Exclusive: The 23-year-old who infiltrated a North Korean laptop farm
Aidan Raney documented an operation to exploit U.S. businesses, one of the ways North Korea funds its weapons of mass destruction and ballistic missile programs.
While the U.S. is entrenched in a litany of domestic disputes, North Korea is growing more dangerous. Aidan Raney got a rare glimpse into a scheme to fund their weapons of mass destruction and ballistic missile programs, from his home in Wisconsin.
“I found myself using technology to escape,” Aidan tells me. Because by the time he was 18, Aidan had lost both of his parents, spent time in juvenile detention for truancy and theft, and was considering buying sleeping pills so that he would never have to wake up to another day.
A small community in Wisconsin helped him put his life back together. And some of the hacker skills he picked up in that dark chapter helped him pull off a bold effort to infiltrate a North Korean IT operation. In fact, I learned as I was writing this that Aidan did not plan to stop until the very moment I hit publish on this article. “I'm an analyst at heart, what can I say?”
The 23-year-old sent me a trove of images, audio, and video. He had the innocence and audacity of youth, despite his hardships. But was he legit? I contacted Michael Barnhart, North Korea Operations Manager at Google’s cybersecurity firm Mandiant, to see what he thought.
Michael recalled thinking, when Aidan had first reached out to him, “Okay, the North Koreans have finally got me. This is one of them pretending to be ‘Aidan.’” But the two kept talking. “He's got my trust now,” Michael told me.
The same guys pushing fake Viagra
In 2023, Aidan started Farnsworth Intelligence, an intelligence consulting company. Last August, a client reached out with a frantic request. “Hey Aidan, Need your help ASAP,” the energy company wrote. “We have a developer candidate that just disclosed to us that they were working with a North Korean!” Who were these people and how did they do it?
The Department of Justice says that thousands of North Korean IT workers have defrauded hundreds of American businesses — including Fortune 500 companies —using witting and unwitting Americans. The latest indictment was announced Thursday.
For Pyongyang, remote work through American proxies offers rewards beyond financing its WMD and missile programs: Laptop farms give North Korea a way to conduct espionage, insert malware into U.S. companies, and generate revenue for Kim Jong Un’s regime despite international sanctions. American HR and recruiting teams are clearly unprepared.
“These are the same guys that were pushing fake Viagra, fake counterfeit hundred dollar bills” in the 1990s, says Michael. Now they are also getting into extortion —threatening to sell company data to competitors, on the Dark Web, or to other advanced threat actors for cyberattacks. They have the placement and access, the skills and capability. It’s just a question if they will act on it, Sony-style. “They're positioning themselves where if they ever need to pull the plug, they can.”
Gaining ‘the Bens’ trust
The energy company Aidan was working with learned how the North Koreans contacted the applicant on Fiverr, a platform for freelance services. (The platform did not respond to my request for comment.) So in September, Aidan took similar steps — starting with making an account on Fiverr. Then he messaged the profile that the North Koreans had used to contact the applicant, “pretending to be a friend,” Aidan said.
Within a day, he was messaging with “Benjamin_Core.” It was all talk of opportunity. “What I would get from that, how much I make. Basically trying to convince me it's worth it.” But notably, without a reason as to why they were giving Aidan the opportunity.
“Ben” said he was in Poland, and was even complaining about the weather with a little coaxing from Aidan. The conversation eventually moved off of Fiverr to Telegram and Discord, with video calls on Google Meet. (Full disclosure/reminder: I did a journalist entrepreneurship training program with the Google News Initiative in 2024.)
Over time, Ben morphed into at least two other people without mentioning this inconvenient fact. Each Ben would speak and type differently, one with more broken English than the others. “If they were asking about something, oftentimes it was about something we had already talked about,” Aidan said. “Or something I asked just gets completely forgotten about.” They used cutesy photos of pigs and puppies for their avatars. Let them hereby be known collectively as the Bens.
