A years-long fraud scheme perpetrated by the Democratic People’s Republic of Korea (DPRK) continues to present U.S.-based companies with significant cybersecurity and employment risks. As first announced by the FBI in May 2022, the DPRK has been evading international and domestic sanctions by partnering with sympathetic unsanctioned nations to covertly enter North Korean information technology (IT) remote workers into the employ of U.S.-based companies and funneling the proceeds of that employment to the DPRK, including into its illicit weapons programs. As of May 2024, over 300 companies had fallen prey to the North Korean fraud scheme.
On December 12, 2024, a federal court in St. Louis indicted 14 North Korean nationals for using fake identities to obtain IT jobs with U.S.-based companies. The FBI has stated that this indictment is “just the tip of the iceberg. … If your company has hired fully remote IT workers, more likely than not, you have hired or at least interviewed a North Korean national working on behalf of the North Korean government.” The indictment also revealed that the DPRK’s workers have recently become more aggressive and, in some cases, extorted their employers by accessing company information and threatening to post – or have actually posted – it to the dark web unless they receive payment.
Given these developments, companies may be caught between two potentially competing areas of legal risk. On the one hand, companies may be feeling the pressure to tighten employment screening processes, especially considering guidance provided by the FBI and the New York Department of Financial Services (NYDFS), as described in further detail below. On the other hand, implementing changes to their employment processes could run afoul of established federal and state employment laws if such changes are not undertaken carefully.
Tactics, Techniques, and Warning Signs
In May 2022, the U.S. Department of the Treasury, the U.S. State Department, and the FBI issued an advisory (the 2022 Guidance) describing the tactics, techniques, and procedures (TTPs) often employed by operatives in the IT worker fraud scheme as well as potential mitigation measures. The TTPs listed include:
- False Identities. Use of stolen or fabricated identities to secure jobs. This will sometimes be apparent by inconsistencies in name spelling, nationality, claimed work location, contact information, educational history, work history, and other details across a freelance developer’s multiple online profiles, social media profiles, external portfolio websites, payment platform profiles, and assessed location and hours.
- In-Person or Video Avoidance. Preference for text or audio communication to avoid detection. This may appear as an inability to reach them in a timely manner, especially through “instant” communication methods, including videoconferencing.
- U.S.-Based Facilitators. Collaboration with U.S. individuals to facilitate operations. For example, the FBI arrested a Nashville man in May 2024 for allegedly assisting the DPRK workers in using stolen identities to pose as U.S. citizens, hosting company laptops at his residences, downloading and installing software without authorization to facilitate access, and conspiring to launder money for the remote IT work.
The 2022 Guidance also includes a lengthy list of warning signs that companies should consider when trying to identify a potential DPRK IT worker in their employment. Some of these notable warning signs include:
- Use of digital payment services linked to the People’s Republic of China.
- Inconsistencies in personal information across profiles.
- Requests for communication on separate platforms.
- Unusual payment requests or failure to meet benchmarks.
- Developers are logged into multiple accounts on the same platform from one IP address.
- Developers are logged into their accounts continuously for one or more days at a time.
- Direct messaging or cold calls from individuals purporting to be C-suite executives of software development companies to solicit services or advertise proficiencies.
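The two login-related warning signs above (multiple accounts from one IP address, and accounts logged in continuously for a day or more) can be checked against platform session logs. The following is an added example, not part of the 2022 Guidance or this advisory; the record layout, the sample data, and the 10-minute gap tolerance are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (account, source IP, login, logout).
# IP addresses are from documentation ranges.
SESSIONS = [
    ("dev_a", "203.0.113.7",  "2024-03-01T08:00", "2024-03-01T20:00"),
    ("dev_a", "203.0.113.7",  "2024-03-01T20:03", "2024-03-02T09:30"),
    ("dev_b", "203.0.113.7",  "2024-03-01T09:00", "2024-03-01T17:00"),
    ("dev_c", "198.51.100.4", "2024-03-01T09:00", "2024-03-01T18:00"),
    ("dev_c", "198.51.100.4", "2024-03-02T09:00", "2024-03-02T18:00"),
]

def parse(rows):
    ts = datetime.fromisoformat
    return [(acct, ip, ts(start), ts(end)) for acct, ip, start, end in rows]

def accounts_sharing_ip(rows, min_accounts=2):
    """Map each source IP to its accounts when at least min_accounts used it."""
    by_ip = defaultdict(set)
    for acct, ip, _start, _end in parse(rows):
        by_ip[ip].add(acct)
    return {ip: sorted(a) for ip, a in by_ip.items() if len(a) >= min_accounts}

def continuous_logins(rows, min_span=timedelta(days=1),
                      max_gap=timedelta(minutes=10)):
    """Return {account: longest continuous span} for spans >= min_span.

    Sessions separated by at most max_gap (an assumed tolerance for
    reconnects or token refresh) are merged into one continuous span.
    """
    by_acct = defaultdict(list)
    for acct, _ip, start, end in parse(rows):
        by_acct[acct].append((start, end))
    flagged = {}
    for acct, spans in by_acct.items():
        spans.sort()
        cur_start, cur_end = spans[0]
        longest = cur_end - cur_start
        for start, end in spans[1:]:
            if start - cur_end <= max_gap:
                cur_end = max(cur_end, end)      # extend the current span
            else:
                cur_start, cur_end = start, end  # real logout: start over
            longest = max(longest, cur_end - cur_start)
        if longest >= min_span:
            flagged[acct] = longest
    return flagged

if __name__ == "__main__":
    print(accounts_sharing_ip(SESSIONS))
    print(continuous_logins(SESSIONS))
```

A hit on either check is a prompt for review alongside the other warning signs, since shared office or VPN egress addresses and long-running automation sessions produce the same pattern.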
On November 1, 2024, the NYDFS issued an industry letter to all the entities it regulates, with steps to take to protect from foreign threat actors. These steps include the following:
- Raising awareness with senior executives, information security personnel, and human resources.
- Implementing technical and monitoring controls.
- Proceeding cautiously with all remote technology employees.
- Notifying law enforcement and regulators.
- Conducting due diligence during the hiring process.
New Employee Onboarding and Potential Consequences
Companies may wish to consider enhancements to their processes for hiring and onboarding new employees and revisit procedures designed to ensure compliance with relevant legal requirements, regulations, and recent guidance.
Under the Immigration and Naturalization Act and relevant Department of Homeland Security (DHS) guidance, U.S. employers must verify the identity and employment eligibility of all newly hired employees, typically during the onboarding process. This involves completing a Form I-9 and, for some employers, using the DHS E-Verify tool. Employers must examine documentation from the Form I-9 List of Acceptable Documents to confirm identity and work authorization, with both parties attesting under penalty of perjury to the veracity of statements made on the Form I-9. Compliance with nondiscrimination provisions, enforced by the Department of Justice (DOJ) Civil Rights Division’s Immigration and Employee Rights Section, is also required. Noncompliance can lead to investigations and penalties, including fines, back pay, and other consequences, based on violation severity and employer factors.
Although it is critical to comply with the Form I-9 verification requirements during onboarding, it is also important to make sure that the verification process is conducted properly and does not discriminate based on national origin or citizenship status, as outlined in 8 U.S.C. § 1324b, and interpreted by the DOJ. Some of the consequences for failing to do so include civil penalties, back pay and hiring orders, cease and desist orders, public notice, and monitoring and reporting. It is not uncommon for employers to be confused as to what actions might constitute discrimination. Some examples of employer actions that can constitute discrimination include:
- Overdocumentation. The company requests more or different documents of the worker for the Form I-9 than legally required.
- Specific Document. The employer requires a specific document (e.g., HR administration says: “show me your green card” or “show me your TPS receipt”).
- Improper Reverification. The company reverifies based on the expiration date on the Permanent Resident Card or List B identification document.
- Discriminatory Hiring Practice. The company turns away or fails to hire a non-U.S. citizen unable to comply with the company’s unlawful overdocumentation request.
- Discriminatory Recruiting Practice. Restricting job opportunities to specific nationalities – e.g., job posting includes “must be a U.S. citizen or green card holder to apply,” with no valid legal justification for the restriction.
OFAC Sanctions
Compounding this risk, employers should also be cognizant of the consequences of directly or indirectly providing aid or money, in any form, to the DPRK. As a sanctioned entity, the DPRK is listed on the Office of Foreign Asset Control (OFAC) Specially Designated Nationals and Blocked Persons list (SDN List). As the federal government reminded the market in the 2022 Guidance, OFAC has authority “to impose financial sanctions on any person determined to have … [m]aterially assisted, sponsored, or provided financial, material, or technological support for, or goods or services to or in support of, the Government of the DPRK or the Workers’ Party of Korea.” Indeed, OFAC has a long history of imposing severe sanctions on those who aid the DPRK in any respect, and employers should take this enforcement risk into consideration when evaluating how to implement appropriate, risk-based controls to address sanctions risks.
OFAC’s sanctions regime imposes a strict liability standard for acts of non-compliance. As described in a 2021 OFAC guidance, a strict liability standard “means that, in many cases, a U.S. person may be held civilly liable for sanctions violations even without having knowledge or reason to know it was engaging in such a violation.”
Key Takeaways for Employers
Employers may wish to review their policies and procedures to re-align their practices with the apparently dueling compliance risks associated with the DPRK IT remote worker fraud. By working to strike a balance between protecting the business from this fraud scheme while properly vetting new hires as part of their onboarding process, employers can strive to comply with the DHS and DOJ requirements as well as the FBI and NYDFS guidance. Primarily, companies should review their policies and procedures to:
- Implement Robust Onboarding Processes. Develop detailed onboarding procedures that include thorough verification of identity.
- Use Form I-9 and E-Verify. Ensure compliance with Form I-9 requirements and use the E-Verify system to confirm employment eligibility in a nondiscriminatory manner and separate from other processes.
- Regular Compliance Audits. Conduct regular audits of the onboarding and verification processes to ensure compliance with legal requirements.
- Monitor for Red Flags. Establish systems to monitor for red flags, such as inconsistencies in documentation or unusual access patterns.
- Provide Training on Compliance. Educate HR and hiring managers on Form I-9 compliance with identity and antidiscrimination laws.
If an employer is at risk of hiring DPRK remote IT workers, it should consider potential mitigation measures, as balanced against potentially countervailing employment legal risks. These could include:
- Closely scrutinize identity verification documents submitted for forgery, potentially reaching out to local law enforcement for assistance. Reject low-quality images submitted to provide verification of identity.
- Verify documents submitted as part of proposal reviews and due diligence contracting procedures, such as independently verifying invoices and work agreements by contacting the listed clients using contact information given in business databases and not the contact information provided on the submitted documentation.
- Verify the existence of any websites provided to establish accounts, with enhanced scrutiny of any accounts that have utilized defunct websites to establish the accounts.
- As part of initial due diligence contracting processes and refresh policies, require submission of a video verifying identity or conduct a video interview to verify identity.
- Regularly use port checking capabilities to determine if the platform is being accessed remotely via desktop sharing software or a VPN or VPS, particularly if usage of remote desktop sharing software or VPN services to access accounts is not standard practice.
- Automatically flag for additional review the following:
  - Client and developer accounts that use the same or similar documentation to establish the accounts or that use the same digital payment service accounts.
  - The use of the same or similar document templates for bidding and project communication across different developer accounts.
  - Multiple developer accounts receiving high ratings from a single client account in a short period, especially if similar or identical documentation was used to establish the accounts.
  - Developer accounts with high bidding rates as well as accounts with a low number of accepted project bids compared with the number of project bids. Additionally, flag accounts with a high number of project bids relative to the number of account logins.
- Do not allow any activity in newly established accounts prior to full account verification.
- Provide extra scrutiny to newly established accounts.
- Conduct video interviews to verify a potential freelance worker’s identity.
- Conduct a preemployment background check, drug test, and fingerprint/biometric login to verify identity and claimed location. Avoid payments in virtual currency and require verification of banking information corresponding to other identifying documents.
- Use extra caution when interacting with freelance developers through remote collaboration applications, such as remote desktop applications. Consider disabling remote collaboration applications on any computer supplied to a freelance developer.
- Verify employment and higher-education history directly with the listed companies and educational institutions, using contact information identified through a search engine or other business database, not directly obtained from the potential employee or from their profile.
- Check that the name spelling, nationality, claimed location, contact information, educational history, work history, and other details of a potential hire are consistent across the developer’s freelance platform profiles, social media profiles, external portfolio websites, payment platform accounts, and assessed location and hours of work. Be extra cautious of simple portfolio websites, social media profiles, or developer profiles.
- Be cautious of a developer requesting to communicate on a separate platform outside the original freelance platform website where a company initially found the IT worker.
- If sending a developer documents or work-related equipment such as a laptop, only send to the address listed on the developer’s identification documents and obtain additional documentation if the developer requests that the laptop or other items be sent to an unfamiliar address. Be suspicious if a developer cannot receive items at the address on their identification documentation.
- Be vigilant for unauthorized, small-scale transactions that may be fraudulently conducted by contracted IT workers. In one case, DPRK IT workers employed as developers by a U.S. company fraudulently charged the U.S. company’s payment account and stole over $50,000 in 30 small installments over a matter of months. The U.S. company was not aware the developers were North Korean or of the ongoing theft activity because of the slight amounts.
Alston & Bird’s interdisciplinary team of immigration, labor and employment, cybersecurity, and sanctions lawyers will continue to monitor these developments.