North Koreans Secretly Animated Amazon and Max Shows, Researchers Say
For almost a decade, Nick Roy has been scanning North Korea’s tiny internet presence, spotting new websites coming online and providing a glimpse of the Hermit Kingdom’s digital life. However, at the end of last year, the cybersecurity researcher and DPRK blogger stumbled across something new: signs North Koreans are working on major international TV shows.

In December, Roy discovered a misconfigured cloud server on a North Korean IP address containing thousands of animation files. Included in the cache were animation cells, videos, and notes discussing the work, plus changes that needed to be made to ongoing projects. Some images appeared to be from an Amazon Prime Video superhero show and an upcoming Max (aka HBO Max) children’s anime.

The findings and security lapse—detailed in a report by the Stimson Center think tank's North Korea–focused 38 North Project, which helped analyze the findings along with Google-owned security firm Mandiant—provide a glimpse at how North Korea can use skilled IT and tech workers to raise funds for its heavily sanctioned regime. It also comes as US officials increasingly warn about North Korean IT workers infiltrating companies and their outsourcing.

North Korea’s internet is a small—and fragile—space. The repressive nation only has 1,024 IP addresses and around 30 websites that connect to the global internet. While there is a limited internal intranet, only a few thousand of the country’s 26 million people can get on the internet. When they do, it’s highly controlled: These select few North Koreans can use the internet for an hour at a time and have a person sitting next to them approving their use every five minutes. When Roy discovered the exposed cloud server, it was being updated on a daily basis.
Martyn Williams, a senior fellow on the 38 North Project who helped analyze the contents of the server, says the server likely allowed work to be sent to and from North Korean animators. The server itself is still live, but it mysteriously stopped being used at the end of February. While there is a login page, its contents can be accessed without a username and password. “I found the login page after I found all the exposed files,” Roy says.

Inside, the files contained editing comments and instructions in Chinese which were translated to Korean, the researchers write in their report. “For a lot of the animation files, we would find things like spreadsheets with details of the workflow,” Williams says. A sample of the files shared with WIRED shows detailed anime images and video clips, with notes for the authors and date stamps on various files. In one instance, the report says, an animator was “asked to improve the shape of the character’s head.”

Based on the documents and drawings, the researchers were able to identify some of the shows and projects the North Koreans were working on. Some of the projects included work from season 3 of the Amazon show Invincible, which is produced by California-based Skybound Entertainment. There were also documents linked to Max and Cartoon Network show Iyanu: Child of Wonder, produced by YouNeek Studios, as well as files from a Japanese anime series and an animation studio in Japan. Some file names gave away clues about the series and episode numbers. There were also files and projects the researchers could not identify—including a “bunch of files” with videos of horses and a Russian book on horses, Williams says.

Sanctions placed upon the North Korean regime, for its ongoing human rights abuses and nuclear warfare programs, prohibit US companies from working with DPRK companies or individuals.
However, the researchers say it is highly unlikely that any companies involved would have a clue about North Korean animators working on the shows, and there is nothing suggesting the companies violated any sanctions or other laws. “It is likely that the contracting arrangement was several steps downstream from the major producers,” the report says.

Spokespeople for Amazon and Max declined to comment for this story. YouNeek Studios did not respond to a request for comment. “We do not work with North Korean companies, or Chinese companies on Invincible, or any affiliated entities, and have no knowledge of any North Korean or Chinese companies working on Invincible,” a spokesperson for Skybound Entertainment says. “We take any claims very seriously and have commenced an investigation into this.” In a post on X, the company characterized the findings as “unconfirmed” and said it is working with authorities to investigate.

Williams says it is possible that a front company in China is used to help disguise the activity and involvement of North Koreans. The researchers were able to analyze connections to the exposed server and, despite most having their location masked by a VPN, spotted access from Spain and three Chinese cities. “All three cities are known to have many North Korean–operated businesses and are main centers for North Korea’s IT workers who live overseas,” the report says.

While Williams says the researchers did not find any identifiable names of North Korean organizations buried in the files, the country has a well-established animation company called April 26 Animation Studio, which is also known as SEK Studio. Originally set up in the 1950s, the studio has worked on hundreds of international TV shows and movies.
However, in recent years, the US Treasury Department has sanctioned SEK Studios, individuals linked to it, and various “front companies” that it says are used to “work for foreign customers.” Many of these have links to China, according to the sanctions. “SEK Studio has utilized an assortment of front companies to evade sanctions targeting the government of the DPRK and to deceive international financial institutions,” a statement issued as part of the sanctions in 2021 says.

The main aim of these efforts, says Michael Barnhart, a North Korea researcher at Mandiant, is to raise money for the North Korean regime. The country’s hackers and scammers have stolen and extorted billions of dollars to help fund its military ambitions in recent years, including from huge cryptocurrency heists. In early 2022, the FBI issued a 16-page alert warning companies that remote North Korean freelance IT workers were infiltrating businesses to earn money they could funnel back home.

“The volume is much higher than we were expecting,” Barnhart says of North Korea’s IT workers. They are constantly changing their tactics to avoid being caught, he says. “We had one not too long ago, where during the interview, the person’s mouth was just off-frame. You could tell that someone in the background was speaking on their behalf.”

Technically, Barnhart says, companies should verify their remote workers’ devices and make sure that there is no remote software connecting to a company laptop or network. Businesses should also put extra effort into the hiring stage by training HR staff to detect possible IT workers. However, he says, increasingly there is a greater crossover between North Korean IT workers and individuals who are members of known hacking groups or classified as advanced persistent threats (APTs). “The more we focus on IT workers, the more we’re starting to see APT operators and efforts blending in with those,” he says.
“This might be the most quick learning-on-your-feet, nimble nation-state that I've ever seen.”

Matt Burgess is a senior writer at WIRED focused on information security, privacy, and data regulation in Europe. He graduated from the University of Sheffield with a degree in journalism and now lives in London.