RED FLAG INDICATORS

RED FLAG INDICATORS

RED FLAG INDICATORS

Freelance work and payment platform companies should be aware of the following activity that may be indications or behaviors of DPRK IT workers who may be using their platforms.

Multiple logins into one account from various IP addresses in a relatively short period of time, especially if the IP addresses are associated with different countries;
Developers are logging into multiple accounts on the same platform from one IP address;
Developers are logged into their accounts continuously for one or more days at a time;
Router port or other technical configurations associated with use of remote desktop sharing software, such as port 3389 in the router used to access the account, particularly if usage of remote desktop sharing software is not standard company practice;
Developer accounts use a fraudulent client account to increase developer account ratings, but both the client and developer accounts use the same PayPal account to transfer/withdraw money (paying themselves with their own money);
Frequent use of document templates for things such as bidding documents and project communication methods, especially the same templates being used across different developer accounts;
Multiple developer accounts receiving high ratings from one client account in a short period, with similar or identical documentation used to establish the developer accounts and/or the client account;
Extensive bidding on projects, and a low number of accepted project bids compared to the number of projects bids on by a developer; and
Frequent transfers of money through payment platforms, especially to PRC-based bank accounts, and sometimes routed through one or more companies to disguise the ultimate destination of the funds.

Companies employing freelance developers should be aware of the following activity that may be indications or behaviors of DPRK IT workers.

If a freelance software development website or payment platform account has been shut down or the worker contacts the employer requesting use of a different account, especially if registered to a different name;
Use of digital payment services, especially PRC-linked services;
Inconsistencies in name spelling, nationality, claimed work location, contact information, educational history, work history, and other details across a developer’s freelance platform profiles, social media profiles, external portfolio websites, payment platform profiles, and assessed location and hours;
Surprisingly simple portfolio websites, social media profiles, or developer profiles;
Direct messaging or cold-calls from individuals purporting to be C-suite level executives of software development companies to solicit services or advertise proficiencies;
Requests to communicate with clients and potential clients on a separate platform than the original freelance platform website where the client found the IT worker;
An employer proposes to send documents or work-related equipment such as a laptop to a developer, and the developer requests that items be sent to an address not listed on the developer’s identification documentation. Be particularly suspicious if a developer claims they cannot receive items at the address on their identification documentation;
Seeking payment in virtual currency in an effort to evade KYC/AML measures and use of the formal financial system;
Requesting payment for contracts without meeting production benchmarks or check-in meetings;
Inability to conduct business during required business hours;
Incorrect or changing contact information, specifically phone numbers and emails;
Biographical information which does not appear to match the applicant;
Failure to complete tasks in a timely manner or to respond to tasks;
Inability to reach them in a timely manner, especially through “instant” communication methods; and
Asking co-workers to borrow some of their personal information to obtain other contracts.

Overview of DPRK IT Worker Operations

Table of Contents