North Korean programmers used a hosted laptop to freelance online, says FBI

The US and South Korean governments have been increasingly sounding an alarm about the unwitting hiring of North Korean IT workers through online platforms. Court papers unsealed this week detail the lengths to which the IT workers go to disguise their North Korean affiliation.

The story begins in August 2019 when the Federal Bureau of Investigation interviewed an individual in the US who held an account at a US-based “global freelancing platform.” The court filing doesn’t detail the name of the website but describes it as “an online marketplace where businesses advertise for independent professionals or freelance workers, who in turn can find work in a variety of industries, including software development and information technology.”

During the interview, this person described a deal with a second individual, through which the second individual would be able to carry out work through the former’s account on the freelancing platform.

As part of the deal, the interviewee purchased a laptop and kept it connected to the Internet in their home. The second individual could use remote access software to connect through the laptop to the freelancing platform. The deal eventually grew to four laptops, for which the individual was paid $100 per month per laptop. They also took a commission from money earned through the platform, according to the court papers.

The setup is more complex than using a virtual private network (VPN) but also probably more difficult to detect. The internet protocol (IP) addresses of many VPN services are well known, and traffic from them can be filtered for additional scrutiny, whereas access from a domestic US Internet connection is much less likely to draw attention.

After the information technology (IT) freelancing work was done, payment was deposited into the account of the individual who owned the freelancing account. They took a slice of the earnings and remitted the remainder via an online payment account registered with a “126.com” email address, a popular Chinese email provider.

The court papers said the answer to the payment account’s security question was “yinxing,” noted as Chinese for “Silver Star.” It’s one of several links to Silver Star outlined in the papers, which assert that all the accounts and workers involved are linked to Yanbian Silverstar.

Yanbian Silverstar Network Technology Co., Ltd. is a Jilin-based software development company sanctioned by the US in 2018. The company, also known as “China Silver Star” or “延边银星网络科技有限公司,” has a North Korean CEO, Jong Song Hwa (정성화), and a sister company in Vladivostok, Russia, called Volasys Silver Star. Both companies are North Korean-controlled and are active in IT outsourcing work, according to the US government, which asserts they have earned “millions of dollars” for the country.

In the specific case involving the laptop, a total of $85,000 was remitted to individual two from individual one between April 2018 and October 2019, according to the court papers.

During the investigation, the FBI also uncovered numerous Microsoft and Google accounts used in the scheme. The accounts “discussed using identities of third parties to open accounts at payment and freelancer platforms” and “used Korean language and North Korean honorifics to communicate with each other,” according to the court papers.

As part of the case, the FBI seized 17 domain names and approximately $1.5 million in payment accounts said to be controlled by Yanbian Silverstar. The domain names had been used to set up websites that looked like legitimate businesses, although they were, in fact, fake companies designed to fool people into thinking they were dealing with a reputable company.

The US and South Korean governments have been warning for some time about the danger of hiring North Korean IT workers online who use fake identities to pass as citizens of other countries. The latest case demonstrates how difficult this can be to spot, but an updated advisory offers several red flags, including an unwillingness or inability to appear on camera for an interview. Full details of the case are available in the following court filings:

Affidavit and Application for Seizure – $397k;

Affidavit and Application for Seizure – 12 Domain Names;

Affidavit and Application for Seizure – $1.1 million;

Affidavit and Application for Seizure – 5 Domain Names;

An affiliate of 38 North