North Korea News Podcast by NK News - Chandana Seshadri: How North Korean IT workers exploit remote hiring systems
Episode Date: October 9, 2025

This week, Chandana Seshadri joins the podcast to discuss her RUSI Journal article, “How DPRK IT Workers Exploit Identity Management Vulnerabilities,” which documents how North Korean workers slip through remote-hiring systems to earn hard currency and open doors for bigger cyber operations. The researcher highlights the case of Christina Chapman — a U.S. citizen who […]
Transcript
You're listening to an exclusive episode of the NK News podcast, available only to
subscribers. You can listen to this and other episodes from your preferred podcast player by
accessing the private podcast feed. For more detailed instructions, please see the
step-by-step guide on the NKNews website at NKNews.org slash private-feed.
Hello, listeners, and welcome to the NK News podcast. I'm your host, Jacco Zwetsloot, and today I'm recording this episode via StreamYard. It is Tuesday, the 3rd of September 2025. And today I'm joined on the NK News podcast by Chandana Seshadri, non-resident fellow at the Stimson Center's 38 North and former research analyst at RUSI, specializing in the intersection of sanctions, financial crimes and cyber threats, with a focus, of course, on North Korea. Chandana's recently published RUSI Journal article, "How DPRK IT Workers Exploit Identity Management Vulnerabilities," shows how North Korean information technology workers slip through remote hiring systems to earn hard currency and open doors for bigger cyber operations. This is a topic that you will have heard us mention in the shorter Tuesday episodes with my in-house colleagues at NK News, but today we're going to do a really deep dive. So welcome on the show, Chandana.
Thank you for having me. It's a pleasure to be here.
So if human resources is the new sort of front line against North Korean sanctions evasion, what is the one stat or the one recent case that you would use to turn a skeptical CEO from "HR problem" to "national security threat" in 60 seconds?
I think the most recent conviction of this US citizen called Christina Chapman. I think that's one particular case that everybody should be looking into, because it's the first conviction case where it was discovered that she was running laptop farms for these North Korean IT workers. And because of that, she was able to facilitate jobs at around 300 companies for these IT workers. So in 60 seconds, I think that's enough. But yeah.

Yeah. And we're definitely going to get into the details of, you know, what a laptop farm is, how that works, and Christina Chapman. But yeah, that's a good case there. Now, you say at the start of your paper that this is, quote, a strategic deployment of information technology workers to generate revenue for North Korea's weapons of mass destruction program. That's a big and a bold claim. We're going to go through parts of that claim in this interview, but for now, could you identify one red flag that you wish HR and hiring managers would learn to spot this year, to avoid being part of that program?
Definitely. I think one strategy that these North Korean IT workers are employing is to specifically look for remote work, and when HR or any team are trying to hire people, they usually don't switch on their cameras when they're hiring anybody through remote work, because it's not necessary to see my face or your face as long as you do the work. So there are these simple tricks that HR companies could improve by calling them or asking them to switch on cameras, etc. That's probably a very simple and easy thing that could be used as a mitigation strategy.

Very good. So switch on your cameras and have your interviewees switch on their cameras too, yeah. And what would be one metric that a board of directors of a company should look at monthly to sort of gauge identity risk exposure?

I don't know if there is one exact metric for that. It's a very tough question, but I think it's more on whether they have good auditing systems as to how many people have been hired quite recently and how many people have moved on, the turnover rate, depending on how many remote workers have been hired and how long they stay in the company doing the work. I think that's quite important. And one interesting thing about this case, or the issue of North Korean IT workers, is how they're getting paid. So if payment or salary is happening via cryptocurrency or through dodgy accounts, etc., if there's a way to identify these suspicions through auditing, I think that's where these boards or CEOs must have an understanding. There's a way to report this. I think that would be one step to improve compliance, or even just to have an idea about this issue.

Okay, good advice. All right. So let's now get into sort of drawing the big picture of the threat. How big and how organized is the DPRK IT worker ecosystem today? And where does it sit inside the wider North Korean cyber program and revenue generation?

That is a good
question, but it's a very difficult question to address very linearly. So DPRK IT workers is not a very new issue; it's been going on for a while since remote work started, or, you know, after COVID-19 you suddenly started to see a lot of freelance opportunities, remote work opportunities. So you could potentially say that the magnitude or the impact kind of spread because of COVID or after COVID. But if you were to talk about it personally, as a DPRK financial crime researcher, if I were to look at the historic transition of how North Korean actors have improved their activities or come up with new sophisticated ways, this seems like a very natural progression for them. But if you were to put it into a structure as to where they actually sit, I think you could see that they do come under the larger cyber network of DPRK actors. Whether they are right at the top or right at the bottom, it's a bit hard to say. You can to an extent. But I think there are a lot of overlaps between North Korean IT workers and North Korean cyber actors as to who's actually responsible for what activity per se. And then there is another aspect to North Korean IT workers: whether they are malicious actors or whether they are only revenue-generating actors, what is their motivation or what is their, you know, purpose. Like you initially mentioned, I have written it in the beginning as well: most of the revenue that is generated ends up in the weapons of mass destruction program, or even to sustain their day-to-day living, et cetera. So it's a bit hard to concretely say that, yes, the money earned from this, North Korean IT worker A, ends up going back to the regime into that particular account, etc. But the idea behind all this is that it sits within the larger cyber network. But if you want to go deep into the detail, I think it will take a longer time to do the research around that specifically.
Right. Now, we've talked about the Lazarus Heist before on this podcast, which saw the massive theft of money, first of all, from the, I think, the Bank of Bangladesh, if I'm not mistaken. And then later on, through ATMs worldwide, just using people's stolen bank details. Would you imagine, just sort of in the real workaday world of North Korean IT work, that the people who did the Lazarus Heist would know some of the people who are doing the IT work, the remote work, that we're talking about today? Are they in the same ecosystem? If, let's take a bird's-eye view of this ecosystem.

