North Korea Using IT Workers Abroad for Cybercrime and Sanctions Evasion

このページを日本語で読む

On April 7, the Tokyo Metropolitan Police Department's Public Security Bureau uncovered the case of a person believed to be a North Korean IT worker. The individual was suspected of aiding and abetting identity fraud. Such IT workers are a key means for North Korea to earn foreign currency. Experts see these IT workers as a trump card for North Korea to earn foreign currency while it continues its nuclear and missile development in defiance of United Nations Security Council (UNSC) resolutions.

Information obtained through impersonation is believed to be misused in cyberattacks by hackers. As a result, countries around the world are increasing their vigilance.

Hidden IT Workforce

According to a report by the UNSC Panel of Experts, there are an estimated 1,000 North Korean IT workers inside the country and about 3,000 working abroad. Overseas workers are mainly based in China, Russia, and Southeast Asia.

According to the UNSC report, domestic groups in North Korea also rely on overseas counterparts to open bank accounts and launder funds. On online platforms, the workers hide their real nationality and identity. They accept low-cost contracts from companies in various countries to develop apps and software, earning significant profits.

Their annual earnings are estimated to reach between $250 million USD and $600 million.

America and South Korea have issued guidelines since 2022 that address the issue. In Japan, the National Police Agency (NPA) and other authorities also published a warning to relevant businesses in March 2024.

Alongside public warnings, Japanese authorities are also cracking down on domestic collaborators.

Crackdown on Domestic Collaborators

According to the NPA, North Korean IT workers use fake IDs or ask relatives and acquaintances in Japan to act as their proxies. These proxies register on freelance job platforms that connect workers with clients.

The proxies receive part of the payment and send the rest overseas. In some cases, they also use money transfer services.

In September 2024, the Shizuoka Prefectural Police referred two individuals to prosecutors. The two had allegedly opened a foreign exchange margin trading (FX) account under the instructions of a person believed to be a North Korean IT worker based in Russia.

However, building a legal case against North Korean workers based overseas is considered highly challenging.

There is also increasing awareness of a broader structure behind these activities. Hackers use information obtained by IT workers to launch cyberattacks, often targeting cryptocurrency companies. This appears to be part of a systematic effort by North Korea to obtain foreign currency.

According to the UN Panel of Experts, between 2017 and 2023, North Korea allegedly carried out 58 cyberattacks. These attacks reportedly stole about $3 billion.

Furthermore, the panel also pointed out that around half of North Korea's foreign currency income and approximately 40% of its weapons of mass destruction funding comes from cyberattacks. This makes countermeasures an urgent priority.

Red Flags

According to the NPA, common signs of impersonation by North Korean IT workers include:

Multiple accounts created with the same ID
Lack of fluency in Japanese
Offering services at unusually low prices
Proposing payments in cryptocurrency

Authorities warn that outsourcing work to such impersonators may violate Japan's Foreign Exchange and Foreign Trade Act. Police are urging freelancer platform operators to strengthen identity verification and detect suspicious accounts.

On April 7, the Tokyo Metropolitan Police Public Security Bureau launched an official X (formerly Twitter) account called the Counter Cyber Attack Center.

This account shares information on cyber threats and protective measures.

In its first post, the bureau issued a warning about impersonation by individuals believed to be North Korean IT workers.

Author: The Sankei Shimbun

このページを日本語で読む