Microsoft Suspends 3,000 Accounts in Global North Korean Fraud Scheme

Microsoft has taken significant action against a global fraud scheme orchestrated by North Korean IT workers, suspending 3,000 Outlook and Hotmail accounts linked to these individuals. This move is part of a broader effort to disrupt a conspiracy that has infiltrated hundreds of Fortune 500 companies over recent years. The scheme, known as "Jasper Sleet" by Microsoft's Threat Intelligence arm, involves North Korean IT workers using fabricated or stolen identities to secure remote jobs in tech companies worldwide.

The Department of Justice has also played a crucial role in this coordinated takedown, seizing hundreds of laptops, 29 financial accounts, and shutting down nearly two dozen websites. Law enforcement searched 29 "laptop farms" across the U.S., where accomplices, including Americans, agreed to take care of laptops shipped by companies that had unwittingly hired North Koreans for remote jobs. These laptops were used to install software allowing the IT workers to log in from overseas or were shipped to other locations, including Russia and China.

Some Americans have also rented their identities for the IT workers to use in applying for jobs. A notable case involves a nail salon employee in Maryland who will be sentenced in August after being found to hold 13 jobs remotely that were handled by North Korean IT workers located in China. These jobs paid nearly $1 million.

The North Korean IT worker scheme is a sophisticated operation where trained workers from the Democratic People’s Republic of Korea (DPRK) are sent around the world to secure jobs in tech using fabricated or stolen identities. The workers are legitimate, with some companies reporting that the remote IT workers were among their most talented employees. The scheme generates significant revenue, estimated to be up to $600 million a year, according to UN estimates. The revenue and illicitly heisted crypto are used to fund DPRK authoritarian ruler Kim Jong Un’s nuclear weapons program.

Microsoft's efforts to combat this scheme include the use of advanced AI tools by the IT workers to eliminate grammatical errors, polish up photos, and experiment with voice-changing software. Jeremy Dallman, senior director of Microsoft Threat Intelligence Center, noted that Jasper Sleet is constantly changing and evolving their profiles across a wide variety of consumer email accounts. Microsoft has continued to take down persona accounts as they are identified and track the actor’s use of AI.

While Microsoft hasn't seen the IT workers using combined AI voice and video yet, the company warned that this technology could allow future threat actor campaigns to trick interviewers into thinking they aren’t communicating with a North Korean IT worker. If successful, this tactic could allow the North Korean IT workers to do interviews directly and no longer rely on facilitators standing in for them on interviews or selling them account access.

The IT workers often use the same names and email addresses repeatedly in crafting their fake personas, using fraudulent profiles on job-networking sites and open-source coding platforms. Microsoft reported that the IT workers have also started using AI tools like Faceswap to enhance their profile pictures and move them over to stolen employment and identity documents.

In addition to suspending accounts, Microsoft has launched an array of methods to detect IT worker activity through ID protection and other tools. The company has developed a custom machine-learning solution that uses "impossible time travel risk detections, most commonly between a Western nation and China or Russia" to identify suspect accounts. This comprehensive approach aims to protect customers from this evolving threat and disrupt the activities of the North Korean IT workers.