Dena Temple Rastin
From Recorded Future News and PRX, this is Click Here.
Aidan Rainey
I'll just record my microphone. Then on the recording, I'll clap for you too so we can sync it. There you go.
Dena Temple Rastin
But don't we have to clap together?
Aidan Rainey
Aidan, you're right.
Dena Temple Rastin
Three, two, one, one, clap. Okay, that's pretty close.
Aidan Rainey
Yeah, pretty close. Good enough.
Dena Temple Rastin
From Recorded Future News, this is Click Here's Mic Drop. A longer listen to one of our favorite interviews of the week. I'm Dina Temple-Raston. In Tuesday's episode, we focused on a North Korean scheme to infiltrate US companies. Pyongyang has dispatched a secret army of IT workers who respond to help wanted ads and get themselves hired so they can send their paychecks back to the Supreme Leader. And today we're talking with Aidan Rainey, an intelligence analyst who decided to go undercover and get on the inside of this program and then tell the world what he found.
Aidan Rainey
Obviously this was a very calculated risk that I saw, but I knew that this information in the hands of the wider cybersecurity community would have much more impact.
Dena Temple Rastin
Stay with us. I'm Dina Temple-Raston and this is Click Here's Mic Drop. So the name of your company is Farnsworth Intelligence, right?
Aidan Rainey
Yeah. Yeah.
Dena Temple Rastin
Aidan Rainey is a 23-year-old CEO of a cybersecurity company. It does sound very Yale, don't you think?
Aidan Rainey
I think it does, yeah. Although sometimes I get the Futurama comment that it sounds like the name of the character from that show.
Dena Temple Rastin
Have you a name? Hubert Farnsworth, at your service. Farnsworth, you say? Aidan is an open source intelligence guy and his clients are in a roster of different industries.
Aidan Rainey
I have a lot of clients who don't necessarily know anyone who can help them, but they know I'm somebody who can help them in those type of situations.
Dena Temple Rastin
Last year, an energy company that was one of Aidan's clients had a situation. It had just discovered one of its job applicants seemed to have ties to North Korea. Now, in Tuesday's episode, we explained that North Korea has been doing a lot of this lately. Sometimes these candidates are real life North Koreans using identities they bought on the Dark Web. And other times these guys are Westerners who have no idea that they're being used by Pyongyang to get hard currency into the country. North Korea uses the money they make in these scams to fund their weapons program. Typically, these Westerners just set up loads of laptops and these North Korean IT workers use them to mask their identities and the fact that their IP addresses aren't in the US. The operation itself is known as a laptop farm. And so if I were walking into a laptop farm, would it be like a giant room with tons of laptops?
Aidan Rainey
Yeah, I would say you'd see multiple desks and they'd just be covered in laptops. Some of the type of equipment you'd see is like, you'd see quite a few different webcams because they have to have multiple of them for the different meetings they have to take. You'd probably see quite a few keyboards. You might even see a little device that acts as what's called a KVM. So they can remotely control the devices without even connecting to them. They just have to plug something in.
Dena Temple Rastin
Got it. And so if I'm using a laptop farm, I have a laptop wherever I am, and I'm sort of using it almost the same way you'd use a VPN to make it look like you're somewhere else.
Aidan Rainey
Yeah, exactly. The difference is that it's in someone's home. And so if you're connecting from a US IP address, it looks a lot better.
Dena Temple Rastin
Often the North Korean IT workers who are on the other end are operating out of China or Russia, basically anywhere that has a decent Internet connection and is willing to turn a blind eye to the sanctions against North Korea. And when Aidan had a client targeted by this worker scam, it made him curious. He thought to himself, how does all this really work? And one way to get to the bottom of it, he decided, is by becoming part of it himself. So he did this very spy versus spy thing. He posed as someone eager to run one of those laptop farms.
Aidan Rainey
And so we performed a human operation, a human intelligence operation.
Dena Temple Rastin
That's when we come back. When Aidan decided to go undercover as essentially a laptop farmer, he started with a platform called Fiverr to try to get himself hired.
Aidan Rainey
So Fiverr is an online freelancing platform. It's actually named after the slang for the word $5. We don't sell anything for $5 on Fiverr. Our services are much more expensive.
