North Korean Remote Worker Infiltration Scheme

North Korean operatives have posed as remote workers in Western companies under stolen or fabricated identities, primarily targeting information technology and technical roles. They generate revenue for the North Korean government, particularly to fund its weapons programs.


Operations

The operation emerged as part of North Korea's broader cybercrime strategy under Kim Jong Un, who made information technology a national priority after assuming power in 2011. The COVID-19 pandemic significantly expanded remote work opportunities, which North Korean intelligence services exploited to scale up their operations. According to South Korea's National Intelligence Service, the number of people working in North Korea's cyber divisions grew from 6,800 in 2022 to 8,400 in 2024, including IT worker infiltrators, cryptocurrency thieves, and military hackers. The operations are run out of North Korea's Department 53. It is behind front companies, including Korea Osong Shipping Co. and Chonsurim Trading Corporation, that sent IT workers to Laos.


Recruitment and training

North Korean intelligence services, including the Reconnaissance General Bureau, recruit top graduates from prestigious institutions such as Kim Chaek University of Technology and the University of Sciences in Pyongsong. These operatives are trained in hacking techniques and foreign languages, and are promised higher wages and internet access as incentives.


Methodology

The scheme typically follows a standardized process:

1. Identity Theft: Operatives create fake profiles using stolen personal information, including Social Security numbers, addresses, and other credentials from real Americans.
2. Job Applications: Using platforms like LinkedIn and freelance sites like Upwork, operatives apply for high-paying, fully remote positions, with a focus on IT roles such as software engineering, web design, and full-stack development, though the scheme has expanded to other technical and some non-technical roles.
3. AI-Enhanced Interviews: Operatives use artificial intelligence tools, including deepfake technology, to pass video interviews and coding assessments while impersonating their stolen identities.
4. Laptop Farms: After being hired, operatives request that company laptops be sent to addresses controlled by US-based facilitators, who maintain "laptop farms" containing dozens of devices that can be controlled remotely.


Income

According to US government estimates, a typical team of North Korean IT workers can earn up to $3 million annually. Individual workers can earn an average of $300,000 per year, with the funds being funneled directly to North Korea's government and weapons programs. Some operatives work multiple jobs simultaneously to maximize earnings.


Notable cases


Christina Chapman case

In 2025, Christina Chapman, a 44-year-old American citizen from Arizona, pleaded guilty to charges related to operating a laptop farm that facilitated North Korean operatives for three years. Chapman's operation involved over 300 American companies and generated more than $17 million for the North Korean government.


KnowBe4 incident

In July 2024, KnowBe4, a Florida-based cybersecurity training company, discovered that a new hire identified as "Kyle" was actually a North Korean operative who had passed background checks and ID verification.


Impact

According to Mandiant (now part of Google Cloud), nearly every Fortune 500 company chief information security officer interviewed about the issue has admitted to hiring at least one North Korean IT worker. SentinelOne, a cybersecurity firm, reported receiving approximately 1,000 job applications linked to North Korean operatives. North Korean operatives generally target software engineer, front-end developer and full-stack developer jobs, though the scheme extends to roles beyond traditional IT. Beyond salary payments, impact includes:

* Data Theft: Operatives often steal sensitive company data and intellectual property
* Malware Installation: Some plant malicious software for future access or ransomware attacks
* Compliance Violations: Unknowingly employing North Korean operatives violates international sanctions

While initially focused on US companies, the scheme has expanded globally. CrowdStrike reports tracking similar operations in the United Kingdom, Poland, Romania, and other European nations, as well as organizations in South Asian countries.


Government response

The FBI, State Department, and Treasury Department have issued joint advisories warning companies about the threat, and initiated multiple prosecutions. In December 2024, the Justice Department indicted 14 North Koreans for generating at least $88 million over six years. The Department of Justice announced indictments in January 2025 against two Americans for operating a six-year scheme that placed North Korean operatives in over 60 US companies, generating more than $800,000 in revenue. The U.S. Treasury's Office of Foreign Assets Control (OFAC) announced sanctions in January 2025 against two individuals and four entities involved in North Korea's illicit remote IT worker schemes that generate revenue for the country's weapons programs. The sanctioned entities include two front companies (Korea Osong Shipping Co. and Chonsurim Trading Corporation) that sent IT workers to Laos, Chinese company Liaoning China Trade Industry Co. for supplying technological equipment, and individuals Jong In Chol and Son Kyong Sik who ran the front operations.


See also

* Lazarus Group
* Remote work
* Identity theft
* Sanctions against North Korea

