North Korean IT Worker Infiltration of Remote Hiring Pipelines
Reporting highlighted ongoing North Korean IT worker operations in which individuals use stolen identities, falsified resumes, and AI-enabled deepfakes to obtain remote roles at Western companies, creating direct insider-risk exposure once hired. The activity was described as affecting thousands of workers and Fortune 500 employers, with claims of "3,000 hands on keyboards" and roughly "30,000 different email addresses" in use to support multiple personas, generating wages that can total hundreds of millions of dollars annually and help fund the North Korean regime.
Recommended screening and verification measures focused on practical controls for remote hiring, including prompting candidates to perform live actions on video (e.g., wave), validating IP address/geolocation consistency with claimed location, and probing discrepancies in a candidate’s stated whereabouts. The reporting framed these checks as necessary to counter identity fraud and synthetic media used to pass interviews and onboarding, and to reduce the likelihood of granting network access to sanctioned or malicious actors operating under false identities.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Nisos reports DPRK employment fraud targeting crypto companies
On 2026-05-07, Nisos published research describing North Korean employment fraud activity aimed at cryptocurrency companies. The report adds a new sector-specific targeting development to the broader DPRK remote worker scheme.
SentinelOne reports hundreds of fake personas applying for jobs
In 2025, SentinelOne reported seeing hundreds of fraudulent personas linked to North Korean job applicant activity. The finding showed the operation had scaled significantly and was using fabricated identities to target remote roles.
KnowBe4 says it hired a North Korean worker who deployed malware
In 2024, security awareness company KnowBe4 disclosed that it had hired a North Korean IT worker using a false identity. The worker reportedly loaded malware, demonstrating the insider-risk posed by the campaign.
FBI raids Arizona laptop farm tied to North Korean remote worker scheme
In 2023, U.S. federal authorities raided an Arizona "laptop farm" linked to North Korean IT workers. The operation was tied to laptops used for remote work at hundreds of companies, illustrating the scale of the scheme.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
7 references tracked. Mallory keeps watching after this page renders.
DPRK Employment Fraud Targeting Crypto Companies - Nisos
nisos.com
Open sourceHow to spot a North Korean fake in a job interview - Help Net Security
helpnetsecurity.com
Open source1/12 Lots of people asking if I make every Asian male I interview insult Kim Jong Un - for the avoidance of doubt, I only ask someone to insult Marshal Kim when I'm already confident they're North Korean and trying to defraud. by @tanuki42_(tanuki42) | Twitter Thread Reader
archive.md
Open sourceDetecting DPRK IT Workers: High-Confidence Network & Identity Indicators (Q1 2026)
imper.ai
Open sourceNorth Korean IT Worker Unmasked After Refusing to Insult Kim Jong Un in Job Interview
cybersecuritynews.com
Open sourceHow to Spot a North Korean Job Candidate - GovInfoSecurity
govinfosecurity.com
Open sourceHow to Spot a North Korean Job Candidate - BankInfoSecurity
bankinfosecurity.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
North Korean Fake IT Worker Network Infiltrates Western Firms and Funds Pyongyang
U.S. authorities and multiple security firms detailed a large North Korean scheme in which operatives use stolen or fabricated identities to win remote IT jobs at Western companies, then send the earnings back to Pyongyang in violation of sanctions. Research from IBM X-Force, Flare, Microsoft, LevelBlue, and others described a mature ecosystem of recruiters, facilitators, brokers, laptop-farm operators, and Western collaborators that helps workers pass interviews, receive corporate devices, mask their locations with VPNs, and clear payroll and compliance checks. Estimates cited across the reporting say more than 100,000 workers operating across dozens of countries may be generating roughly **$500 million annually**, while some cases also involved data theft, source-code exfiltration, extortion, and malware activity after hiring. The U.S. Treasury's Office of Foreign Assets Control sanctioned six individuals and two entities tied to the operation, while U.S. courts sentenced three Americans, including a former Army soldier, for helping North Korean workers use false identities and laptop farms to obtain jobs at U.S. companies. Investigations also exposed operational tradecraft including use of **Astrill VPN**, **NetKey/OConnect**, **IP Messenger**, freelance platforms, AI-generated resumes and headshots, and U.S.-based hardware relays such as PiKVM-enabled laptop farms; one hired worker was removed within 10 days after suspicious logins from China and Missouri triggered detection. Researchers and federal advisories warned that remote hiring has become an insider-threat and sanctions-compliance risk, urging tighter identity verification, live skills testing, device and geolocation controls, least-privilege access, and joint oversight by HR, recruiters, and security teams.
Jun 23, 2026
North Korean IT Worker Scams Targeting Remote Hiring
North Korean operatives are exploiting remote hiring processes by using fake identities and proxy workers to secure employment with international companies, thereby circumventing sanctions and gaining unauthorized access to sensitive corporate environments. Legal expert Jonathan Armstrong emphasizes the importance of robust vetting practices, such as reverse-image searches, thorough reference checks, and monitoring for suspicious IP addresses, to detect and prevent these scams. HR departments are advised to be cautious of candidates who avoid video interviews or require extended preparation time, as these behaviors may indicate fraudulent intent. Organizations are urged to follow official guidance, such as that from the U.K. Office of Financial Sanctions Implementation, to avoid inadvertently violating sanctions, which can result in severe criminal penalties. Armstrong also recommends separating hiring decisions from background checks to minimize discrimination risks and preserve evidence. Structured interviews and due diligence are critical in identifying red flags and ensuring compliance, helping companies avoid becoming unwitting accomplices to North Korean cyber operations.
Mar 21, 2026
DPRK Remote IT Worker Scheme Uses Impersonated Real LinkedIn Accounts to Infiltrate Employers
North Korean (**DPRK**) operatives running the long-standing “remote IT worker” scheme have escalated their tradecraft by applying for remote roles using **real LinkedIn accounts of legitimate professionals they are impersonating**, rather than relying primarily on fully synthetic personas. Reporting attributes the finding to analysis shared by **Security Alliance (SEAL)**, noting that the hijacked/impersonated profiles can appear highly credible—sometimes featuring *verified workplace emails* and *identity badges*—making initial recruiter screening and identity verification more difficult. The operation’s objectives remain consistent: generate revenue for the regime (including via salary payments later moved through cryptocurrency laundering techniques such as **chain-hopping/token swapping** and use of **DEXs/bridges**) while also enabling **access to sensitive corporate environments** for espionage, persistence, and potential follow-on extortion. The activity is described as high-volume and is tracked under multiple names in the security community (including **Jasper Sleet**, **PurpleDelta**, and **Wagemole**), with prior research noting that once placed, these operators can obtain administrative access to codebases and blend in using living-off-the-land techniques within enterprise infrastructure.
Mar 21, 2026