By Daniel Otis
July 22, 2025
(Graeme Roy/The Canadian Press)
Canadian authorities are warning businesses to beware of hiring North Koreans posing as remote IT workers. Employing such individuals could violate sanctions, compromise cybersecurity and help fund North Korean weapons programs.
“Despite international efforts, North Korea uses increasingly sophisticated tactics to evade sanctions, and continues to fund its weapons programs via illicit activities, including through payment remitted by IT workers located domestically and overseas,” the advisory stated. “North Korean IT workers have also used their access to corporate systems for cyber espionage, money laundering, or to acquire sensitive materials for state-run enterprises.”
The joint advisory was issued last week by the Royal Canadian Mounted Police, Public Safety Canada, Global Affairs Canada, the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) and the Canadian Centre for Cyber Security. They say that state-affiliated IT workers from North Korea are “known to pose as legitimate freelancers based in other nations.”
“North Korean IT workers are usually competent, highly qualified, and skilled in the services they provide,” the advisory said. “Small businesses and start-ups can be more attractive targets for North Korean IT workers, who seek to exploit these businesses’ need for qualified, relatively inexpensive labour, and the lack of dedicated resources for screening candidates during the hiring process.”
Authorities caution that hiring a North Korean IT worker could result in legal consequences, including fines and prison.
‘Designed to evade sanctions’
The Canadian advisory comes after the U.S. Justice Department announced criminal charges in two related cases.
“These schemes target and steal from U.S. companies and are designed to evade sanctions and fund the North Korean regime’s illicit programs, including its weapons programs,” U.S. Assistant Attorney General John Eisenberg said in a recent statement.
“The defendants used fake and stolen personal identities to conceal their North Korean nationality, pose as remote IT workers, and exploit their victims’ trust to steal hundreds of thousands of dollars,” U.S. attorney Theodore S. Hertzberg added.
Canadian authorities say that North Korean IT workers have offered services that range from app development to graphic animation. They are known to use VPNs to hide their location, and AI tools to create emails, resumes, cover letters and deepfake videos that mask their identities during remote meetings and interviews.
Red flags to look out for include requests for payment in cryptocurrency, unwillingness to participate in real-time voice or video calls, inconsistencies in personal information such as education and work history, and fees that are notably lower than others. Canadian businesses are also urged to conduct background and reference checks by contacting educational institutions and previous employers when hiring remote IT workers.
‘The primary motivator behind this is the money’
Cybersecurity expert Matt Immler says AI technology has made it much easier for North Koreans to pose as legitimate freelance workers.
“The best place to identify this is in the initial hiring and during onboarding,” Immler told CTVNews.ca from Orlando, Fla. “It’s very difficult to start rooting out these folks once they’re actually involved in the company, once they are actually hired.”
Immler is the regional chief security officer for the eastern Americas at Okta, an IT security company. He says companies should also be on the lookout for candidates and new hires who try to avoid video calls, quickly change their address or request payment to different accounts.
“You’re looking also for things like a face that might appear digitized or looks a little off,” he added. “There’s a common test you can do where you ask a candidate, for instance, to put their hand up in front of their face. If I did that and I was using some sort of deepfake technology, it would screw the whole thing up.”
Other simple tests can include asking someone to drop their Zoom background, doing an on-camera ID verification, or requesting that they visit the office at least once after being hired.
It is unclear if any Canadian companies are unwittingly employing North Korean IT workers at the moment, although Immler suggests it is possible. The RCMP and Global Affairs Canada did not immediately respond to requests for comment.
“They’re typically [from] sanctioned countries that are looking to find ways to subsidize whatever their government is doing,” Immler said. “There are definitely espionage threats there, but the primary motivator behind this is the money.”
Canadian authorities say suspected sanctions violations should be reported to the RCMP, either by phone at 1-800-420-5805 or online at rcmp.ca/report-it, while suspicious transactions should be reported to FINTRAC.
“They should be reported so that law enforcement can do their job,” Immler said. “I don’t think any company should be afraid of reporting this sort of activity and making sure that those folks are rooted out the best they can.”
