Freelancers, gig workers and remote contractors have become the main weapon in global espionage and revenue-generation for North Korea, in particular. Cybersecurity research and government advisories now warn that Reconnaissance General Bureau-affiliated operatives have infiltrated global freelance marketplaces and remote work pipelines to gain access to corporate systems, steal data from them and funnel millions to fund illicit programs run by North Korean regime. Wikipedia +2 and KELA Cyber Threat Intelligence both report similar trends.
How It Works
At its core, this scheme begins on job platforms like Upwork and Freelancer.com as well as developer-oriented forums like GitHub where job hunters or purported freelancers receive outreach from profiles posing as legitimate recruiters or under fabricated identities; or post themselves under multiple identities themselves. Victims may simply be asked to give remote-access to their personal computers; in other instances they apply for roles with code that contain malware enticements.
TradingView +2 ESET
Once inside a company–often a technology firm, startup, or global enterprise–the worker may function as an innocent remote employee while at the same time aiding data exfiltration, installing trojans, or providing proxy machine access from another remote server. One major intelligence advisory concluded that thousands of North Korean IT operatives have infiltrated various countries such as China, Russia, Southeast Asia etc. In one major intelligence advisory, North Koreans posed as employees from different nationalities to gain entry. For security experts this can provide peace of mind +1
Why freelancers and gig-economy platforms are at risk

Remote hiring boomed during the pandemic, relieving physical constraints and verification opportunities. According to a Canadian security advisory, these schemes often use identity obfuscation techniques like VPNs, rented laptops, stolen or synthetic identities, deep-fake headshots and “proxy” workers with login credentials for credential holding purposes (rcmp.ca +11).
Freelancers may be exploited in two ways.

Direct Recruitment as Proxy Workers – To facilitate North Korean recruitment of proxy workers, freelancers or candidates are recruited as proxy workers who allow someone else to use their machine or identity; often in exchange for receiving only a share of wages while the remainder goes directly into North Korean coffers.
TradingView
Victims of Malware Traps – When applying for roles and downloading what appears to be legitimate code samples, but which contain malware which steals credentials or allows remote access, some developers fall prey to malware traps that target them with the threat of theft of credentials or remote access.
ESET Freelancers may become entry points for cyberespionage, sanctions-evasion or data theft by regimes subject to stringent economic controls.

What freelancers should watch out for

If you are working as a freelancer abroad or receiving offers from unknown recruiters, watch for these warning signs:

When the recruiter demands access to remote desktop software rather than offering genuine employment terms, this can be seen as unethical behavior.

A worker is instructed not to submit to video interview or behind-the-scene verification, according to The Guardian +1. Payment may then be requested through non-standard channels like crypto wallets or money transfer services in sanctions-sensitive locations.

Identity or Portfolio of Hirer can’t be verified (mismatched resumes, fake headshots and inconsistent geolocation details)
Not only companies must adhere to stringent hiring protocols; freelancers should do the same. When considering offers from potential clients and payment terms. As well as any requirements for remote-access software.

Hire of unwitting proxy can expose companies to malware, data exfiltration, sanctions liability and reputational risk; while freelancers often don’t realize they have been compromised until after compromise. Furthermore, such schemes help fund North Korea’s weapons and missile programs while bypassing sanctions and exploiting remote labour markets as tools of state-sponsored crime (AP News).
Final Thoughts
If you work as a freelancer or operate in the gig economy, North Korea’s actors have become increasingly sophisticated at employing deception for profit and espionage, using ageing but effective deceptive practices to recruit individuals into its network of agents and proxies – unwittingly or intentionally. Vigilance, identity verification and safe remote working practices matter even more in today’s connected freelancing ecosystem.