Researchers warn freelancers and recruiters about rising North Korea IT worker scams


While North Korean so-called IT workers are becoming increasingly sophisticated at infiltrating crypto organizations to steal funds, they're not unstoppable. The recommendations below might help you and your company avoid falling into these traps.

The team of crypto security researchers at Security Alliance (SEAL) has published a detailed report on how cybercriminals from the Democratic People's Republic of Korea (DPRK) operate, providing an extensive list of recommendations on how employers and workers can protect themselves.

The recommendations are meant not only for companies and recruiters but also for freelancers, as DPRK-linked IT workers are increasingly posing as recruiters, looking for unsuspecting collaborators on platforms like Upwork and Freelancer.


"In many cases, victims ultimately surrender full access to their freelance accounts or install remote-access tools such as AnyDesk or Chrome Remote Desktop," SEAL said, adding that this enables criminals to operate under the victim’s verified identity and IP address.

Therefore, according to the security researchers, among other things, freelancers should independently verify recruiters, never share or delegate verified accounts, and decline any request to install or use remote access tools or browser extensions simply to "bid," "verify identity," or "onboard."

They should also keep communication on-platform and be highly suspicious if a recruiter immediately tries to move to apps like Telegram.

A DPRK-linked cybercriminal appears to have used the identities of more than a dozen people for various employment-related activities. Source: SEAL

What’s more, fake recruiters sometimes require victims to receive a payment and then manually send a large percentage to a third party or "teammate," which is a classic revenue-laundering scheme, SEAL warned.


Meanwhile, recruiting teams have been advised to establish stricter vetting procedures to detect fake "recruiter" profiles and prevent account abuse.


As for detection teams, security researchers recommend, among other measures, blocking unapproved remote monitoring and management (RMM) tools and creating high-priority alerts for any traffic or execution of approved or unapproved RMM/VPN tools associated with newly onboarded contractors.
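An added illustration of that detection rule (my example, not code from SEAL's report or the article): a triage function over constructed process-execution events and an onboarding roster that raises a high-priority alert whenever any RMM tool, approved or not, runs under a contractor account onboarded within the last 30 days, blocks unapproved RMM tools for everyone else, and treats an account missing from the roster as high priority. The binary names, the roster, the 30-day window and the approved list are assumptions.

```python
from datetime import date, timedelta

# Assumed inventory of RMM binaries; AnyDesk and Chrome Remote Desktop
# (remoting_host.exe) are named in the article, the others are assumptions.
RMM_BINARIES = {"anydesk.exe", "remoting_host.exe", "teamviewer.exe", "screenconnect.exe"}
APPROVED_RMM = {"screenconnect.exe"}          # assumption: the one sanctioned tool
NEW_CONTRACTOR_WINDOW = timedelta(days=30)     # assumption: "newly onboarded" = 30 days

# Constructed onboarding roster: account -> worker type and start date.
ROSTER = {
    "c.doe": {"type": "contractor", "start": date(2024, 6, 10)},
    "j.lee": {"type": "contractor", "start": date(2023, 1, 15)},
    "a.kim": {"type": "employee", "start": date(2022, 3, 1)},
}

# Constructed process-execution events (the fields an EDR would forward).
EVENTS = [
    {"user": "c.doe", "ts": date(2024, 6, 12), "image": r"C:\Users\c.doe\AppData\Local\AnyDesk\anydesk.exe"},
    {"user": "c.doe", "ts": date(2024, 6, 13), "image": r"C:\Program Files\ScreenConnect\screenconnect.exe"},
    {"user": "j.lee", "ts": date(2024, 6, 13), "image": r"C:\Program Files\TeamViewer\teamviewer.exe"},
    {"user": "a.kim", "ts": date(2024, 6, 13), "image": r"C:\Program Files\ScreenConnect\screenconnect.exe"},
    {"user": "a.kim", "ts": date(2024, 6, 13), "image": r"C:\Windows\System32\notepad.exe"},
    {"user": "ghost", "ts": date(2024, 6, 13), "image": r"C:\Temp\teamviewer.exe"},
]

def basename(path):
    """Last path component, lower-cased, for Windows or POSIX paths."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def triage(event, roster=ROSTER, window=NEW_CONTRACTOR_WINDOW):
    """Return (severity, reason) for an RMM execution, or None if the image is not an RMM tool."""
    exe = basename(event["image"])
    if exe not in RMM_BINARIES:
        return None
    ident = roster.get(event["user"])
    if ident is None:
        return ("high", f"{exe} run by account {event['user']} not in roster")
    if ident["type"] == "contractor" and event["ts"] - ident["start"] <= window:
        # Approved or not, RMM under a fresh contractor account is the high-priority case.
        return ("high", f"{exe} run by contractor {event['user']} onboarded {ident['start']}")
    if exe not in APPROVED_RMM:
        return ("block", f"unapproved RMM tool {exe} run by {event['user']}")
    return ("info", f"approved RMM tool {exe} run by {event['user']}")

def triage_all(events, roster=ROSTER):
    """Apply triage to a batch of events, dropping non-RMM executions."""
    return [(e["user"], *r) for e in events if (r := triage(e, roster))]
```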

Additionally, as cybercriminals increasingly use AI-powered tools to fake their identities, several tricks may help catch them. For example, candidates can be required to present ID photos on flat, matte surfaces and instructed to hold documents at specific orientations or angles. Asking candidates to blink, turn their heads, read a short phrase, or mirror a gesture might also help detect screen replays and synthetic faces.

"The observed shift in DPRK-linked IT worker behavior – from individually securing fraudulent employment to actively recruiting and managing collaborators – marks a critical evolution in their operational strategy," SEAL concluded, stressing that without coordinated countermeasures and an emphasis on intent-driven detection, this model is poised to become an expanding pillar of DPRK’s cyber-enabled financial operations.