Revise that resume
In the first video call on Google Meet, Ben No. 1 wore a tracksuit with a Mizuno logo, Japanese sportswear. He had selected a fake office background for the call. But at one point, the backdrop was broken by a man in beige walking by. “I think they had people supervising them that were in the room,” Aidan says.
I shared this video with a North Korean defector who agreed. He said the setting was consistent with how the IT teams typically operate. The man’s hairstyle was a common North Korean style. His casual sportswear “typical” of a North Korean IT worker. His face looked distinctly East Asian, “but not Japanese or Chinese.” He said the man’s English was much better than most IT professionals, but “if he has been outside of North Korea for a while, it is possible.”
On the video call, Ben explained what lay ahead. He wanted to start looking for jobs for Aidan in software development. But first, he needed to get Aidan’s resume ready. They wanted to modify his work experiences so it matched their own, Aidan said. “They asked, ‘Can we set up your LinkedIn a certain way? Can we get into it?’”
Aidan didn’t want the North Koreans to be able to access his genuine accounts, so he suggested they set up a second LinkedIn page. “They didn't seem to be set off by that,” he said, as though it was a request that others had made before him. Here’s the fake LinkedIn profile the Bens made him.
Autism, anyone?
They filled a gap in Aidan’s resume with a position at Autism360. “I think that may have even potentially been like a sly insult from them,” Aidan told me. “I'm on the spectrum of high-functioning autism, so they may have noticed that.”
I called Autism360 to see if they knew the North Koreans were referencing the company. An automated voice greeted me multiple times in different ways, but wouldn’t connect me with a real human or let me leave a voicemail. I never received a response to my email.
Ben tried to minimize the resume changes, saying, “Most of the resume is correct.” He also asked Aidan to set up a laptop that he could access remotely.
North Korea’s tech preferences
On a second video call with Ben No. 2, who was thinner and had square glasses, Aidan fished for specifics. “How is this going to work when the company [that hires me] sends me a computer?” Wouldn’t the company notice if software was installed?
Ben said they could use WebEx, a Cisco communication and collaboration platform, which is allowed on most work laptops and has a plug-in to let others’ control someone’s device. Cisco did not immediately respond to my request for comment.
Aidan fooled the Bens with a Virtual Machine, which operated as an isolated computing system in the cloud but gave the appearance of being a real computer. The Bens accessed it through a popular remote desktop software called AnyDesk. But Aidan wanted their IP addresses, and got them to use different software. “I said that I didn't trust AnyDesk… and they just went along with it.” Once they switched to software called RustDesk, he got time stamps of when the men logged in and out, as well as their IP addresses.
Initially, their IP addresses tied back to servers in China, obscuring their footprint through a Virtual Private Network called Astrill, which has already been linked to North Korea. About a week later, the IP addresses were found in Russia. And they were using the same network as a group that was attacking Russian infrastructure — something the North Koreans have done in the past. Mandiant’s Michael Barnhart told me these findings are consistent with threat group UNC5267, where the North Korean government primarily sends its IT workers to live in China and Russia.
Aidan asked the Bens how he would pay them a cut for the work they would do. They didn’t want to set up a direct deposit, which would reveal a bank account. One of the Bens said they could use cryptocurrency, Payooner, or Paypal.
But what if Aidan was hired for multiple jobs and needed to be in more than one meeting at the same time, he asked. “I can help if you can't joining more than two meetings at the same time,” Ben wrote. “I can follow your time zone.”
Sometimes North Koreans will pretend to be the employee on camera, and do a urinalysis test too, Michael told me. The North Koreans have also used Artificial Intelligence — at least to enhance stock photography and create an applicant’s photo, according to one company that was targeted.
With the fake resume made and Aidan’s questions answered, the Bens started to apply for jobs. Aidan waited to see how they could fool a business. “How do they convince a company that I know how to code for something that I don't know how to code?”