Dena Temple Rastin
Okay, I'm glad to hear that. But for the purposes of posing as a laptop farmer, Fiverr was perfect. Aidan had heard North Korean IT workers use this site to recruit people who can help them pose as legitimate job candidates. So he reached out to someone he thought might be one of these North Korean recruiters, and he told them he was interested in the laptop farm business.
Aidan Rainey
I said, hey, a friend showed me this, told me about this, and I'm interested and why don't you tell me more? That was the pretext. That was the lie that got me in the door.
Dena Temple Rastin
So tell me about their vetting process for you.
Aidan Rainey
I don't think there was one. I don't think they really care about the people that they get involved in this because they know that they're relatively untouchable and all they care about is we need identity documents and we need a person, and I don't care. They don't care who it is as long as they get the money.
Dena Temple Rastin
So who did you tell him you were?
Aidan Rainey
I replied as myself. I didn't want to have to create a whole fake persona with a fake job history, fake LinkedIn, fake GitHub, and fake everything else. And so I just reached out as myself and they never batted an eye.
Dena Temple Rastin
A day later, he got a response. The person on the other end of the email called himself Ben. And it appears this Ben had no suspicions about Aidan at all.
Aidan Rainey
I don't even think they, they minded that I was an intelligence analyst because I had all of this software development background. And so in a way, I also think they thought I was a big catch.
Dena Temple Rastin
Ben said he'd love to work with Aidan, and in no time at all, they were chatting over Telegram and Discord to go over the logistics. They even had a video phone call over Google Meet.
Aidan Rainey
When I got into this Google Meet call, I was not expecting them to show their face at all.
Dena Temple Rastin
But Ben popped up on the screen. He was wearing a tracksuit and had a fake office background as his video chat wallpaper. Aidan recorded one of these sessions he had with him and shared it with us.
Aidan Rainey
Will I just be doing one job? Are you going to do the overemployed thing where you, like, do multiple remote jobs? I think it's fine working on more than two jobs. So, for example, if you're as a contractor, it's not a problem. And then how is it going to work for when I have to pay you? So I think we agreed 35% to you and the last me.
Dena Temple Rastin
Ben said he could keep 35% of each salary to be sent using a crypto wallet or PayPal. He explained he would create a resume and a LinkedIn account for Aidan and apply for jobs on Aidan's behalf. He even gave him interview responses so that he could be prepared as the job interviews came up. And the thing about talking with Ben was that there seemed to be many Bens. Each time Aidan spoke to Ben, either by chat, messenger or video chat, it seemed like he was talking to a different person. In fact, someone who talked or looked totally different.
Aidan Rainey
The second call, I started it by saying, hey, Ben. And it was a clearly different person. They turned their camera on only for a split second before turning it back off again.
Dena Temple Rastin
But the times the Bens did keep their cameras on, it was clear they weren't alone.
Aidan Rainey
I could see people walking behind them, hovering over their shoulder at parts, right? And so I knew that they were being monitored, or at least there was some sort of supervisor walking, walking around.
Dena Temple Rastin
And to confirm his suspicions that he was in fact talking with North Koreans, Aidan ran his findings past a North Korean defector.
Aidan Rainey
Look at the footage, listen to their voices, look at their appearances, the clothing they were wearing, all the TTPs, so the, all the different details of the case, and basically confirm whether this matches what they know.
Dena Temple Rastin
For North Koreans, that appeared to pass muster. Aidan was also able to track IP addresses associated with the Bens, and those seemed to confirm his suspicions as well. He could see they were communicating with him from China and using a VPN program popular among North Koreans. But he wanted to do more than just gather data. He wanted to see what it would be like to actually be one of these proxies applying for jobs. So when the Bens told him last October that they'd managed to land him a job interview, Aidan readily agreed. Then they sent him prepared responses, which he followed. And it worked. The company called Aidan and told him the job was his.
Aidan Rainey
They essentially said, you've got the job. You know, it was around 70 or 80k a year. We're going to send you a letter in the morning or an email with the offer and go through the background check process.
Dena Temple Rastin
That's when he told the company what he was really up to.
Aidan Rainey
And I had to tell them right then and there. I was like, I'm sorry, I can't. This is the situation. Here's what I'm doing. Please stop. Don't. Don't. Proceed.
