North Koreans Exploit Social Media's Vulnerabilities to Dodge Sanctions


North Korean operatives have sought to use U.S. technology and social media networks to evade U.S.-led sanctions and generate income, taking advantage of many of the same shortcomings that allowed Russians to interfere in the 2016 election.

Cloaking their identities, the North Koreans have been able to advertise jobs and find clients on job-search exchanges such as Upwork and Freelancer.com.

They have developed software using the Microsoft-owned site GitHub, communicated over the Slack messaging service and asked for payments via Paypal.

They have burnished their fake credentials with profiles on LinkedIn and touted fake operations with Facebook pages.

In short, North Korea has exploited the kinds of vulnerabilities that have brought heightened political scrutiny to the technology platforms, suggesting how easy it is for Pyongyang to use tools of the digital economy to avoid sanctions aimed at halting information-technology trade with the country.

These details come from a Wall Street Journal investigation into a North Korean business based in China that has been building mobile games, apps, bots and other products for clients in the U.S. and elsewhere. Customers said they had no idea they were dealing with North Koreans.

“It never crossed my mind” that North Koreans operated an IT business online, said Donald Ward, an Australian entrepreneur, when shown that a programmer he hired to redesign a website, who he thought was Japanese, was actually part of a North Korean crew operating in northeastern China, near the city of Shenyang.

[Map: Shenyang in northeastern China, shown relative to Beijing, Pyongyang, North Korea, South Korea, Japan, Russia and Mongolia]

The Journal discovered the Shenyang business after reviewing computers and other devices belonging to a North Korean operative arrested in Malaysia for suspected involvement in last year’s murder of North Korean leader Kim Jong Un’s half-brother. A car that ferried the alleged killers away from the Kuala Lumpur airport was registered to the North Korean operative, according to Malaysian investigators. The operative, who denied wrongdoing, was deported.

The operative’s electronic devices showed he had communicated with the Shenyang group about money-making ventures for North Korea, using vocabulary found only in the north’s dialect of the Korean language.

For North Korea, finding new business ventures has been crucial since the United Nations last year tightened sanctions and banned the country’s coal exports in a bid to curb Pyongyang’s nuclear-weapons and missile programs. The U.S. Treasury Department warned in July that North Koreans working abroad were selling IT services and hiding behind front companies and the anonymity provided by freelancing websites. The report offered few specifics. The Treasury on Thursday sanctioned two Russian and Chinese technology firms as revenue-generating fronts for North Korea.

Interviews with clients, plus records on Freelancer.com, help detail at least tens of thousands of dollars earned by the Shenyang group. In total, North Korea may be pulling in millions from software development with numerous fake social-media profiles, say experts who track North Korean activity. The group took payment from clients and subcontracted the jobs to programmers world-wide who say they were cut out without compensation.

“It’s a big chunk of change” for North Korea, said Andrea Berger, a North Korea specialist at the James Martin Center for Nonproliferation Studies in Monterey, Calif.

A man called Ri Kwang Won appears to be at the heart of the operation in Shenyang. Among other indications, his name appeared in the cellphones and computers of the North Korean operative arrested in connection with the killing in the Kuala Lumpur airport. That operative reached out to Mr. Ri about a plan, which didn’t get off the ground, to hack software for medical imaging from a U.S. company and resell it to hospitals elsewhere.

The Malaysia-based operative’s phones included an email address saved under Mr. Ri’s name—multicpu@outlook.com—from which the Journal was able to identify more than 50 fake social-media profiles and websites set up by Mr. Ri and his group, providing a clearer picture of their activities.

Saved in a computer of the arrested operative was a Chinese phone number for Mr. Ri. A man who answered a call to that number identified himself as Ri Kwang Won, speaking in Chinese with a Korean accent. He acknowledged being involved with software for medical imaging, as well as with an internet television business called Everyday-Dude.com, but declined to answer further questions.

