The US government is once again warning organisations to be on the lookout for North Korean spies posing as freelance IT workers, recommending companies be wary of fully remote freelancers who resist joining video calls and try to hide their real-world location.

Last week, the US Department of Justice said it had seized 17 website domains and US$1.5 million of revenue from a group of IT workers who had been sent to live abroad – typically in Russia and China – where they set up as freelance IT professionals angling to work for international companies.

“The Democratic People’s Republic of Korea has flooded the global marketplace with ill-intentioned information technology workers to indirectly fund its ballistic missile program,” Federal Bureau of Intelligence (FBI) special agent Jay Greenberg said in a statement.

“The seizing of these fraudulent domains helps protect companies from unknowingly hiring these bad actors and potentially damaging their business.”

Greenberg warned that companies risk “losing money or being compromised by insider threats” if they don’t perform due diligence on hiring remote workers.

According to the Department of Justice, North Korea has sent “thousands of skilled IT workers” outside its borders as part of the scheme.

The IT workers create fake identities – email addresses, social media accounts, websites, payments platform accounts – and begin looking for opportunities on known freelancing websites.

Often the agents use counterfeit or stolen information to create these fake identities. They will then pay or trick other people to sit in on job interviews and join video calls on their behalf.

After getting paid for their work, the freelancers try and launder their money before sending most of it back to North Korea which the FBI said could be used to help fund weapons programs.

The department said it has brokered “information-sharing partnerships” to try and block North Korean agents from using their preferred freelancing sites and payment platforms.

North Korean hackers have previously been blamed for stealing cryptocurrency, spreading ransomware, and breaking into organisations that were researching COVID-19 vaccines.

How to avoid hiring a North Korean spy

Back in May 2022, the FBI first sounded the alarm about North Korean IT workers joining businesses and either using their position within the companies to commit cyber crime or just send the money home.

Last week, it updated guidance on how to avoid accidentally hiring a North Korean spy, which is mostly a set of red flags that may be indicators – but not proof – that a worker isn’t who they claim.

Video calls and in-person meetings are early red flags: if someone is unwilling or unable to join a Zoom meeting, or shows “undue concern” about attending in-person meetings, they could be signs of a North Korean spy.

The FBI goes as far as to recommend asking prospective workers to physically hold up their ID documents to camera and even getting them to point their camera outside for proof of location.

Agents have been known to demand prepayment for work and will get angry if they can’t get prepaid.

Similarly, they may extort organisations by threatening to release source code if not given extra payments.

The FBI also recommends requiring freelancers turn off commercial VPNs when accessing company networks so freelancers can’t hide their IP addresses.