A candidate for Oregon’s state legislature—who was later elected to represent southwest Portland and East Beaverton—had her team hire a designer for her campaign website last year. According to a staff member familiar with the work, the web developer was hired from freelance platform Upwork after a phone interview. There were no red flags during the interview process, nor did the developer indicate that there would be anyone else working on the website, the staffer said. The contract started May 10, the site went live around mid-July, and the contract ended on August 27. The budgeted cost was $2,000.
However, the web developer hired to design the site had a subcontractor handle minor edits at the end of the project. A North Korean information technology worker, known and tracked by cybersecurity professionals around the world, logged into the WordPress content management system on the backend of the campaign website using credentials linked to the web developer.
The hired developer told Fortune he had no knowledge of the North Korean IT worker scheme and wasn’t aware of the threat or the vast ongoing conspiracy perpetuated by authoritarian leader Kim Jong-Un to fund the regime’s nuclear weapons program. The developer denied any collaboration with North Koreans.
In a statement, Oregon state Rep. Dacia Grayber told Fortune the campaign website did not store any user data or sensitive details.
“As soon as we learned there was a suspicious login to the WordPress site, my team and I took steps to secure all login information, and ensure that no user data was put at risk,” Grayber told Fortune. “We appreciate being made aware of this larger trend, and find it deeply concerning that in such a tech-dependent world, traditionally trusted means of identity verification are still not enough to mitigate entities that may want to do America harm.”
In case you’re unfamiliar, the Democratic People’s Republic of Korea (DPRK) has deployed more than 100,000 workers to 40 countries around the world to work in sewing, construction, and other industries to avoid crushing financial sanctions. Jobs in information technology, the bowels of tech, have proven to be a reliable cash cow for the regime and a seismic challenge for Fortune 500 companies to thwart.
In sum: North Korean software developers are posing as Americans to get high-paying remote jobs in tech. The plan has been so successful they are trying out new ways to generate cash and crypto now that word has spread about the highly lucrative IT worker scheme.
Under the scam, trained DPRK IT workers steal or rent American identities, use generative AI to craft résumés and fake LinkedIn profiles, and then get remote jobs with U.S. firms under false pretenses and in violation of international laws. All told, the IT worker program reliably generates between $250 million to $600 million per year, according to the UN. DPRK authoritarian ruler Kim Jong-Un uses the money to fund the country’s illegal nuclear weapons and ballistic-missile program.
A UN report detailing the IT worker scheme revealed the North Korean developers make about $15,000 to $60,000 per month apiece, and all are required to earn a minimum of $100,000 a year through full-time and freelance tech work. While the IT worker scheme is generally grounded in making money for North Korea, it also yields intelligence that fuels the country’s flourishing criminal cyber-heist empire. Between 2017 and 2023, the UN estimates DPRK attacks yielded at least $3 billion in crypto. The crimes were allegedly carried out by North Korean Advanced Persistent Threat (APT) actors who operate under the Reconnaissance General Bureau of the Korean People’s Army.
DPRK IT workers, interrupted
The scheme has since been disrupted by numerous indictments, reports, and companies stepping up their game in terms of identity verification. Just this month, the U.S. Treasury financial crimes enforcement network (FinCen) launched a rule proposal that identified Cambodia-based Huione Group as a money-laundering concern. FinCen claimed Huione Group was behind money-washing related to at least $37 million in proceeds from DPRK cyber heists.
“Huione Group has established itself as the marketplace of choice for malicious cyber actors like the DPRK and criminal syndicates, who have stolen billions of dollars from everyday Americans,” said Secretary of the Treasury Scott Bessent in a FinCen statement.
Bryan Vorndran, assistant director of the FBI’s cyber division, told an audience of cybersecurity experts in Las Vegas last week that he gets “many” calls from companies and highly sophisticated venture-capital firms with tech businesses in their portfolios that are dealing with the DPRK worker problem.
“The threat has evolved as industries and the government have tried to counter it,” said Vorndran, speaking at the RSAC annual security conference. “It’s very pervasive.”
Bill Pulte, director of the Federal Housing Finance Agency told Bloomberg TV in an interview that he referred North Koreans and Chinese workers at Fannie Mae and Freddie Mac to criminal authorities.
“I mean, what are the North Koreans and the Chinese doing in these companies,” Pulte said at the Milken Institute Global Conference in California.
Given the spotlight on the issue, DPRK IT workers are pivoting.
Michael “Barni” Barnhart, an investigator who leads DPRK efforts at security firm DTEX, told Fortune the specific area that IT workers have been testing involves an early-stage scheme to pose as heating, ventilation, and air conditioning (HVAC) or remodeling and architectural specialists. The IT workers are posing as experienced engineers in Minnesota, Illinois and countries like Australia by fabricating licenses and then offering their services to people looking to get blueprints approved, Barnhart said. The IT workers have also faked permitting and design approvals for their own work.
Barnhart said the workers are targeting residential markets in Australia and the U.S. and the scheme takes place entirely online. The workers look up state government and municipal websites to find the certifications and approvals needed, copy profiles from real people to make their own appear legitimate, and then offer to provide designs and renderings from licensed professionals to people looking to improve their homes.
“They love doing cyber crime that is so far underneath the threshold of giving a damn about that it’s not reportable,” said Barnhart. “But when thousands of people do it at the same time, it’s quite profitable for the regime.”
By tracking known DPRK IT worker profiles, Barnhart said he found evidence that a restaurant in Chino, California, purchased plans online from a North Korean operative and used them to rebuild their outdoor patio.
DPRK workers selling plans used for homebuilding or commercial construction could easily go south if the plans are unsound or the workers get aggressive. And, potential involvement in campaign donations or U.S. elections is also concerning, he said.
“What if it was a bigger campaign?” said Barnhart. An IT worker embedded with an APT could have designed the website, added a tracker or malware to it, and used it for propaganda, he said.
Jef Green, president of compliance and merchant services provider C&E Systems, which handled the Grayber campaign’s donation collections, told Fortune there’s a complete separation between funding and the information the campaigns use to build their websites.
“If someone has access to her website, they never have any access whatsoever to the merchant page or the donation page,” said Green. “That is our software.”
These incidents appear minor and are focused on revenue generation, but they are still warning signs, said Barnhart.
“You can do all the right things to verify workers but the second you outsource something” there can be lapses in policies and procedures, said Barnhart. “They love to do these things through a third party.”
In a statement, Upwork told Fortune fraud prevention and compliance with U.S. and international sanctions are critical priorities. The company said it has invested in industry-leading security and identity verification measures.
“It represents a challenge that affects the entire online work industry, and Upwork is at the forefront of combating these threats,” the company said. “Any attempt to use a false identity, misrepresent location, or take advantage of Upwork customers is a strict violation of our terms of use, and we take aggressive action to detect, block, and remove bad actors from our platform.”
An Upwork spokesperson told Fortune the web developer profile who was hired to work on Grayber’s campaign has been deactivated from the platform.
