Infosecurity Europe
3-5 June 2025
ExCeL London

How to Protect Your Business From North Korean IT Worker Scams

North Korean IT worker schemes are on the rise. These scams see IT workers from the Democratic People’s Republic of Korea (DPRK) secure illegitimate employment at firms, often technology and IT organisations. The tactic is used to steal funds and data and to extort victims in order to fund the DPRK regime.

Recent Trends in North Korean Fake IT Worker Schemes 

In 2024, cybersecurity firm KnowBe4 confirmed it had been targeted by such a scheme when the company was duped into hiring a fake IT worker from North Korea.

KnowBe4 detected unusual activity on its network which alerted it to the nation-state IT worker. The company was able to prevent illegal access and any data compromise.

This case demonstrated the high level of sophistication of North Korean attackers in creating a believable cover identity, capable of passing an extensive interview and background check.

KnowBe4 has since launched a complimentary training module which addresses critical security risks in employee onboarding processes.

Until recently, these tactics have primarily focused on the US. However, the Google Threat Intelligence Group (GTIG) has observed that DPRK IT workers are increasingly targeting European organisations, as awareness of the threat through public reporting, along with recent charges brought by US authorities, has disrupted their operations in the US.

Tactics deployed in these schemes are also evolving. While they initially focused on gaining employment to divert salaries to the DPRK regime, the fake IT workers are also using their access to deploy malware, steal data and extort victims.



In January 2025, the FBI confirmed it has observed North Korean IT workers engaging in this tactic and exfiltrating stolen proprietary data and code from their former employers.

This information is then held ‘hostage’ until the ransom demand is met. In some cases, this sensitive data has been publicly released when the victim organisations have refused to pay the ransom.

Rafe Pilling, Director of Threat Intelligence, Secureworks Counter Threat Unit, recently noted, “No longer are they just after a steady paycheck, they are looking for higher sums, more quickly, through data theft and extortion, from inside the company defenses.”

How North Korean IT Worker Schemes Work 

These North Korean IT workers create fake worker profiles, often with the assistance of AI, as in the KnowBe4 case, to get through the hiring process and obtain employment as remote workers, often in high-paying technical roles.

AI enables these cybercriminals to fabricate profile photos, use deepfakes in video interviews and overcome language barriers with the assistance of AI writing tools.

The IT worker will likely apply for hundreds of jobs using multiple fake IDs. GTIG recently identified one individual operating 12 personas across the US and Europe.

Once a job offer has been made, the IT worker will then engage a facilitator to help pass the necessary background checks.

A facilitator is also used to receive the corporate laptop and create a bank account once the IT worker has been hired.

This facilitator will assist in laundering the money and enabling it to be sent to the IT worker.

If this worker has been given privileged access to the network, they can also begin working to steal data, deploy malware or conduct cyber espionage. 

How Your Organisation Can Tackle the Threat of North Korean IT Worker Schemes 

The North Korean IT worker threat is not just a matter for the cybersecurity team: businesses must also strengthen hiring practices to thwart the threat before it gains access to the organisation. It is essential that companies at high risk from this threat adopt security-minded hiring processes.

  • Educate HR teams, hiring managers, and development teams regarding the North Korean IT worker threat.
  • Implement identity-verification processes during the interview process. Verify candidates’ identities by checking documentation for consistency, including their name, nationality, contact details and work history.
  • Conduct in-person or video interviews and monitor for suspicious activity during calls. Complete as much of the hiring and onboarding process as possible in person.
  • Be cautious of candidates’ requests to change their address during the onboarding process and to route paychecks to money transfer services.
  • Continue verification of remote workers through the onboarding and employment process. AI and deepfake tools are often used to obfuscate the identities of these IT workers.
  • Restrict use of unauthorized remote access tools and limit access to non-essential systems. Employ data monitoring practices to detect any suspicious activity carried out by North Korean IT workers using their privileged access.
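
An added example (not part of the original article) that turns three of the indicators above into a pre-screen over onboarding records: an address change during onboarding, pay routed to a money transfer service, and the same contact detail appearing under different names, as when one operator runs several personas. The record fields, flag names and sample data are constructed assumptions, and the flags are prompts for human review.

```python
from collections import defaultdict

# Constructed sample records; every field name and value is hypothetical.
CANDIDATES = [
    {"id": "c1", "name": "Alex Rivers", "phone": "+44 7000 000001",
     "email": "alex.rivers@example.com", "payout": "bank_account",
     "id_address": "1 Elm St, Leeds", "ship_address": "1 Elm St, Leeds"},
    {"id": "c2", "name": "Sam Holt", "phone": "+44 7000 000002",
     "email": "sam.holt@example.com", "payout": "money_transfer_service",
     "id_address": "9 Oak Rd, Bristol", "ship_address": "22 Dock Ln, Hull"},
    {"id": "c3", "name": "Jo Marsh", "phone": "+44 7000-000002",
     "email": "jo.marsh@example.com", "payout": "bank_account",
     "id_address": "4 Ash Ct, York", "ship_address": "4 Ash Ct, York"},
]

def norm(value):
    """Normalise a contact or address string so formatting cannot hide a match."""
    return "".join(ch for ch in value.lower() if ch.isalnum())

def screen(candidates):
    """Return {candidate id: sorted list of flags} for records needing review."""
    flags = defaultdict(set)
    by_contact = defaultdict(list)
    for c in candidates:
        # Laptop or payroll address no longer matches the verified ID address.
        if norm(c["id_address"]) != norm(c["ship_address"]):
            flags[c["id"]].add("address_changed_during_onboarding")
        if c["payout"] == "money_transfer_service":
            flags[c["id"]].add("payout_to_money_transfer_service")
        for key in ("phone", "email"):
            by_contact[(key, norm(c[key]))].append(c)
    # One contact detail used under different names links the personas.
    for group in by_contact.values():
        if len({norm(c["name"]) for c in group}) > 1:
            for c in group:
                flags[c["id"]].add("contact_shared_across_names")
    return {cid: sorted(f) for cid, f in flags.items()}

if __name__ == "__main__":
    for cid, found in screen(CANDIDATES).items():
        print(cid, found)
```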



Conclusion 

North Korean IT worker schemes have evolved into a significant threat where fraudulent candidates, boosted by AI-enabled profile fabrication, gain illegitimate access to high-paying technical roles within organisations.

These schemes facilitate the misappropriation of funds and data theft and contribute to funding the DPRK regime.

To counteract this risk, it is essential that businesses integrate security-minded hiring practices, ensuring thorough vetting and verification during the recruitment process. Strengthening these protocols is crucial for protecting organisational assets and preventing the infiltration of fraudulent workers into critical IT operational roles.

