How to Spot North Korean Scammers in the American Workforce: Look for Minions — WSJ

Robert McMillanAmerican tech companies have a serious problem with a despicable twist.The FBI believes thousands of North Koreans have infiltrated the U.S. workforce by assuming the identities of Americans to secure remote jobs. Many of them, investigators have found, are bound by a few defining characteristics: total devotion to Dear Leader Kim Jong Un, a penchant for stealing cryptocurrency and an obsession with Minions, the cuddly yellow agents of evil from "Despicable Me."The North Koreans' love of the animated movie franchise has become a recurring, if slightly baffling, joke among the security researchers who investigate them.Many of these fake workers use Minions and other "Despicable Me" characters in social-media profiles and email addresses. Some investigators initially thought their use of "Gru" was a reference to Russia's famed GRU, Russia's military intelligence agency. Instead it was a tribute to the Minions overlord, Felonious Gru Sr., the Steve Carell-voiced animated character who tries to steal the moon.Allusions to Minions and other characters are so ubiquitous that investigators pursuing suspected North Koreans view Despicable references as a sign they might be on the right track.Taylor Monahan, an investigator with the cryptocurrency company MetaMask, said she doesn't see the Minions obsession as some kind of social commentary or dark joke by Kim's underlings. She thinks they're just fans of the films. "How do you not love minions?" she said.Last year, Monahan was tracking down a North Korean worker who had been hired by more than one cryptocurrency company. To get hired for one of the jobs, the scammer showed off some software that he'd written on the code-sharing site, GitHub.His username was Grudev325."I love @Felonious Gru — Despicable Me," the North Korean told his boss, as he was angling for a job. He was fired within a month for poor job performance. Two years later, in a plot worthy of the animated franchise, Grudev325 went on to steal more than $62 million from the cryptocurrency project Munchables, Monahan said.The Munchables hack was a revelation, Monahan said. She had been tracing cryptocurrency funds stolen by fake workers for years, and she realized that a lot of them seemed to like the Minions. "This was the moment where I was like, 'Hold up. This is a pattern. They're not just randomly selecting movies out of a database.'"She'd investigate a theft, and then look at the GitHub page maintained by the project that had been robbed. "And then a Minion would show up," she said. "We kept seeing Minions pop up over and over again."Today she says she's seen dozens of Minions in GitHub and Telegram profiles and the icons that accompany them.In the movies, Gru is a clever but loving supervillain who nurtures adopted daughters and a gaggle of Minions who help him square off against other villains.Some researchers say the North Korean workers are particularly drawn to using the name Kevin as a pseudonym, after the golf-loving minion from the second movie. In May 2024, a North Korean engineer going by the fake name "Kevin Taylor" spent about 90 minutes of his workday researching Vector Perkins, the warmup suit-wearing supervillain rival."He read from the Fandom wiki, searched for Vector Perkins images, even checked out a Screenrant article about Vector's return in a short film," said Evan Gordenker, a consulting director with the security firm Palo Alto Networks.In informal chat messages between the workers that were viewed by The Wall Street Journal, they sometimes greet each other with the salutation, "Hey Minion." They refer to the boss as "Gru."North Korea has called the U.S.'s workforce infiltration allegations part of an "absurd smear campaign."In late 2024, an anonymous collective of security researchers investigating the North Korean problem uncovered a cache of images on an unsecured Google drive. Among them was a photo of an alleged North Korean IT worker standing in front of a large Minions promotional display created by a Laotian telecommunications company. He poses, back straight, for the photo as two children play with toy minions in the background."They love animation," said Michael "Barni" Barnhart, an investigator with the insider risk security company, Dtex.North Korea has long had a love affair with animation. One of the country's most famous exports is a show known as " Clever Raccoon Dog," which tells the story of a North Korean underdog at war with a dangerous wolf, who represents the U.S., according to Martyn Williams, who studies North Korea for the Washington-based think tank, the Stimson Center."Clever Raccoon Dog" has a niche fan base outside of North Korea, but "Despicable Me" is the bigger export, Williams said. The original film in the franchise grossed $1.2 billion worldwide.Kim's father, who once ordered the kidnapping of South Korea's most revered director, was reportedly a cinephile with more than 20,000 DVDs in his collection. But his tastes ran more toward James Bond and "Friday the 13th."It couldn't be determined whether Kim is a fan of either Minions or Gru.Write to Robert McMillan at [email protected]