Talented North Korean coders and developers have, for years, been getting hired for remote jobs at Western tech firms. Thousands of these so-called IT workers have earned billions for North Korea’s authoritarian regime by developing apps, working on cryptocurrency projects, and infiltrating Fortune 500 companies—when they get paid, they send their earnings home. But the scale and scope of these fraudulent job schemes likely extend beyond most people’s understanding.
New analysis of exposed online accounts and files linked to suspected Democratic People’s Republic of Korea (DPRK) digital laborers shows that at least one group has been working in a very different field: architecture and civil engineering. Over recent years, the cluster of workers has been masquerading as freelance structural engineers and architects, according to a report shared with WIRED by cybersecurity firm Kela, which dug into one network it links to North Korea.
Files linked to the alleged North Korean operatives show 2D architectural drawings and some 3D CAD files for properties in the United States, Kela researchers say. In addition to the plans, the scammers were also seen claiming to advertise a range of architectural services and using, or creating, architectural stamps or seals, which can act as legal certification that drawings follow local building regulations.
“These operatives are active not only in technology and cybersecurity but also in industrial design, architecture, and interior design, accessing sensitive infrastructure and client projects under fabricated identities,” Kela writes in a blog post. The United Nations estimates that thousands of IT workers raise between $250 million and $600 million for North Korea each year, with money being used to support the country’s nuclear weapons programs and sanctions evasion efforts.
Kela’s security researchers focused on a GitHub account linked to one suspected North Korean IT network, before analyzing further accounts and profiles. The GitHub profile, plus some connected personas and some architectural work, was first identified by DPRK researchers on X earlier this year. GitHub, which is owned by Microsoft, did not respond to WIRED’s request for comment about the account or suspected links to North Korea.
The GitHub account publicly listed a series of Google Drive files that could be downloaded by anyone and contained a treasure trove of information linked to the potential scammers. The files included details of work being pursued by the DPRK-linked accounts, duplicate and false CVs, images that could be used as profile pictures, and details of the personas used to find work.