News release
Advisory on North Korean information technology (IT) workers
July 16, 2025
Ottawa, Ontario
From: RCMP National Headquarters
The Royal Canadian Mounted Police, Public Safety Canada, Global Affairs Canada, the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC), and the Canadian Centre for Cyber Security are issuing this advisory to alert Canadians and Canadian businesses to the risks posed by IT workers deployed by the North Korean government. Employing these individuals could result in legal consequences under Canadian sanctions, expose your organization to data theft and corporate espionage, and indirectly contribute to North Korea’s weapons of mass destruction and ballistic missile programs, which are prohibited by the United Nations (UN) Security Council.
State-affiliated IT workers from North Korea (Democratic People’s Republic of Korea or DPRK) seeking employment are known to pose as legitimate freelancers based in other nations offering IT development services to a wide range of sectors, which include but are not limited to: mobile/web application development (including in gaming and online gambling), general IT support, graphic animation, database and online platform development, and hardware and firmware development. By doing so, North Korean IT workers seek to gradually access and establish networks in key sectors, gain transferable skills, and facilitate future malicious cyber activities.
North Korean IT workers are usually competent, highly qualified, and skilled in the services they provide. To hide their identity, these individuals could use virtual private networks (VPNs) and servers (VPSs), which encrypt their online traffic; Voice Over Internet Protocol (VOIP) and encrypted messaging applications; and AI-enabled deepfake technologies, which disguise appearances. They could also pay nationals of other countries (also referred to as proxies) to use their personal information and/or accounts on employment platforms.
Advice to Canadians and Canadian businesses
In response to its aggressive actions and illicit weapons programs, Canada has implemented sanctions against North Korea under the United Nations Act and the Special Economic Measures Act. As a result of these sanctions, it is prohibited for any Canadian, including Canadian businesses abroad or person in Canada, to conduct activities specified in the regulations under these Acts. Furthermore, every person or entity referred to in section 5 of the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) shall:
- report transactions suspected to be related to the commission of a money laundering, terrorist financing, or sanctions evasion offence to FINTRAC.
- implement the Ministerial Directive on the Democratic People’s Republic of Korea (updated March 2025) issued in response to North Korea's failure to address the significant deficiencies in its anti-money laundering and combatting the financing of terrorism (AML/CFT) regime, and the risk that North Korea may be facilitating sanctions evasion, to ensure the safety and integrity of Canada’s financial system.
These prohibitions may impact Canadian individuals and entities who are seeking the types of services described in this advisory.
Contravening sanctions is a criminal offence, subject to fines and/or imprisonment. Under the United Nations Act, the maximum penalty on summary conviction is a $100,000 fine or a 1-year prison term, or both. Convictions on indictment may result in a maximum 10-year prison term. Under the Special Economic Measures Act, the maximum penalty on summary conviction is a $25,000 fine or a 1-year prison term, or both. Conviction on indictment may result in a maximum 5-year prison term. Possible contraventions are investigated and enforced by the Royal Canadian Mounted Police and the Canada Border Services Agency.
Through privileged access to companies’ networks and critical infrastructure, North Korean IT workers may insert passive malware and backdoors in program codes that can collect information, monitor traffic, or facilitate future exploitation, thereby exposing companies to the risk of corporate espionage and data theft.
Small businesses and start-ups can be more attractive targets for North Korean IT workers, who seek to exploit these businesses’ need for qualified, relatively inexpensive labour, and the lack of dedicated resources for screening candidates during the hiring process.
Businesses are encouraged to share information with the Government of Canada, including on suspicious persons, account holders, financial transactions, and cyber and other incidents, via the contacts listed under “Resources”.
