FBI warns of North Korean IT workers’ data extortion
CWS 3.0 - Contingent Workforce Strategies
The US Federal Bureau of Investigation on Jan. 23 released an update to previous guidance regarding North Korean IT workers, citing “increasingly malicious activity,” which has recently included data extortion.
The update coincides with a US Department of Justice announcement that two staffing firm owners and three others were indicted for helping North Korean IT workers obtain remote employment at US companies. The FBI arrested Erick Ntekereze Prince, owner of staffing firm Taggcar, and Emanuel Ashtor, owner of IT staffing firm Vali Tech.
North Korean IT workers could earn more than $300,000 in some cases, and teams of IT workers could collectively earn more than $3 million annually, the Justice Department said. The North Korean government withholds up to 90% of wages.
‘Victimization’ of US-based Businesses
“FBI is warning the public, private sector, and international community about North Korean IT workers’ continued victimization of US-based businesses,” the public service announcement stated. “In recent months, in addition to data extortion, FBI has observed North Korean IT workers leveraging unlawful access to company networks to exfiltrate proprietary and sensitive data, facilitate cyber-criminal activities, and conduct revenue-generating activity on behalf of the regime.”
It cited the following:
- After being discovered on company networks, North Korean IT workers have extorted victims by holding stolen proprietary data and code hostage until the companies meet ransom demands. In some instances, North Korean IT workers have publicly released victim companies’ proprietary code.
- North Korean IT workers have copied company code repositories, such as GitHub, to their own user profiles and personal cloud accounts. While not uncommon among software developers, this activity represents a large-scale risk of theft of company code.
- North Korean IT workers could attempt to harvest sensitive company credentials and session cookies to initiate work sessions from non-company devices for further compromising opportunities.
Data Monitoring Recommendations
To protect your business, the update suggests monitoring your data. This includes disabling local administrator accounts and limiting privileges for installing remote desktop applications.
Monitoring and investigating unusual network traffic, including remote connections to devices or the installation/presence of prohibited remote desktop protocols or software, is also important.
“North Korean IT workers often have multiple logins into one account in a short period of time from various IP addresses, often associated with different countries,” the notice states.
Businesses can also monitor network logs and browser session activity to identify data exfiltration through accessible means such as shared drives, cloud accounts and private code repositories. In addition, monitor endpoints for the use of software that allows for multiple audio/video calls to take place concurrently.
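The login pattern the notice describes (several logins to one account in a short period from IP addresses in different countries) can be checked against authentication logs with a sliding window. The sketch below is an added example, not code from the FBI notice; the log format, the account names, the one-hour window and the thresholds are assumptions, and the country column is assumed to come from GeoIP enrichment done upstream.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real data): timestamp, account, source IP, country.
# IPs come from documentation ranges; country codes are assumed GeoIP output.
SAMPLE_LOG = """\
2025-01-20T09:00:05Z alice 192.0.2.10 US
2025-01-20T09:02:11Z dev-contractor7 198.51.100.23 US
2025-01-20T09:14:40Z dev-contractor7 203.0.113.77 PL
2025-01-20T09:31:02Z dev-contractor7 203.0.113.140 SG
2025-01-20T13:45:19Z alice 192.0.2.10 US
2025-01-20T17:20:00Z bob 192.0.2.44 US
2025-01-21T08:05:00Z bob 198.51.100.90 CA
"""

def parse_events(text):
    """Yield (timestamp, account, ip, country) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, account, ip, country = parts
        try:
            when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue
        yield when, account, ip, country

def find_multi_origin_logins(events, window=timedelta(hours=1), min_ips=3, min_countries=2):
    """Return {account: alert} for accounts whose logins inside a sliding window
    come from at least min_ips distinct IPs and min_countries distinct countries."""
    recent = defaultdict(deque)  # account -> logins still inside the window
    alerts = {}
    for when, account, ip, country in sorted(events):
        q = recent[account]
        q.append((when, ip, country))
        while q and when - q[0][0] > window:  # drop logins older than the window
            q.popleft()
        ips = {e[1] for e in q}
        countries = {e[2] for e in q}
        if len(ips) >= min_ips and len(countries) >= min_countries and account not in alerts:
            alerts[account] = {"first_seen": q[0][0], "last_seen": when,
                               "ips": sorted(ips), "countries": sorted(countries)}
    return alerts

if __name__ == "__main__":
    for account, hit in find_multi_origin_logins(parse_events(SAMPLE_LOG)).items():
        print(account, hit["countries"], hit["ips"])
```

Tune the window and thresholds to the workforce: staff who travel or use a corporate VPN with rotating egress points will trip loose settings, so treat a hit as a prompt for investigation rather than a verdict.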
Strengthen Remote-Hiring Processes
The FBI recommends the following remote-hire processes:
- Implement identity verification processes during interviewing, onboarding and throughout the employment of any remote worker. Cross-check HR systems for other applicants with the same résumé content and/or contact information. North Korean IT workers have been observed using artificial intelligence and face-swapping technology during video job interviews to obfuscate their true identities.
- Educate HR staff, hiring managers and development teams regarding the North Korean IT worker threat, specifically focusing on changes in address or payment platforms during the onboarding process.
- Review each applicant’s communication accounts, as North Korean IT workers have reused phone numbers (particularly Voice over Internet Protocol numbers) and email addresses on multiple résumés purportedly belonging to different applicants.
- Verify your third-party staffing firms are conducting robust hiring practices and routinely audit those practices.
- Use “soft” interview questions to ask applicants for specific details about their location or education background. North Korean IT workers often claim to have attended non-US educational institutions.
- Check applicant résumés for typos and unusual nomenclature.
- Complete as much of the hiring and onboarding process as possible in person.