A Facebook page for Everyday-Dude.com, showing packages with hundreds of programs, was taken down minutes later as a reporter was viewing it. Pages of some of the account’s more than 1,000 Facebook friends also subsequently disappeared.

Facebook said it had no knowledge of North Koreans using its platform but is committed to rooting out profiles using false names. It suspended numerous North Korea-linked accounts identified by the Journal, including one that Facebook said appeared not to belong to a real person. After it closed that account, another profile, with identical friends and photos, soon popped up.

LinkedIn confirmed that profiles identified by the Journal were fake and said at least two had been restricted. Upwork, which runs a site where freelance programmers gather, said it prohibits use by North Koreans and is dedicated to fighting fraud. Several Upwork accounts traced to the Shenyang crew now are offline.

Freelancer.com, the operator of a similar business, said it was investigating suspect accounts but didn’t see ties to North Korea. It closed one account for spamming. Slack, the messaging service through which the North Korean crew communicated, said it takes appropriate action when notified of problems. Paypal and Twitter declined to comment. GitHub didn’t respond to requests for comment.

Aerial view of an overpass in Shenyang, Liaoning Province in northeast China in July. Photo: Yan Bo/Zuma Press

Not much is known about Mr. Ri or when he arrived in Shenyang, a gritty Chinese city of 10 million near the North Korean border that U.S. officials have described as a hub of illicit North Korean activity. Mr. Ri’s modus operandi appears to have often involved impersonating others online to create social-media profiles through which to market business services.

A representative of the Chinese Foreign Ministry said, “We are not aware of the details you described.”

Qian Dongguang, a Chinese citizen of ethnic Korean descent, said he came into contact with Mr. Ri in 2016, when Mr. Ri persuaded him to help set up a company to sell what Mr. Ri called North Korean medical imaging software.

“They told me it’s important and that I need to keep it secret,” said Mr. Qian. He said Mr. Ri and others with him were North Korean.

They took his identity without his knowledge and started building an online presence, Mr. Qian said, setting up accounts under his name on Freelancer.com and Upwork and using the accounts, which included Mr. Ri’s email, to bid for programming jobs.

The group also set up profiles for Mr. Qian on Facebook and LinkedIn, describing him as a computer programmer who attended the elite Tsinghua University in Beijing. In fact, he took culinary studies at a college in South Korea before bouncing around in odd jobs such as being a driver.

Mr. Ri appears to have used his own email to open a Facebook account in the name of Pro Dos, with an Asian woman as its profile picture.

He also set up a Twitter account, @multicpu, in which, in an exchange with a U.S. programmer, he identified himself alternately as Qian Dongguang or Pro Dos.

Ranga Bandara, a Sri Lankan programmer, said he was contacted on Freelancer.com by “Qian Dongguang” about developing an app for Siteabook, an Indian competitor to Amazon.com Inc.’s Goodreads book site. Mr. Bandara said he believed he was dealing with Pro Dos, whom he believed to be a Chinese programmer. He said he built the app and is still owed $800.

The Indian owner of Siteabook, Manikandan Krishnan, said a subcontractor had hired people he thought were Chinese programmers.

By this year, Mr. Ri’s group had begun impersonating SQ Technologies Inc., a Boston-based company with an app for information about health issues. SQ was co-founded by Fah Sathirapongsasuti, a Thai citizen living in the U.S. who has degrees from Harvard and Stanford universities, and who eventually shut down the company.

The North Korean group copied SQ Technologies’ website with a slightly different URL and set up a group in Slack impersonating SQ executives, according to interviews with programmers the group hired. Mr. Ri’s email is used extensively in the fake SQ, and fake SQ pages also used pictures of Ri’s group. The group also set up fake profiles on Upwork and LinkedIn, pretending to be programmers from the U.S., Japan and elsewhere.

As business rolled in, the North Korean group searched for coders to handle app development, graphic design and other tasks. “SQ Technology is a no B.S company,” said a hiring post on Freelancer.com. Some clients and programmers who agreed to do work for the group said they had researched it online and felt reassured by seeing so many Facebook, LinkedIn and other profiles.

