Have you accidentally hired a North Korean IT worker who’s spying on your company?

Graham Cluley
Graham Cluley
@
@[email protected]
@gcluley

Have you accidentally hired a North Korean IT worker who's spying on your company?

South Korea and the United States’s FBI are warning organisations that they might have inadvertently recruited a North Korean spy to work in their IT department.

The USA and South Korea first issued advice to companies in 2022 about the measures they should take to avoid hiring North Korean freelance coders and IT staff, warning of risks including the theft of intellectual property, data, and funds, as well as reputational harm and legal consequences.

Then firms and recruitment agencies were advised to be on the look out for suspicious behaviour, including accessing company systems from multiple IP addresses, working odd hours, and name spelling inconsistencies across different online platforms.

Sign up to our free newsletter.
Security news, advice, and tips.

Now, in an updated advisory, additional “red flags” have been listed which might indicate that your new hire is actually working for North Korea:

  • Unwillingness or inability to appear on camera, conduct video interviews or video meetings; inconsistencies when they do appear on camera, such as time, location, or appearance.
  • Undue concern about requirements of a drug test or in person meetings and having the inability to do so.
  • Indications of cheating on coding tests or when answering employment questionnaires and interview questions. These can include excessive pausing, stalling, and eye scanning movements indicating reading, and giving incorrect yet plausible-sounding answers.
  • Social media and other online profiles that do not match the hired individual’s provided resume, multiple online profiles for the same identity with different pictures, or online profiles with no picture.
  • Home address for provision of laptops or other company materials is a freight forwarding address or rapidly changes upon hiring.
  • Education on resume is listed as universities in China, Japan, Singapore, Malaysia, or other Asian countries with employment almost exclusively in the United States, the Republic of Korea, and Canada.
  • Repeated requests for prepayment; anger or aggression when the request is denied.
  • Threats to release proprietary source codes if additional payments are not made.
  • Account issues at various providers, change of accounts, and requests to use other freelancer companies or different payment methods
  • Language preferences are in Korean but the individual claims to be from a non-Korean speaking country or region.

Hmm.. I can easily imagine how I might trigger at least a couple of these red flags!

In addition, some sensible tips are provided for how recruiters can better vet candidates to prevent the unwitting hiring of North Korean IT workers.

I wonder how many organisations will actually go to all this effort.

If firms believe they have found a good candidate for a job, and the wannabe IT worker’s salary requirements aren’t out of orbit, I can imagine many companies might welcome them with open arms long before suspicions begin to rise that they might be exploiting their access to the company’s network and data.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.