Ontario architect's seal forged by remote worker believed to be North Korean fraudster

Matthew Pierce · CBC News

· Posted: Jul 04, 2025 1:13 PM EDT | Last Updated: 3 hours ago

An imposter, believed to beryllium North Korean, forged the authoritative seal of an Ontario architect, an probe by The Fifth Estate has found.

The Democratic People's Republic of Korea (DPRK) has successful caller years engaged thousands of distant workers whose intent is to make gross for the regime, according to an planetary advisory issued by the U.S. government. Their exploits person been elaborate successful indictments from the U.S. Department of Justice and reporting from astir the world. 

While they are best-known for high-value cryptocurrency hacks, these workers volition besides instrumentality existent jobs astatine existent companies nether mendacious identities. According to an FBI bulletin from January, this employment sometimes ends with the idiosyncratic stealing proprietary accusation oregon holding data and code hostage for ransom. 

"The menace posed by DPRK operatives is some existent and immediate," U.S. Attorney Leah B. Foley said successful an announcement on June 30. "Thousands of North Korean cyber operatives person been trained and deployed by the authorities to blend into the planetary integer workforce."

They besides masquerade arsenic licensed professionals connected freelance websites offering to bash things similar reviewing and approving engineering oregon architectural plans with forged stamps.

According to the Ontario Association of Architects, an architect's stamp — different known arsenic a seal — is "a practice to the public" that the nonrecreational is taking work for the papers and that it was prepared by them oregon nether their supervision and direction.

In Ontario, seals are issued by self-regulated bodies created and governed by specific legislation. For instance, Professional Engineers Ontario operates nether the authorization of the Professional Engineers Act.

In mid-May, a pseudonymous online researcher known lone arsenic Cookie Connoisseur posted a bid of nonrecreational stamps connected X bearing the names of engineers crossed the United States. Cookie Connoisseur claimed they were being used by North Korean distant workers.

Among them was the professional seal of Canadian designer Stephen Mauro, who is based in the Greater Toronto Area. His stamp appeared on a blueprint for a "boutique studio" designed by a institution called Global Creative Consultant Engineers (GCCE).

Speaking with The Fifth Estate, Mauro stated helium had ne'er heard of GCCE, had ne'er seen the drafting earlier and did not stamp it. He besides pointed out that the signature connected the seal did not lucifer his, and that the stamp itself contained insignificant differences from his official seal.

"The biggest happening is to find retired wherever these are being submitted successful Ontario," Mauro said, "to notify the municipalities that it's not an existent designer submitting these."

Remote freelance work

Searching online, The Fifth Estate was capable to locate a Facebook leafage for GCCE, which included an email code and telephone fig for a antheral named Faisal Hussain. When contacted by CBC, Hussain said helium was based successful Pakistan and confirmed the drawings were his.

When asked astir his narration with Mauro, Hussain initially stated "he is moving with maine arsenic teammate." In a consequent video call, Hussain said helium had hired Mauro via an online freelancing level and had ne'er seen his look oregon heard his voice.

"He's been moving with maine for 2 years and I didn't get immoderate contented from the city," Hussain said. He did not respond to questions astir which metropolis helium was referring to.

According to a 2022 U.S. government advisory connected North Korean IT workers, they "most commonly get freelance jobs done assorted online platforms."

The sentiment is echoed by cybersecurity adept Michael Barnhart, who works for the hazard absorption steadfast DTEX Systems.  

"Whatever the fashionable happening successful the big federation is what they're going for," Barnhart said, adding that he's seen logs of conversations wherever North Korean distant workers are asking an AI level for lists of fashionable freelance websites successful Canada and Japan.

Are the documents real?

In an effort to highlight North Korean distant workers' activities, Cookie Connoisseur, as good arsenic a fig of different accounts, regularly station files — videos, photos, chat logs — that they assertion originate from North Korean actors. 

Asked if they would beryllium interviewed for this story, Cookie Connoisseur referred The Fifth Estate to Barnhart, the cybersecurity expert. He said helium acts as the nationalist look of this loose corporate of online researchers. 

The U.S.-based Barnhart, who formerly led North Korea threat-hunting operations for a Google subsidiary called Mandiant, told The Fifth Estate that the members of the corporate enactment regular jobs and bash this probe successful their spare time.

Barnhart would not disclose however the corporate obtained the blueprint bearing the Ontario designer Mauro's seal. In an email to CBC, helium said the accusation had been corroborated by aggregate researchers successful the manufacture who had been tracking this peculiar North Korean "operator." 

He also noted that North Korean operatives work quality articles astir their work, and that arsenic a result, providing excessively overmuch accusation could divulge the researcher's methods. 

Alongside freelancing websites, North Korean distant workers besides prosecute successful what Barnhart called "spray-and-pray" occupation applications for positions astatine companies hiring distant workers. They use for hundreds of jobs a day, and anticipation that with specified a precocious volume, they volition get astatine slightest immoderate responses.

"If you're a Fortune 500 company, past I tin easy accidental you've astatine slightest been targeted," Barnhart said. "Whether you've hired them, that's a antithetic story."