Over the years, Jin-su, who uses a pseudonym to protect his identity, took on various remote IT roles with Western companies using numerous fake identities. This effort was part of a clandestine operation to generate income for North Korea. According to a rare interview with Jin-su, he was able to earn at least $5,000 monthly by managing multiple jobs across the US and Europe, with some colleagues reportedly earning even more. Before fleeing, Jin-su was among thousands dispatched internationally—including to China, Russia, Africa, and other regions—to participate in this secretive North Korean initiative.
Although North Korean IT workers are typically under strict surveillance, Jin-su provided detailed testimony that offers a unique perspective on the operation. His story matches findings in United Nations reports and cybersecurity analyses, revealing that 85% of his earnings were sent back to support the North Korean regime. North Korea, subject to international sanctions for years, primarily due to its nuclear ambitions, has found this scheme to be a lucrative venture. A UN Security Council report estimates that such activities bring North Korea between $250 million and $600 million annually.
The rise of remote work during the pandemic has accelerated the scheme’s growth. Some IT workers engage in data theft or employer-targeted hacking for ransom payments. U.S. courts recently indicted 14 North Koreans who collectively amassed $88 million over six years by secretly working and exploiting American companies. Additionally, four more were charged with using false identities for employment with a U.S. cryptocurrency firm last month.
Jin-su, who operated in China as an IT worker for several years, explained that workers usually collaborate in groups of ten. The limited internet access within North Korea compels these workers to operate more freely abroad, often posing as Westerners to avoid sanctions and secure higher wages. Jin-su distinguished this operation from North Korea’s known hacking activities, such as the Lazarus Group, which has been implicated in the theft of $1.5 billion from a cryptocurrency firm earlier this year. Interviewing under assumed identities was a major part of Jin-su’s efforts, as he initially posed as Chinese to gain cooperation from individuals in countries like Hungary and Turkey.
Using these allied identities, he then approached Western Europeans to obtain further identities for job applications in the US and Europe, particularly targeting the British. Fluent English-speaking IT workers typically manage the application process, taking advantage of the anonymity offered by online communication platforms. Jin-su preferred targeting American employers due to higher salaries and highlighted the frequent hiring of multiple North Korean workers by the same companies. The collected earnings are usually laundered through Western and Chinese facilitators.
Recently, a U.S. woman was sentenced to over eight years for assisting North Korean IT workers with employment and money laundering. Although Jin-su’s experiences couldn’t be fully verified independently, corroborating testimonies from other defectors and experts in cybersecurity align with his accounts. Some hiring managers have noticed suspicious applicants, leading them to use unorthodox methods like video calls to verify candidate locations. North Korea’s practice of sending workers abroad isn’t new, with approximately 100,000 engaged in such activities, mainly in China and Russia.
Even though life in China was restrictive for Jin-su, exposing him to the outside world made him question North Korea’s internal situation. Nevertheless, most North Korean IT workers choose to return home, valuing the funds they can earn over the perils of defection, which risks severe repercussions both for themselves and their families. Now settled elsewhere, Jin-su continues to work in IT, finding that his experiences under the regime have equipped him well for a new way of life. Although he now earns less without the multiple jobs and fake identities, he retains more personal income. “I adjusted to earning through illicit means, but now I work legitimately and receive the rewards,” he reflects.
The rampant increase in phishing attacks, with hackers impersonating telecom services like part of this cyber operation, has resulted in stricter security measures. Significant portions of the funds raised through these elaborate schemes are thought to support North Korea’s nuclear initiatives. U.S. officials are urging users to update their security protocols following recent data breaches.