So if you zoom out completely, yes, they're all under the same network, technically speaking, because there are certain very transferable skills that could be used to maintain certain IT systems or get a job to put your head down and do menial work. But if I were to take a guess whether they do know, or there are certain actors who might do odd jobs here and there, be it with the Lazarus group, if you say, or be it a revenue-raising activity that one random IT worker does, potentially. But you can't concretely say that, yes, both these actors are the same. But there could be overlaps in terms of their activities or their timing, what their boss asks them to do. So in that sense, if you take a zoomed-out view, yes, they're probably under the same network.
And as you point out, many of these skills are certainly transferable, so they can be used across multiple teams. Now, the United Nations Panel of Experts, before it was shut down, estimated that illegal cyber operations provided about 40% of the revenue that North Korea needs for its weapons of mass destruction program. Do we have any idea what portion IT workers likely contributed into that pot?

It's very difficult to give an estimate, but you can say, I think, the advisory provided by the United States around how much these IT workers are earning annually and individually puts it at around 300,000 annually, or something in that ballpark. But as to what percentage is the IT worker contribution to these illegal cyber operations, I think it's a very murky figure; it's very difficult to estimate. And I know it becomes a little difficult from addressing this issue: the larger the estimate, the more probably law enforcement would have a better understanding or a prioritization or some kind of motivation to do something about this. But nonetheless, I think there are other ways to look at this issue. It's more got to do with, given IT workers are actually infiltrating into systems, the problem lies not in how much percentage of the illegal cyber operation is conducted by them, but more on how much information they get access to. So this is private company information, IP information; there could be legal repercussions, there could be reputational damages that could be done with North Korean IT workers getting access to company information. And on top of this is how much illicit revenue they can generate simply through salaries. So addressing this issue more from a broader perspective rather than a metric also helps in understanding this issue in a very, you know, linear way that is required.

Right. Given the difficulty of talking about numbers, where do we see the center of gravity today in terms of this illegal fundraising? Is it likely to be in the simple revenue extraction through invoicing and payroll, or is it more in post-access monetization like code and data exfiltration?

Yeah, I think it's important to again go back to dividing whether these IT workers are illicit actors with malicious intent or are they there just to do the job and gain a standard revenue. So if you look at it, if you were to understand this issue more from a criminal mindset, you would realize that having a stable revenue is good, because there is a cushion to fall back on for them, compared to the other cyber activities that they're doing, whether it's the Bybit hack or other crypto hacks, that are quite risky, very sophisticated. So for them to fall back on this stable revenue that they're generating through incomes, I think that's a strategy to work at. But I think it's more on understanding this issue broadly and how they work with each other, the malicious actors, as well as just the stable revenue that they're earning.
Okay. Let's talk about identity management. In simple terms, where do today's identity verification and authentication processes fail companies, especially in the area of remote hiring? We've already mentioned the problem of turning on cameras. But what are some of the other issues where these systems fall down?
Yeah, I think that's one way as to how I wanted to approach this research, because I think that could be one way of bringing up or coming up with practical mitigation strategies, because there is no one way or one standard, gold-standard way of hiring anybody. Every company has their own.
If there ever was one, there certainly isn't one anymore.
No. So there is no standardization of CVs, or even with remote workers, every single recruitment company has their own policies. Every company has their own policies to work with third-party recruiters. It can keep going that way. There are many, many methodologies. But I'm not saying that there should be one single methodology. But I think it's more got to do with how robust this methodology is, and how is it possible for these methodologies to be audited, or looked at from a due diligence or compliance perspective. I think that is more important. So there are very obvious loopholes here, because out of personal experience, not that I know any North Korean IT workers, but through my friends, the colleagues or others who've been hired doing remote roles, they are working in different companies in different geographic locations, but they haven't been asked to show their passports or their national ID, for example, to verify whether they are real or not, or do they have the right to work or not. So this is the most basic thing that anybody should be doing, and I'm not blaming HR here. HR already has a whole load of issues that they need to worry about anyway.
Curious to hear the rest? Become an NK News subscriber today for access to the full episode. Head to NKNews.org slash join for more information.