The United States Department of Justice (DOJ) has intensified its nationwide crackdown on schemes involving North Korean information technology (IT) workers who fraudulently obtained employment at U.S. businesses. Over the past few years, the U.S. government issued multiple advisories to detect and combat the North Korean remote IT workers’ attempts to infiltrate U.S. businesses, the latest of which came in July this year.
The North Korean IT worker schemes have coincided with the rise in remote work and are designed to evade the existing U.S. sanctions regime by using remote IT work to fund illicit programs in North Korea, including its weapons program. In some cases, their fraudulent employment enables data extortion and exfiltration of the victim companies’ proprietary and sensitive data. Hundreds of companies in the U.S. have unwittingly hired North Korean Remote IT workers. Spanning across multiple jurisdictions, the scheme involve actors in the U.S. and abroad and present urgent challenge for organizations to reassess their remote hiring, outsourcing, and cybersecurity practices.
North Korean remote IT workers employ a number of strategies to elude detection. For example, many pose as an American using stolen identities and fake job site profiles. During the interview stage, they may utilize AI-generated deepfakes to impersonate their fraudulent identity in real time. When hired, these IT workers request work laptop delivery to fronts in the U.S. that may serve as “laptop farms,” where U.S. facilitators enable remote access to these laptops. More recently, North Korean remote IT workers and their facilitators have further evolved these schemes by creating shell companies with websites and financial accounts for appearance of affiliation with legitimate U.S. businesses.
Legal and Cybersecurity Implications
The evolving tactics of the North Korean remote IT workers raise serious concerns for U.S. organizations who may fall victim to unwittingly supporting North Korea as the U.S. continues to maintain comprehensive trade and economic sanctions against North Korea under the International Emergency Economic Powers Act (IEEPA) and accompanying executive orders and regulations, broadly prohibiting transactions that transfer property and interests in property in the United States to any persons acting on behalf of Government of North Korea.
Beyond financial gains, the North Korean remote IT workers may share access to virtual company infrastructure with proprietary and sensitive information, enabling a range of malicious cyber activities. In a January 2025 FBI Public Service Announcement, the agency warned that these North Korean remote IT workers have extorted companies by withholding stolen proprietary data and/or software code until ransom demands are met. In some cases, North Korean remote IT workers have gone as far as publicly releasing the stolen code online.
Countermeasures
Keeping apprised of common red flags and incorporating necessary updates to the remote workforce employment and management processes are crucial. The following are examples of such red flags to identify North Korean remote IT workers:
- Employment and document inconsistencies that may be evident of stolen or forged identity documents.
- Communication anomalies such as use of virtual phone numbers for the employee and their references or email addresses with suspicious patterns.
- Upon employment, unwillingness to appear on camera, inability to answer basic questions about their location or background, or anger or aggression if repeated prepayment requests are denied.
- Technical indicators such as installation of remote access software on company devices or multiple logins into one account in a short period of time from various IP addresses in different countries.
Relatedly, the below proactive efforts can help organizations mitigate the risks associated with the North Korean remote IT worker scheme:
- Implement multi-layered identity verification protocols during interviewing, onboarding and throughout the employment of remote workers. Scrutinize all documentation, verify employment and education history, and require in-person meetings.
- Cross-check systems to flag applicants with the same resume content, contact information and/or payment methods, which may suggest fraudulent activities.
- Mandate third-party vendors to adopt a multi-layered verification process. Regularly audit these vendors to confirm they comply with sanctions regulations and the internal security policies.
- Train HR staff, hiring managers and development teams to recognize the tactics used in these schemes and how to respond to them. Training should cover both pre-hire and post-hire protective measures.
- Explore imposing additional due diligence requirements to account for the utilization of front companies and/or fraudulent websites by North Korean remote IT workers and their U.S.-facilitators and any other increasingly sophisticated cyber tactics.
- Continue to look for areas for improvement in network traffic monitoring capabilities to detect suspicious activities.
- Keep up good cybersecurity hygiene such as limiting privileges for installing remote desktop applications and maintaining robust access control to sensitive data.
- Enable immediate response to suspected cybersecurity incidents including suspending any access to company platforms and quarantining any devices, conducting a comprehensive forensic investigation, and coordinating with external authorities.
Special thanks to Summer Associate Audrey Faulks (New York) for her assistance in the preparation of this content.