North Korean Scammers Are Doing Architectural Design Now

“The plans are being used and being built,” says Michael “Barni” Barnhart, a leading authority in North Korean hacking and cyber threats, who works for insider threat security firm DTEX. Along with other DPRK researchers, who call themselves a “Misfit” alliance, Barnhart has seen this cluster of workers conducting architectural work and says other similar efforts have been detected. “They will do the CAD renderings, they’ll do the drawings,” he says. “It’s not like a hypothetical—those physical things do exist out there.”

Barnhart—who previously found North Korean animators appearing to work on Amazon and Max shows—says that he has also seen potential front companies set up to help run the operations and provide a veneer of legitimacy. The findings raise questions about the quality of the structural work and concerns about safety, if structures are created in the physical world. “In some of our investigations, these plans and these products that they’re making for these remodels and renderings, they’re not getting good reviews,” Barnhart says. “We do have indications that also they’re being hired to do critical infrastructure.”

One 24-minute long screen recording seen by WIRED shows how the freelance operation could work. In the video, a person signs up to a freelance work website and sets up a new profile where they write that they are a “licensed structural engineer/architect in the USA.” They pick a profile image from a folder of potentially downloaded files, translate text between English and Korean, and access a Social Security number generator website during the sign-up process.

When their account is created, the video shows them start to message online requests for work, with one message saying: “I can provide you [sic] permit drawing plan set for your residential home design within a few days.”

Other screen recordings show the workers having conversations with potential clients, and in at least one instance there is a recording of an online call discussing possible work. The Kela researcher, who asked not to be named for security reasons, says it appeared some prospective customers returned to the scammers after likely having work completed. The researchers say some kinds of work appeared to be priced from a few hundred dollars up to around $1,000 per job.

“This is an opportunistic nation,” DTEX’s Barnhart says. While many companies have started to figure out that North Korea’s IT workers are often applying for remote tech jobs, using false identities, deepfakes on video calls, and local workers to run their operations, they are consistently changing their approaches. Barnhart says it appears that architectural work has been successful for the alleged DPRK workers and that evidence shows the IT workers program can be more subtle than trying to get hired at companies.

“They’re moving to places where we’re not looking,” Barnhart says. “They’re also doing things like call centers. They’re doing HR and payroll and accounting. Things that are just remote roles and not necessarily remote hires.”
