The U.S. Departments of the Treasury and State and the Federal Bureau of Investigations (FBI) yesterday issued a joint advisory (the “Advisory”) on North Korean information technology (IT) workers informing the business community of the sanctions risks associated with recruiting and hiring individuals such as freelance developers and alerting the public to deceptive practices by such persons. The interagency guidance explains how the North Korean IT workers operate, identifies indicators that raise red flags, and suggests mitigation measures, such as due diligence to help employers from unwittingly hiring them.
The U.S. has identified North Korean IT workers as providing a significant source of revenue that supports North Korean regime, its entities, and weapons programs. Such personnel can be highly skilled and generate funding for North Korean nuclear/ballistic missile and weapons of mass destruction (WMD) programs in violation of U.S. and UN sanctions. Under Kim Jong Un’s regime, the Democratic People’s Republic of Korea (DPRK) has increased its efforts in education and training related to IT and cyber capabilities. North Korean entities that have been designated for U.S. sanctions dispatch IT workers who earn up to $300,000 individually or more than $3 million collectively each year. These workers usually target lucrative markets in North America, Europe, East Asia and elsewhere, often presenting themselves as South Korean, Chinese, Japanese or Eastern European workers.
Executive Orders (E.O.) 13722, 13810 were issued in 2016 and 2017 and impose sanctions on North Korea for its nuclear and missile programs, ballistic missile launches, and offensive cyber activities. This series of E.O.s blocks property or interests in property of North Korea or its nationals that are within the U.S. or are within the possession/control of U.S. persons and entities across a swath of industries including construction, energy, financial services, information technology, mining, and transportation. The Department of the Treasury’s Office of Foreign Assets Control (OFAC) has promulgated the North Korean Sanctions Regulations, 31 C.F.R. part 510, (the “NKSR”) to implement the foregoing E.O.s and has the authority to enforce sanctions or investigate potential violations of its regulations. Any person found in violation of the sanctions may face civil penalties, such as the statutory minimum or twice the value of the transaction in question.
Under the International Emergency Economic Powers Act (IEEPA), the Department of Justice has the power to investigate and prosecute violations of North Korea-related executive orders and the NKSR. Any person who willfully violates them may face up to imprisonment of 20 years, fines up to $1 million or twice the amount of total gross, whichever is greater.
U.S. intelligence and UN reports indicate that North Korean IT workers are often employed for software development of varying complexity and commodity, such as mobile applications, virtual currency exchange programs, general IT support, and firmware development. To evade detection under U.S. sanctions, they pose as U.S. based or non-North Korean teleworkers, or even as subcontractors for non-North Korean entities. North Korean IT workers typically forge identification documents, and, in some instances, steal identities or pay non-North Korean third-party individuals to set up accounts and to allow access to their identities for a fee. North Korean IT workers often utilize online platforms for obtaining employment from unwitting employers in the U.S., Asia, and Europe by bidding for contracts. Although North Korean IT workers do not directly engage in malicious cyber intrusions, these contractors leverage the privileged access gained by employment to enable malicious cyber intrusions by subsequent North Korean actors.
Key Red Flags
Common North Korean “red flag” practices cited in the Advisory for freelance work and payment platform entities include logins into multiple accounts on the same platform or multiple logins in a single account from multiple IP addresses, multiple developers accounts receiving high ratings from a single client, and frequent transfer of payments through online payment planforms or China-based banks. For those engaging freelance developers, indications of North Korean IT workers include insisting on payment in virtual currency, incorrect or frequently changed contact information, and requests to communicate with clients on a platform other than the freelance website where the employer hired the IT worker.
Parties retaining the services of offshore and even off-site IT support are encouraged to carefully check identity verification documents and cross-check them against publicly available information on its previous employers and contracts, avoid cryptocurrency payments and require banking account information, and conduct video interview to verify the identity of the freelance developer. North Korean IT workers also have been known to falsify work agreements, invoices, client communications or other documents that satisfy know-your-customer and anti-money laundering (KYC/AML) requirements.
Importantly the Advisory also underscores the increasing focus on cryptocurrencies and cyber payments by US enforcement bodies. Given the ramp up of various sanctions programs in recent years rogue players are increasingly looking to crypto payments in an effort to circumvent sanctions. This increasingly prescient risk of importing North Korean services is just one example of the inherent compliance risks associated with utilizing such payments.
Given these risks, U.S. persons should continually evaluate their profile and develop and implement robust due diligence measures to improve Know Your Customer (KYC) and Anti-Money Laundering (AML) compliance procedures, accounting for such risks. Yesterday’s Advisory also underscores the increasing reliance on cryptocurrency for illicit activities, as such parties may use them to circumvent or evade U.S. sanctions.
Special thanks to Jay Hyun Kim for his assistance on this post.