Category: Analysis

  • A scheme involving North Korean IT workers successfully gained access to an American election campaign website

    A candidate for Oregon’s state legislature—who was later elected to represent southwest Portland and East Beaverton—had her team hire a designer for her campaign website last year. According to a staff member familiar with the work, the web developer was hired from freelance platform Upwork after a phone interview. There were no red flags during the interview process, nor did the developer indicate that there would be anyone else working on the website, the staffer said. The contract started May 10, the site went live around mid-July, and the contract ended on August 27. The budgeted cost was $2,000. 

    However, the web developer hired to design the site had a subcontractor handle minor edits at the end of the project. A North Korean information technology worker, known and tracked by cybersecurity professionals around the world, logged into the WordPress content management system on the backend of the campaign website using credentials linked to the web developer. 

    The hired developer told Fortune he had no knowledge of the North Korean IT worker scheme and wasn’t aware of the threat or the vast ongoing conspiracy perpetuated by authoritarian leader Kim Jong-Un to fund the regime’s nuclear weapons program. The developer denied any collaboration with North Koreans. 

    In a statement, Oregon state Rep. Dacia Grayber told Fortune the campaign website did not store any user data or sensitive details. 

    “As soon as we learned there was a suspicious login to the WordPress site, my team and I took steps to secure all login information, and ensure that no user data was put at risk,” Grayber told Fortune. “We appreciate being made aware of this larger trend, and find it deeply concerning that in such a tech-dependent world, traditionally trusted means of identity verification are still not enough to mitigate entities that may want to do America harm.”

    In case you’re unfamiliar, the Democratic People’s Republic of Korea (DPRK) has deployed more than 100,000 workers to 40 countries around the world to work in sewing, construction, and other industries to avoid crushing financial sanctions. Jobs in information technology, the bowels of tech, have proven to be a reliable cash cow for the regime and a seismic challenge for Fortune 500 companies to thwart. 

    In sum: North Korean software developers are posing as Americans to get high-paying remote jobs in tech. The plan has been so successful that they are trying out new ways to generate cash and crypto now that word has spread about the highly lucrative IT worker scheme.

    Under the scam, trained DPRK IT workers steal or rent American identities, use generative AI to craft résumés and fake LinkedIn profiles, and then get remote jobs with U.S. firms under false pretenses and in violation of international laws. All told, the IT worker program reliably generates between $250 million and $600 million per year, according to the UN. DPRK authoritarian ruler Kim Jong-Un uses the money to fund the country’s illegal nuclear weapons and ballistic-missile program. 

    A UN report detailing the IT worker scheme revealed that the North Korean developers make about $15,000 to $60,000 per month apiece, and all are required to earn a minimum of $100,000 a year through full-time and freelance tech work. While the IT worker scheme is generally grounded in making money for North Korea, it also yields intelligence that fuels the country’s flourishing criminal cyber-heist empire. Between 2017 and 2023, the UN estimates, DPRK attacks yielded at least $3 billion in crypto. The crimes were allegedly carried out by North Korean Advanced Persistent Threat (APT) actors who operate under the Reconnaissance General Bureau of the Korean People’s Army. 

    DPRK IT workers, interrupted 

    The scheme has since been disrupted by numerous indictments, reports, and companies stepping up their game in terms of identity verification. Just this month, the U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN) launched a rule proposal that identified Cambodia-based Huione Group as a money-laundering concern. FinCEN claimed Huione Group was behind money-washing related to at least $37 million in proceeds from DPRK cyber heists. 

    “Huione Group has established itself as the marketplace of choice for malicious cyber actors like the DPRK and criminal syndicates, who have stolen billions of dollars from everyday Americans,” said Secretary of the Treasury Scott Bessent in a FinCEN statement.

    Bryan Vorndran, assistant director of the FBI’s cyber division, told an audience of cybersecurity experts in Las Vegas last week that he gets “many” calls from companies and highly sophisticated venture-capital firms with tech businesses in their portfolios that are dealing with the DPRK worker problem. 

    “The threat has evolved as industries and the government have tried to counter it,” said Vorndran, speaking at the RSAC annual security conference. “It’s very pervasive.”

    Bill Pulte, director of the Federal Housing Finance Agency, told Bloomberg TV in an interview that he referred North Korean and Chinese workers at Fannie Mae and Freddie Mac to criminal authorities. 

    “I mean, what are the North Koreans and the Chinese doing in these companies,” Pulte said at the Milken Institute Global Conference in California. 

    Given the spotlight on the issue, DPRK IT workers are pivoting. 

    Michael “Barni” Barnhart, an investigator who leads DPRK efforts at security firm DTEX, told Fortune the specific area that IT workers have been testing involves an early-stage scheme to pose as heating, ventilation, and air conditioning (HVAC) or remodeling and architectural specialists. The IT workers are posing as experienced engineers in Minnesota, Illinois and countries like Australia by fabricating licenses and then offering their services to people looking to get blueprints approved, Barnhart said. The IT workers have also faked permitting and design approvals for their own work.

    Barnhart said the workers are targeting residential markets in Australia and the U.S. and the scheme takes place entirely online. The workers look up state government and municipal websites to find the certifications and approvals needed, copy profiles from real people to make their own appear legitimate, and then offer to provide designs and renderings from licensed professionals to people looking to improve their homes.

    “They love doing cyber crime that is so far underneath the threshold of giving a damn about that it’s not reportable,” said Barnhart. “But when thousands of people do it at the same time, it’s quite profitable for the regime.” 

    By tracking known DPRK IT worker profiles, Barnhart said he found evidence that a restaurant in Chino, California, purchased plans online from a North Korean operative and used them to rebuild their outdoor patio. 

