Flashpoint Investigation: Uncovering the DPRK’s Remote IT Worker Fraud Scheme
In this post, we delve into Flashpoint’s investigation of a multi-million dollar North Korean remote IT worker fraud scheme, revealing their deceptive tactics through the analysis of compromised credentials and infostealer logs.

On December 12, 2024, the United States indicted fourteen North Korean nationals for using stolen identities to obtain remote IT jobs at US-based companies and nonprofits. Over the last six years, this scheme has provided the North Korean government (DPRK) with at least $88 million USD, and since its discovery, Fortune 500 companies and the technology and cryptocurrency industries have reported still more covert DPRK agents siphoning funds, intellectual property, and information.
Leveraging Flashpoint’s expansive intelligence collection, our analysts conducted an investigation that uncovered the tactics and procedures used by North Korean threat actors in this scheme. How? By turning information-stealing malware infections against the actors themselves: the stealer logs contained key communications that shed light on their tactics and operations.
Reverse Engineering Infected Host Information
Flashpoint’s investigation started from the Department of Justice’s (DOJ) original indictment, which listed the domain names of several fake companies used to embellish resumes and provide fake references:
- Baby Box Info
- Helix US
- Cubix Tech US
Searching Flashpoint’s Compromised Credential Monitoring (CCM) data holdings, Flashpoint analysts discovered several accounts linked to those fake domains on hosts infected with information-stealing malware. Further analysis linked the above domains to one of the indicted individuals, who used the US identity referred to only as “J.S.”
Surfacing Infected Machines Using Flashpoint Intelligence
Historical domain registration records showed that all three domains listed the same email address as the registrant point of contact. Using CCM, Flashpoint surfaced an infected host located in Lahore, Pakistan, that contained a saved credential for that very same registrant email account. Password reuse then revealed additional accounts likely controlled by the same entity, including accounts at many organizations saved on a second Lahore-based infected host.
This second infected machine contained a credential with the username “jsilver617,” potentially tied to the “J.S.” identity referenced in the indictment. While not definitive, the “jsilver617” username had been used to log in to an unknown web server identified only by its IP address. AnyDesk remote desktop software was installed on the host, suggesting it was accessed remotely. The host also held numerous saved credentials for corporate human resources sites and job boards, indicating that it had been used intensively to apply to dozens of tech jobs throughout 2023.
Saved browser and autofill entries for this machine contained references to Baby Box and Cubix, fake companies that the DOJ alleges were created by DPRK threat actors.
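The pivot described in this section (indictment domains, to a registrant email, to the host holding that credential, to further hosts and usernames through password reuse) can be expressed as a small graph walk over stealer-log credential records. The following is an added example written for this post; it is not Flashpoint's code or tooling, and every host, URL, username and secret in it is a constructed placeholder (only the three indictment domains come from the post). It assumes records have already been normalized into (host, location, saved URL, username, password) tuples.

```python
"""Pivot across infostealer-log credential records by password reuse.

Added example for this post, not Flashpoint's tooling. All records below
are constructed placeholders; only SEED_DOMAINS comes from the indictment.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Fake-company domains listed in the indictment (from the post).
SEED_DOMAINS = {"babyboxinfo.com", "helix-us.com", "cubixtechus.com"}

# Placeholder for the registrant email recovered from domain history
# (the post does not publish the real address).
REGISTRANT_EMAIL = "registrant-placeholder@example.invalid"

# Constructed credential records in the shape a normalized stealer log yields:
# (host_id, host_location, saved_url, username, password)
RECORDS = [
    ("host-A", "Lahore, PK", "https://mail.example.invalid/login", REGISTRANT_EMAIL, "pw-shared-1"),
    ("host-A", "Lahore, PK", "https://registrar.example.invalid/", REGISTRANT_EMAIL, "pw-shared-1"),
    ("host-B", "Lahore, PK", "https://hr.example.invalid/careers", "jsilver617", "pw-shared-1"),
    ("host-B", "Lahore, PK", "https://www.helix-us.com/admin", "admin", "pw-helix-only"),
    ("host-B", "Lahore, PK", "https://jobs.example.invalid/apply", "jsilver617", "pw-other"),
    ("host-C", "Elsewhere", "https://shop.example.invalid/", "unrelated", "pw-unrelated"),
]


def domain_of(url: str) -> str:
    """Registrable-ish domain of a saved URL, with a leading 'www.' dropped."""
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def accounts_for_user(records, username):
    """Starting set: every record saved under the given username."""
    return [r for r in records if r[3] == username]


def pivot_by_password(records, start):
    """Expand a starting record set through shared passwords.

    Any record that shares a password with a record already in the set is
    pulled in, repeatedly, until nothing new appears. Returns the sorted
    hosts reached and the sorted usernames seen on those records.
    """
    by_password = defaultdict(list)
    for r in records:
        by_password[r[4]].append(r)
    seen = set(start)
    frontier = list(start)
    while frontier:
        r = frontier.pop()
        for other in by_password[r[4]]:
            if other not in seen:
                seen.add(other)
                frontier.append(other)
    hosts = sorted({r[0] for r in seen})
    usernames = sorted({r[3] for r in seen})
    return hosts, usernames


def corroborate(records, hosts, seed_domains=SEED_DOMAINS):
    """Records on the reached hosts whose saved URL sits on an indictment domain.

    A hit here ties a password-linked host back to the DOJ's fake companies
    independently of the password pivot itself.
    """
    return [r for r in records if r[0] in hosts and domain_of(r[2]) in seed_domains]


if __name__ == "__main__":
    start = accounts_for_user(RECORDS, REGISTRANT_EMAIL)
    hosts, users = pivot_by_password(RECORDS, start)
    print("linked hosts:", hosts)
    print("linked usernames:", users)
    for r in corroborate(RECORDS, hosts):
        print("indictment-domain credential on", r[0], "->", r[2])
```

Run against the constructed records, the walk starts at host-A (registrant email), crosses to host-B via the shared password, and `corroborate` then shows host-B also holds a saved credential on an indictment domain, which is the same two-step corroboration the post describes. Note that the pivot is only as trustworthy as the password values: very common passwords will link unrelated hosts, so in practice records with passwords that appear on many hosts should be excluded before walking.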
Officially Tying jsilver617 to North Korea
These points of overlap between the information in Flashpoint’s CCM dataset and the indictment strongly suggested the infected hosts were involved in the DPRK remote work scheme. However, our analysts did not initially identify conclusive links to North Korean actors.
Comparing Usual Signatures from the DPRK
Flashpoint has observed recurring signatures from DPRK actors, such as the use of Astrill virtual private networks (VPNs) with a US IP address alongside characteristic locale settings on an infected host, for example a Korean language input method installed together with a Chinese time zone setting.
In the case of “jsilver617,” the IP addresses were located in Pakistan. Some of the identities on the infected host claimed US residency, as seen in addresses entered on job applications and captured by browser autofill. Other location references indicated possible travel to the United Arab Emirates, France, and Nigeria, but none showed overt links to North Korea.
Browser History Links Infected Host to DPRK
However, among fifty browser profiles, one stood out due to unique contents in its browser history, as logged by the infostealer infection: Google Translate URLs capturing dozens of translations between English and Korean.
Although the purpose of these translations is unclear, the messages uncovered by Flashpoint’s investigation provide insight into the tactics, techniques, and procedures (TTPs) employed by North Korean remote work scheme actors, as well as evidence of their possible successes and failures. The original history entries are URL-encoded; they have been reformatted for readability and edited to remove the personal information of individuals who may be co-conspirators or victims of identity theft.
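The history entries quoted below were recovered by decoding Google Translate URLs of the form `https://translate.google.com/?sl=<source>&tl=<target>&text=<percent-encoded text>&op=translate`, which is where the trailing `&op=translate` on each message comes from. The following added example, written for this post and not Flashpoint's own code, shows how to pull those entries out of a multi-profile browser history and surface the profiles translating to or from Korean. The history rows are constructed placeholders, not the real entries.

```python
"""Decode Google Translate URLs from browser-history rows and group them by profile.

Added example for this post, not Flashpoint's tooling. HISTORY is constructed;
the message text is placeholder content, not the post's real entries.
"""
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed browser-history rows: (browser_profile, visited_url).
HISTORY = [
    ("Profile 1", "https://www.example.invalid/jobs"),
    ("Profile 7", "https://translate.google.com/?sl=en&tl=ko"
                  "&text=Sample%20message%20one&op=translate"),
    ("Profile 7", "https://translate.google.com/?sl=ko&tl=en"
                  "&text=%EC%95%88%EB%85%95%ED%95%98%EC%84%B8%EC%9A%94&op=translate"),
    ("Profile 12", "https://translate.google.com/?sl=en&tl=fr&text=hello&op=translate"),
    ("Profile 7", "https://mail.example.invalid/"),
    # Translate page opened without typed text: still a translate visit, empty text.
    ("Profile 3", "https://translate.google.com/?sl=auto&tl=ko&op=translate"),
]


def parse_translate_url(url):
    """Return {'sl', 'tl', 'text'} for a Google Translate URL, else None.

    parse_qs percent-decodes the text parameter (UTF-8), so Korean comes back
    as readable characters rather than %EC... escapes.
    """
    parts = urlsplit(url)
    if (parts.hostname or "").lower() != "translate.google.com":
        return None
    q = parse_qs(parts.query)
    if q.get("op", [""])[0] != "translate":
        return None
    return {
        "sl": q.get("sl", ["auto"])[0],
        "tl": q.get("tl", [""])[0],
        "text": q.get("text", [""])[0],
    }


def translations_by_profile(history, langs=frozenset({"ko"})):
    """Group decoded translate entries by profile, keeping only those whose
    source or target language is in `langs`. Entries with empty text are kept,
    since the visit itself is still evidence of translation activity."""
    grouped = defaultdict(list)
    for profile, url in history:
        entry = parse_translate_url(url)
        if entry and (entry["sl"] in langs or entry["tl"] in langs):
            grouped[profile].append(entry)
    return dict(grouped)


def format_entry(entry):
    """One readable line per entry, the way the post reformats its quotes."""
    return f"[{entry['sl']}->{entry['tl']}] {entry['text']}"


if __name__ == "__main__":
    for profile, entries in translations_by_profile(HISTORY).items():
        print(profile, f"({len(entries)} Korean translate entries)")
        for e in entries:
            print("   ", format_entry(e))
```

With the constructed rows, only Profile 7 and Profile 3 carry Korean translations; Profile 12's French entry is dropped by the language filter. On a real stealer log the same grouping is what makes one profile out of fifty stand out, and counting entries per profile before reading any text keeps the triage independent of how the message content is later redacted.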
An Exclusive Look at Real DPRK Threat Actor Messages
Fake References for Real Jobs
These Google Translate entries appeared to include job references and an email from the companies named in the indictment: Helix and Baby Box. This demonstrates the use of front companies to provide references for fraudulent applicants seeking jobs at legitimate companies.
Company: Helix
Employer Name: [omitted]
Designation: CTO
Email: ******@helix-us[.]com
Phone: [omitted]
LinkedIn: hxxps://www[.]linkedin[.]com/in/*******/
Company Address: [omitted]
Name: [omitted]
Designation/Role: CTO
Email: *****@babyboxinfo[.]com
Phone: [omitted]
Company Name: Babybox
LinkedIn: hxxps://www[.]linkedin[.]com/in/******
Company Address: [omitted]&op=translate
---
Dear Sarah,
Thank you for reaching out. I am [name omitted], the HR Manager at Cubix. I am here to assist you with the requested information.
Regarding the connection between Cubix and [company name omitted], I would like to inform you that [omitted] has been a trusted partner in providing talented developers to our company. We have had a successful collaboration with [company name omitted] in recruiting top-notch professionals who have made significant contributions to our team and projects.
Now, in regards to the employment verification for [name omitted], please find the requested details below:
Start and End Dates of Employment: 05/07/2018 - 05/20/2023
Position/Job Title: Lead full stack developer
Reason for Leaving: Voluntarily left this position to pursue remote work opportunities and take advantage of the flexibility it offers.
Eligibility for Rehire: Eligible for rehire without any concerns or issues.
Manager (Supervisor ) Contact Info:
[name omitted]
Email: *****@cubixtechus[.]com
If you have any further inquiries or require additional information, please don't hesitate to let me know. I am here to assist you with the necessary details.
Best regards,
[name omitted]
HR Manager
Cubix&op=translate
Evidence of Recruitment or Direction
These messages hinted at a supervisory relationship, likely between a Korean speaker and a non-Korean speaker given the use of Google Translate. They also contained elements of advice and tradecraft, such as discussions of how to persuade a manager not to require the use of a camera during meetings, and of voice manipulation or dubbing. Some of the messages expressed frustration and disappointment directed at a remote worker participating in the scheme, observing that they had failed to find new jobs and, in one case, may have been found out.
We need to make the Abdul's voices heard for a week. After that we can turn off the camera. They are very sensitive to voices. They might not ask Abdul to turn on the video if they don't think there is a difference in thg voices.&op=translate
---
and you know that was same some that we have already summitted your profile, at that time they told that your rate is high and gave offer to another person , but that offer is backout and now they have backfill of it. please let me know if we can submit your profile at $65/hr on C2C/1099. this time prime vendor is different, but client is same.&op=translate
---
I didn't complain when you didn't get the assignment for two months. But this is a different matter. It's proof that you're a failure and if you're like this, you won't be able to handle this job well.&op=translate
Evidence of Operations and Partners
Some messages discussed shipping electronic devices, likely phones and laptops. Recent reporting, including the December 2024 indictment, describes laptop farms in which a US-based collaborator receives corporate devices shipped by the employer and a North Korean worker accesses them remotely.
want to be certain that the laptops are in nigeria and it would be delivered. Thats what i want to be clear of&op=translate
---
Bros, abeg trust me. I dey jam for customs dey import goods, including mobile phones and other things, wey get specific rules and regulations. Customs officers dey check and control the importation of goods to make sure say dem dey follow legal requirements and make correct payments for duties and taxes.
Bros, my 290 mobile devices dey hold, all my guys dey hold too, even though I ready to pay double of the money wey dem collect from you for customs, just to secure our relationship. I dey try my best, tomorrow dem go release the devices. My main thing wey I wan deliver na mobile phones, no be laptops, but I still dey do this for you, make you understand.
I dey hold my mobile phones and your devices too, and I dey give priority to your devices sake of the promise wey I give you. I dey try talk to the inspector wey dey for customs, I don even give am something, so by tomorrow, I go fit bring out your devices.&op=translate
Other browser history items revealed tracking numbers for international courier services, including for a shipment that may have originated in Dubai.
Protect Against Threat Actor Activity Using Flashpoint
Flashpoint’s investigation into the North Korean remote work fraud scheme paints a detailed picture of sophisticated digital deception and demonstrates the critical need for threat intelligence. Leveraging Flashpoint’s expansive CCM data and analytical capabilities, our analysts were able to connect seemingly disparate digital breadcrumbs, ultimately revealing the intricate tactics and global reach of this state-sponsored operation.
Building on these crucial insights, Flashpoint’s comprehensive data collections combined with expert analysis empowers organizations to identify compromised credentials, detect suspicious activity, and gain a deeper understanding of threat actor TTPs. Request a demo today to see for yourself how Flashpoint equips security teams with the intelligence necessary to mitigate the risks involved with sophisticated fraud and threat actor activity.