Microsoft suspends 3,000 Outlook and Hotmail accounts linked to North Korean IT workers

Microsoft has suspended 3000 Outlook and Hotmail accounts tied to a North Korean scheme involving DPRK nationals posing as remote workers under false identities.

U.S. officials have long warned that North Korea uses illicit earnings from crypto hacks, fraud, and IT operations to bypass international sanctions and maintain its military programs. Authorities are now cracking down on what they are calling a global criminal operation that secretly funnels millions to Kim Jong Un’s authoritarian regime.

Microsoft shuts down 3,000 North Korea-linked email accounts

Microsoft has suspended over 3,000 email accounts in a sweep of the international scheme operated by North Korean IT workers posing as remote tech professionals.

Microsoft’s actions follow a coordinated operation involving the U.S. Department of Justice, FBI, and other federal agencies. Together, they have begun dismantling a sophisticated conspiracy code-named “Jasper Sleet” by Microsoft Threat Intelligence. It’s an operation that exploits freelance job markets and tech firms worldwide.

The operation not only defrauds employers but is also believed to directly fund North Korea’s nuclear weapons program.

According to Microsoft’s Threat Intelligence team, the scheme involves trained IT professionals from the Democratic People’s Republic of Korea (DPRK) who assume false identities to secure remote employment with foreign companies, especially in the United States.

Many of these workers are highly skilled, with some employers unknowingly praising them as top performers.

“These aren’t hackers breaking into systems,” Microsoft’s Threat Intelligence Center (MSTIC) said. “They’re skilled developers, quality assurance engineers, and IT support specialists who pass interviews, complete real work, and blend in—except for one critical detail: they’re working for the DPRK.”

In many cases, accomplices who are sometimes American citizens facilitate access by renting out their identities or operating what authorities describe as “laptop farms.”

Laptop farms are physical locations where laptops issued by unsuspecting employers are shipped and maintained. At least 29 of these sites have been searched by law enforcement, with laptops installed with remote-access software or physically rerouted to China or Russia.

The Department of Justice recently detailed the case of a Maryland-based nail salon employee who will be sentenced in August. The man was found to have held 13 jobs simultaneously on behalf of North Korean IT workers, earning nearly $1M in remote salary payouts.

According to the United Nations’ estimates, the North Korean IT worker program generates up to $600M annually. This revenue often ends up supporting cybercrime operations and the country’s nuclear ambitions.

Microsoft fights back with AI and detection tools

In a blog post this week, Microsoft detailed the suspension of 3,000 consumer email accounts, primarily Outlook and Hotmail, that were being used by the North Korean operatives.

“Beyond the 3,000 consumer email accounts that were recently taken down, in our efforts to disrupt the actor activity and protect our customers from this threat, Microsoft has continued to takedown persona accounts as they are identified and track the actor’s use of AI,” Jeremy Dallman, the senior director at Microsoft’s Threat Intelligence Center, said.

Microsoft has observed that North Korean workers are becoming increasingly sophisticated. They now leverage AI tools to fix grammatical errors in resumes and cover letters, enhance their photos to appear more professional or Westernized and use FaceSwap technology to impose their images on stolen identity documents.

Some are even experimenting with voice-changing software to help facilitators pass job interviews on their behalf. While Microsoft hasn’t observed the use of combined AI-driven voice and video deepfakes in real-time interviews yet, the company warned that it may only be a matter of time.

“If successful, this tactic could allow the North Korean IT workers to do interviews directly and no longer rely on facilitators standing in for them,” Microsoft said.

These enhanced AI tactics allow the operatives to better mask their origin, making it more difficult for employers to identify red flags. Common methods include recycling names, email addresses, and profile templates across various job platforms like LinkedIn, GitHub, and freelance marketplaces.

To detect and defend against these tactics, Microsoft has deployed a custom machine-learning solution that flags suspicious activity using what it calls an “impossible time travel” analysis which includes monitoring for logins across geographically implausible locations within narrow time frames, such as access from the U.S. followed closely by China or Russia.

Microsoft is also bolstering its identity protection tools and urging companies to adopt strong authentication protocols and real-time risk detection systems. The tech firm has collaborated with U.S. government agencies to share intelligence and build technical solutions that can be applied across the cybersecurity industry.

The company has pledged to maintain pressure on the evolving threat. “Jasper Sleet is constantly changing and evolving their profiles,” Dallman said. “We’re watching how they adapt, especially with AI, and working to stay one step ahead.”

Cryptopolitan Academy: Tired of market swings? Learn how DeFi can help you build steady passive income. Register Now