An imposter, believed to be North Korean, forged the official seal of an Ontario architect, an investigation by The Fifth Estate has found.

The Democratic People's Republic of Korea (DPRK) has in recent years engaged thousands of remote workers whose purpose is to generate revenue for the regime, according to an international advisory issued by the U.S. government. Their exploits have been detailed in indictments from the U.S. Department of Justice and reporting from around the world. 

While they are best-known for high-value cryptocurrency hacks, these workers will also take real jobs at real companies under false identities. According to an FBI bulletin from January, this employment sometimes ends with the worker stealing proprietary information or holding data and code hostage for ransom. 

"The threat posed by DPRK operatives is both real and immediate," U.S. Attorney Leah B. Foley said in an announcement on June 30. "Thousands of North Korean cyber operatives have been trained and deployed by the regime to blend into the global digital workforce."

They also masquerade as licensed professionals on freelance websites offering to do things like reviewing and approving engineering or architectural plans with forged stamps.

According to the Association of Architects of Ontario, an architect's stamp — otherwise known as a seal — is "a representation to the public" that the professional is taking responsibility for the document and that it was prepared by them or under their supervision and direction.

In Ontario, seals are issued by self-regulated bodies created and governed by specific legislation. For instance, Professional Engineers Ontario operates under the authority of the Professional Engineers Act.

In mid-May, a pseudonymous online researcher known only as Cookie Connoisseur posted a series of professional stamps on X bearing the names of engineers across the United States. Cookie Connoisseur claimed they were being used by North Korean remote workers.

Among them was the professional seal of Canadian architect Stephen Mauro, who is based in the Greater Toronto Area. His stamp appeared on a blueprint for a "boutique studio" designed by a company called Global Creative Consultant Engineers (GCCE).

Speaking with The Fifth Estate, Mauro stated he had never heard of GCCE, had never seen the drawing before and did not stamp it. He also pointed out that the signature on the seal did not resemble his, and that the stamp itself contained minor differences from his official seal.

"The biggest thing is to find out where these are being submitted in Ontario," Mauro said, "to notify the municipalities that it's not an actual architect submitting these."

Remote freelance work

Searching online, The Fifth Estate was able to locate a Facebook page for GCCE, which included an email address and phone number for a man named Faisal Hussain. When contacted by CBC, Hussain said he was based in Pakistan and confirmed the drawings were his.

When asked about his relationship with Mauro, Hussain initially stated "he is working with me as teammate." In a subsequent video call, Hussain said he had hired Mauro via an online freelancing platform and had never seen his face or heard his voice.

"He's been working with me for two years and I didn't get any issue from the city," Hussain said. He did not respond to questions about which city he was referring to.

According to a 2022 U.S. government advisory on North Korean IT workers, they "most commonly obtain freelance jobs through various online platforms."

The sentiment is echoed by cybersecurity expert Michael Barnhart, who works for the risk management firm DTEX Systems.  

"Whatever the popular thing in the host nation is what they're going for," Barnhart said, adding that he's seen logs of conversations where North Korean remote workers are asking an AI platform for lists of popular freelance websites in Canada and Japan.

Are the documents real?

In an attempt to highlight North Korean remote workers' activities, Cookie Connoisseur, as well as a number of other accounts, regularly post files — videos, photos, chat logs — that they claim originate from North Korean actors. 

Asked if they would be interviewed for this story, Cookie Connoisseur referred The Fifth Estate to Barnhart, the cybersecurity expert. He said he acts as the public face of this loose collective of online researchers. 

The U.S.-based Barnhart, who formerly led North Korea threat-hunting operations for a Google subsidiary called Mandiant, told The Fifth Estate that the members of the collective work regular jobs and do this research in their spare time.

Barnhart would not disclose how the collective obtained the blueprint bearing the Ontario architect Mauro's seal. In an email to CBC, he said the information had been corroborated by multiple researchers in the industry who had been tracking this particular North Korean "operator." 

He also noted that North Korean operatives read news articles about their work, and that as a result, providing too much information could divulge the researcher's methods. 

Alongside freelancing websites, North Korean remote workers also engage in what Barnhart called "spray-and-pray" job applications for positions at companies hiring remote workers. They apply for hundreds of jobs a day, and hope that with such a high volume, they will get at least some responses.

"If you're a Fortune 500 company, then I can easily say you've at least been targeted," Barnhart said. "Whether you've hired them, that's a different story."