State-sponsored cyber operatives are hijacking the verified identities of skilled remote professionals on platforms like Upwork and GitHub. Discover the sophisticated scheme, why authorities are linking these thefts to weapons programmes, and the vital red flag you must watch out for to avoid becoming an unwitting spy for a hostile regime.
State-sponsored hackers target high-value freelancers
A concerning new trend is sweeping across the freelance market: North Korean IT operatives have abandoned fabricated identities for a more insidious strategy. They are now recruiting real, verified freelancers to act as identity proxies on popular global platforms.
These operatives are specifically targeting high-value talent pools on sites like Upwork and GitHub to secure lucrative remote positions in fields such as software development, architecture, and IT consulting.
The attack begins with a job contact before quickly moving conversations to private messaging apps like Telegram or Discord. Here, the operative will coach the freelancer through the hiring process and identity verification. This is all a ruse to gain remote access to the freelancer’s computer.
The proxy scheme funding North Korea’s weapons
The core of the scheme is the use of remote-access software. The operative will ask the victim to install tools, such as AnyDesk or Chrome Remote Desktop. This simple action allows the hacker, based overseas, to work directly from the victim’s machine.
For all compliance and security checks, the system sees a legitimate account, a real, verified identity, and a local IP address—making the scam virtually undetectable. By relying on real identities and local connections, the operatives can bypass systems designed to flag high-risk geographies and VPNs.
The goal is sanctions evasion. The actual identity owners receive only a small portion of the pay—sometimes just a fifth. The vast majority of the funds—which can total millions of pounds—are channelled back to North Korea via both cryptocurrencies and traditional bank accounts. These proceeds are then allegedly used to finance the country’s illegal missile and weapons programmes.
This is not an isolated issue. US authorities recently arrested an individual for running a “laptop farm” that allowed North Korean workers to appear as US-based employees. A similar operation in Arizona funnelled over £14 million ($17 million) to the regime, highlighting the substantial financial scale of this identity theft operation.
How to protect your verified account
Platforms are struggling to keep pace. When an account is eventually suspended, the hackers simply instruct the recruit to open a new one, according to news reports, continuing the churn of legitimate looking, compromised identities. Because the identity is real and the connection is local, the platforms cannot easily spot who is actually behind the keyboard.
Experts advise that the most crucial security measure is to recognise the single, clearest warning sign.
Never agree to any request from a “client” or “subcontractor” to install remote-access tools that allow someone else to ‘work’ from your verified, professional account.
A legitimate hiring process for a technical or professional role will never require you to hand over complete control of your device or your identity. By refusing this request and reporting the profile, you can ensure your remote contracting career remains safe and your personal identity is not used to fund a hostile regime.
