North Korean Fake IT Worker Network Infiltrates Western Firms and Funds Pyongyang
U.S. authorities and multiple security firms detailed a large North Korean scheme in which operatives use stolen or fabricated identities to win remote IT jobs at Western companies, then send the earnings back to Pyongyang in violation of sanctions. Research from IBM X-Force, Flare, Microsoft, LevelBlue, and others described a mature ecosystem of recruiters, facilitators, brokers, laptop-farm operators, and Western collaborators that helps workers pass interviews, receive corporate devices, mask their locations with VPNs, and clear payroll and compliance checks. Estimates cited across the reporting say more than 100,000 workers operating across dozens of countries may be generating roughly $500 million annually, while some cases also involved data theft, source-code exfiltration, extortion, and malware activity after hiring.
The U.S. Treasury's Office of Foreign Assets Control sanctioned six individuals and two entities tied to the operation, while U.S. courts sentenced three Americans, including a former Army soldier, for helping North Korean workers use false identities and laptop farms to obtain jobs at U.S. companies. Investigations also exposed operational tradecraft including use of Astrill VPN, NetKey/OConnect, IP Messenger, freelance platforms, AI-generated resumes and headshots, and U.S.-based hardware relays such as PiKVM-enabled laptop farms; one hired worker was removed within 10 days after suspicious logins from China and Missouri triggered detection. Researchers and federal advisories warned that remote hiring has become an insider-threat and sanctions-compliance risk, urging tighter identity verification, live skills testing, device and geolocation controls, least-privilege access, and joint oversight by HR, recruiters, and security teams.

How this story unfolded
18 events from the most recent confirmed update back to the earliest known activity.
Nisos exposes DPRK cell behind 170,000 fraudulent job applications
On 2026-06-16, Nisos published research assessing with high confidence that a DPRK state-sponsored cell ran an industrial-scale employment fraud operation targeting U.S. companies. The report said that between December 2024 and September 2025, 22 operatives submitted more than 170,000 applications and secured 76 job offers using stolen identities, AI-assisted interviews, U.S.-based facilitators, Astrill VPN, PiKVM devices, and cryptocurrency payments.
Accidental infostealer infection exposes DPRK payment server data
Reporting on 2026-04-10 said a North Korean operator accidentally executed infostealing malware on their own computer, exposing data from an internal payment server including 390 accounts, chat logs, and cryptocurrency transaction records. Investigators said the leak revealed a scheme generating about $1 million per month and exposed weakly protected infrastructure tied to sanctioned DPRK-linked firms.
ZachXBT publishes findings on DPRK IT worker payment infrastructure
On 2026-04-08, ZachXBT published findings about DPRK IT workers and their payment infrastructure after an infostealer compromise exposed internal communications through luckyguys[.]site. The leak provided visibility into a large-scale but relatively low-sophistication ecosystem supporting fraudulent remote IT work.
North Korean facilitators begin recruiting Iranian IT workers
Flare researchers reported that much of the observed activity recruiting Iranian IT professionals into the DPRK remote IT worker fraud pipeline dated back to 2024. Internal documents showed recruiters targeting Iranians on LinkedIn and coaching them to obtain jobs under stolen or fabricated identities.
Researchers expose suspected DPRK applicant using AI-generated resume
Researchers reported that in June 2025 they exposed a suspected North Korean operative who tried to infiltrate a cybersecurity firm using a stolen identity and an AI-generated resume. Investigators linked the activity to a broader laptop farm operation using PiKVM and Tailscale for remote control.
Researcher reports identity-rental offer from suspected DPRK hacker
By 2026-03-26, cybersecurity engineer Toufik Airane reported that a suspected North Korean hacker had approached him offering up to $70,000 per month to use his identity for remote job interviews in exchange for a share of the salary. Airane said he captured screenshots from a video call and linked the individual to prior security-firm identification.
Federal court sentences three Americans for aiding DPRK IT worker scheme
A federal court in the Southern District of Georgia sentenced Alexander Paul Travis, Jason Salazar, and Audricus Phagnasay for helping North Korean IT workers secure remote jobs at U.S. companies using false identities and laptop farms. The sentencing was announced in a DOJ press release on Friday and included prison, probation, and forfeiture orders.
Three Americans plead guilty in DPRK IT worker fraud case
According to DOJ information cited in reporting, Alexander Paul Travis, Jason Salazar, and Audricus Phagnasay pleaded guilty in November to wire fraud conspiracy for helping North Korean IT workers obtain remote jobs at U.S. companies using false identities.
Suspected DPRK worker hired for Salesforce role at Western company
In August 2025, a suspected North Korean operative obtained a remote IT job at a Western company and was given access to sensitive Salesforce data after passing standard hiring checks. The case was later cited by LevelBlue as part of the broader DPRK remote worker scheme.
Flare and IBM X-Force publish DPRK infiltrator threat research
On 2026-03-18, Flare Research and IBM X-Force published findings describing a mature, multi-tiered North Korean fake IT worker ecosystem using false identities, collaborators, and DPRK-linked infrastructure such as RB Site, NetkeyRegister, NetKey/OConnect, and IP Messenger. The research detailed how the scheme places workers into Western companies to generate revenue and sometimes enable theft or extortion.
OFAC sanctions six people and two entities tied to DPRK IT worker scheme
In March 2026, the U.S. Treasury Department's Office of Foreign Assets Control sanctioned six individuals and two entities linked to North Korea's remote IT worker operation. The sanctions targeted a scheme using stolen identities, fake personas, and fraudulent documents to obtain jobs and funnel earnings back to the DPRK.
Company revokes suspected DPRK worker's access after anomaly detection
On 2025-08-25, the company terminated the suspected North Korean worker's access by revoking the employee's EntraID account after detecting suspicious login activity tied to China and an unmanaged device in St. Louis. The action ended the worker's access within 10 days of hiring.
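As an added example (not code from any of the firms or agencies cited on this page), a defender-side review of a new hire's sign-in records modeled on the detection described above: a sign-in from outside the expected country, an unmanaged device, and two sign-ins too close together for plausible travel. The log field names and sample events are constructed, not a real Entra ID export schema.

```python
from datetime import datetime, timedelta

# Constructed sample sign-in events in the shape of a simplified identity-provider
# sign-in log. Field names and values are assumptions made for this example.
SAMPLE_SIGNINS = [
    {"user": "new.hire@example.com", "time": "2025-08-18T14:02:00", "country": "US",
     "city": "St. Louis", "managed": True, "ip": "203.0.113.10"},
    {"user": "new.hire@example.com", "time": "2025-08-20T03:15:00", "country": "CN",
     "city": "Shenyang", "managed": False, "ip": "198.51.100.7"},
    {"user": "new.hire@example.com", "time": "2025-08-20T09:40:00", "country": "US",
     "city": "St. Louis", "managed": False, "ip": "203.0.113.10"},
    {"user": "other.staff@example.com", "time": "2025-08-20T10:00:00", "country": "US",
     "city": "Austin", "managed": True, "ip": "192.0.2.44"},
]

def review_new_hire_signins(signins, user, hire_date, allowed_countries=("US",),
                            review_days=10, travel_window_hours=12):
    """Return (reason, event) findings for `user` within `review_days` of hire.
    Checks: sign-in from a country outside the allowed set, sign-in from an
    unmanaged device, and consecutive sign-ins from different countries closer
    together than plausible travel allows."""
    start = datetime.fromisoformat(hire_date)
    end = start + timedelta(days=review_days)
    events = sorted(
        (e for e in signins if e["user"] == user
         and start <= datetime.fromisoformat(e["time"]) <= end),
        key=lambda e: e["time"])  # ISO-8601 strings sort chronologically
    findings = []
    for e in events:
        if e["country"] not in allowed_countries:
            findings.append(("unexpected_country", e))
        if not e["managed"]:
            findings.append(("unmanaged_device", e))
    for prev, cur in zip(events, events[1:]):
        gap = datetime.fromisoformat(cur["time"]) - datetime.fromisoformat(prev["time"])
        if prev["country"] != cur["country"] and gap < timedelta(hours=travel_window_hours):
            findings.append(("impossible_travel", cur))
    return findings

def should_revoke(findings):
    """Decision rule: recommend revoking access when an out-of-region sign-in
    coincides with an unmanaged device or impossible travel, the combination
    that ended the worker's access in the case described above."""
    reasons = {r for r, _ in findings}
    return "unexpected_country" in reasons and bool(reasons & {"unmanaged_device", "impossible_travel"})
```

Against the constructed log the new hire produces four findings and a revoke recommendation, while the unrelated staff account produces none.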
FBI warns DPRK IT workers are conducting data extortion
On 2025-01-23, the FBI issued updated guidance stating that North Korean IT workers were increasingly stealing proprietary information, exfiltrating code, and conducting data extortion against U.S.-based businesses. The notice also warned of AI and face-swapping use during interviews and urged stronger monitoring and hiring controls.
FBI posts wanted notice for 14 DPRK IT worker suspects
On 2024-11-19, the FBI published a wanted notice naming 14 individuals allegedly involved in a DPRK IT worker conspiracy that generated and laundered revenue for North Korea. The notice said the State Department's Rewards for Justice program was offering up to $5 million for information disrupting related financial mechanisms and solicited public tips.
FBI warns DPRK uses US-based facilitators in remote job fraud
On 2024-05-16, the FBI warned that North Korean IT workers were fraudulently obtaining remote jobs at U.S. companies with help from U.S.-based facilitators who handled laptops, internet access, financial accounts, and interviews. The notice recommended stronger identity verification and monitoring for unauthorized remote access.
US and South Korea issue updated DPRK IT worker advisory
On 2023-10-18, the United States and the Republic of Korea issued updated guidance on DPRK IT workers, adding new red flags such as suspicious interview behavior, mismatched online identities, and freight-forwarding addresses. The advisory warned of sanctions, theft, and reputational risks and recommended stronger due diligence and monitoring.
Investigation finds DPRK laptop farm using Raspberry Pi KVM devices
An investigation reported on 2023-05-08 found evidence that DPRK IT workers used Raspberry Pi-based KVM devices and mesh VPN technology to remotely access desktop systems in a laptop farm setup.
US agencies publish advisory on DPRK IT workers
On 2022-05-16, the U.S. Departments of State and Treasury, together with the FBI, published an advisory warning that DPRK IT workers were posing as non-DPRK nationals to obtain employment and evade sanctions. The advisory also outlined red flags and released related guidance for companies and platforms.
Sources
Ambassador recall, remote work scams and the lives of North Korea’s elites | NK News (nknews.org)
North Korean IT Workers Try, Try, Try Again - BankInfoSecurity (bankinfosecurity.com)
North Korean IT Workers Try, Try, Try Again - GovInfoSecurity (govinfosecurity.com)
Exposing DPRK Employment Fraud Operations (nisos.com)
Internet Crime Complaint Center (IC3) | Democratic People's Republic of Korea Leverages U.S.-Based Individuals to Defraud U.S. Businesses and Generate Revenue (ic3.gov)
Internet Crime Complaint Center (IC3) | Additional Guidance on the Democratic People's Republic of Korea Information Technology Workers (ic3.gov)
Our investigation of the laptop farm identified that DPRK IT workers leverage Raspberry Pi-based KVM (Keyboard-Video-Mouse) devices to remotely access desktops and mesh VPN - Infosec.Pub (infosec.pub)
Publication of North Korea Information Technology Workers Advisory | Office of Foreign Assets Control (ofac.treasury.gov)