2025-08-04 – Florentine A
From KBLV in Las Vegas, it’s This North Korean Life, I’m your host, Chris Merkel. In today’s show we have a tale about unlikely international relationships.
This is a story about a senior software engineer, a farmer, and the complex supply chain funding North Korea’s weapons programs, operating out of organizations just like yours. We’ll unpack how the rise of remote work and over-employment schemes created perfect conditions to enrich the Kim regime. Our story unfolds in three acts:
Act I: /r/paycheck: The pandemic and the rise of over-employment schemes.
Act II: My friend Ben: Understanding the threat of workforce infiltration.
Act III: Trust Issues: Helping people bring their authentic selves to work.
Act I: /r/paycheck: The pandemic and the rise of over-employment schemes.
So we had a global pandemic. We all went home. Employers everywhere touted how productive and amazing teams were working remotely. We bought ring lights. We arranged books we never read by color on bookshelves behind our desks. We realized we could get jobs at four different firms simultaneously and outsource our work overseas to four different people. We touched grass and made sourdough loaves. This is where we start our story.
In this section:
1. Rational actors and their covert subcontractors. Discussion of the abuses seen in remote work pre-pandemic, typically through illicit subcontracting, which is still endemic in tech. We’ll discuss the economics of the incentive model in the world of contractors. This laid the groundwork for various forms of workforce infiltration, including my friend Ben.
2. Exploit hiring practices with this one weird trick. We will document the rise of over-employment, or job stacking, which exploits weaknesses in typical corporate management styles. The combination of managers’ inability to identify low performers and HR’s requirements around progressive discipline pretty much guarantees 9-12 months of income for little effort. This realization is not lost on North Korea.
Act II: My friend Ben: Understanding the threat of workforce infiltration.
(CFP NOTE: This is a TLP:CLEAR discussion. This part of the talk is where I have to be very careful about how I handle public and nonpublic intel – there’s a TLP:RED analogue of this I can’t give in a venue like bslv. I want to be clear with the committee that everything in this section is the result of direct experience or public intel, and I will be changing some details to prevent jeopardizing ongoing LE operations or revealing information that needs to stay confidential.)
1. Meet Ben, senior software engineer. “Ben” is a persona. “Ben” has stolen the identity of a real person, including name, address and social security number. I will be highlighting what I know about this persona, including:
a. Common failures in background check and job history reporting.
b. Fabulist resumes that don’t quite seem too good to be true, but good enough to make him stand out from the crowd.
c. Location discrepancies – Ben always seems to move right after he gets a job and fills out the payroll paperwork.
d. What Ben’s like as a co-worker. I discuss how his co-workers and manager saw him as a staff member and teammate. Something was always a bit “off,” but work was getting done.
2. Meet Ben, DPRK-affiliated actor. Ben may have eventually run into issues due to some of his work-style quirks, but unbeknownst to him, a team responsible for managing Insider Risk was on the hunt for his workplace predecessors, the subs and stackers.
a. In this section, I’ll talk about how Ben was found, via technical means used to identify people subcontracting their work, or job stackers who allowed sensitive data to cross outside of organizational boundaries.
b. Once Ben is identified for who he is, my teams made uncovering OSINT about him a full-blown sport. I’ll describe how we learned more about him, his interests and how we found other alternate identities.
3. Ben’s supporting cast: In this section, I will provide a technical overview of:
a. Laptop farms and how they operate
b. The use of on-shore sketchy datacenters for VPN tunneling
c. The type of people who operate laptop farms and how they’re recruited.
d. What we learned doing OSINT on a domestic-side farmer who doesn’t seem to have DPRK-level training in opsec.
4. So you’ve met your own Ben, now what? Safely eradicating DPRK actors. This is where I want to equip people to handle situations like this, based on what I have learned directly and through discussions with industry peers hunting DPRK. This includes equipment bricking and recovery, working with your hapless contract hire firm, and coordinating with internal partners on response.
Act III: Trust Issues: Helping people bring their authentic selves to work.
(This is where I’m going to switch to direct actions organizations can take to reduce their risk in this space.)
1. Hiring, identity proofing, authentication tips. We will talk about typical processes for establishing a person’s identity and why most are not strong enough to prevent impersonation. We will discuss ways to improve processes, the cost / friction these methods introduce and how to navigate this in your organization.
2. Technical indicators: These are much weaker indicators for DPRK, but can prove valuable in identifying stackers and subs. This includes things like remote access tooling, abnormal collaboration patterns, peer network topologies and hunting for out-of-band equipment, such as IP-based KVMs.
3. Presentation wrap-up, attendee to-do list. This is where I answer questions like “where do I get started?” and “what are the most effective methods for improving our processes?” This includes:
a. Equipment shipping logistics red flags
b. Supplier engagement
c. Internal stakeholder education and partnership.
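As an added illustration of the technical indicators named in Act II section 3 and Act III section 2 (datacenter/VPN egress, remote access tooling, activity hours that don’t match the claimed home time zone, and out-of-band hardware such as IP-based KVMs), here is a small detection-scoring script. It is not code from the talk or from Northwestern Mutual; the ASN/prefix table, process-name list, USB product-string heuristic and the two employee records are all constructed for the example, and the thresholds are assumptions a real program would tune against its own telemetry.

```python
"""Added example: score workforce-infiltration indicators over constructed telemetry.
Nothing here is from the talk; tables, records and thresholds are illustrative."""
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from zoneinfo import ZoneInfo

# Constructed stand-in for a hosting/datacenter prefix feed (RFC 5737 documentation
# ranges).  In practice this comes from your network-intelligence vendor.
DATACENTER_PREFIXES = {
    ip_network("203.0.113.0/24"): "EXAMPLE-HOSTING (constructed)",
    ip_network("198.51.100.0/24"): "EXAMPLE-COLO (constructed)",
}

# Illustrative process names for commercial remote-access tools.  On its own this
# is a weak signal; it gets interesting when combined with the other indicators.
REMOTE_ACCESS_PROCESSES = {"anydesk.exe", "teamviewer.exe", "rustdesk.exe"}

# Two constructed endpoint/activity records.  Activity timestamps are naive UTC
# ISO 8601 strings, and the dates are in January to avoid DST edge cases.
SUSPICIOUS = {
    "employee": "ben (constructed)",
    "claimed_tz": "America/Chicago",
    "egress_ip": "203.0.113.45",
    "processes": ["explorer.exe", "AnyDesk.exe", "code.exe"],
    "usb_devices": ["USB Keyboard", "Constructed IP-KVM HID Bridge"],
    "activity_utc": ["2025-01-15T07:00:00", "2025-01-15T08:30:00",
                     "2025-01-15T09:00:00", "2025-01-15T15:00:00"],
}
BENIGN = {
    "employee": "alice (constructed)",
    "claimed_tz": "America/Chicago",
    "egress_ip": "192.0.2.10",
    "processes": ["explorer.exe", "outlook.exe", "code.exe"],
    "usb_devices": ["USB Keyboard"],
    "activity_utc": ["2025-01-15T14:00:00", "2025-01-15T16:00:00",
                     "2025-01-15T20:00:00", "2025-01-15T22:00:00"],
}


def egress_in_datacenter(ip):
    """Return the datacenter label the IP falls in, or None if it is not in the feed."""
    addr = ip_address(ip)
    for net, label in DATACENTER_PREFIXES.items():
        if addr in net:
            return label
    return None


def remote_access_tools(process_names):
    """Process names from the endpoint inventory that match the remote-access list."""
    return sorted({p for p in process_names if p.lower() in REMOTE_ACCESS_PROCESSES})


def off_hours_fraction(activity_utc, claimed_tz):
    """Fraction of activity that lands between 00:00 and 05:59 in the claimed time zone.
    A persona working from a very different longitude tends to push this up."""
    tz = ZoneInfo(claimed_tz)
    hours = [datetime.fromisoformat(t).replace(tzinfo=timezone.utc).astimezone(tz).hour
             for t in activity_utc]
    return sum(1 for h in hours if h < 6) / len(hours) if hours else 0.0


def kvm_devices(usb_inventory):
    """USB product strings that look like an IP-KVM.  Substring matching is a
    constructed heuristic; a real program keeps a curated device list from asset data."""
    return [d for d in usb_inventory if "kvm" in d.lower()]


def score(record, off_hours_threshold=0.5):
    """Combine the indicators into (count, findings).  Additive scoring is deliberate:
    each signal alone has benign explanations, the combination is what merits review."""
    findings = []
    label = egress_in_datacenter(record["egress_ip"])
    if label:
        findings.append(f"egress from datacenter range: {label}")
    tools = remote_access_tools(record["processes"])
    if tools:
        findings.append("remote-access tooling: " + ", ".join(tools))
    frac = off_hours_fraction(record["activity_utc"], record["claimed_tz"])
    if frac >= off_hours_threshold:
        findings.append(f"{frac:.0%} of activity between 00:00-05:59 {record['claimed_tz']}")
    kvm = kvm_devices(record["usb_devices"])
    if kvm:
        findings.append("IP-KVM class USB device: " + ", ".join(kvm))
    return len(findings), findings


if __name__ == "__main__":
    for rec in (SUSPICIOUS, BENIGN):
        count, findings = score(rec)
        print(f"{rec['employee']}: {count} indicator(s)")
        for f in findings:
            print("  -", f)
```

The point of the additive score is the one the outline makes: none of these signals is strong on its own (plenty of legitimate staff use a VPN or keep a remote-support client installed), so the output is a review queue for the Insider Risk team, not an automated action.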
Chris leads Northwestern Mutual’s Incident Response, Insider Risk and Detection Engineering functions. Beyond his current role, he has had a distinguished career in cybersecurity, leading global organizations and solving cutting-edge challenges in cloud security, appsec, product security, threat-informed defense strategies and automated assurance methodologies. Chris is passionate about professional development, organizing career villages, performing career counseling, mentoring and being actively involved in helping non-traditional students get their start in cybersecurity.