- A provider of identity verification and fraud tools was recently targeted by what appear to be multiple North Korean IT workers managing dozens of personas. The stream of resumes to Socure for software development positions all boasted experience at brand-name tech firms like Amazon, Google, and Netflix. Turns out they were all fake.
“Anthony from Staten Island” had a polished set of credentials and claimed he previously worked at Meta Platforms. During a Zoom interview for a senior software engineer job, the supposed New Yorker was charming and articulate as he talked about creating a key chat application at the $1.6 trillion social media giant.
For the first 20 minutes, everything went smoothly. Anthony smiled, engaged naturally, and delivered polished responses to questions. Then, it all changed.
“What was most striking was he was really affable,” recalled Rivka Little, Socure’s chief growth officer. “You can 100% see why people would become a victim to this.”
When the interview advanced to more complex two-part questions that required further explanation, Anthony lost his place. He seemed more stilted and less certain, Little told Coins2Day.
Socure believes Anthony was a North Korean IT worker, part of a sophisticated and insidious criminal organization that consists of trained technologists from the Democratic People’s Republic of Korea (DPRK). The DPRK IT workers use American identities, real or fabricated, and apply for remote jobs in IT at American and European companies.
The scheme has been a massive runaway success. Hundreds of Coins2Day 500 companies have unwittingly hired thousands of IT workers from the DPRK, and the IT crew sends its salaries to authoritarian leader Kim Jong Un. Kim uses the money to fund the country’s weapons of mass destruction program. The scheme generates between $200 million to $600 million a year, according to UN estimates, and the DPRK IT workers collaborate with highly skilled operatives responsible for stealing billions in crypto heists.
The scheme is so pervasive that some tech founders have resorted to asking potential job candidates to insult Kim before progressing to a formal interview. DPRK IT workers are constantly surveilled and insulting the supreme leader of the regime would lead to severe punishment.
The threat is scaling rapidly. This year, Kim doubled the earning quotas required of the worker delegations and launched a new artificial intelligence unit called Research Center 227 to support the country’s cyber crime initiatives, according to research from security firm DTEX.
Red flags, shifting tactics
Socure is publicizing its experience with Anthony to alert other companies to new warning signs and also to avoid the pitfalls of overly restrictive hiring practices that might make it harder for legitimate job seekers. The challenge is the fraudulent candidates are skilled and some are very charming, Little explained.
“Anyone can fall for these interviews—he did really well for a long period of time,” said Little.
Some of the indicators that companies are relying on won’t work in the long term, she warned. For instance, Anthony gave a surname that sounded Italian and he claimed to hail from Staten Island. During his interview however, he had an accent that didn’t align with his origin story.
“People come in all kinds of packages,” she noted. Superficial nuances shouldn’t be used to eliminate candidates. And while the DPRK IT workers tend to use stereotypical Western names, if they tweaked their scheme slightly and used names that correlated with their accents, those signs would disappear.
More telling, she said, were the inconsistencies in Anthony’s digital footprint. Many of the fabricated resumes sent to Socure in recent months had big marquee names that made them stand out. Google, Meta, Amazon, and Netflix were often included and the job applicants claimed to have been responsible for the most innovative and interesting products at those companies. A quick check with certain internal staff who worked at Meta during the time Anthony claimed to be there revealed no one knew him.
Another flag was the immaturity of Anthony’s digital identity. His email address and phone number had been connected to his name for only a matter of weeks. Usually, people have phone numbers and email addresses linked to them going back years, she noted. And despite a LinkedIn profile matching his work history and displaying the bright green “Open to work” banner, Anthony didn’t have much going on with connections, posts, or likes on the platform. It was unusual for someone with an extensive tech background.
However, the last thing a company should do is to create more friction and drama that would make it more difficult for legitimate job candidates, she said. Plus, while the North Korean IT worker scam creates risk to hiring companies, there are plenty of reverse schemes that target job seekers. A woman contacted Socure and told the company she had been interviewed for a job by a fake HR person and scammed out of thousands of dollars after providing her name, ID, and bank account details thinking she had been hired.
It creates the need for a delicate balance, said Little. Companies need to protect themselves from fraudulent hires, but can’t create so much friction that legitimate candidates find it too difficult to apply for a job.
Little suggested that companies integrate passive ID verification into their HR platforms to check identity in the background without requiring upfront ID from candidates. Careful interview techniques that probe for scripted responses or the use of AI in the midst of conversation plus digital footprint clues can also help reveal fraudulent job seekers.
“I’ve almost never seen such an intersection of fraud, money laundering, and sanctions violations,” said Little. “It’s a perfect storm.”
