ST. LOUIS — The St. Louis Division of the FBI announced Wednesday that St. Louis area companies have been unknowingly paying for weapons of mass destruction in North Korea.
The scheme involves hiring information technology, or IT, workers who aren’t who they say they are. They give the wages they make posing as IT workers to the Democratic People’s Republic of Korea (DPRK), according to Jay Greenberg, Special Agent in Charge of the St. Louis FBI Division.
And there are thousands of them, mostly based in China, he said.
“If you are hiring IT workers either for mobile application development or specific software development, and you do not have a robust background process to ensure who they are, more likely than not, you have some of these North Korean IT workers on your contractor payroll,” Greenberg said during a press conference Wednesday to announce how companies can protect themselves.
The FBI has already shut down more than a dozen websites that look like legit companies offering IT services to corporations looking to outsource technology experts. And they’ve seized about $1.5 million in wages that were headed to the DPRK.
The scheme usually begins when a legit company hires a fraudulent company that says it employs technology support workers. The workers often steal American identities and tell the legitimate company that has hired them to send the computer hardware they need to work remotely to an address in America.
Greenberg said that is where middlemen get involved, and they might not know it.
The fraudulent workers pay American residents to essentially set up the computer equipment in their homes so that, to the companies that hire them, they appear to be working remotely from a home in the United States.
“So that's how these IT workers are able to then telework from China through a trusted device located here in St. Louis,” Greenberg said.
That’s ultimately how this scheme began to fall apart in 2019.
One of the so-called middlemen grew suspicious of the hardware in their house and called the feds, according to court documents unsealed this week.
That unidentified witness was paid $100 a month per laptop, and when he called the feds, he had four of them.
The witness told the FBI they met the fraudulent worker on a global freelancing platform based in the United States, which serves as an online marketplace where businesses advertise for independent professionals or freelance workers, who in turn can find work in a variety of industries, including software development and information technology, according to court documents.
The FBI has been publishing notices about the scam for years. Thankfully, company leaders at Bayer Corporation read them, said Scott Baucum, a vice president for the pharmaceutical giant.
So when one of the fraudulent companies offered IT workers, the company passed on the opportunity and called the FBI.
Baucum joined Greenberg for the announcement Wednesday.
“If you're in high technology, you need to be paying attention to these kinds of threats,” he said. “You may, in fact, be a target.”
Greenberg said the investigation is far from over. There are other fraudulent companies offering fraudulent workers to corporations beyond the ones the FBI was able to shut down so far.
“There will be some additional steps that we would expect in the ongoing investigation, so stay tuned,” he said.
Here are some tips about how companies can protect themselves:
- Ask anyone providing IT services for your company to meet you in person, or, if they meet you via a video chat, make them appear on camera and ask them to hold up a passport or driver’s license
- Ask for repeated on-camera or in-person meetings with the people providing IT services
- Don’t rely on another company to vet its workers; vet the workers you are outsourcing yourself, even if they work for a company that claims to conduct background checks on its employees
- Lock down remote access capabilities on any hardware you provide to technology workers
- Regularly geo-locate company laptops to verify that their login locations match the employee’s address
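
As an added illustration of the last tip (not part of the FBI's guidance or the original article), the Python example below compares each laptop's geolocated check-in with the address the worker gave at onboarding, and also flags laptops assigned to different workers that share one public IP, as the four laptops kept in one home described above would. The worker names, coordinates, IP addresses and thresholds are constructed assumptions.

```python
import math
from collections import defaultdict

# Constructed sample data (not from the article): address on file per worker,
# and the latest geolocated check-in per company laptop.
ADDRESS_ON_FILE = {            # worker -> (lat, lon) of the address given at onboarding
    "worker-a": (38.63, -90.20),
    "worker-b": (41.88, -87.63),
    "worker-c": (39.10, -94.58),
    "worker-d": (38.63, -90.20),
}
CHECKINS = [                   # (laptop, assigned worker, lat, lon, public IP)
    ("LT-001", "worker-a", 38.64, -90.21, "198.51.100.7"),
    ("LT-002", "worker-b", 38.64, -90.21, "198.51.100.7"),
    ("LT-003", "worker-c", 38.64, -90.21, "198.51.100.7"),
    ("LT-004", "worker-d", 38.70, -90.30, "203.0.113.9"),
]

def km_between(a, b):
    """Great-circle (haversine) distance in kilometres between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def review(checkins, addresses, max_km=80.0, max_workers_per_ip=1):
    """Return {laptop: [reasons]} for laptops that need a manual follow-up."""
    findings = defaultdict(list)
    workers_by_ip = defaultdict(set)
    for laptop, worker, lat, lon, ip in checkins:
        workers_by_ip[ip].add(worker)
        home = addresses.get(worker)
        if home is None:
            findings[laptop].append("no address on file")
        elif km_between((lat, lon), home) > max_km:
            findings[laptop].append("far from address on file")
    # Second pass: several workers' laptops behind one public IP.
    for laptop, worker, lat, lon, ip in checkins:
        if len(workers_by_ip[ip]) > max_workers_per_ip:
            findings[laptop].append("shares public IP with other workers' laptops")
    return dict(findings)

if __name__ == "__main__":
    for laptop, reasons in sorted(review(CHECKINS, ADDRESS_ON_FILE).items()):
        print(laptop, "->", "; ".join(reasons))
```

Findings are prompts for manual follow-up: IP geolocation is coarse, and a shared household or a VPN exit point can trigger either rule.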
To report any suspicious activity, contact the FBI at www.ic3.gov.
For additional information from the Cyber Threat Intelligence Integration Center in the Office of the Director of National Intelligence, please also see "North Korean Tactics, Techniques, and Procedures for Revenue Generation," found here: https://www.ic3.gov/Media/Y2023/PSA231018?utm_medium=email&utm_source=govdelivery