Daniel Otis
CTVNews.ca Journalist
Canadian authorities are warning businesses to beware of hiring North Koreans posing as remote IT workers. Employing such individuals could violate sanctions, compromise cybersecurity and help fund North Korean weapons programs.
“Despite international efforts, North Korea uses increasingly sophisticated tactics to evade sanctions, and continues to fund its weapons programs via illicit activities, including through payment remitted by IT workers located domestically and overseas,” the advisory stated. “North Korean IT workers have also used their access to corporate systems for cyber espionage, money laundering, or to acquire sensitive materials for state-run enterprises.”
The joint advisory was issued last week by the Royal Canadian Mounted Police, Public Safety Canada, Global Affairs Canada, the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) and the Canadian Centre for Cyber Security. They say that state-affiliated IT workers from North Korea are “known to pose as legitimate freelancers based in other nations.”
“North Korean IT workers are usually competent, highly qualified, and skilled in the services they provide,” the advisory said. “Small businesses and start-ups can be more attractive targets for North Korean IT workers, who seek to exploit these businesses’ need for qualified, relatively inexpensive labour, and the lack of dedicated resources for screening candidates during the hiring process.”
Authorities caution that hiring a North Korean IT worker could result in legal consequences, including fines and prison.
‘Designed to evade sanctions’
The Canadian advisory comes after the U.S. Justice Department announced criminal charges in two related cases.
“These schemes target and steal from U.S. companies and are designed to evade sanctions and fund the North Korean regime’s illicit programs, including its weapons programs,” U.S. Assistant Attorney General John Eisenberg said in a recent statement.
“The defendants used fake and stolen personal identities to conceal their North Korean nationality, pose as remote IT workers, and exploit their victims’ trust to steal hundreds of thousands of dollars,” U.S. attorney Theodore S. Hertzberg added.
Canadian authorities say that North Korean IT workers have offered services that range from app development to graphic animation. They are known to use VPNs to hide their location, and AI tools to create emails, resumes, cover letters and deepfake videos that mask their identities during remote meetings and interviews.
Red flags to look out for include requests for payment in cryptocurrency, unwillingness to participate in real-time voice or video calls, inconsistencies in personal information such as education and work history, and fees that are notably lower than others. Canadian businesses are also urged to conduct background and reference checks by contacting educational institutions and previous employers when hiring remote IT workers.
‘The primary motivator behind this is the money’
Cybersecurity expert Matt Immler says AI technology has made it much easier for North Koreans to pose as legitimate freelance workers.
“The best place to identify this is in the initial hiring and during onboarding,” Immler told CTVNews.ca from Orlando, Fla. “It’s very difficult to start rooting out these folks once they’re actually involved in the company, once they are actually hired.”
Immler is the regional chief security officer for the eastern Americas at Okta, an IT security company. He says companies should also be on the lookout for candidates and new hires who try to avoid video calls, quickly change their address or request payment to different accounts.
“You’re looking also for things like a face that might appear digitized or looks a little off,” he added. “There’s a common test you can do where you ask a candidate, for instance, to put their hand up in front of their face. If I did that and I was using some sort of deepfake technology, it would screw the whole thing up.”
Other simple tests can include asking someone to drop their Zoom background, doing an on-camera ID verification, or requesting that they visit the office at least once after being hired.
It is unclear if any Canadian companies are unwittingly employing North Korean IT workers at the moment, although Immler suggests it is possible. The RCMP and Global Affairs Canada did not immediately respond to requests for comment.
“They’re typically [from] sanctioned countries that are looking to find ways to subsidize whatever their government is doing,” Immler said. “There are definitely espionage threats there, but the primary motivator behind this is the money.”
Canadian authorities say suspected sanctions violations should be reported to the RCMP, either by phone at 1-800-420-5805 or online at rcmp.ca/report-it, while suspicious transactions should be reported to FINTRAC.
“They should be reported so that law enforcement can do their job,” Immler said. “I don’t think any company should be afraid of reporting this sort of activity and making sure that those folks are rooted out the best they can.”
Daniel Otis
CTVNews.ca Journalist
No comments:
Post a Comment