Dena Temple Rastin
What was their reaction?
Aidan Rainey
Oh, they were a little upset, but.
Dena Temple Rastin
This was a glass half empty, half full situation for the company. After all, if he hadn't been an undercover applicant, they might have actually gone ahead and hired a North Korean.
Aidan Rainey
From their point of view, I did waste their time and, well, I'm sure looking at it from now they're going to understand that, like I, we wasted an hour or two of your time, but we saved so many companies, maybe millions of dollars from the data we collected.
Dena Temple Rastin
As for the Bens, Aidan told them he didn't get the job so he could keep talking to them, which he did for a few more months. But by early January, he decided to come clean. He told them that he, too, was working undercover, but he never got a response. Aidan shared his findings with Google's Mandiant, hoping what he learned would help them help other companies. But here's the thing about intelligence work. You pull a thread and it unravels in ways you don't quite expect. Aidan went in to expose his scheme to document tactics to help companies protect themselves. But when it was all over, what stayed with him, what lingers even now, isn't the mechanics of the operation. It's the people, the Bens. So do you still think about the Bens?
Aidan Rainey
Yes. I mean, I find myself kind of dreading the idea that these people are in, you know, being hurt right now. It's something that I do dwell on.
Dena Temple Rastin
A little bit, because the Bens, whoever they really were, weren't just faceless operators behind a screen. They were watching him. And they were being watched.
Aidan Rainey
My concern is that because of that, they're going to get punished or something along those lines.
Dena Temple Rastin
And that's the part that sticks. The weight of what might come next for the Bens. From Recorded Future News, this has been Click Here's Mic Drop. It was written and produced by Erica Gaeda, Megan Dietre, Sean Powers and me, Dina Temple-Raston. It was edited by Karen Duffett. We'll be back on Tuesday with an all new episode of Click Here. Have a great weekend.
C
If you're looking for a daily guide to cybersecurity news and policy, sign up for the Cyber Daily from Recorded Future News. It serves up the day's most interesting and important cyber stories from our sister publication The Record, and then aggregates all of the big cyber stories you might have missed from news outlets around the world. Just go to TheRecord.Media and click on Cyber Daily to get all you need to know about the world of cybersecurity right in your inbox.
Host: Dina Temple-Raston
Guest: Aidan Rainey, CEO of Farnsworth Intelligence
Release Date: March 7, 2025
In the episode titled "Mic Drop: Aidan Raney's Secret Mission," Dina Temple-Raston delves into the clandestine world of North Korean cyber operations through an exclusive interview with Aidan Rainey, a 23-year-old intelligence analyst and CEO of Farnsworth Intelligence. The episode uncovers Rainey's daring undercover mission to infiltrate a North Korean scheme aimed at compromising U.S. companies.
Rainey explains the sophisticated methods employed by North Korea to infiltrate American businesses. These operations, often referred to as "laptop farms," involve the recruitment of IT workers who respond to fraudulent job postings. Their primary objective is to secure employment, thereby enabling them to funnel their salaries back to North Korea to fund the nation's weapons programs.
Aidan Rainey [04:21]: "It's the difference between using a VPN and actually having a laptop in someone's home. If you're connecting from a US IP address, it looks a lot better."
These laptop farms typically employ Westerners, sometimes unwittingly, who become conduits for North Korean intelligence activities. The workers utilize multiple laptops, webcams, and KVM devices (keyboard, video, and mouse switches) to manage their operations remotely without revealing their true locations.
When one of Rainey's clients, an energy company, discovered unusual ties between a job applicant and North Korea, Rainey became intrigued by the mechanics of these operations. Determined to understand the intricacies firsthand, he decided to pose as a potential laptop farm operator.
Aidan Rainey [01:16]: "Obviously this was a very calculated risk that I saw, but I knew that this information in the hands of the wider cybersecurity community would have much more impact."
Rainey's decision marked the beginning of a high-stakes intelligence operation aimed at exposing and documenting the tactics used by North Korean cyber operatives.
To infiltrate the laptop farm network, Rainey utilized Fiverr, an online freelancing platform known to be exploited by North Korean recruiters to find suitable candidates. He reached out under his real identity, avoiding the need to create a completely fabricated persona.