Red flags of potential North Korean IT workers
Identifying characteristics of North Korean IT workers posing as legitimate IT professionals can include:
- Frequent money transfers through online payment platforms
- Requests for payment in cryptocurrency
- Multiple log-ins into a single account from various IP addresses associated with different countries
- Inconsistencies in personal information, such as name, language(s) spoken, nationality, education and work history, location, professional and social media profiles
- Unwillingness or inability to provide documentation and identification in a timely manner
- Unwillingness or inability to participate in voice or video conferences
- Use of AI-enabled deepfake technology during meetings
- Bids or fees that are lower than comparable competitors’
- Agreeing or requesting to begin working without first securing a signed contract or payment security
Mitigation and due diligence measures
Below are some ways to verify the identity of freelance IT professionals and reduce the risk of employing illicit cyber actors:
- Avoid making any payments in cryptocurrency or money transfers to a variety of different bank accounts associated with one individual
- Scrutinize documentation for inconsistencies and signs of forgery
- Conduct in-person or video interviews and use a variety of communication methods
- During remote meetings or interviews, employ strategies to detect AI-enabled deepfake technology
- Conduct background/reference checks and credential verification, including with the educational institutions and previous employers listed
Background
For decades, the North Korean government has emphasized the importance of science and technology – including information technology – to national development. This focus was further strengthened in 2019, when Pyongyang reformed its education system to foster sci-tech talent. In response to North Korea’s multiple nuclear tests since 2006, the United Nations has adopted successive sanctions on North Korea to curtail its weapons of mass destruction and ballistic missile programs. In 2011, Canada imposed additional sanctions against North Korea under the Special Economic Measures Act to reinforce the message to the North Korean government that its aggressive actions are unacceptable. Despite international efforts, North Korea uses increasingly sophisticated tactics to evade sanctions, and continues to fund its weapons programs via illicit activities, including through payment remitted by IT workers located domestically and overseas. According to security firms, North Korea may also be responsible for cryptocurrency thefts amounting to billions of dollars since 2021 through the hacking of related service providers and infrastructure. The U.S. has further assessed that funds gained via these means directly support North Korea’s weapons programs. North Korean IT workers have also used their access to corporate systems for cyber espionage, money laundering, or to acquire sensitive materials for state-run enterprises.
Resources
More information on North Korean IT workers can be found in advisories published by the governments of:
For cyber security advice and guidance, please refer to the Canadian Centre for Cyber Security’s website:
For reporting of suspicious transactions and implementing the Ministerial Directive:
- FINTRAC guidance related to the Ministerial Directive on the Democratic People’s Republic of Korea issued on December 9, 2017 (updated March 2025)
- Reporting suspicious transactions to FINTRAC
- Reporting transactions which violate sanctions to FINTRAC
For more information on fraud, scams and cyber-fraud and to report fraud and cybercrime incidents, please refer to the Canadian Anti-Fraud Centre’s website.
For more information about Canadian sanctions related to North Korea, please refer to Global Affairs Canada’s website.
You can also contact Global Affairs Canada at the following address:
Global Affairs Canada
Sanctions Operations Division
125 Sussex Drive
Ottawa, Ontario
Canada K1A 0G2
E-mail: sanctions@international.gc.ca
All suspected sanctions violations must be reported to the RCMP National Security Information Network by phone at 1-800-420-5805 or at rcmp.ca/report-it. Service is available in both of Canada’s official languages.
Associated links
- False Face: Unit 42 Demonstrates the Alarming Ease of Synthetic Identity Creation
- Science and Technology Education in North Korea Enters the 21st Century
- September 2023 letter to the UN Security Council Committee
- What We Learned Inside a North Korean Internet Server: How Well Do You Know Your Partners?
- North Korean Hackers Stole $600 Million in Crypto in 2023
- Funds Stolen from Crypto Platforms Fall More Than 50% in 2023, but Hacking Remains a Significant Threat as Number of Incidents Rises
- Digital Press Briefing With Anne Neuberger Deputy National Security Advisor For Cyber And Emerging Technologies (audio without transcript, 23:11)
- 11 Jen Easterly Nathaniel Fick Anne Neuberger Eric Rosenbach, Special Competitive Studies Project (YouTube, 45:35)