North Korea Likely Using Foreigners as Fronts in Recruitment Scams, Reports Say
Digital technology expert Fraser Edwards, CEO of UK verification startup Cheqd, reported to Decrypt that North Korean IT workers are allegedly changing their tactics to infiltrate foreign companies. According to Edwards, they now appear to be using foreigners to help them get through the initial, “noisy” stages of the recruitment process.
Edwards confirmed this individual was one of several attempts made by suspected North Korean operators to join his company over the last year. He noted a pattern: candidates sound European on the first call but shift to heavily accented Asian speech during subsequent interviews and coding tests, while evidence reveals their actions align with North Korean users of the technology they supposedly master.
This strategy coincides with North Korea’s significant profit from cybercrime. Chainalysis data indicates North Koreans were responsible for stealing $1.34 billion of the $2.2 billion stolen from crypto platforms in 2024, highlighting their increased cyber capabilities. Compromising tech companies apparently serves as a method to further their illicit activities.
North Korea isn’t the only target industry. Recruiters like Owen Healy in Ireland similarly report seeing more attempts by people pretending to be based in Europe, a method that might be harder to spot using current recruitment tools. Healy suspects these individuals hide in legitimate countries as fronts, potentially having their work performed remotely from North Korea.
These infiltration attempts underscore the need for robust recruitment verification processes. Cheqd is adapting its search for new talent, planning to rely more on trusted networks of purposed developers to replace broader recruitment strategies.
In Brief
- Reports indicate North Korean IT workers are increasingly using foreigners to navigate initial recruitment stages.
- This strategy aims to bypass easy interview questions typically asked in early rounds.
- North Korea has stolen $1.34 billion in crypto in 2024, the highest amount attributed to Pyongyang.
Context & Implications
The shift described by Cheqd aligns with North Korea’s documented systematic development of financial means through cyber operations, expanding beyond traditional sanctions-busting. Infiltrating legitimate technical and professional companies could potentially enable more sophisticated human intelligence gathering and further opportunities to weaponize compromised account information for identity theft and money laundering.
While not new, these tactics appear increasingly prevalent. Cheqd points to specific examples of foreigners being “fronted” by North Koreans in recruitment processes. Recruiters are now concerned about two fronts: detecting impostors hiding their origins, and dealing with sophisticated impersonation using other foreigners.
During the Cheqd case, investigators noticed the remote worker using Korean shortcut keys during a live programming test. Healy anticipates this pattern will continue as North Koreans hire proxies in legitimate countries to position themselves further upstream in the interview process.
The article also notes simultaneous challenges in verifying credentials across all fields due to AI-generated CVs and the proliferation of tools designed to aid cheating. The evolving nature of recruitment verification is a critical challenge for cybersecurity professionals.
