been tracking the growth of North Korean operatives infiltrating US companies since 2022. In the first week of their tracking program, they identified 30 companies that had fallen victim to the scam. The number of companies affected has continued to grow, with some companies reporting up to 10 scammers on their payroll posing as IT workers.
The operatives’ tactics have evolved over time, with the use of AI-generated deepfakes becoming increasingly sophisticated. They often create fake personas, using stolen information such as addresses and Social Security numbers from real people. These personas are then used to apply for jobs, and the operatives use AI-generated deepfakes to impersonate the real person during the interview process.
Once inside company networks, the operatives plant malicious software to gain access to sensitive company data or intelligence, forcing companies to fork over massive ransom payments. According to Elizabeth Pelker, a special agent with the FBI, even if the hackers are caught and fired, they often have an exit strategy to continue extorting the company for financial gain.
Law enforcement agencies are paying attention, with the FBI and other agencies cracking down on the scheme. In February, Christina Chapman, an American citizen, pleaded guilty to working with North Korean operatives for three years to steal American identities and run a laptop farm to sustain the operation. The scam generated more than $17 million, which was funneled to the North Korean government.
The scope of the problem remains unclear, with experts estimating that thousands of unique personas are being used in the scam. The scam is not limited to the US, with similar schemes being tracked in the UK, Poland, Romania, and other European nations. However, companies are fearful of disclosing that they have hired North Korean workers due to the potential legal ramifications of paying agents of a government under heavy economic sanctions.
Experts warn that the scam is a major threat to global cybersecurity, with the potential for significant financial and compliance risks for companies that unknowingly hire North Korean operatives. As the scheme continues to evolve, companies must remain vigilant and take steps to protect themselves from this sophisticated and adaptable threat.



