North Korean IT Worker Scams Targeting Remote Hiring
North Korean operatives are exploiting remote hiring processes by using fake identities and proxy workers to secure employment with international companies, thereby circumventing sanctions and gaining unauthorized access to sensitive corporate environments. Legal expert Jonathan Armstrong emphasizes the importance of robust vetting practices, such as reverse-image searches, thorough reference checks, and monitoring for suspicious IP addresses, to detect and prevent these scams. HR departments are advised to be cautious of candidates who avoid video interviews or require extended preparation time, as these behaviors may indicate fraudulent intent.
Organizations are urged to follow official guidance, such as that from the U.K. Office of Financial Sanctions Implementation, to avoid inadvertently violating sanctions, which can result in severe criminal penalties. Armstrong also recommends separating hiring decisions from background checks to minimize discrimination risks and preserve evidence. Structured interviews and due diligence are critical in identifying red flags and ensuring compliance, helping companies avoid becoming unwitting accomplices to North Korean cyber operations.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
1 event from the most recent confirmed update back to the earliest known activity.
Story first reported
Initial story creation
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
North Korean IT Worker Infiltration of Remote Hiring Pipelines
Reporting highlighted ongoing **North Korean IT worker** operations in which individuals use **stolen identities, falsified resumes, and AI-enabled deepfakes** to obtain remote roles at Western companies, creating direct insider-risk exposure once hired. The activity was described as affecting **thousands** of workers and **Fortune 500** employers, with claims of "**3,000 hands on keyboards**" and roughly "**30,000 different email addresses**" in use to support multiple personas, generating wages that can total **hundreds of millions of dollars annually** and help fund the North Korean regime. Recommended screening and verification measures focused on practical controls for remote hiring, including prompting candidates to **perform live actions on video** (e.g., wave), validating **IP address/geolocation consistency** with claimed location, and probing discrepancies in a candidate’s stated whereabouts. The reporting framed these checks as necessary to counter identity fraud and synthetic media used to pass interviews and onboarding, and to reduce the likelihood of granting network access to sanctioned or malicious actors operating under false identities.
May 8, 2026
North Korean Fake IT Worker Network Infiltrates Western Firms and Funds Pyongyang
U.S. authorities and multiple security firms detailed a large North Korean scheme in which operatives use stolen or fabricated identities to win remote IT jobs at Western companies, then send the earnings back to Pyongyang in violation of sanctions. Research from IBM X-Force, Flare, Microsoft, LevelBlue, and others described a mature ecosystem of recruiters, facilitators, brokers, laptop-farm operators, and Western collaborators that helps workers pass interviews, receive corporate devices, mask their locations with VPNs, and clear payroll and compliance checks. Estimates cited across the reporting say more than 100,000 workers operating across dozens of countries may be generating roughly **$500 million annually**, while some cases also involved data theft, source-code exfiltration, extortion, and malware activity after hiring. The U.S. Treasury's Office of Foreign Assets Control sanctioned six individuals and two entities tied to the operation, while U.S. courts sentenced three Americans, including a former Army soldier, for helping North Korean workers use false identities and laptop farms to obtain jobs at U.S. companies. Investigations also exposed operational tradecraft including use of **Astrill VPN**, **NetKey/OConnect**, **IP Messenger**, freelance platforms, AI-generated resumes and headshots, and U.S.-based hardware relays such as PiKVM-enabled laptop farms; one hired worker was removed within 10 days after suspicious logins from China and Missouri triggered detection. Researchers and federal advisories warned that remote hiring has become an insider-threat and sanctions-compliance risk, urging tighter identity verification, live skills testing, device and geolocation controls, least-privilege access, and joint oversight by HR, recruiters, and security teams.
Jun 23, 2026
North Korean Fraudulent Remote Employment Schemes Targeting US Architecture and Engineering Sectors
North Korean operatives have expanded their fraudulent remote employment schemes beyond traditional IT and software development roles to include architectural and civil engineering positions within US companies. According to research by cybersecurity firm Kela, North Korean workers have been creating fake profiles, résumés, and even using stolen Social Security numbers to secure freelance jobs in architecture and structural engineering. These operatives have produced 2D architectural drawings and 3D CAD files for properties located in the United States, indicating direct involvement in sensitive infrastructure projects. The workers have also been observed advertising a wide range of architectural services and, in some cases, creating or using architectural stamps or seals to falsely certify that their designs comply with local building regulations. This activity represents a significant evolution in North Korea’s strategy to generate revenue for its regime, moving beyond IT and cryptocurrency projects to infiltrate new sectors. The scale of these operations is believed to be extensive, with thousands of North Korean digital laborers having previously earned billions for the regime through similar schemes in the tech industry. The new focus on architecture and civil engineering raises concerns about the potential exposure of sensitive infrastructure information and the risk of compromised building designs. US companies are being targeted through freelance platforms and remote work arrangements, making it difficult to verify the true identities and locations of these workers. The use of stolen or fabricated documentation further complicates detection and prevention efforts. Cybersecurity experts warn that these schemes not only provide financial support to North Korea’s authoritarian government but also pose risks to national security and critical infrastructure. The operatives’ ability to access and potentially manipulate architectural plans could have far-reaching consequences if exploited for malicious purposes. Organizations are advised to strengthen their vetting processes for remote workers, particularly in fields related to infrastructure and design. Enhanced background checks, verification of credentials, and monitoring for suspicious activity are recommended to mitigate the threat. The expansion of North Korea’s remote employment schemes into new professional domains underscores the regime’s adaptability and the ongoing need for vigilance among US businesses. This development highlights the intersection of cyber-enabled fraud, insider threats, and geopolitical risk in the modern workforce. The findings serve as a warning to companies across multiple sectors to remain alert to sophisticated social engineering and employment fraud tactics originating from state-sponsored actors.
Mar 21, 2026