Tech Companies Have A Big Remote Worker Problem: North Korean Operatives

A growing number of the nation’s top tech firms have hired remote information technology workers, only to discover that the employees were actually North Korean cyber operatives.
Their goal? Cashing in on top tech salaries to funnel millions of dollars back to Pyongyang for its weapons program.
According to the nation’s top cyber experts, the scam is more widespread than previously understood and has recently hit many Fortune 500 companies. The problem is fueled by a lack of information security talent in the U.S. and the rise of remote work since the pandemic.
As these operatives evolve their methods using sophisticated AI tools and American accomplices, new hubs for these scams continue to pop up across the U.S., to the frustration of chief information security officers and tech executives throughout the corporate world.
While it's difficult to quantify how many companies have been targeted by the massive scam, more tech leaders are speaking out about their experiences, as law enforcement continues to crack down and shed light on how the expert operation is covertly conducted.
“I’ve talked to a lot of CISOs at Fortune 500 companies, and nearly every one that I’ve spoken to about the North Korean IT worker problem has admitted they’ve hired at least one North Korean IT worker, if not a dozen or a few dozen,” Charles Carmakal, chief technology officer at Google Cloud’s Mandiant, said during a recent media briefing.
In almost a dozen interviews with top security experts across the cyber sector, the prolific scheme was cited as a major threat, with many admitting that their companies had fallen victim and were struggling to stop the spread. Iain Mulholland, Cloud CISO at Google Cloud, said during the same media briefing that Google had seen North Korean IT workers “in our pipeline,” but declined to specify if this meant the applicants had been caught in the screening process or had actually been hired.
Cybersecurity firm SentinelOne is among the companies that have gone public about accidentally hiring IT imposters. Brandon Wales, the former executive director of the Cybersecurity and Infrastructure Security Agency and current vice president of cybersecurity strategy at SentinelOne, said the “scale and speed” of the North Korean government’s use of this strategy to amass funding for its weapons program had not been seen before.
According to experts, the plot tends to follow a similar playbook: A North Korean operative will create a fake LinkedIn profile posing as an American job seeker, often using stolen information such as addresses and Social Security numbers from a real person. They will often apply for high-paying jobs en masse or get in touch with recruiters using a fake identity. Once they make it to the interview stage, they will use AI-generated deepfakes to look and sound like the person they are attempting to impersonate, often in real time.
“There are individuals located around the country who work in software development whose personas are being used,” said Alexander Leslie, threat intelligence analyst at cyber firm Recorded Future. “Their personally identifiable information has been stolen — Social Security records, passport information, ID information.”
After being hired, these North Korean operatives will use stolen credentials to cruise through the onboarding process and ask employers to send their work laptops to front addresses in the U.S. — which are often laptop “farms” with dozens of devices kept running by a few American individuals who are paid to join the scheme.
“In some cases, they have 90 of these laptops set up, and they're just plugging them in, keeping them powered on,” said Adam Meyers, senior vice president of counter-adversary operations at cybersecurity company CrowdStrike.
He noted that his team has been tracking the growth of North Korean operatives infiltrating U.S. companies since 2022. CrowdStrike introduced a program to track potential insider threats at various organizations, and within the first week, found 30 companies that had fallen victim to the scheme. These efforts have ramped up since early 2024, as AI technology has advanced and North Korean spies have gotten more sophisticated with their methods.
According to an advisory released by the FBI, State and Treasury departments, each worker can earn on average up to $300,000 annually.
“This money is directly going to the weapons program, and sometimes you see that money going to the Kim family,” Meyers added. “We're talking about tens of millions of dollars, if not hundreds.”
Law enforcement agencies are certainly paying attention, though these cyber efforts have become more widespread and harder to detect. In February, Christina Chapman, an American citizen, pleaded guilty after being arrested for working with North Korean operatives for three years to steal American identities and run a laptop farm to sustain the operation.
This particular scheme alone allegedly generated more than $17 million, which was funneled to the North Korean government, and involved North Koreans hired at more than 300 American companies. Often, these operatives work multiple jobs at different companies at the same time to maximize their earnings and further develop their IT personas.
“It's hard for us to say how many humans are actually operating these personas, but somewhere in the thousands of unique personas,” said Greg Schloemer, senior threat analyst at Microsoft. “So it's huge and it's everywhere.”
The Justice Department announced indictments in January against two Americans for helping run a separate scam operation for six years that allowed North Korean tech operatives to work for more than 60 U.S. companies and generate more than $800,000 in revenue.
Elizabeth Pelker, a special agent with the FBI, said during a panel at the recent RSAC Conference in San Francisco that when one scammer is hired, they can provide references for other operatives. Some companies have reported up to 10 scammers on their payroll posing as IT workers.
These fraudsters have also found ways to continue extorting these tech firms long after they’ve been found out and fired. Once inside company networks, they often plant malicious software to gain access to sensitive company data or intelligence, forcing companies to fork over massive ransom payments.
“This is very adaptive,” Pelker said. “Even if [the hackers] know they’re going to get fired at some point, they have an exit strategy for them to still … have some sort of monetary gain.”
While efforts by the federal government to stop these large-scale schemes have been somewhat successful, experts say prosecuting the laptop farm operators is key to knocking out the scammer nerve center.
“If the FBI goes and knocks on that door and puts that person in cuffs and takes all the laptops away, they've lost 10 to 15 jobs, and they've lost a person who they've already invested in that relationship with,” Schloemer said. “So yes, in some ways it's a drop in the bucket, but also it's actually pretty costly for the actor.”
North Korean operatives are now branching out beyond the U.S. Meyers said CrowdStrike is tracking similar IT worker schemes in the U.K., Poland, Romania and other European nations, while Leslie said Recorded Future sees the scam being used across organizations in South Asian nations.
Still, some companies are fearful of disclosing that they have hired North Korean workers due to the potential legal ramifications of paying agents of a government under heavy economic sanctions. Leslie said hiring a worker, even unknowingly, from North Korea opens companies up to major compliance risks.
“That North Korean IT worker has access to your whole host of web development software, all the assets that you've been collecting. And then that worker is being paid by you, funneled back into the North Korean state, and is conducting espionage at the same time,” Leslie said. “It imposes a significant financial and compliance risk.”
Often, companies targeted by the scheme remain silent out of shame. Wales said that SentinelOne has been open about its experience, in part because “we don’t want there to be a stigma to talking about this.”
“It is really important that everyone be open and honest, because that is the way that we're going to deal with this, given the scale of what we are facing,” Wales said.