The Federal Bureau of Investigation has seized 17 websites that it claims were used to recruit and hire thousands of phony information technology workers from North Korea.

The seizure, announced Wednesday, is part of a continuing effort to grab monies collected by the phony hires in a massive fraud effort to evade U.S. sanctions and send funds back to the country.

The announcement was issued jointly with two South Korean agencies. “The seizures announced today protect U.S. companies from being infiltrated with North Korean computer code and help ensure that American businesses are not used to finance that regime’s weapons program,” Assistant Attorney General Matthew G. Olsen of the Justice Department’s National Security Division said in a statement.

The phony tech hires created these websites that appeared to be legit companies that were used to conceal their identities and bolster their resumes. In reality, these individuals were working for China-based Yanbian Silverstar Network Technology and Russia-based Volasys Silver Star. Both of these companies have already been placed on U.S. Treasury sanctions lists back in 2018.

Other tactics were used to conceal their identities, such as proxy servers, phony social media profiles, and fake email addresses and Social Security numbers. Some of the workers hired website developers to build phony work portfolios too.

Jay Greenberg, a special agent in the St. Louis FBI office, told reporters this week that any company that hired freelance IT workers over the last few years “more than likely” hired someone involved in the operation. “It’s not a matter of if. It’s a matter of when,” he said. That office seized $1.5 million in funds collected by the phony workers over the past several years.

This is not a new problem. Both U.S. and South Korean agencies issued warnings back in 2022 about these tactics. What is new is the dimensions of the issue, plus details on the operation along with better due diligence measures that hiring companies can take to vet potential job candidates.

There are several telltale signs that a candidate may be a North Korean plant or another phony, including the inability to appear on camera for an interview, a reluctance to do in-person meetings or take drug tests, mismatched social media profiles or those without any profile portraits, repeated prepayment requests, and other clues that indicate Korean origins. That link also has numerous security suggestions to vet potential candidates better, along with other best security practices such as finding multiple logins for the same account from different IP addresses in a short time period.

“Employers need to be cautious about who they are hiring and who they are allowing to access their IT systems,” said U.S. Attorney Sayler A. Fleming for the Eastern District of Missouri. Otherwise, they might be inadvertently funding the North Korean government’s activities, or could hire a hacker that could steal private corporate data or initiate ransomware or other attacks.

Image: FBI