Aidan Rainey [06:16]: "So Fiverr is an online freelancing platform. It's actually named after the slang for the word $5. We don't sell anything for $5 on Fiverr. Our services are much more expensive."
Within a day, Rainey connected with a recruiter named Ben, who appeared trustworthy and seemed unaware of Rainey's true intentions. Their interactions quickly moved to more secure communication channels like Telegram and Discord, culminating in a video call via Google Meet.
Aidan Rainey [07:05]: "I replied as myself. I didn't want to have to create a whole fake persona with a fake job history, fake LinkedIn, fake GitHub, and fake everything else. And so I just reached out as myself and they never batted an eye."
As Rainey continued his interactions, he noticed inconsistencies in the identity of "Ben." Each subsequent conversation revealed slight differences in appearance and demeanor, suggesting that multiple individuals were involved in the operation.
Aidan Rainey [09:50]: "The second call, I started it by saying, hey, Ben. And it was a clearly different person. They turned their camera on only for a split second before turning it back off again."
Further investigation confirmed his suspicions. Rainey consulted a North Korean defector who verified the authenticity of the tactics used by the recruiters. Additionally, tracking IP addresses revealed connections to China, often using VPN programs favored by North Korean operatives to mask their locations.
Aidan Rainey [10:08]: "I could see people walking behind them, hovering over their shoulders at parts right. And so I knew that they were being monitored, or at least there was some sort of supervisor walking around."
Eager to experience the operation from the inside, Rainey agreed to participate when offered a job interview. Following the provided script, he successfully secured a job offer with a salary between $70,000 and $80,000 annually.
Aidan Rainey [11:19]: "They essentially said, you've got the job. You know, it was around 70 or 80k a year. We're going to send you a letter in the morning or an email with the offer and go through the background check process."
Upon receiving the job offer, Rainey immediately informed the company of his undercover mission, effectively halting the hiring process. This revelation, while initially causing frustration for the company, ultimately prevented a North Korean operative from being employed under false pretenses.
Aidan Rainey [11:34]: "I was like, I'm sorry, I can't. This is the situation. Here's what I'm doing. Please stop. Don't proceed."
Rainey's undercover work continued as he maintained communication with the various "Bens" over several months. However, by early January, he chose to disclose his true identity, only to receive no response, indicating the network's disbandment or possible repercussions against the operatives.
Rainey shared his comprehensive findings with Google's Mandiant, aiming to bolster other companies' defenses against similar threats. Despite the operation's success in exposing the scheme, Rainey grappled with the ethical and emotional implications of his mission.
Aidan Rainey [13:10]: "I find myself kind of dreading the idea that these people are in, you know, being hurt right now. It's something that I do dwell on."
He expressed concern over the potential consequences for the "Bens," fearing they might face severe repercussions for their involvement.
The episode highlights the blurred lines between intelligence work and personal ethics. While Rainey's mission successfully disrupted a North Korean cyber operation, it also left him unsettled by the human aspect of his targets.
Aidan Rainey [13:40]: "My concern is that because of that, they're going to get punished or something along those lines."
This introspection underscores the complex nature of cybersecurity and intelligence operations, where safeguarding national interests often intersects with moral dilemmas.
"Mic Drop: Aidan Raney's Secret Mission" offers a gripping glimpse into the shadowy realm of cyber espionage and the lengths to which intelligence professionals must go to protect digital frontiers. Through Rainey's firsthand account, listeners gain a nuanced understanding of North Korean cyber tactics and the personal challenges faced by those combating them.
Notable Quotes:
Aidan Rainey [04:21]: "It's the difference between using a VPN and actually having a laptop in someone's home. If you're connecting from a US IP address, it looks a lot better."
Aidan Rainey [07:05]: "I replied as myself. I didn't want to have to create a whole fake persona with a fake job history, fake LinkedIn, fake GitHub, and fake everything else. And so I just reached out as myself and they never batted an eye."
Aidan Rainey [13:10]: "I find myself kind of dreading the idea that these people are in, you know, being hurt right now. It's something that I do dwell on."
This episode serves as a testament to the intricate dance between cybersecurity measures and the human elements that drive them, revealing the unseen battles fought to maintain the integrity of our digital world.