A Florida marketing firm known as LinkedIn Lead Ninja was among those that hired the fake SQ Technologies. LinkedIn Lead Ninja was looking for programmers to help build a bot that would “scrape” LinkedIn to find marketing leads for clients. It said it hired the fake SQ Technologies on Upwork.

Mr. Ri’s group contacted a data expert from Pakistan on Upwork and offered him $3,500 a month to code for projects, including the LinkedIn Lead Ninja bot, according to the Pakistani man, Dharmindar Devsidas. Mr. Ri’s group also connected with programmers from South Korea, India and elsewhere, according to the programmers, using SQ Technologies profiles on Upwork and Freelancer.com.

Mr. Devsidas and programmers said they were interviewed via Slack by a person they believed was the SQ Technologies co-founder. They said they were enticed by promises of a work visa to move to the U.S. Mr. Devsidas signed a contract stipulating a 40-hour work week.

He began working on code for the LinkedIn Lead Ninja project using GitHub, which allows users to collaborate remotely. Work hours were tracked by an account Mr. Ri set up using his email address, according to screen shots provided by one programmer.

The programmers said they also worked on other projects, including a bot to facilitate bulk purchases on Canadian e-commerce platform Shopify; a website for a U.S. job-search company; and a graphic-design project for Mr. Ward, the Australian entrepreneur, who was trying to get a website built for a wholesale shopping firm. The jobs paid from a few hundred to thousands of dollars.

Some programmers grew suspicious. Mr. Devsidas said he was told by purported SQ Technologies executives not to communicate with other coders in Slack. He found the prohibition strange and decided to ignore it.

By this summer, Mr. Devsidas said, he had learned that, like him, other programmers weren’t getting paid. Programmers interviewed by the Journal said the same.

When Mr. Devsidas reported the alleged fraud to Slack, a customer-service representative suggested he contact local law enforcement, according to messages seen by the Journal. Slack declined to comment on the matter.

Mr. Devsidas reached out to Mr. Fah, the SQ Technologies co-founder, who was receiving angry emails from other unpaid workers. Mr. Fah said he reported the matter to the U.S. Federal Bureau of Investigation.

Mr. Fah tried to figure out who was behind the ruse. When he reached out to names affiliated with the fake SQ Technologies, he received a response from someone describing himself as Indian. The person said he couldn’t pay the programmers because he was “very poor,” and would shut down SQ Technologies’ activities.

When Mr. Fah said he was in touch with the FBI, the person wrote back, “Does FBI come to India as well? I don’t like it.”

A Journal inquiry to the person’s email wasn’t answered. The FBI declined to comment.

In the end, the North Korean group made thousands of dollars from LinkedIn Lead Ninja, paid via Paypal, without finishing the bot project, the Florida company said. Coders said they got nothing.

Dane Richardson, an executive at LinkedIn Lead Ninja, said the company was “shocked and astounded” to learn its programmers weren’t who it thought they were. LinkedIn Lead Ninja shut down work with the fake SQ Technologies without losing client data, said Mr. Richardson, whose title is “chief problem solver.”

Meanwhile, Mr. Ri in Shenyang appears to be multitasking with other businesses, including a reincarnation of Everyday-Dude.com, the subscription internet-television service, under a new name and marketing it through Facebook and LinkedIn pages.

The new page teased viewers with content related to European soccer clubs and the World Cup in Russia. By mid-July it was touting promotions such as a “15 Days Free Trial Version” that promised “The Joy of Anytime, Anywhere.” Facebook shut it down later in the month.

Later, a LinkedIn user—featuring the same photo as one on a shuttered Pro Dos Facebook page—began to look at a Journal reporter’s LinkedIn profile.

The user claimed to have attended a university in Hong Kong. The university said it had never heard of the person.

Write to Wenxin Fan at Wenxin.Fan@wsj.com, Tom Wright at tom.wright@wsj.com and Alastair Gale at alastair.gale@wsj.com
