North Korean scammers are doing the architectural design now

“Plans are being used and being built,” says Michael “Barney” Barnhart, a leading expert on North Korean hacking and cyber threats who works for the company. Insider threat security company DTEX. Along with other DPRK researchers, who call themselves a coalition of “misfits,” Barnhart has seen this group of workers doing architectural work, and says other similar efforts have been discovered. “They’ll do CAD designs, they’ll do drawings,” he says. “It’s not virtual, these physical things are there.”

Barnhart – who had previously found North Korean animators who appeared to be working on them Amazon and Max offers– He says he also saw the creation of potential front companies to help run operations and provide a veneer of legitimacy. The findings raise questions about the quality of structural work and concerns about safety, if the structures are created in the physical world. “In some of our investigations, and these plans and the products they make for remodeling and demos, they don’t get good reviews,” Barnhart says. “We have indications that they are also being hired to do critical infrastructure.”

A long 24-minute screencast seen by WIRED shows how the freelancing process can work. In the video, a person signs up on a freelance website and creates a new profile in which he writes that he is a “USA licensed structural engineer/architect.” They select a profile picture from a folder containing potentially downloadable files, translate text between English and Korean, and access the Social Security Number Generator website during the registration process.

When their account is created, the video shows them starting to submit job applications online, with one message saying: “I can give you (sic) the specific permit drawing plan for your residential home design in a few days.”

Other screen recordings show workers having conversations with potential clients, and in at least one case there is a recording of an online call discussing potential work. The Kela researcher, who asked to remain anonymous for security reasons, says it appears some potential clients returned to the scammers, likely after the work was done. Researchers say some types of work appear to have prices ranging from a few hundred dollars to about $1,000 per job.

“This is an opportunistic nation,” says DTEX’s Barnhart. While many companies are beginning to realize that North Korean IT workers often apply for technology jobs remotely, using fake identities, deepfakes on video calls, and local workers to run their operations, they are constantly changing their methods. Barnhart says it appears that architectural work has been successful for alleged workers in the DPRK, and that evidence shows that an IT worker program can be more accurate than trying to recruit at companies.

“They’re moving to places we’re not looking,” Barnhart says. “They also do things like call centers. They do HR, payroll, accounting. And those are things that are just remote roles and not necessarily remote hires.”