The Pervasive Threat of Fake North Korean IT Workers: How to Protect Your Company

2:58 AM | 14 July 2025

In the increasingly complex landscape of global cybersecurity threats, a particularly insidious problem has emerged and proliferated: the infiltration of hiring pipelines by individuals posing as legitimate IT workers, often linked to or operating on behalf of the North Korean regime. This isn't a fringe issue; it's a widespread challenge that has impacted companies of all sizes, from startups to Fortune 500 giants. If your organization is involved in hiring, especially for remote technical roles, the chances are high that you have already encountered or will encounter these sophisticated imposters.

The scale of this problem is alarming. According to Mandiant Consulting CTO Charles Carmakal, dozens of CISOs at Fortune 500 companies have admitted to having a 'North Korean IT worker problem.' Even major tech players like Google are not immune. Iain Mulholland, Google Cloud's senior director of security engineering, confirmed that Google has seen such applicants in their own pipelines. Snowflake CISO Brad Jones echoed this sentiment, stating his company has encountered applicants fitting this profile with various indicators of compromise (IOCs).

The financial implications are substantial. The Department of Justice reported that these types of scams, primarily originating from or funneling money back to Pyongyang, have cost American businesses at least $88 million over six years. This figure likely represents only a fraction of the true cost, considering undetected cases and the potential damage from intellectual property theft or extortion.

Beyond the financial drain, the risks posed by these fake workers are profound. Once embedded within a company, they gain insider access to sensitive systems, proprietary source code, customer data, and other valuable information. This access can be leveraged for various malicious purposes, including direct data theft or, in increasingly common scenarios, extortion. Fraudsters may steal corporate data and then threaten to leak it publicly unless a ransom is paid, creating a devastating one-two punch of infiltration and blackmail.

Initially, the focus was heavily on US-based companies, but as awareness grows and defenses strengthen in the States, these fraudulent job seekers are expanding their horizons, increasingly targeting European employers and likely other regions as well. The shift highlights the adaptive nature of these threat actors and the global reach of the problem.

The Modus Operandi: How Fake IT Workers Operate

The tactics employed by these fake IT workers are constantly evolving, becoming more sophisticated over time. However, several common patterns and indicators have been observed by security experts and hiring professionals:

Thick Resumes, Thin Digital Footprints

One of the most frequently cited red flags is the discrepancy between an applicant's resume and their online presence. Rivka Little, Chief Growth Officer at Socure, a company specializing in identity verification, described encountering resumes that were incredibly impressive – claiming experience at major tech companies, attendance at prestigious universities, and involvement in high-profile projects. Yet, these 'beefy resumes' were often paired with 'shallow' LinkedIn profiles, sometimes showing only a handful of connections. This lack of a robust professional network, which is standard for experienced tech professionals, is a significant warning sign.

Remote Work Preference and Evasion of In-Person Interaction

Almost universally, these fraudulent applicants target remote work positions. Remote roles offer anonymity and eliminate the need for physical presence, making identity verification significantly harder. A strong indicator of a potential scammer is an applicant who makes excuses or outright refuses requests for in-person meetings, whether for interviews, onboarding, or picking up equipment. As Netskope CISO James Robinson noted, requiring candidates to come to the office to pick up their computer can be a simple yet effective deterrent; fraudulent applicants will often simply pass on the job rather than comply.

Identity Discrepancies and Use of VPNs

Beyond the resume/LinkedIn mismatch, deeper identity checks often reveal inconsistencies. Socure's team noted oddities such as newly created email addresses, phone numbers that didn't align with the claimed geographic location, and the use of VPNs to mask their true location during video calls or technical tests. While VPN use isn't inherently suspicious, especially for remote workers, it becomes a red flag when combined with other indicators.

Deepfakes and AI Assistance

The use of advanced technology by scammers is also on the rise. Some cases have involved the use of deepfake videos during interviews to impersonate legitimate individuals or create convincing, albeit fake, personas. Vidoc Security Lab co-founder Dawid Moczadło shared his experience of almost being fooled by a deepfake applicant, even as a cybersecurity expert. This highlights the increasing sophistication and the difficulty in relying solely on visual cues during remote interviews.

Furthermore, applicants may use AI tools like ChatGPT to generate responses to technical questions or interview prompts. While not word-for-word copies, the answers can be clearly derived from AI-generated content, indicating a lack of genuine understanding or personal experience. Rivka Little's team at Socure tested this by feeding interview questions into ChatGPT and comparing the output to applicant responses, finding a clear correlation.

The Human Element: Affable but Fake

Perhaps most unsettling is the fact that these imposters can be surprisingly convincing on a personal level. Little described one suspected fraudster as 'affable, a nice guy... making jokes.' This underscores that these are not necessarily socially awkward individuals but sophisticated actors capable of maintaining a facade and building rapport, making them harder to spot based solely on personality or communication skills.

Why This Threat is Particularly Challenging

Several factors contribute to the difficulty in combating the fake IT worker problem:

  • Remote Work Trend: The global shift towards remote and hybrid work models, accelerated by recent events, has opened up vast opportunities for attackers who prefer to operate without physical presence.
  • High Demand for Tech Talent: The competitive market for skilled IT professionals can sometimes lead companies to expedite hiring processes or overlook minor inconsistencies in an effort to secure talent quickly.
  • Siloed Information: As Netskope's James Robinson pointed out, the responsibility for hiring is typically split between HR and security teams. HR professionals are trained to assess talent and fit, not necessarily to detect sophisticated cyber fraud or identity theft. Security teams have investigative skills but may lack expertise in hiring processes and legal constraints around what can be asked during interviews. Bridging this gap is crucial.
  • Evolving Tactics: As companies improve detection methods, the attackers adapt their techniques, employing new technologies like deepfakes or refining their social engineering skills.
  • Organized Crime Involvement: While often attributed to North Korea due to the regime's use of cybercrime for funding, experts like Rivka Little warn that other organized crime rings will likely adopt similar strategies, seeing it as a viable 'way in' to corporate networks and funds.

Strategies for Detection and Prevention

Combating the fake IT worker problem requires a multi-layered approach involving collaboration between HR, security, and legal departments, as well as leveraging technology and external partnerships.

1. Enhance Identity Verification and Background Checks

Go beyond standard resume and reference checks. Implement robust identity verification processes early in the hiring funnel. This could involve:

  • Using specialized identity verification services (like Socure) that can cross-reference applicant-provided information (name, address, phone number, email) against a wide range of databases and look for inconsistencies or signs of synthetic identities.
  • Requiring document verification (e.g., government ID) through secure channels.
  • Performing thorough background checks, but be aware that sophisticated attackers may use stolen or fabricated identities that can sometimes pass basic checks.

2. Scrutinize Resumes and Online Profiles

Train hiring managers and recruiters to look for the tell-tale signs:

  • Resumes that seem 'too good to be true,' listing experience with every hot technology or major project.
  • Discrepancies between the depth of the resume and the breadth/activity of professional networking profiles (e.g., LinkedIn).
  • Generic or newly created email addresses.
  • Phone numbers or addresses that don't align with the applicant's claimed location or work history.

3. Implement Rigorous Interview Processes

Interviews remain a critical point for detection, but they need to be adapted to spot sophisticated fraud:

  • Technical Assessments: Use practical coding tests or technical challenges that require genuine skill, not just memorized or AI-generated answers.
  • Behavioral Questions: Ask detailed questions about past projects and experiences, probing for specifics that would be difficult for someone without genuine experience to answer convincingly.
  • Look for Delays and Inconsistencies: During video interviews, watch for significant delays in responses that might indicate someone is receiving instructions or translating questions/answers. Pay attention to environmental cues, although attackers are getting better at masking these.
  • Require In-Person Interaction (Where Possible): While challenging for fully remote roles, consider requiring candidates to visit an office for a final interview stage or for onboarding/equipment pickup. As Netskope found, this requirement alone can deter fraudulent applicants.

4. Foster Collaboration Between HR, Security, and Legal

This is perhaps the most crucial step. Security teams possess the threat intelligence and investigative skills, while HR understands the hiring process and legal boundaries. Legal ensures compliance with hiring laws and privacy regulations when conducting checks. Joint training sessions and established protocols for flagging suspicious applicants are essential. Netskope's approach of briefing the FBI with HR and legal present is a good example of this necessary partnership.

5. Leverage Threat Intelligence and IOCs

Security teams should actively collect and share Indicators of Compromise (IOCs) related to fake IT worker scams with HR and recruiting. These IOCs can include flagged email addresses, phone numbers, physical addresses, or even specific resume templates or phrases known to be used by scammers. Integrating this data into recruiting tools, as Snowflake does, can help automate the flagging of suspicious applications early on.
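The automated flagging described here, combining IOC matching with the resume and identity red flags from section 2, as an added example that is not the article's or Snowflake's own tooling; the IOC values, phone-prefix table, point weights and sample applicants are all constructed assumptions:

```python
"""Screen applicant records against hiring-fraud indicators. Added example;
the IOC set, phone-prefix table, weights and sample records are constructed."""
from dataclasses import dataclass

# Constructed IOC set shared by security with recruiting (normalised values).
KNOWN_BAD = {"email": {"senior.fullstack.dev2025@example.net"},
             "phone": {"+15550142"}}
PREFIX = {"US": "+1", "GB": "+44", "DE": "+49"}  # claimed country -> E.164 prefix
ESCALATE = 40  # assumed score at which HR hands the file to security

@dataclass
class Applicant:
    email: str
    phone: str
    country: str              # location the applicant claims
    years_exp: int            # years of experience on the resume
    connections: int          # LinkedIn connection count
    declined_in_person: bool  # refused office visit / equipment pickup

def score(a: Applicant) -> tuple[int, list[str]]:
    """Return (risk score, reasons); higher means more review is needed."""
    phone = "".join(c for c in a.phone if c.isdigit() or c == "+")
    email = a.email.strip().lower()
    expected = PREFIX.get(a.country.upper())
    checks = [
        # An exact hit on a shared IOC is enough to escalate on its own.
        (email in KNOWN_BAD["email"], ESCALATE, "email matches shared IOC"),
        (phone in KNOWN_BAD["phone"], ESCALATE, "phone matches shared IOC"),
        # Weaker signals only add up; each alone fits many honest applicants.
        (bool(expected) and not phone.startswith(expected), 20,
         "phone prefix disagrees with claimed country"),
        (a.years_exp >= 8 and a.connections < 50, 15,
         "senior resume but sparse professional network"),
        (a.declined_in_person, 15, "declined in-person verification step"),
    ]
    return (sum(p for ok, p, _ in checks if ok),
            [r for ok, _, r in checks if ok])

def triage(applicants: list[Applicant]) -> list[tuple[str, int, list[str]]]:
    """Return (email, score, reasons) for applicants at or above ESCALATE."""
    scored = [(a.email, *score(a)) for a in applicants]
    return [s for s in scored if s[1] >= ESCALATE]

# Constructed sample: one plausible applicant, one with stacked red flags.
SAMPLE = [
    Applicant("jane@example.org", "+1 555 0100", "US", 6, 420, False),
    Applicant("dev.lead.2025@example.net", "+44 7700 900123", "US", 12, 9, True),
]
```

The weights are deliberately split so that a single shared IOC escalates on its own while softer signals (prefix mismatch, thin network, refusal of in-person steps) must accumulate, which keeps honest remote applicants from being flagged for one quirk.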

6. Train the 'Human Firewall'

As Snowflake's Brad Jones puts it, the people reviewing and interviewing candidates are the 'human firewall.' They need training to recognize the warning signs, understand the threat, and know when and how to escalate concerns to security or HR specialists. This training should cover not just technical red flags but also behavioral and identity-related indicators.

7. Secure Onboarding Processes

Even after hiring, vigilance is required. Double-check addresses before shipping equipment and only send devices to verified residential addresses. Implement secure multi-factor authentication for all corporate systems from day one. Monitor activity for new employees, especially those in sensitive roles, for any unusual behavior.

Looking Ahead: An Evolving Threat

The fake IT worker problem is not static. Attackers will continue to refine their methods, leveraging advancements in AI, deepfakes, and social engineering to bypass defenses. While North Korea has been a primary actor, the success of these campaigns means other state-sponsored groups or organized crime syndicates are likely to adopt similar strategies.

Companies must remain agile and proactive. This means continuously updating hiring and security protocols, investing in advanced identity verification technologies, and fostering a culture of security awareness across all departments involved in the hiring process. The cost of prevention is significantly lower than the potential cost of a successful infiltration, which can include massive financial losses, reputational damage, and the theft of invaluable intellectual property.

The narrative of the affable, seemingly qualified candidate who vanishes when asked for identity verification is a stark reminder that in the digital age, trust must be earned through rigorous verification, not assumed based on a polished resume or a convincing video call. By implementing comprehensive strategies and fostering collaboration, organizations can significantly reduce their risk of becoming the next victim of this pervasive and dangerous scam.

The Department of Justice's ongoing efforts to indict individuals involved in these schemes, such as the case involving a North Korean developer accused of fraud, underscore the seriousness with which governments are treating this issue. However, legal action after the fact does not prevent the initial infiltration. The primary defense lies with companies strengthening their hiring and security postures.

Ultimately, addressing the fake IT worker problem requires a fundamental shift in how companies approach hiring in the remote era. It's no longer just about assessing skills and experience; it's equally about verifying identity and assessing potential security risks from the very first interaction. Only through vigilance, collaboration, and the smart application of technology can businesses hope to stay ahead of this persistent threat.