North Korean IT workers, known for infiltrating technology companies to generate revenue for their government, have expanded their operations into the architecture and civil engineering sectors. A new report from cybersecurity firm Kela reveals that these state-sponsored operatives are using fake identities to secure freelance architectural design work for properties located in the United States.
The findings indicate a significant shift in tactics, raising concerns about building safety, intellectual property theft, and the funding of North Korea's weapons programs. The workers have been found creating detailed construction plans, including 2D drawings and 3D CAD files, for various American residential and commercial projects.
Key Takeaways
- New research shows North Korean IT workers are fraudulently obtaining freelance jobs in architecture and civil engineering.
- Operatives use fake profiles, resumes, and forged professional credentials to target US companies and individuals.
- Discovered files include architectural plans for decks, houses, swimming pools, and other structures in the United States.
- Experts warn that work performed by these unqualified individuals poses significant safety risks for any resulting physical structures.
- Revenue generated from these schemes is believed to fund North Korea's sanctioned weapons programs.
A New Field for State-Sponsored Fraud
For years, thousands of skilled North Korean IT professionals have operated under false pretenses, securing remote work at Western companies. Their primary goal is to earn foreign currency, which is then sent back to support the regime in Pyongyang. This activity has traditionally focused on software development, cryptocurrency, and mobile app creation.
However, recent analysis shows a deliberate expansion into industrial design and construction. According to a report by cybersecurity firm Kela, at least one network of North Korean operatives has been successfully masquerading as freelance structural engineers and architects.
Funding a Sanctioned Regime
The United Nations has estimated that thousands of North Korean IT workers collectively generate between $250 million and $600 million annually for the Democratic People's Republic of Korea (DPRK). This income is considered a critical financial lifeline that helps the country evade international sanctions and fund its nuclear and ballistic missile programs.
The Kela report details how these groups advertise a wide range of architectural services online. They claim to be licensed professionals capable of delivering legally certified drawings that comply with local building codes. In some cases, they have been observed using or creating fraudulent architectural stamps and seals to lend legitimacy to their work.
"These operatives are active not only in technology and cybersecurity but also in industrial design, architecture, and interior design, accessing sensitive infrastructure and client projects under fabricated identities," Kela stated in its findings.
How the Operation Was Uncovered
Kela's investigation began with a single GitHub account linked to a suspected North Korean IT network. The account inadvertently exposed a large cache of publicly accessible files stored on Google Drive. The trove of data provided an inside look at the group's methods and activities.
The exposed files included:
- Multiple versions of fake resumes (CVs) tailored for different job applications.
- A collection of images used for profile pictures on freelance websites.
- Detailed notes on the various personas and identities being used.
- Spreadsheets containing hundreds of email addresses associated with the operation.
A researcher from Kela, who remained anonymous due to the sensitive nature of the work, described the volume of data as "really massive." The files confirmed that the operatives were actively seeking and performing work through popular freelance platforms.
Evidence of Architectural Work
Among the documents were numerous architectural plans and design files. These included 2D drawings and 3D CAD models for projects such as a custom treehouse, a farmhouse, residential decks, and swimming pools. Correspondence found in the files also showed communications with potential clients, including a request to redraw existing plans for a restaurant patio.
While it is difficult to confirm whether all of the discovered plans were executed, experts believe many were. Michael Barnhart, a leading researcher on North Korean cyber threats at security firm DTEX, affirmed that similar schemes have resulted in real-world construction.
"The plans are being used and being built," Barnhart stated. "They will do the CAD renderings, they’ll do the drawings. It’s not like a hypothetical—those physical things do exist out there."
The Tools and Tactics of Deception
The North Korean operatives employ a sophisticated system to create believable American identities. A 24-minute screen recording discovered by researchers documented the entire process of one worker setting up a fraudulent profile on a freelance website.
In the video, the individual:
- Creates a profile claiming to be a "licensed structural engineer/architect in the USA."
- Selects a profile picture from a folder of pre-collected images of other people.
- Uses an online tool to generate a fake Social Security number for verification purposes.
- Translates text between Korean and English to craft professional-sounding messages.
Once the profile was active, the video showed the worker immediately messaging potential clients. One message read, "I can provide you [sic] permit drawing plan set for your residential home design within a few days." Other recordings captured conversations with clients, including at least one live online call discussing project details. It appeared that some clients were repeat customers, suggesting they were satisfied with the initial work they received.
Low-Cost Bids Attract Clients
The fraudulent services were offered at competitive prices, often ranging from a few hundred dollars to approximately $1,000 per job. This pricing strategy likely made them an attractive option for individuals and small businesses looking to save on design costs.
The use of forged credentials is also a key tactic. A document found in the data cache listed websites that could be used to generate fake engineer and architect seals. This aligns with a July report from Canadian broadcaster CBC, which found that the official seal of a Toronto-based architect had been altered and used by suspected North Korean workers on plans he did not create.
Safety Concerns and Expert Warnings
The infiltration of the architectural sector raises serious safety questions. If buildings and structures are constructed based on plans designed by individuals without proper qualifications or knowledge of local building codes, the risk of structural failure is significant.
Michael Barnhart noted that the quality of the work is often subpar. "In some of our investigations, these plans and these products that they’re making for these remodels and renderings, they’re not getting good reviews," he said. The concern is amplified by evidence that these operatives may also be targeting more critical projects.
"We do have indications that also they’re being hired to do critical infrastructure," Barnhart added, highlighting a potentially severe national security risk.
As companies become more adept at spotting fake IT professionals, North Korean networks are diversifying their efforts to find less scrutinized avenues for generating income. Barnhart explained that they are moving into any role that can be performed remotely.
"They’re moving to places where we're not looking," he concluded. "They're also doing things like call centers. They're doing HR and payroll and accounting. Things that are just remote roles and not necessarily remote hires."




