A fascinating case landed on my desk this week – a DOJ indictment that reads like a “what not to do” guide in operational security. North Korean IT workers, supposedly masters of hacking (thanks Russia), managed to steal nearly a million dollars through remote work fraud while breaking almost every rule of covert operations.
DPRK IT workers were aided in this fraud by both U.S. and foreign facilitators… These U.S.-based enablers provided a U.S. address for victim companies to send laptop computers and other devices…
“A U.S. address” it says. Let’s talk about hubris.
The operators ran multiple corporate infiltration schemes through a residential address in New York. Imagine running a nation-state operation and deciding to create one giant flashing neon sign above your physical single point of failure. This isn’t just bad tradecraft – it’s the kind of mistake that makes you question everything you think you know about DPRK tunneling maps.
The money flows were equally amateur hour stuff. They channeled $677,440 through a single Chinese bank account. One account. For perspective, even standard money laundering operations typically split flows across dozens of accounts. This wasn’t sophistication – this was counting on no one paying attention.
And here’s where it gets more fascinating: lazy remote work patterns. Anyone who’s managed remote teams knows the chaos of real remote work. People log in from coffee shops, airports, their kid’s soccer practice (hello Wiz staff, I see you on those Virginia country club tennis courts). There’s a natural entropy to human movement. These North Korean elite IT operatives? Static locations. Rigid patterns. It’s like they were trying to create the most obvious automated behavior signature possible.
The tooling choices then read like a “most obvious remote access tools” list – Anydesk and TeamViewer installed immediately after device receipt like a “yoo hoo over here” move. No attempt to mimic natural software deployment patterns or vary the toolkit to blur the obvious indicators of compromise. They might as well have named their front companies “This is Definitely Not North Korea LLC” – though Taggcar Inc. and Vali Tech Inc. weren’t much better. Taggcar? Was that someone trying to transliterate 탁차 (takcha)?
What keeps me up at night isn’t the sophistication, since there wasn’t much; it’s how long it ran despite being about as subtle as a disco ball at a funeral. The operators moved $866,255 through this scheme not because they were hot shots, but because IT isn’t regulated enough with basic quality controls, meaning Americans are often allowed to have gaping holes in obvious places.
Think about it: simple shipping address correlation would have caught this. Simple location variance monitoring would have spotted the automated patterns. Simple contractor vetting would have raised red flags. We’re not talking about advanced AI-powered detection systems – we’re talking about the security equivalent of people doing the job of paying attention, seeing if someone’s wearing a name tag that says “HELLO I AM [PRAWO JAZDY].”
If you don’t know the Prawo Jazdy story, well, have I got 2009 fraud news for you!
The real lesson here isn’t about super scary hacker North Korean tradecraft. It’s about our willful blind spots in the age of lowered integrity. We pour money into flashy systems that sell us on detection of sophisticated zero-day exploits but somehow miss dozens of corporate devices being shipped into the same residential address. We’re looking for a microsecond of advanced persistent threats while missing persistent amateur hour.
Here’s the final rub: the operation was vulnerable to a single knock-knock joke. One physical location. It’s the police, that’s who. All their operational security reduced to hoping no one would notice steady streams of corporate laptops arriving at a New York address. This is the hubris that happens when basic controls are so lacking that sophistication becomes unnecessary.
In the end, this case serves as a reminder that sometimes the biggest threats aren’t the most interesting ones. Sometimes they’re just the ones willing to walk through the front door we left wide open, a single guy awkwardly carrying dozens of laptops with TeamViewer already in an install queue.
And if you think these North Koreans are being Captain Obvious about being a threat to America, don’t get me started on the South Africans painting giant swastikas on everything.
The next time someone tells you about spooky scary politically-motivated threats from wealthy elites, remember this case. Sometimes the call is coming from inside the house – specifically, from a house in New York with a suspiciously large collection of corporate laptops. This type of fraud is easily preventable with basic controls:
- Track shipping addresses for corporate devices and do a little satellite checking (is it a residence, and how many other devices have gone there?)
- Monitor for natural location variance in remote work patterns (e.g. encourage rather than restrict workers moving around their neighborhood and with family routines)
- Implement basic contractor vetting beyond paper verification
- Watch for systematic rather than human-pattern remote access (e.g. late night IP packets used to be an anomaly that set off alerts, now it might be a reassurance to reset a clock)
- Cross-reference contractor details across business units
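Two of those controls (the shared shipping address and the missing location variance) are cheap enough to script against data most companies already have. The example below is added here and is not from the indictment or any vendor tool; the shipment and login records are constructed, and the field names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data (not from the indictment): where each contractor asked the
# employer to ship a laptop, and per-contractor login locations from VPN / IdP logs.
SHIPMENTS = [
    # (employer, contractor_id, ship_to_address, delivered)
    ("acme-fin", "c-1001", "12 Maple St Apt 3B, New York NY", date(2023, 1, 9)),
    ("bayco",    "c-2047", "12 Maple St Apt 3B, New York NY", date(2023, 2, 3)),
    ("bayco",    "c-2048", "12 Maple St Apt 3B, New York NY", date(2023, 2, 3)),
    ("acme-fin", "c-1002", "900 Oak Ave, Austin TX",          date(2023, 3, 1)),
]
LOGINS = {
    # contractor_id -> list of (login_date, city)
    "c-1001": [(date(2023, 1, 10 + i), "New York") for i in range(20)],
    "c-1002": [(date(2023, 3, 2), "Austin"), (date(2023, 3, 3), "Austin"),
               (date(2023, 3, 6), "Dallas"), (date(2023, 3, 9), "Austin"),
               (date(2023, 3, 12), "Houston")],
}

def normalize(addr: str) -> str:
    """Cheap normalization so 'Apt 3B,' and 'APT. 3B' collide; a real system would
    use a postal-address parser."""
    return " ".join(addr.upper().replace(".", "").replace(",", "").split())

def shared_ship_to_addresses(shipments, min_identities=2):
    """Flag any address that received devices for more than one contractor identity,
    especially across different employers: the 'laptop farm' signal."""
    by_addr = defaultdict(set)
    for employer, cid, addr, _ in shipments:
        by_addr[normalize(addr)].add((employer, cid))
    return {a: sorted(ids) for a, ids in by_addr.items() if len(ids) >= min_identities}

def static_location_workers(logins, min_sessions=10):
    """Flag contractors whose many sessions all come from one location: real remote
    workers move around, so a never-varying geo is the machine-like pattern above."""
    flagged = []
    for cid, sessions in logins.items():
        if len(sessions) >= min_sessions and len({city for _, city in sessions}) == 1:
            flagged.append(cid)
    return flagged

if __name__ == "__main__":
    print(shared_ship_to_addresses(SHIPMENTS))
    print(static_location_workers(LOGINS))
```

The address check only works if shipping records are pooled across business units (and ideally across companies), which is exactly the cross-referencing the last bullet asks for.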
The DOJ says at least 64 American organizations were caught up in the North Korean infiltration, including a financial institution and Bay Area tech firms, from April 2018 [pre-COVID!] through August 2024. In the end, this case demonstrates a need for some basic due diligence in our lives.
Reference: United States v. Jin Sung-Il et al.