A misconfigured North Korean Internet cloud server has provided a fascinating glimpse into the world of North Korean animation outsourcing and how foreign companies might be inadvertently employing North Korean companies on information technology (IT) projects. The incident also underlines how difficult it is for foreign companies to verify that their outsourced work is not potentially breaking sanctions and ending up on computers in Pyongyang.

The story begins in late 2023 with the discovery of a cloud storage server on a North Korean Internet Protocol (IP) address. The server, which appears to be no longer in use, had been incorrectly configured, making the daily flow of files into and out of it viewable by anyone, without a password. North Korea employs such servers because the average IT worker inside the country does not have direct access to the Internet. Typically, an organization might have just one or two computers with Internet access; workers need approval to use them and are monitored while they do so.

The cloud server in question was discovered by Nick Roy, who runs the NK Internet blog. Together, throughout January this year, we observed the files passing through it. Each day, a new batch of files would appear that included instructions for animation work and the results of that day's work. The identity of the person or persons uploading the files could not be determined.

Often the files contained editing comments and instructions in Chinese, presumably written by the production company, along with a translation of those instructions into Korean. This suggests a go-between was responsible for relaying information between the production companies and the animators. The identity of the North Korean partner was never revealed in any of the documentation observed, but it is likely the April 26 Animation Studio, also known as SEK Studio.
The Pyongyang-based organization is North Korea's premier animation house, producing series for domestic television broadcasts, including the popular "Squirrel and Hedgehog" series. It has previously worked on several international projects, including some with South Korean companies during the "Sunshine Policy" era in the early 2000s. However, in 2016, the studio was sanctioned by the US Department of the Treasury as a North Korean state-owned enterprise. The US government has twice imposed additional sanctions on Chinese companies that have worked with the studio or acted as a go-between, once in 2021 and again in 2022.

For example, in the communication pictured below, the animator is asked to improve the shape of the character's head.

Together with researchers from Mandiant, a computer security company owned by Google, we also examined the access logs for the server. They revealed several logins from Internet addresses associated with virtual private network (VPN) services, but among those that were not VPN-related were an IP address in Spain and three in China. Two of the Chinese addresses were registered to Liaoning Province, which neighbors North Korea and includes the cities of Dandong, Dalian and Shenyang. All three cities are known to have many North Korean-operated businesses and are main centers for North Korea's IT workers who live overseas.
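The log review described above comes down to two questions an analyst would ask of any exposed storage endpoint: which source addresses hit it, and did the server accept uploads from clients that never authenticated. The script below is an added illustration of that triage and is not code from the article, from Nick Roy, or from Mandiant. The access-log lines, the IP addresses (drawn from the RFC 5737 documentation ranges) and the CIDR-to-label table are all constructed; a real investigation would build the table from VPN/proxy feeds and WHOIS or geolocation data, which the page does not reproduce.

```python
"""Triage of source IPs in web-server access logs (added example).

Not the authors' tooling. Sample log lines and the CIDR table are
constructed for illustration only.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample in Common Log Format. The "-" in the third field is
# the authenticated user: every request here carried no credentials.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jan/2024:08:01:22 +0900] "PUT /upload/scene12_v3.mp4 HTTP/1.1" 201 0
198.51.100.44 - - [12/Jan/2024:08:05:10 +0900] "GET /files/ HTTP/1.1" 200 8123
203.0.113.7 - - [12/Jan/2024:09:11:02 +0900] "GET /files/notes_zh.txt HTTP/1.1" 200 512
192.0.2.130 - - [12/Jan/2024:10:30:45 +0900] "GET /files/ HTTP/1.1" 200 8123
198.51.100.44 - - [13/Jan/2024:08:04:59 +0900] "GET /files/ HTTP/1.1" 200 8140
192.0.2.77 - - [13/Jan/2024:11:00:00 +0900] "PUT /upload/scene13_v1.mp4 HTTP/1.1" 201 0
"""

# Hypothetical classification table (constructed). Real work would use
# commercial VPN/proxy lists plus WHOIS/geolocation for the rest.
CIDR_LABELS = {
    "203.0.113.0/24": "vpn",
    "198.51.100.0/25": "cn-liaoning",
    "192.0.2.128/26": "es",
}
_NETS = [(ipaddress.ip_network(c), label) for c, label in CIDR_LABELS.items()]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

WRITE_METHODS = {"PUT", "POST", "DELETE", "PATCH"}


def parse_line(line):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": ipaddress.ip_address(m["ip"]),
        "user": m["user"],
        "ts": m["ts"],
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def classify(ip):
    """Label an address by the first matching CIDR, else 'unknown'."""
    for net, label in _NETS:
        if ip in net:
            return label
    return "unknown"


def triage(log_text):
    """Summarise a log: requests per IP grouped by label, the non-VPN
    addresses worth attributing, and writes accepted without any auth."""
    by_label = defaultdict(Counter)
    unauth_writes = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        by_label[classify(rec["ip"])][str(rec["ip"])] += 1
        if (rec["method"] in WRITE_METHODS and rec["user"] == "-"
                and 200 <= rec["status"] < 300):
            unauth_writes.append((str(rec["ip"]), rec["path"]))
    non_vpn = sorted(ip for label, ips in by_label.items()
                     if label != "vpn" for ip in ips)
    return {
        "by_label": {k: dict(v) for k, v in by_label.items()},
        "non_vpn": non_vpn,
        "unauth_writes": unauth_writes,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The VPN addresses are grouped rather than discarded so that their activity pattern can still be compared with the rest, but only the non-VPN ones go on the attribution list, which mirrors the distinction the article draws. The "unauth_writes" list is the misconfiguration finding itself: successful uploads with no authenticated user.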
So what did we really learn that we didn't already know?