North Korean operatives have diversified their tactics to defraud victims by exploiting freelancing and code-hosting platforms such as Upwork, Freelancer, and GitHub, according to cybersecurity researchers. These Democratic People’s Republic of Korea (DPRK) IT workers impersonate legitimate users and evade international sanctions by using verified accounts belonging to real people, as reported by Heiner García Pérez of SEAL Intel.
The operatives initiate contact by posting job offers or approaching candidates on these platforms, then move the conversation to encrypted channels such as Telegram or Discord. There, they provide detailed instructions on installing remote access software (AnyDesk or Chrome Remote Desktop, for example) and on passing identity verification. This lets the operatives work through the account holder's machine and bypass the geographic filters, identity checks, and VPN detection systems that would otherwise block users from sanctioned countries.
García Pérez emphasized that these actors are organized, coordinated, and share operational playbooks, indicating a repeatable, state-backed system. In one instance, an IT worker stored AI-edited portraits in a Google Drive folder labeled "My Photo," alongside folders with other individuals' names, suggesting the management of multiple personas by the same operator. Documents recovered included instructions on accessing Upwork, profit-sharing agreements, and Korean-language folders targeting the domestic IT ecosystem.
Payment flows are a key component: operatives convince the account holders to route earnings through cryptocurrencies, PayPal, or traditional bank accounts. In most cases, the real identity owners receive only about 20% of total earnings, while the operatives retain 80%. This model has been linked to funding North Korea's missile and weapons programs, as noted by the United Nations. Recent U.S. arrests, such as those of Matthew Isaac Knoot and Christina Marie Chapman, highlight similar operations that funneled over $17 million to the DPRK through "laptop farms" using stolen identities.
Recruitment often targets vulnerable individuals in the United States, Europe, and parts of Asia, with a focus on low-income or disabled persons in regions like Ukraine and the Philippines. García Pérez observed that operatives use job-matching portals, online communities for disabled people, and even friendship websites like InterPals to recruit collaborators. Despite increased awareness, detection remains challenging because the identity proxies make accounts appear legitimate, with local IP addresses and verified details.