    DPRK workers selling plans used for homebuilding or commercial construction could easily go south if the plans are unsound or the workers get aggressive. And potential involvement in campaign donations or U.S. elections is also concerning, he said. 

    “What if it was a bigger campaign?” said Barnhart. An IT worker embedded with an APT could have designed the website, added a tracker or malware to it, and used it for propaganda, he said. 

    Jef Green, president of compliance and merchant services provider C&E Systems, which handled the Grayber campaign’s donation collections, told Fortune there’s a complete separation between funding and the information the campaigns use to build their websites. 

    “If someone has access to her website, they never have any access whatsoever to the merchant page or the donation page,” said Green. “That is our software.”

    These incidents appear minor and are focused on revenue generation, but they are still warning signs, said Barnhart. 

    “You can do all the right things to verify workers but the second you outsource something” there can be lapses in policies and procedures, said Barnhart. “They love to do these things through a third party.”

    In a statement, Upwork told Fortune fraud prevention and compliance with U.S. and international sanctions are critical priorities. The company said it has invested in industry-leading security and identity verification measures. 

    “It represents a challenge that affects the entire online work industry, and Upwork is at the forefront of combating these threats,” the company said. “Any attempt to use a false identity, misrepresent location, or take advantage of Upwork customers is a strict violation of our terms of use, and we take aggressive action to detect, block, and remove bad actors from our platform.”

    An Upwork spokesperson told Fortune the web developer profile who was hired to work on Grayber’s campaign has been deactivated from the platform. 

  • The way Trump handled the cases of two Russian women exposes weaknesses in the U.S. immigration policy

    On Monday, President Donald Trump met with Russian-American Ksenia Karelina, a former ballerina who was arrested during a family trip to Russia last year for donating roughly $52 to support Ukrainian aid in 2022. She was later sentenced to 12 years in a Russian penal colony for “high treason.”

    Of course, Karelina’s return to the U.S. is itself major news. Last month, after UFC CEO Dana White discussed Karelina’s plight with Trump, the Trump administration negotiated a prisoner swap in which Karelina was released in exchange for Arthur Petrov, a German-Russian national indicted last year for allegedly exporting sensitive U.S.-sourced microelectronics. The release of the “young ballerina” was apparently important enough for Trump to involve the CIA — and ultimately resulted in the release of an alleged material supporter of the Russian military.

    That Karelina is no criminal and deserves to be back in Los Angeles, where she works as an aesthetician, is without question. But her much-heralded meeting with Trump makes me wonder why the administration isn’t equally worked up about the liberty of another woman of Russian descent — one with a strikingly similar name.

    Kseniia Petrova, a Russian Harvard University scientist, has been stuck in a Louisiana immigration jail for more than two months now. And like Karelina, she is young (both women are in their early 30s) and has reportedly opposed Russia’s invasion of Ukraine. Indeed, both women fell afoul of Russian authorities within days of each other: Karelina made her donation on Feb. 24, 2022, the day Russia began its full-scale invasion; Petrova called for Russian President Vladimir Putin’s impeachment on her Facebook page on Feb. 27 and was arrested before she managed to escape to the country of Georgia and then the United States.

    Most importantly, neither has committed any crime under U.S. law. Yet while Trump has embraced Karelina, his administration has punished Petrova, a Russian national employed at Harvard on a J-1 visa.

    On Feb. 16, Petrova was detained upon returning to Boston from Paris and was later transferred to Immigration and Customs Enforcement custody in Vermont and then Louisiana. Her alleged offense? Failing to disclose on a customs form that she was carrying “samples of frog embryos she had carried from France at the request of her boss at Harvard” and purportedly lying about them, reported The New York Times. Petrova, in a statement provided by her legal team, denied providing any false information and took responsibility for not reviewing the requirements for customs paperwork.

    Kseniia Petrova (left) has been in ICE custody since February. Ksenia Karelina (right) was released from a Russian prison last month. (Courtesy Petrova’s attorney; AP)

    To the extent that the embryos were required to be disclosed — something her legal team has challenged — such a lack of disclosure is usually remedied by a $500 fine. Instead, the Trump administration has put her into deportation proceedings; Petrova, for her part, immediately claimed asylum, noting that if deported to Russia, she would face retribution for her political views.

    Since then, Petrova’s immigration case has been moving slowly with no resolution expected until 2026, according to her lead lawyer, Gregory Romanovsky. In the meantime, however, she has filed a federal lawsuit in Vermont seeking her immediate release and what Romanovsky describes as a “critical” hearing next week.

    And her lawyers believe they have powerful evidence and arguments for her release, including:

    • a declaration from the head of her lab at Harvard, a scientist in his 80s, who attests that it would not have occurred to him to declare the embryos;
    • an expert declaration from a former Customs and Border Patrol official confirming that, under applicable regulations, frog embryos would not count as “biological material” that would need to be disclosed; and
    • existing immigration law and regulations, which establish that customs disclosure failures — even if willful, which they maintain Petrova’s was not — are not a sufficient basis on which to revoke a visa.

    Still, that begs the question of why Petrova was really detained, especially since a loss in federal court would mean many more months in immigration jail. Romanovsky believes the Trump administration is using immigration as a means to punish any alleged or perceived wrongdoing, however minor, “because they can,” and said that despite public perception that the U.S. has lax immigration laws, in actuality, the Immigration and Nationality Act and related laws are “very harsh.”

    “The goal,” he alleged, “is to discourage people from coming to this country” and to prompt them to leave on their own.

    The fact that the Trump administration can’t appreciate the similarities between Petrova and Karelina underscores what we’re seeing across the country: a chaotic and seemingly careless approach to immigration that only weakens our nation.