Inside North Korea's IT Scam Empire: Leaked Data Reveals Meticulous Cyber Operations
Job hunting is notoriously grueling—sifting through roles, tweaking cover letters, enduring endless interviews. But for North Korea’s state-backed IT workers, this process is a finely tuned engine of deception. According to leaked data obtained by cybersecurity researcher SttyK and reported by WIRED, thousands of these operatives use fake identities to secure remote tech jobs, funneling an estimated $250–600 million annually to fund the regime’s weapons programs. The cache, comprising emails, spreadsheets, chat logs, and screen recordings from Google, GitHub, and Slack, offers a chillingly detailed look at how these scammers operate with corporate precision.
The data, spanning dozens of gigabytes, reveals a highly organized structure: IT workers are divided into 12 groups of about a dozen members each, overseen by a "master boss." Spreadsheets meticulously track job applications, budgets, and earnings, with tabs for analysis and summaries. One sheet lists potential roles—like "React and Web3 developer" positions—alongside application statuses, company contacts, and freelance platform links. Another logs hardware inventories, noting specifics like monitor sizes and hard drive serial numbers, while analysis pages categorize work types (AI, blockchain, bot development) and track payment trends across regions. "It’s professionally run," says Michael Barnhart of DTEX, who reviewed the data. "Everyone has to make their quotas. Everything needs to be jotted down."
North Korea’s IT workers, often based in China or Russia, infiltrate Fortune 500 firms, crypto startups, and small businesses using stolen or fabricated identities. Their earnings directly support ballistic missile and WMD development, as highlighted by the US Treasury. The leaked data includes fake IDs, cover letter templates, and manuals for creating online accounts—tools that exploit weaknesses in global hiring processes. Alarmingly, these operatives rely heavily on US-based services like Google Workspace, GitHub, and Slack for coordination. GitHub suspended three accounts after WIRED’s inquiry, citing its "spam and inauthentic activity" policies, while Google and Slack emphasized their cooperation with law enforcement but declined to comment on specific cases.
The operation’s sophistication mirrors North Korea’s hacking groups, which have stolen billions in crypto. Researchers note patterns like reused resume content, AI-assisted image manipulation, and templated portfolio websites. Evan Gordenker of Palo Alto Networks’ Unit 42 team observed one worker generating 119 identities via misspelled Google searches for name generators. "It’s a lot of copy and paste," Gordenker notes, underscoring the tedious yet systematic nature of the fraud. Slack logs reveal strict oversight: a "Boss" account demands 14-hour workdays, while screen recordings track activity—even capturing Counter-Strike gameplay during downtime.
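The reused résumé content that researchers describe above is something a hiring team can check for on its own side. The following is an added example, not code from the WIRED reporting or from SttyK's data: it compares incoming applications pairwise using word-shingle Jaccard similarity, which tolerates the small edits (a different year count, a swapped chain name) that a copy-and-paste workflow leaves behind. The three applications are constructed sample input; every name, company, and sentence in them is invented.

```python
"""Flag near-duplicate resume text across job applications.

Added example, not from the WIRED article or the leaked data. Idea: an
operative reusing one resume under many identities changes only a few
words, so most 4-word shingles survive. Applications below are constructed
sample input with invented text.
"""
import re
from itertools import combinations

# Constructed sample applications (hypothetical IDs and text).
APPLICATIONS = {
    "app-001": (
        "Senior React and Web3 developer with 7 years of experience building "
        "decentralized applications. Skilled in Solidity, ethers.js, Node.js "
        "and TypeScript. Led a team that shipped an NFT marketplace on Ethereum "
        "handling 50,000 daily users. Available for remote contract work."
    ),
    "app-002": (
        "Senior React and Web3 developer with 6 years of experience building "
        "decentralized applications. Skilled in Solidity, ethers.js, Node.js "
        "and TypeScript. Led a team that shipped an NFT marketplace on Polygon "
        "handling 50,000 daily users. Available for remote contract work."
    ),
    "app-003": (
        "Data engineer focused on batch pipelines in Apache Spark and Airflow. "
        "Maintained a petabyte-scale lakehouse on AWS with strict cost controls "
        "and on-call ownership of the ingestion service."
    ),
}


def normalize(text: str) -> list[str]:
    """Lowercase and split into alphanumeric word tokens (punctuation dropped)."""
    return re.findall(r"[a-z0-9]+", text.lower())


def shingles(text: str, k: int = 4) -> set[tuple[str, ...]]:
    """Set of k-word shingles; a single edited word disturbs at most k of them."""
    words = normalize(text)
    return {tuple(words[i:i + k]) for i in range(len(words) - k + 1)}


def jaccard(a: set, b: set) -> float:
    """Jaccard similarity |a & b| / |a | b|, defined as 1.0 for two empty sets."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def find_reused(applications: dict[str, str], threshold: float = 0.5, k: int = 4):
    """Return (id_a, id_b, score) for every pair at or above threshold, highest first."""
    sets = {app_id: shingles(text, k) for app_id, text in applications.items()}
    hits = []
    for (id_a, set_a), (id_b, set_b) in combinations(sets.items(), 2):
        score = jaccard(set_a, set_b)
        if score >= threshold:
            hits.append((id_a, id_b, round(score, 3)))
    return sorted(hits, key=lambda h: -h[2])


if __name__ == "__main__":
    for id_a, id_b, score in find_reused(APPLICATIONS):
        print(f"{id_a} ~ {id_b}: shingle Jaccard {score:.2f} -> review for reused content")
```

On the constructed input only the two Web3 résumés pair up (31 of 47 distinct shingles shared, about 0.66), while the unrelated data-engineering application scores near zero. The threshold is a tuning choice: legitimate candidates also copy phrasing from job listings, so a hit is a prompt for a live identity check, not a verdict.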
Beyond the mechanics, the data humanizes the scammers. Slack channels show birthday celebrations, volleyball tournaments, and motivational memes, while emails indicate English-language communication to blend in and hone skills. This duality—mundane office routines funding geopolitical threats—highlights the blurred lines in modern cyber conflict. For developers and recruiters, it’s a stark reminder: verify identities rigorously, as these operatives turn everyday tools into weapons. As sanctions tighten, their adaptability ensures this digital siege will only evolve.
Source: Based on reporting from WIRED and analysis by cybersecurity researcher SttyK.