North Korea’s Secret Army of IT Workers: The Global Scam Unveiled
In a digital age where remote work has become the norm, North Korea has weaponized the global tech job market. Thousands of North Korean IT specialists, operating under fake identities and elaborate cover stories, have infiltrated companies across the United States, Europe, and beyond. Their mission: to earn hard currency for the regime, evade international sanctions, and funnel millions—sometimes hundreds of millions—of dollars into Kim Jong Un’s nuclear and missile programs.
This clandestine operation, revealed through law enforcement actions, cybersecurity research, and rare first-hand accounts, exposes a sophisticated network that combines cybercrime, identity theft, and state-sponsored espionage. The scale and audacity of the scheme have shocked both industry insiders and government officials, raising urgent questions about the security of the global digital workforce.
How the Scam Works: Fake IDs, Laptop Farms, and Global Deception
At the heart of North Korea’s operation is a simple but effective strategy: impersonate skilled IT professionals from other countries to secure remote jobs with foreign companies. To do this, North Korean workers use a combination of stolen and fabricated identities, AI-generated documents, and digital subterfuge. They create convincing LinkedIn and GitHub profiles, forge academic records, and even use deepfake technology to pass video interviews.
Once hired, these operatives rarely work from within North Korea itself. Instead, they are stationed in China, Russia, and countries in Southeast Asia, where internet access is less restricted and surveillance is easier to evade. Some even operate from Africa or the Middle East. To further mask their origins, they use VPNs (virtual private networks), remote management tools, and accomplices in the West who act as intermediaries—receiving company laptops, setting up remote access, and handling payroll.
One notorious tactic is the use of “laptop farms”—physical locations in the U.S. or Europe where dozens of computers are set up and remotely controlled by North Korean workers abroad. These setups make it appear as if the workers are logging in from legitimate domestic locations, bypassing basic security checks.
According to the U.S. Department of Justice, more than 80 Americans have had their identities stolen for use in these scams, with hundreds of companies—ranging from tech startups to defense contractors—unknowingly employing North Korean operatives. The FBI has seized hundreds of computers, dozens of web domains, and millions of dollars in cryptocurrency linked to these operations.
The Human Side: Life as a North Korean IT Worker Abroad
Rare testimony from defectors like “Jin-su” reveals the personal cost and daily realities of this shadowy work. Jin-su, who spoke to the BBC, described using hundreds of fake IDs to apply for remote jobs, often juggling multiple positions at once and earning up to $5,000 a month—of which 85% was sent back to the regime. “We know it’s like robbery, but we just accept it as our fate,” he said. “It’s still much better than when we were in North Korea.”
Most North Korean IT workers operate in teams, closely monitored by government minders. While they enjoy more freedom and access to Western media than their compatriots at home, the risk of defection is high and the consequences for themselves and their families are severe. Despite the dangers, few choose to escape, as the money they keep—though a fraction of their earnings—can be life-changing by North Korean standards.
Why Remote IT Jobs? The Perfect Cover for Sanctions Evasion
North Korea’s economy is crippled by international sanctions, particularly those targeting its weapons programs. Traditional sources of foreign currency—such as laborers sent to work in Chinese factories or Russian construction sites—are drying up. In this context, remote IT work offers several advantages:
- High Pay: Skilled IT workers can earn up to $300,000 a year, far more than manual laborers abroad.
- Low Visibility: Remote work rarely requires in-person meetings, making it easier to hide true identities.
- Global Reach: The internet allows North Korean operatives to target companies worldwide, from the U.S. and Europe to New Zealand and the UAE.
- Access to Sensitive Data: Once inside, these workers can steal intellectual property, corporate secrets, and even sensitive defense information.
According to United Nations estimates, North Korean IT workers generate between $250 million and $600 million annually for the regime. This money is laundered through a web of intermediaries, cryptocurrency transactions, and shell companies, making it difficult for authorities to trace.
Inside the Tactics: AI, Deepfakes, and Social Engineering
North Korean IT operatives are not just skilled coders—they are also masters of deception. Cybersecurity researchers have uncovered detailed interview scripts, forged resumes, and AI-edited photos used to pass as Western professionals. Some even pay real people in Europe or the U.S. to “rent” their identities, offering a cut of their earnings in exchange for access to legitimate documents and bank accounts.
Microsoft’s Threat Intelligence team has tracked these activities under the codename “Jasper Sleet.” They report that North Korean workers use AI to generate fake personas, modify images for employment documents, and even alter their voices during interviews. Facilitators help them bypass employment verification, receive hardware, and set up remote access. Defense evasion tactics include using VPNs, virtual private servers, and remote management tools to mask their true locations.
One hiring manager, Rob Henley of Ally Security, described the challenge of detecting these fakes: “Initially it was like a game to some extent, like trying to figure out who was real and who was fake, but it got pretty annoying pretty quickly.” He resorted to asking candidates to show daylight during video calls—a simple trick that often exposed those working from the wrong time zone.
From the U.S. to Europe: Shifting Targets and Evolving Methods
As U.S. companies and law enforcement have become more vigilant, North Korean operatives have shifted their focus to Europe, where hiring processes and identity checks are often less stringent. Google’s Threat Intelligence Group and other cybersecurity experts warn that European tech firms are now prime targets, especially those with “bring your own device” (BYOD) policies and fast-tracked hiring pipelines.
In these environments, North Korean workers can blend in as normal remote employees, using their own hardware to access company systems. Once inside, they may steal data, threaten to leak sensitive information, or demand cryptocurrency payouts if terminated. The use of AI-generated identities and deepfakes makes detection even harder, as traditional red flags—such as inconsistent resumes or poor English—are increasingly masked by technology.
The Role of Western Facilitators: Enablers and Middlemen
North Korea’s IT worker scheme relies heavily on a network of enablers in the West. These facilitators—sometimes unwitting, sometimes complicit—provide critical support by:
- Receiving and setting up company laptops for remote access
- Opening bank accounts and shell companies to receive salaries
- Supplying fake passports, local phone numbers, and references
- Coaching operatives on cultural cues and hiring strategies
Several Americans have been indicted for operating “laptop farms” or acting as financial intermediaries. In one case, a U.S. citizen was charged with running a laptop farm from his home, allowing North Korean workers to control dozens of computers and launder their salaries. Others have been prosecuted for helping steal and transfer cryptocurrency, with millions of dollars seized by the Department of Justice.
Despite these crackdowns, the sheer scale and adaptability of the operation mean that many facilitators remain active, and new ones are recruited through social media and online forums.
Beyond Salaries: Espionage, Data Theft, and Cybercrime
While the primary goal of North Korea’s IT worker scheme is to earn foreign currency, the risks go far beyond lost salaries. Once inside a company, these operatives can:
- Steal intellectual property and trade secrets
- Access sensitive defense contractor data, including export-controlled information
- Plant malware for future ransomware or espionage campaigns
- Collect internal information for use by North Korean hacking groups like the infamous Lazarus Group
In several documented cases, North Korean IT workers have used their access to steal cryptocurrency, extort employers, or facilitate larger cyberattacks. The Lazarus Group alone is believed to have stolen more than $3 billion in crypto since 2007, including a record $1.5 billion heist in 2025.
How Companies Can Protect Themselves: Lessons and Recommendations
The North Korean IT worker scam has exposed serious vulnerabilities in the way companies hire and manage remote employees. Experts recommend a multi-layered approach to defense:
- Stricter Vetting: Verify digital footprints, check references, and use video calls to confirm identities.
- Monitor for Anomalies: Watch for suspicious IP addresses, shared phone numbers, and use of remote management tools.
- Limit BYOD Risks: Enforce endpoint security, restrict access for personal devices, and segment sensitive systems.
- Educate Staff: Train HR and IT teams to recognize red flags and coordinate on identity verification.
- Respond Quickly: If a North Korean IT worker is identified, confine the response to a small trusted group, analyze links to collaborators, and preserve evidence for law enforcement.
Authorities also urge companies to be wary of unusually low contract bids, requests for payment in cryptocurrency, and applicants who avoid video interviews or provide inconsistent documentation.
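The "Monitor for Anomalies" checks above (shared phone numbers, many accounts behind one source IP as a laptop farm would produce, and remote management tools on company laptops) can be run as simple correlations over HR and telemetry data. The following is an added example, not code from the article or from any agency it cites; the records are constructed, and the tool watchlist, approved host and VPN exit address are assumptions to replace with your own.

```python
import re
from collections import defaultdict

# Constructed sample data (not real records); IPs are documentation ranges.
APPLICANTS = [("A. Rivera", "+1 (555) 010-0142"), ("B. Novak", "1-555-010-0142"),
              ("C. Osei", "+1 555 010 0177")]
LOGINS = [("arivera", "203.0.113.24"), ("bnovak", "203.0.113.24"),
          ("dlee", "203.0.113.24"), ("cosei", "198.51.100.7"),
          ("emori", "198.51.100.7"), ("fkhan", "198.51.100.7")]
PROCESSES = [("LT-0412", "chrome.exe"), ("LT-0412", "AnyDesk.exe"),
             ("LT-0388", "code.exe"), ("LT-0391", "TeamViewer.exe")]
# Assumptions: tool watchlist, helpdesk host allowed to run those tools, and
# the company's own VPN exit address (many accounts there are expected).
REMOTE_TOOLS = {"anydesk.exe", "teamviewer.exe", "rustdesk.exe"}
APPROVED_HOSTS = {"LT-0391"}
KNOWN_EGRESS = {"198.51.100.7"}


def _group(pairs):
    """Map each key to the set of distinct values seen with it."""
    groups = defaultdict(set)
    for key, value in pairs:
        groups[key].add(value)
    return groups


def shared_phones(applicants):
    """Phone numbers (last 10 digits) listed by more than one identity."""
    pairs = ((re.sub(r"\D", "", phone)[-10:], name) for name, phone in applicants)
    return {p: sorted(n) for p, n in _group(pairs).items() if len(n) > 1}


def shared_source_ips(logins, known_egress=(), min_accounts=3):
    """Source IPs used by many distinct accounts, excluding known egress points."""
    pairs = ((ip, acct) for acct, ip in logins if ip not in known_egress)
    return {ip: sorted(a) for ip, a in _group(pairs).items() if len(a) >= min_accounts}


def unsanctioned_remote_tools(processes, watchlist, approved_hosts):
    """Hosts running a watchlisted remote-access tool without approval."""
    pairs = ((host, proc.lower()) for host, proc in processes
             if proc.lower() in watchlist and host not in approved_hosts)
    return {host: sorted(t) for host, t in _group(pairs).items()}


if __name__ == "__main__":
    print("shared phones:", shared_phones(APPLICANTS))
    print("shared IPs:", shared_source_ips(LOGINS, KNOWN_EGRESS))
    print("remote tools:", unsanctioned_remote_tools(PROCESSES, REMOTE_TOOLS, APPROVED_HOSTS))
```

A hit from any one check is a lead for HR and IT to review together, not proof; shared households, offices and sanctioned support tools produce the same patterns.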
The Bigger Picture: Sanctions, Cyberwarfare, and the Global Response
North Korea’s use of IT workers abroad is part of a broader strategy to evade sanctions and fund its weapons programs. According to the United Nations, cyberattacks now generate about half of North Korea’s foreign currency income and 40% of its weapons of mass destruction funding. The regime’s ability to adapt—shifting from manual labor to high-tech remote work, and from the U.S. to Europe—underscores the challenge facing international regulators.
Governments in the U.S., Japan, South Korea, and Europe have issued warnings, tightened enforcement, and prosecuted both foreign enablers and domestic collaborators. Freelancer platforms and tech companies are being urged to strengthen identity verification and monitor for suspicious activity. Yet, as one expert noted, “North Korea’s attempts to infiltrate Western companies for profit and espionage will continue. The crackdown will disrupt operations, but North Korea is expected to adapt.”
In Summary
- North Korea has deployed thousands of IT workers abroad using fake identities to infiltrate companies and earn hard currency for the regime.
- These operatives use AI, deepfakes, and sophisticated social engineering to pass as legitimate remote workers, often with help from Western facilitators.
- Once inside, they can steal data, intellectual property, and even facilitate cyberattacks, with salaries and stolen funds funneled back to North Korea’s weapons programs.
- Law enforcement agencies in the U.S. and other countries have seized millions in assets, prosecuted enablers, and warned companies to strengthen hiring and cybersecurity practices.
- The operation has shifted focus from the U.S. to Europe as enforcement tightens, with companies worldwide urged to remain vigilant against this evolving threat.