Fooling a government contractor
By early October, the Bens had gotten Aidan a job interview. It was a public trust position with a government contractor, coding Geographic Information Systems (GIS) in a specific format.
They had prepared a whole backstory. “This fake experience I had with GIS, with all of these realistic-sounding projects, with all of the right buzzwords that made sense for the situation, all of the right technology stacks. It sounded very real. And then I was instructed to, during the meeting, get on the phone with them so they could listen in.”
Below is a screenshot of the Bens’ prepared responses on Discord and a recording of Aidan parroting the corresponding answers during the interview. The North Koreans also wrote him real-time answers through the Virtual Machine’s Notepad feature, Aidan said.
Afterward, Ben wrote, “You’ve done a really great job! I never knew you were such a good interviewee.”
The government contractor’s Talent Acquisition Lead must have liked the responses. Because they wanted to schedule a second interview on the same day. Aidan says the next interview was with a developer who managed the project. And he got a verbal job offer.
“Wow, sounds great!” Ben wrote. Then he tried to make sure Aidan would take the job. “Maybe you can sign the letter if you receive it. right?”
Of course, Aidan didn’t actually want the job. So he told the contractor what he was really doing and said they should have done a deeper background check on him. Then he told the North Koreans that the contractor never followed up, and that he had accepted another job that required him to move.
What can words buy you?
After that, he let the communication with the North Koreans diminish. He had sent the IP addresses and other details (available here) to his client. But he wasn’t ready to let the relationship fade completely. “I kept talking to them out of personal curiosity,” he told me. “I was really hoping they'd open up to me, if I just talked to them for a while.”
Now came exchanges around Halloween and Christmas. The Bens sent a GIF of a penguin in a sweater, saying, “I wish you have a nice rest with your family… Family is the best.”
Aidan really wanted the rapport to lead to conversation about how they missed their own families. “Over time, they kind of warmed up to me,” he says. But he never felt like they got close.
“They didn't want to really say much. And there was a lot of pausing in their responses, like where they were thinking about how to best respond.” And of course, they were likely under close surveillance.
But the Bens didn’t want to cut contact either. On Jan. 7, they were back to business, asking him how his new job was going. “Do they pay well?” On Jan. 8, “Once your account is raised, I can guarantee you'll get about 5K each month from that account.”
Lunching with the FBI
As Aidan communicated with the North Koreans, he was also trying to make contact with the FBI. A letter, double-enveloped and printed on high quality paper, finally got the Wisconsin field office’s attention.
Eventually, three agents met Aidan at a restaurant. They asked him about himself with an affable skepticism, saving talk on the North Koreans for once they got inside their black SUV. “They basically said, ‘Hey, why did you do this?’” Aidan says they didn't seem interested in his findings, as if they already knew the drill.
A little bit of heartbreak
In 2022, the FBI had warned of North Korea’s IT operations. They also said that some workers were subjected to human trafficking, including working long hours, being under constant surveillance, and living in unsafe conditions.
These details are not lost on Aidan. He had previously helped to identify and map networks of human trafficking with The Traverse Project, a nonprofit organization that relies on data intelligence. He himself had been in unsafe living conditions after his stepfather and mother died — sleeping against a tree stump one night, covered in leaves for warmth. At a treatment facility, he had met a woman who had been trafficked and was addicted to opioids. “You don't belong here,” she had told him. It was a turning point in his life.
The FBI agents expressed some concern for Aidan’s safety, but said he could share whatever he wanted. We published when he felt ready. And I asked him what it felt like to have spent the past few months chatting with the North Koreans.
“When it started, this was just another case,” he told me. “I didn't really get emotionally attached. I didn't let myself do that.” But over time, the Bens got to him, albeit not in the way they had intended.
Aidan was reading deeply into their winks and emojis, their simple sentences. “I would just think about these people that I'm talking to,” he said. “It was kind of heartbreaking to know that that's their life. And I almost felt a little bad for making light of this situation because in reality, it could affect them. And that does get to me.”