In the time we have been publishing MyIDMatters, it is unlikely that we have encountered a story as strange as this one. The Justice Department (DOJ) has recently unsealed documents related to an IT workers scheme perpetrated by the Democratic People’s Republic of Korea. These workers reportedly infiltrated more than 300 United States organizations by stealing U.S. identities to raise money for North Korea. You read that correctly: instead of attacking the privacy of these companies, these IT workers collected a paycheck. All in all, nearly 7 million dollars were collected by foreign actors over the course of three years.
According to the Justice Department, this is the largest such case ever tried in U.S. history; along the way, a litany of U.S. citizens and businesses were harmed and defrauded. For understandable reasons, the DOJ did not disclose the names of specific employers, though they did offer descriptions: a “top-5 national television network and media company,” a “premier Silicon Valley technology company” and an “iconic American car manufacturer” were just a few of the organizations listed.
For the scheme to work, a U.S. resident in Arizona assisted overseas IT workers by compromising the identities of more than 60 citizens that were used by foreign nationals. The nationals worked from a laptop farm in the U.S., allowing the foreign IT workers to access laptops on U.S. soil to appear as though they were working from the United States. As of now, the Department of State is offering up to $5 million for any information about the U.S. citizen’s co-conspirators. Even the most informed organizations are not immune. KnowBe4, a global cybersecurity firm, admitted that it hired a North Korean national who passed four interviews with fraudulent credentials and an AI-assisted application photo—two months after the DOJ announced the initial DPRK attack. Although this malicious actor was not provided access to customer data, private networks, cloud infrastructure or confidential information, he was still able to execute unauthorized software before the company’s security protocols intervened. When even cybersecurity organizations are being duped, identity attacks are becoming more sophisticated, and everyone needs to be on the lookout.